rpms
/
rng-tools
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import rng-tools-6.8-3.el8

This commit is contained in:
CentOS Sources 2020-04-28 05:39:23 -04:00 committed by Andrew Lukoshko
parent 96ee372812
commit 05cb9ffc36
12 changed files with 304 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/jitterentropy-library-2.1.2.tar.gz
SOURCES/rng-tools-6.6.tar.gz
SOURCES/rng-tools-6.8.tar.gz

2
.rng-tools.metadata
View File

@ -1,2 +1,2 @@
2fed101132b55f9d5008ed22fde54ef9e4cfc75d SOURCES/jitterentropy-library-2.1.2.tar.gz
2d1a03fdbed9ee00ea1f610037c626d995a4a697 SOURCES/rng-tools-6.6.tar.gz
25a20dfc818f3d95d3c63145feb7c102c1572540 SOURCES/rng-tools-6.8.tar.gz

34
SOURCES/0001-Default-to-one-thread-if-getaffinity-returns-an-erro.patch
View File

@ -1,34 +0,0 @@
From d2b4876231ac9c2e26880ebe428bfb41e60e098e Mon Sep 17 00:00:00 2001
From: Neil Horman <nhorman@tuxdriver.com>
Date: Wed, 19 Dec 2018 10:10:44 -0500
Subject: [PATCH] Default to one thread if getaffinity returns an error
Its possible on virt systems, for sched_getaffinity to return an error
if the vm has cpus, but cgroup placement restricts that set to 0
physical processors. In that event, just default to 1 thread on cpu 0
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
---
rngd_jitter.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rngd_jitter.c b/rngd_jitter.c
index 4e4b348..d14a3ba 100644
--- a/rngd_jitter.c
+++ b/rngd_jitter.c
@@ -421,7 +421,11 @@ int init_jitter_entropy_source(struct rng *ent_src)
cpus = CPU_ALLOC(i);
cpusize = CPU_ALLOC_SIZE(i);
CPU_ZERO_S(cpusize, cpus);
- sched_getaffinity(0, cpusize, cpus);
+ if (sched_getaffinity(0, cpusize, cpus) < 0) {
+ message(LOG_DAEMON|LOG_DEBUG, "Can not determine affinity of process, defaulting to 1 thread\n");
+ CPU_SET(0,cpus);
+ }
+
num_threads = CPU_COUNT_S(cpusize, cpus);
if (num_threads >= ent_src->rng_options[JITTER_OPT_THREADS].int_val)
--
2.17.2

60
SOURCES/Add-reserved-option-value-to-not-change-write_wakeup.patch Normal file
View File

@ -0,0 +1,60 @@
From 02b720e951160f652b0744f679d57623b81b1d8f Mon Sep 17 00:00:00 2001
From: Neil Horman <nhorman@tuxdriver.com>
Date: Mon, 2 Dec 2019 11:35:16 -0500
Subject: [PATCH 2/2] Add reserved option value to not change
write_wakeup_threshold
several distributions use a separate single shot service to set the
write_wakeup_threashold, which allows for non-root users to run rngd. This
results in a warning however, when rngd attempts to write the
write_wakeup_threshold. Avoid this by allowing a reserved value, 0 for the
fill-watermark option that causes rngd to just not touch the
write_wakeup_threshold
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
---
rngd.8.in | 4 +++-
rngd_linux.c | 5 ++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/rngd.8.in b/rngd.8.in
index 181f35d..16a359a 100644
--- a/rngd.8.in
+++ b/rngd.8.in
@@ -106,7 +106,9 @@ if the entropy pool size couldn't be determined.
Setting this too high will cause \fIrngd\fR to dominate the contents of the
entropy pool. Low values will hurt system performance during entropy
starves. Do not set \fIfill-watermark\fR above the size of the
-entropy pool (usually 4096 bits).
+entropy pool (usually 4096 bits). A value of 0 to this option will cause no
+watermark to be set.
+
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Suppress all messages
diff --git a/rngd_linux.c b/rngd_linux.c
index 51c38ac..9e60088 100644
--- a/rngd_linux.c
+++ b/rngd_linux.c
@@ -94,6 +94,9 @@ void init_kernel_rng(const char* randomdev)
randomdev, strerror(errno));
exit(EXIT_USAGE);
}
+ /* Don't set the watermark if the watermark is zero */
+ if (!arguments->fill_watermark)
+ return;
f = fopen("/proc/sys/kernel/random/write_wakeup_threshold", "w");
if (!f) {
@@ -105,7 +108,7 @@ void init_kernel_rng(const char* randomdev)
}
if (err) {
message(LOG_DAEMON|LOG_WARNING,
- "unable to adjust write_wakeup_threshold: %s",
+ "unable to adjust write_wakeup_threshold: %s\n",
strerror(errno));
}
--
2.21.0

