[yocto] [meta-openssl102-fips][PATCH 12/15] rng-tools: fix rngd failed in fips mode

Hongxu Jia hongxu.jia at windriver.com
Sun Sep 22 07:57:05 PDT 2019


The FIPS test is something done in government or more secure organizations
as an extra security check.
...
root@qemux86-64:~# systemctl status rngd
Unit rngd-tools.service could not be found.
root@qemux86-64:~# systemctl status rngd
rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
  Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 317 (code=exited, status=0/SUCCESS)

Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source
...

From the rngd manual, add `-i' to default
...
-i, --ignorefail
  Ignore repeated fips failures
...

After applying the fix
...
rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
 Main PID: 121 (rngd)
    Tasks: 2
   Memory: 1.8M
   CGroup: /system.slice/rngd.service
           /usr/sbin/rngd -f -r /dev/hwrng -i

Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not permitted
...

Refer:
https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html

Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
 recipes-support/rng-tools/rng-tools/default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-support/rng-tools/rng-tools/default b/recipes-support/rng-tools/rng-tools/default
index b9f8e03..1ae6b33 100644
--- a/recipes-support/rng-tools/rng-tools/default
+++ b/recipes-support/rng-tools/rng-tools/default
@@ -1 +1 @@
-EXTRA_ARGS="-r /dev/hwrng"
+EXTRA_ARGS="-r /dev/hwrng -i"
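Review bot: The `-i` added to `EXTRA_ARGS` makes rngd ignore repeated FIPS failures instead of addressing their cause, and the "after applying the fix" log in the commit message still shows `RNDADDENTROPY failed: Operation not permitted`. The service now stays active, but the ioctl that feeds the kernel pool is still being refused, so the patch demonstrates that the daemon stays running, not that entropy is being added. Please find out why RNDADDENTROPY is not permitted in this FIPS configuration and fix that. If that cannot be done, state in the commit message why it is acceptable on a FIPS image to keep using a source whose output fails rngd's FIPS tests, and add a comment to that effect next to the `-i` in the `default` file.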
-- 
2.7.4


