| Summary: | rng.service: "No pkcs11 slots available" | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Bjarne Thomsen <bjarne.thomsen> |
| Component: | RPM Packages | Assignee: | Mageia Bug Squad <bugsquad> |
| Status: | RESOLVED WORKSFORME | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, tmb |
| Version: | 7 | ||
| Target Milestone: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| URL: | https://blog.hqcodeshop.fi/archives/441-Adding-a-source-of-randomness-to-a-Linux.html | ||
| Whiteboard: | |||
| Source RPM: | rng-tools-6.7-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
Bjarne Thomsen
2020-01-17 11:49:10 CET
I have possibly found the cause of the strange message "No pkcs11 slots available". I had been experimenting with the packages pcsc-lite and opensc, but had forgotten about it. These, with their libraries, have now been uninstalled. I can now restart the rngd without getting any errors. The two last messages from "systemctl status rngd" are now:

PKCS11 Engine /usr/lib64/opensc-pkcs11.so Error: No such file or directory
Failed to init entropy source pkcs11

Does this imply that the correct working of rngd requires an Error!

tmb
Well, you need opensc (and its lib).

CC: (none) => tmb

Bjarne Thomsen
I tried to re-install opensc with lib. Now I again get:

No pkcs11 slots available
Failed to init entropy source pkcs11

Furthermore, the prescription in the URL did not work. Quoting: The only change I made was to have the ExecStart line say:

ExecStart=/sbin/rngd -f --rng-device=/dev/TrueRNG --fill-watermark=4000

The device /dev/TrueRNG does work.

tmb
Have you followed the instructions to set up udev rules and so on?

Bjarne Thomsen
Yes, it just makes a symlink. ls -l /dev/TrueRNG:

lrwxrwxrwx 1 root root 7 Jan 17 22:38 /dev/TrueRNG -> ttyACM0

Yes, I followed the prescription with opensc/library installed. I have not yet tried without installing opensc. Why should I install opensc, when I have no SmartCard? I actually had the idea that it could be used with Yubico keys, but this is not the way to go. This is why opensc was installed in the first place.

Neil Horman: bug fix update on Dec 16 2019: "Enhance logging to more clearly indicate which entropy source is issuing a given log message"

Yes, "dd if=/dev/TrueRNG of=random.bytes bs=64 count=1024" did work.

I have tested Neil Horman's prescription without opensc+lib. It looks interesting:

systemctl restart rngd
cat /proc/sys/kernel/random/entropy_avail
4036

It should display a number greater than 4000 and smaller than 4096. However, after some time I obtain:

cat /proc/sys/kernel/random/entropy_avail
3887

It looks as if some numbers are removed from the bottom of the pool at regular intervals. However, if I now repeat:

systemctl restart rngd
4033

This seems to indicate that the source of randomness has not permanently been replaced by /dev/TrueRNG, but "systemctl restart rngd" must be run at regular intervals. Is that where opensc+lib comes into the picture? Do I need a SmartCard configured to manage the entropy pool at regular intervals? I am confused.

This problem is solved. I found "rngd --list":

Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)

My hardware does not have a /dev/hwrng, so it cannot be substituted with /dev/TrueRNG. My hardware does not have a SmartCard reader, so it cannot use the pkcs11 source. To use TrueRNG requires a box with another hardware source. Bad for me ..

tmb
Try this: copy /usr/lib/systemd/system/rngd.service to /etc/systemd/system/rngd.service, then edit /etc/systemd/system/rngd.service and under [Service] add the line:

Environment=HRNGDEVICE=/dev/TrueRNG

and try to restart the service. Does it work then?

Bjarne Thomsen
[Service]
Environment=HRNGDEVICE=/dev/TrueRNG
ExecStart=/sbin/rngd -f --fill-watermark=4000

and then I restarted:

systemctl restart rngd
cat /proc/sys/kernel/random/entropy_avail

but that is how it was before. How can I see that the source is not "2: Intel RDRAND Instruction RNG (rdrand)"? Should I try to put in a "--exclude 2" like this:

ExecStart=/sbin/rngd -f --exclude 2 --fill-watermark=4000

or should it be --exclude=2?

The "--exclude 2" does not make any difference. It is still "Initalizing entropy source rdrand". How can I see if it uses TrueRNG or rdrand?

I have moved the TrueRNG to a small Intel NUC8-i5. On that box hwrng exists as device 0. The rngd starts with hwrng initializing. This also happens after I substituted with /dev/TrueRNG in /etc/systemd/system/. So my USB-TrueRNG seems to be working on the NUC8i5 box.

lewyssmith
I had not forgotten this bug, but it is far beyond my ken, so had no idea what to suggest nor whom to ask. So thanks to Thomas for jumping in, even though the suggestions did not resolve the issue. And to you Bjarne for finding a solution.
> To use TrueRNG requires a box with another hardware source (c8)
> So my USB-TrueRNG seems to be working on the NUC8i5 box (c12)
Would you agree to close the bug?

CC: (none) => lewyssmith

Bjarne Thomsen
The real question is if a pool of TrueRNG entropies is needed considering the many cryptographically strong hash functions available. This was not the case 30 years ago but the situation has changed.

lewyssmith
This can always be re-opened if needed.

Status: NEW => RESOLVED
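The unit override tmb suggests, the entropy_avail readings Bjarne reports and the "which source is rngd using?" question, put together in one small script. This is an added example; it is not code from the bug thread, from rng-tools or from Mageia. It assumes the /dev/TrueRNG symlink created by the udev rule in the linked blog post, the HRNGDEVICE variable, the --rng-device and --fill-watermark options quoted above, and the 4096-bit pool size implied by "smaller than 4096" (on a live machine read /proc/sys/kernel/random/poolsize instead). It writes a systemd drop-in rather than copying the whole unit file, which is ordinary systemd practice and survives rng-tools package updates; the sample `rngd --list` outputs are constructed in the format quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread): configure rngd for a TrueRNG serial
# device via a systemd drop-in, classify entropy_avail readings, and check
# whether a given entropy source shows up in `rngd --list` output.

POOL_SIZE=4096   # assumption: legacy input pool size in bits; read /proc/sys/kernel/random/poolsize on a live box
WATERMARK=4000   # the --fill-watermark value used in the thread
RNG_DEVICE=/dev/TrueRNG   # symlink made by the udev rule from the linked blog post

# Write a drop-in override for rngd.service. DIR is normally
# /etc/systemd/system/rngd.service.d; it is a parameter so this runs as non-root.
# An empty ExecStart= clears the packaged command line before it is replaced.
write_rngd_override() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<EOF
[Service]
Environment=HRNGDEVICE=$RNG_DEVICE
ExecStart=
ExecStart=/sbin/rngd -f --rng-device=$RNG_DEVICE --fill-watermark=$WATERMARK
EOF
}

# Classify one entropy_avail reading against the pool size and watermark.
# Prints one word; returns 0 only when the pool is being held above the watermark.
classify_entropy() {
    avail="$1"
    if [ "$avail" -gt "$POOL_SIZE" ]; then
        echo "invalid"; return 2
    elif [ "$avail" -ge "$WATERMARK" ]; then
        echo "above-watermark"; return 0
    else
        echo "below-watermark"; return 1
    fi
}

# Given `rngd --list` output on stdin, succeed if the source tagged TAG
# (hwrng, rdrand, pkcs11, ...) is listed as available and enabled.
list_has_source() {
    grep -q "^ *[0-9][0-9]*: .*($1)\$"
}

# Constructed sample outputs, in the format Bjarne quoted: a box without
# /dev/hwrng (only rdrand) and a box where hwrng is source 0.
SAMPLE_LIST_LAPTOP='Available and enabled entropy sources:
 2: Intel RDRAND Instruction RNG (rdrand)'
SAMPLE_LIST_NUC='Available and enabled entropy sources:
 0: Hardware RNG Device (hwrng)
 2: Intel RDRAND Instruction RNG (rdrand)'

# Demonstration on the constructed sample (prints the line on the NUC-like listing).
printf '%s\n' "$SAMPLE_LIST_NUC" | list_has_source hwrng && echo "hwrng source is available"

# On a real machine (run as root), the sequence would be:
#   write_rngd_override /etc/systemd/system/rngd.service.d
#   systemctl daemon-reload && systemctl restart rngd
#   rngd --list | list_has_source hwrng || echo "no hwrng source: rngd will not read $RNG_DEVICE"
#   classify_entropy "$(cat /proc/sys/kernel/random/entropy_avail)"
```

The last check is the one the thread ends on: if `rngd --list` shows no hwrng source at all, as on Bjarne's first machine, no amount of ExecStart editing will make rngd read the TrueRNG, whereas on the NUC the device appears as source 0 and the pool stays above the watermark without periodic restarts.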