21
SOURCES/Fix-message-log-on-error-in-thread_entropy_task.patch Normal file
View File

@ -0,0 +1,21 @@
diff -up ./rngd_jitter.c.message ./rngd_jitter.c
--- ./rngd_jitter.c.message 2019-12-02 11:41:40.456723553 -0500
+++ ./rngd_jitter.c 2019-12-02 11:43:09.331427470 -0500
@@ -302,15 +302,11 @@ static void *thread_entropy_task(void *d
while(written != me->buf_sz) {
message(LOG_DAEMON|LOG_DEBUG, "Writing to pipe\n");
ret = write(me->pipe_fd, &tmpbuf[written], me->buf_sz - written);
+ if ((ret < 0) && (errno != EBADF))
+ message(LOG_DAEMON|LOG_WARNING, "Error on pipe write: %s\n", strerror(errno));
message(LOG_DAEMON|LOG_DEBUG, "DONE Writing to pipe with return %ld\n", ret);
if (first)
me->active = 1;
- /*
- * suppress EBADF errors, as those indicate the pipe is
- * closed and we are exiting
- */
- if ((ret < 0) && (errno != EBADF))
- message(LOG_DAEMON|LOG_WARNING, "Error on pipe write: %s\n", strerror(errno));
if (!first && !me->active)
break;
first = 0;

29
SOURCES/jitter-rdtsc.patch Normal file
View File

@ -0,0 +1,29 @@
diff -up ./jitterentropy-library/jitterentropy.h.rdtsc ./jitterentropy-library/jitterentropy.h
--- ./jitterentropy-library/jitterentropy.h.rdtsc 2018-09-06 15:01:40.000000000 -0400
+++ ./jitterentropy-library/jitterentropy.h 2020-02-18 12:47:10.465684582 -0500
@@ -44,8 +44,12 @@
#ifdef __KERNEL__
#include "jitterentropy-base-kernel.h"
+#else /* __KERNEL__ */
+#ifdef __x86_64__
+#include "arch/jitterentropy-base-x86.h"
#else
#include "jitterentropy-base-user.h"
+#endif /* __x86_64__ */
#endif /* __KERNEL__ */
/* The entropy pool */
diff -up ./rngd_jitter.c.rdtsc ./rngd_jitter.c
--- ./rngd_jitter.c.rdtsc 2020-02-18 12:47:22.490646896 -0500
+++ ./rngd_jitter.c 2020-02-18 12:46:40.650778022 -0500
@@ -27,6 +27,9 @@
#include <unistd.h>
#include <signal.h>
#include <setjmp.h>
+#include <errno.h>
+#include <unistd.h>
+#include <fcntl.h>
#include "rng-tools-config.h"
#include <jitterentropy.h>

