Bug
Resolution: Done-Errata
Major
rhel-8.8.0
Important
sst_security_compliance
ssg_security
x86_64
Description of problem:
rngd.service fails to start with fips enabled
Version-Release number of selected component (if applicable):
RHEL8.8
rng-tools 6.15-3.el8
How reproducible:
- fips-mode-setup --check
FIPS mode is enabled.
- systemctl restart rngd.service
- systemctl status rngd.service
● rngd.service - Hardware RNG Entropy Gatherer Daemon
Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Wed 2023-05-17 19:22:15 UTC; 6min ago
Condition: start condition failed at Wed 2023-05-17 19:28:26 UTC; 2s ago
└─ ConditionKernelCommandLine=!fips=1 was not met
Main PID: 231 (code=exited, status=0/SUCCESS)
May 17 19:22:05 localhost rngd[231]: [rdrand]: Enabling RDRAND rng support
May 17 19:22:05 localhost rngd[231]: [rdrand]: Initialized
May 17 19:22:05 localhost rngd[231]: [jitter]: JITTER timeout set to 5 sec
May 17 19:22:05 localhost rngd[231]: [jitter]: Initializing AES buffer
May 17 19:22:09 localhost rngd[231]: [jitter]: Unable to obtain AES key, disabling JITTER source
May 17 19:22:09 localhost rngd[231]: [jitter]: Initialization Failed
May 17 19:22:15 localhost rngd[231]: [rdrand]: Shutting down
May 17 19:22:15 localhost systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon...
May 17 19:22:15 localhost systemd[1]: rngd.service: Succeeded.
May 17 19:22:15 localhost systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon.
Steps to Reproduce:
1. check and enable fips and reboot
- fips-mode-setup --check
Installation of FIPS modules is not completed.
FIPS mode is disabled.
- fips-mode-setup --enable
Kernel initramdisks are being regenerated. This might take some time.
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.
- shutdown -r now
2. check the fips mode is enabled after the reboot
- fips-mode-setup --check
FIPS mode is enabled.
3. install rng-tools
- dnf install rng-tools
4. start rngd.service
- systemctl start rngd.service
5. check the status of rngd.service
- systemctl status rngd.service
● rngd.service - Hardware RNG Entropy Gatherer Daemon
Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Wed 2023-05-17 19:22:15 UTC; 6min ago
Condition: start condition failed at Wed 2023-05-17 19:28:26 UTC; 2s ago
└─ ConditionKernelCommandLine=!fips=1 was not met
Main PID: 231 (code=exited, status=0/SUCCESS)
May 17 19:22:05 localhost rngd[231]: [rdrand]: Enabling RDRAND rng support
May 17 19:22:05 localhost rngd[231]: [rdrand]: Initialized
May 17 19:22:05 localhost rngd[231]: [jitter]: JITTER timeout set to 5 sec
May 17 19:22:05 localhost rngd[231]: [jitter]: Initializing AES buffer
May 17 19:22:09 localhost rngd[231]: [jitter]: Unable to obtain AES key, disabling JITTER source
May 17 19:22:09 localhost rngd[231]: [jitter]: Initialization Failed
May 17 19:22:15 localhost rngd[231]: [rdrand]: Shutting down
May 17 19:22:15 localhost systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon...
May 17 19:22:15 localhost systemd[1]: rngd.service: Succeeded.
May 17 19:22:15 localhost systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon.
Actual results:
rngd.service fails to start when fips enabled
Expected results:
rngd.service starts normally with fips enabled
Additional info:
I've noticed a new condition, "ConditionKernelCommandLine=!fips=1", added to "/usr/lib/systemd/system/rngd.service" file.
If I remove that line from the file then the service starts normally.
Is there a reason that this condition was added for fips?
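The status output above shows systemd declining to start the unit because "ConditionKernelCommandLine=!fips=1" was not met. The following POSIX shell script is an added example, not code from the bug report or from the rng-tools package: it evaluates a ConditionKernelCommandLine= directive against a kernel command line using systemd's documented matching rules (a bare word matches itself or the left-hand side of an assignment, an assignment must match exactly, a leading "!" negates, an empty assignment resets the condition list) and reports which conditions in a unit file would block the start. The unit text and both command lines are constructed sample inputs; they are not captured from the reporter's machine.

```shell
#!/bin/sh
# Added example: emulate systemd's ConditionKernelCommandLine= evaluation so a
# unit's start condition can be checked before rebooting into FIPS mode.
# Assumes unit keys start at column 0 (no leading whitespace) and that the
# command line is whitespace-separated, as /proc/cmdline is.

# cmdline_has WORD CMDLINE -> exit 0 if WORD is present per systemd's rules:
#   "key=value" must match an argument exactly; a bare "key" matches either
#   "key" or any "key=..." argument.
cmdline_has() {
    word=$1
    for arg in $2; do
        if [ "$arg" = "$word" ]; then
            return 0
        fi
        case $word in
            *=*) ;;                                   # assignment: exact match only
            *) case $arg in "$word="*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# condition_met DIRECTIVE CMDLINE -> exit 0 if the directive allows the unit
# to start. DIRECTIVE is a full "ConditionKernelCommandLine=..." line.
condition_met() {
    spec=${1#ConditionKernelCommandLine=}
    negate=0
    case $spec in
        '!'*) negate=1; spec=${spec#!} ;;             # leading '!' inverts the test
    esac
    if cmdline_has "$spec" "$2"; then
        [ "$negate" -eq 0 ]
    else
        [ "$negate" -eq 1 ]
    fi
}

# unit_conditions_met UNIT_TEXT CMDLINE -> exit 0 if every
# ConditionKernelCommandLine= line in the unit text is satisfied; prints one
# line per directive. An empty assignment resets earlier results, as in systemd.
unit_conditions_met() {
    unit_text=$1
    cmdline=$2
    failed=0
    while IFS= read -r line; do
        case $line in
            ConditionKernelCommandLine=)
                printf 'reset:   %s (clears earlier conditions)\n' "$line"
                failed=0 ;;
            ConditionKernelCommandLine=*)
                if condition_met "$line" "$cmdline"; then
                    printf 'met:     %s\n' "$line"
                else
                    printf 'NOT met: %s\n' "$line"
                    failed=1
                fi ;;
        esac
    done <<EOF
$unit_text
EOF
    return "$failed"
}

# Constructed sample inputs (not the real rngd.service or a captured /proc/cmdline).
SAMPLE_UNIT='[Unit]
Description=Hardware RNG Entropy Gatherer Daemon
ConditionKernelCommandLine=!fips=1
'
FIPS_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro fips=1 quiet'
PLAIN_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro quiet'

# Offline demonstration. On a live host, pass
# "$(cat /usr/lib/systemd/system/rngd.service)" and "$(cat /proc/cmdline)" instead.
for cmdline in "$FIPS_CMDLINE" "$PLAIN_CMDLINE"; do
    printf '\ncmdline: %s\n' "$cmdline"
    if unit_conditions_met "$SAMPLE_UNIT" "$cmdline"; then
        echo "result: unit would start"
    else
        echo "result: unit would be skipped, matching the 'start condition failed' status above"
    fi
done
```

Run against the real unit and /proc/cmdline, the script reports the same "not met" verdict that systemctl status shows, but it can also be run against a planned command line (for example one that will carry fips=1 after fips-mode-setup --enable and a reboot) to see in advance which units a kernel parameter will switch off. The kernel's own view of FIPS mode is in /proc/sys/crypto/fips_enabled.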
Links to: RHBA-2024:128049 scap-security-guide bug fix and enhancement update