Description of problem:
rngd.service fails to start with fips enabled

Version-Release number of selected component (if applicable):
RHEL8.8
rng-tools 6.15-3.el8

How reproducible:

fips-mode-setup --check
FIPS mode is enabled.

systemctl restart rngd.service
systemctl status rngd.service
● rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2023-05-17 19:22:15 UTC; 6min ago
Condition: start condition failed at Wed 2023-05-17 19:28:26 UTC; 2s ago
           └─ ConditionKernelCommandLine=!fips=1 was not met
 Main PID: 231 (code=exited, status=0/SUCCESS)

May 17 19:22:05 localhost rngd[231]: [rdrand]: Enabling RDRAND rng support
May 17 19:22:05 localhost rngd[231]: [rdrand]: Initialized
May 17 19:22:05 localhost rngd[231]: [jitter]: JITTER timeout set to 5 sec
May 17 19:22:05 localhost rngd[231]: [jitter]: Initializing AES buffer
May 17 19:22:09 localhost rngd[231]: [jitter]: Unable to obtain AES key, disabling JITTER source
May 17 19:22:09 localhost rngd[231]: [jitter]: Initialization Failed
May 17 19:22:15 localhost rngd[231]: [rdrand]: Shutting down
May 17 19:22:15 localhost systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon...
May 17 19:22:15 localhost systemd[1]: rngd.service: Succeeded.
May 17 19:22:15 localhost systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon.

Steps to Reproduce:

1. check and enable fips and reboot

   fips-mode-setup --check
   Installation of FIPS modules is not completed.
   FIPS mode is disabled.

   fips-mode-setup --enable
   Kernel initramdisks are being regenerated. This might take some time.
   Setting system policy to FIPS
   Note: System-wide crypto policies are applied on application start-up.
   It is recommended to restart the system for the change of policies
   to fully take place.
   FIPS mode will be enabled.
   Please reboot the system for the setting to take effect.

   shutdown -r now

2. check the fips mode is enabled after the reboot

   fips-mode-setup --check
   FIPS mode is enabled.

3. install rng-tools

   dnf install rng-tools

4. start rngd.service

   systemctl start rngd.service

5. check the status of rngd.service

   systemctl status rngd.service
   ● rngd.service - Hardware RNG Entropy Gatherer Daemon
      Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
      Active: inactive (dead) since Wed 2023-05-17 19:22:15 UTC; 6min ago
   Condition: start condition failed at Wed 2023-05-17 19:28:26 UTC; 2s ago
              └─ ConditionKernelCommandLine=!fips=1 was not met
    Main PID: 231 (code=exited, status=0/SUCCESS)

   May 17 19:22:05 localhost rngd[231]: [rdrand]: Enabling RDRAND rng support
   May 17 19:22:05 localhost rngd[231]: [rdrand]: Initialized
   May 17 19:22:05 localhost rngd[231]: [jitter]: JITTER timeout set to 5 sec
   May 17 19:22:05 localhost rngd[231]: [jitter]: Initializing AES buffer
   May 17 19:22:09 localhost rngd[231]: [jitter]: Unable to obtain AES key, disabling JITTER source
   May 17 19:22:09 localhost rngd[231]: [jitter]: Initialization Failed
   May 17 19:22:15 localhost rngd[231]: [rdrand]: Shutting down
   May 17 19:22:15 localhost systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon...
   May 17 19:22:15 localhost systemd[1]: rngd.service: Succeeded.
   May 17 19:22:15 localhost systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon.

Actual results:
rngd.service fails to start when fips enabled

Expected results:
rngd.service starts normally with fips enabled

Additional info:
I've noticed a new condition, "ConditionKernelCommandLine=!fips=1", added to the "/usr/lib/systemd/system/rngd.service" file. If I remove that line from the file then the service starts normally. Is there a reason that this condition was added for fips?
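
Added example, not part of the original report and not code from rng-tools or systemd: a small shell check that evaluates ConditionKernelCommandLine= lines against a kernel command line using the matching rule documented in systemd.unit(5), to show why the unit above is skipped when fips=1 is present. The function names, the sample unit text and both sample command lines are constructed for illustration.

```shell
#!/bin/sh
# cmdline_has PATTERN CMDLINE -> exit 0 if PATTERN is present on CMDLINE.
# Rule from systemd.unit(5): a bare word matches the word itself or the
# left-hand side of an assignment; "key=value" must match exactly.
# Simplification: quoted arguments containing spaces are not handled.
cmdline_has() {
    _found=1
    set -f                                  # no globbing while word-splitting
    for _arg in $2; do
        case $1 in
            *=*) if [ "$_arg" = "$1" ]; then _found=0; fi ;;
            *)   if [ "${_arg%%=*}" = "$1" ]; then _found=0; fi ;;
        esac
    done
    set +f
    return "$_found"
}

# unit_start_verdict UNIT_TEXT CMDLINE -> prints "start" or "skip: <line>".
# Only plain and "!"-negated conditions are evaluated; the "|" trigger
# prefix and empty-assignment resets are out of scope for this sketch.
unit_start_verdict() {
    _verdict=start
    while IFS= read -r _line; do
        case $_line in
            ConditionKernelCommandLine=*) _val=${_line#ConditionKernelCommandLine=} ;;
            *) continue ;;
        esac
        _neg=0
        case $_val in '!'*) _neg=1; _val=${_val#'!'} ;; esac
        if cmdline_has "$_val" "$2"; then _hit=1; else _hit=0; fi
        # The condition fails when "present" equals "negated".
        if [ "$_hit" -eq "$_neg" ]; then _verdict="skip: $_line"; fi
    done <<EOF
$1
EOF
    printf '%s\n' "$_verdict"
}

# Constructed sample input (the condition line is the one quoted in the report).
SAMPLE_UNIT='[Unit]
Description=Hardware RNG Entropy Gatherer Daemon
ConditionKernelCommandLine=!fips=1'
FIPS_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro fips=1'
PLAIN_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro'

unit_start_verdict "$SAMPLE_UNIT" "$FIPS_CMDLINE"
unit_start_verdict "$SAMPLE_UNIT" "$PLAIN_CMDLINE"
```

On a live host the same check can be fed real data with unit_start_verdict "$(systemctl cat rngd.service)" "$(cat /proc/cmdline)".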
Done-Errata