118
SOURCES/jitter-setjmp.patch Normal file
View File

@ -0,0 +1,118 @@
commit 3e47faae108df4824531bf9c003cc1c65b7b2842
Author: Neil Horman <nhorman@tuxdriver.com>
Date: Fri Jun 7 08:51:02 2019 -0400
Allow jitter threads to exit faster
Even with the recent pipe adjustments, it can take a long time for
jitterentropy to exit. This is because the call to jent_read_entropy
can take a long time to complete, and termination signal delivery won't
cause it to return early, like a syscall.
Mitigate this by using sigsetjmp/siglongjmp. We set a return point at
the top of the loop for each thread, and register a signal handler to
execute a siglongjmp back to that point so that we can recheck the
active flag and break the loop as soon as a signal is delivered.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
diff --git a/rngd_jitter.c b/rngd_jitter.c
index 54070ae..7f01ee9 100644
--- a/rngd_jitter.c
+++ b/rngd_jitter.c
@@ -26,6 +26,7 @@
#include <time.h>
#include <unistd.h>
#include <signal.h>
+#include <setjmp.h>
#include "rng-tools-config.h"
#include <jitterentropy.h>
@@ -48,6 +49,7 @@ struct thread_data {
int active;
int done;
struct timespec slptm;
+ sigjmp_buf jmpbuf;
};
static struct thread_data *tdata;
@@ -228,6 +230,16 @@ static inline void update_sleep_time(struct thread_data *me,
me->slptm.tv_nsec /= 2;
}
+void jitter_thread_exit_signal(int signum)
+{
+ pthread_t self = pthread_self();
+ int i;
+ for(i=0;i<num_threads;i++) {
+ if (threads[i] == self)
+ siglongjmp(tdata[i].jmpbuf, 1);
+ }
+}
+
static void *thread_entropy_task(void *data)
{
cpu_set_t cpuset;
@@ -263,6 +275,13 @@ static void *thread_entropy_task(void *data)
goto out;
}
+ /*
+ * Use setjmp here to allow us to return early from
+ * jent_read_entropy, as it can run for a long time
+ */
+ if (sigsetjmp(me->jmpbuf, 1))
+ goto out_interrupt;
+
/* Now go to sleep until there is more work to do */
do {
message(LOG_DAEMON|LOG_DEBUG, "JITTER thread on cpu %d wakes up for refill\n", me->core_id);
@@ -286,7 +305,11 @@ static void *thread_entropy_task(void *data)
message(LOG_DAEMON|LOG_DEBUG, "DONE Writing to pipe with return %ld\n", ret);
if (first)
me->active = 1;
- if (ret < 0)
+ /*
+ * suppress EBADF errors, as those indicate the pipe is
+ * closed and we are exiting
+ */
+ if ((ret < 0) && (errno != EBADF))
message(LOG_DAEMON|LOG_WARNING, "Error on pipe write: %s\n", strerror(errno));
if (!first && !me->active)
break;
@@ -296,6 +319,7 @@ static void *thread_entropy_task(void *data)
} while (me->active);
+out_interrupt:
free(tmpbuf);
out:
me->done = 1;
@@ -335,6 +359,7 @@ int validate_jitter_options(struct rng *ent_src)
return 0;
}
+
/*
* Init JITTER
*/
@@ -349,6 +374,9 @@ int init_jitter_entropy_source(struct rng *ent_src)
#ifdef HAVE_LIBGCRYPT
char key[AES_BLOCK];
#endif
+
+ signal(SIGUSR1, jitter_thread_exit_signal);
+
int ret = jent_entropy_init();
if(ret) {
message(LOG_DAEMON|LOG_WARNING, "JITTER rng fails with code %d\n", ret);
@@ -474,8 +502,8 @@ void close_jitter_entropy_source(struct rng *ent_src)
/* And wait for completion of each thread */
for (i=0; i < num_threads; i++) {
message(LOG_DAEMON|LOG_DEBUG, "Checking on done for thread %d\n", i);
+ pthread_kill(threads[i], SIGUSR1);
while (!tdata[i].done)
- pthread_kill(threads[i], SIGINT);
if(tdata[i].done) {
message(LOG_DAEMON|LOG_INFO, "Closing thread %d\n", tdata[i].core_id);
pthread_join(threads[i], NULL);

27
SOURCES/jitterentropy-build-static.patch
View File

@ -1,6 +1,6 @@
diff -up ./Makefile.am.build ./Makefile.am
--- ./Makefile.am.build 2018-10-20 11:38:30.000000000 -0400
+++ ./Makefile.am 2018-11-20 12:03:08.367191838 -0500
diff -up ./Makefile.am.static ./Makefile.am
--- ./Makefile.am.static 2019-11-07 14:20:39.000000000 -0500
+++ ./Makefile.am 2019-11-15 10:08:31.554914291 -0500
@@ -1,7 +1,7 @@
##
## Toplevel Makefile.am for rng-tools
@ -10,7 +10,7 @@ diff -up ./Makefile.am.build ./Makefile.am
sbin_PROGRAMS = rngd
bin_PROGRAMS = rngtest
@@ -23,14 +23,12 @@ if DARN
@@ -23,19 +23,17 @@ if DARN
rngd_SOURCES += rngd_darn.c
endif
@ -18,12 +18,19 @@ diff -up ./Makefile.am.build ./Makefile.am
rngd_SOURCES += rngd_jitter.c
-endif
-rngd_LDADD = librngd.a -lsysfs $(LIBS) ${libp11_LIBS} ${libcrypto_LIBS} ${libcurl_LIBS} ${libxml2_LIBS} ${openssl_LIBS} $(PTHREAD_LIBS)
+rngd_LDADD = librngd.a -lsysfs $(LIBS) jitterentropy-library/libjitterentropy.a ${libp11_LIBS} ${libcrypto_LIBS} ${libcurl_LIBS} ${libxml2_LIBS} ${openssl_LIBS} $(PTHREAD_LIBS)
+
+rngd_CFLAGS = ${pkcs11_CFLAGS} ${libp11_CFLAGS} ${libcrypto_CFLAGS} ${libxml2_CFLAGS} ${openssl_CFLAGS} $(PTHREAD_CFLAGS) -DHAVE_JITTER -I./jitterentropy-library/
+rngd_LDFLAGS = $(PTHREAD_CFLAGS)
-rngd_LDADD = librngd.a -lsysfs $(LIBS) ${libcurl_LIBS} ${libxml2_LIBS} ${openssl_LIBS} $(PTHREAD_LIBS)
+rngd_LDADD = librngd.a -lsysfs $(LIBS) jitterentropy-library/libjitterentropy.a ${libcurl_LIBS} ${libxml2_LIBS} ${openssl_LIBS} $(PTHREAD_LIBS)
-rngd_CFLAGS = ${libxml2_CFLAGS} ${openssl_CFLAGS} $(PTHREAD_CFLAGS)
+rngd_CFLAGS = ${libxml2_CFLAGS} ${openssl_CFLAGS} $(PTHREAD_CFLAGS) -DHAVE_JITTER -I./jitterentropy-library/
rngd_LDFLAGS = $(PTHREAD_CFLAGS)
if PKCS11
rngd_SOURCES += rngd_pkcs11.c
endif
-rngd_CFLAGS = ${pkcs11_CFLAGS} ${libp11_CFLAGS} ${libcrypto_CFLAGS} ${libxml2_CFLAGS} ${openssl_CFLAGS} $(PTHREAD_CFLAGS)
-rngd_LDFLAGS = $(PTHREAD_CFLAGS)
-
rngtest_SOURCES = exits.h stats.h stats.c rngtest.c
rngtest_LDADD = librngd.a

23
SOURCES/rng-tools-darn.patch
View File

@ -1,23 +0,0 @@
commit 901468598270db9c9f19f63f9812a94f5a44a487
Author: Neil Horman <nhorman@tuxdriver.com>
Date: Tue Nov 20 11:31:29 2018 -0500
Fix build break on ppc
didn't update the rng options properly for rng_darn.c
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
diff --git a/rngd_darn.c b/rngd_darn.c
index 45c81c7..abd34b0 100644
--- a/rngd_darn.c
+++ b/rngd_darn.c
@@ -126,7 +126,7 @@ static int refill_rand(struct rng *ent_src)
if (darn_buf_avail)
return 0;
- if (ent_src->options[DARN_USE_AES].int_val) {
+ if (ent_src->rng_options[DARN_OPT_AES].int_val) {
if (rand_bytes_served >= rekey_thresh) {
message(LOG_DAEMON|LOG_DEBUG, "rekeying DARN rng\n");
gcry_cipher_close(gcry_cipher_hd);

13
SOURCES/rngd-wake-threshold.service Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=Hardware RNG Entropy Gatherer Wake threshold service
Before=rngd.service
[Service]
CapabilityBoundingSet=CAP_SYS_ADMIN
AmbientCapabilities=CAP_SYS_ADMIN
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh -c "PSIZE=$(cat /proc/sys/kernel/random/poolsize); let THRESH=$PSIZE*3/4; echo $THRESH>/proc/sys/kernel/random/write_wakeup_threshold"
[Install]
WantedBy=sysinit.target

8
SOURCES/rngd.service
View File

@ -1,8 +1,14 @@
[Unit]
Description=Hardware RNG Entropy Gatherer Daemon
Requires=rngd-wake-threshold.service
[Service]
ExecStart=/sbin/rngd -f
User=rngd
Group=rngd
CapabilityBoundingSet=CAP_SYS_ADMIN
AmbientCapabilities=CAP_SYS_ADMIN
ExecStart=/sbin/rngd -f --fill-watermark=0
TimeoutStartSec=60s
[Install]
WantedBy=sysinit.target

45
SPECS/rng-tools.spec
View File

@ -3,19 +3,22 @@
Summary: Random number generator related utilities
Name: rng-tools
Version: 6.6
Release: 2%{?dist}
Version: 6.8
Release: 3%{?dist}
Group: System Environment/Base
License: GPLv2+
URL: https://github.com/nhorman/rng-tools
Source0: https://github.com/nhorman/rng-tools/archive/rng-tools-%{version}.tar.gz
Source1: rngd.service
Source2: jitterentropy-library-2.1.2.tar.gz
Source3: rngd-wake-threshold.service
Patch0: jitterentropy-remove-install.patch
Patch1: jitterentropy-build-static.patch
Patch2: rng-tools-darn.patch
Patch3: 0001-Default-to-one-thread-if-getaffinity-returns-an-erro.patch
Patch2: jitter-setjmp.patch
Patch3: Fix-message-log-on-error-in-thread_entropy_task.patch
Patch4: Add-reserved-option-value-to-not-change-write_wakeup.patch
Patch5: jitter-rdtsc.patch
# https://sourceforge.net/p/gkernel/patches/111/
@ -43,10 +46,12 @@ mv jitterentropy-library-2.1.2 jitterentropy-library
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
./autogen.sh
%configure
%configure --without-pkcs11
%make_build
%install
@ -54,15 +59,19 @@ mv jitterentropy-library-2.1.2 jitterentropy-library
# install systemd unit file
install -Dt %{buildroot}%{_unitdir} -m0644 %{SOURCE1}
install -Dt %{buildroot}%{_unitdir} -m0644 %{SOURCE3}
%pre
getent passwd rngd >/dev/null || useradd -r -M -d %{_localstatedir}/lib/rngd -s /sbin/nologin -c "Random Number Generator Daemon" rngd
%post
%systemd_post rngd.service
%systemd_post rngd.service rngd-wake-threshold.service
%preun
%systemd_preun rngd.service
%systemd_preun rngd.service rngd-wake-threshold.service
%postun
%systemd_postun_with_restart rngd.service
%systemd_postun_with_restart rngd.service rngd-wake-threshold.service
%files
%{!?_licensedir:%global license %%doc}
@ -73,8 +82,28 @@ install -Dt %{buildroot}%{_unitdir} -m0644 %{SOURCE1}
%{_mandir}/man1/rngtest.1.*
%{_mandir}/man8/rngd.8.*
%attr(0644,root,root) %{_unitdir}/rngd.service
%attr(0644,root,root) %{_unitdir}/rngd-wake-threshold.service
%changelog
* Tue Feb 18 2020 Neil Horman <nhorman@redhat.com> - 6.8-3
- Fix coarse clock time on Azure (bz 180155)
* Mon Dec 02 2019 Neil Horman <nhorman@redhat.com> - 6.8-2
- Fix erroneous message due to bad errno check (bz 1776710)
- Enable addition of 0 value for fill-watermark (bz 1776710)
* Fri Nov 15 2019 Neil Horman <nhorman@redhat.com> - 6.8-1
- Update to latest upstream (bz 1769916)
* Wed Oct 09 2019 Neil Horman <nhorman@redhat.com> 6.6-5
- Fix group typo in rngd.service (bz 1751810)
* Fri Oct 04 2019 Neil Horman <nhorman@redhat.com> 6.6-4
- Revision bump to rebuild for new CI runs
* Mon Mar 25 2019 Neil Horman <nhorman@redhat.com> 6.2-3
- Allow rngd to run as non-privledged user (bz 1692435)
* Mon Dec 17 2018 Neil Horman <nhorman@redhat.com> 6.2-2
- default to 1 thread on cpu 0 if getaffinty returns error (bz 1658855)