Entropy from TPM of Fedora 23?

I have a server that I want to use to test Libreswan VPN software.  This 
requires a lot of entropy (for random number generation).

Unfortunately, the box, a Dell, has a processor with no RdRand 
instruction.  But it does have a TPM 1.2 module, and that is supposed to 
be able to generate entropy.

I don't know how to get the TPM to feed entropy to the Linux kernel RNG.

Is there a cookbook explaining how to do this?

I installed Trousers to handle the TPM device.  That provides "tcsd"
the daemon that manages "Trusted Computing resources" (including TPM).

I installed tpm_tools.

I initialized the TPM with
	tpm_takeownership -y -z

rngd is the daemon that is supposed to feed hardware entropy to the
kernel RNG.  It is part of the rng-tools package.  I would have
thought that enabling the TPM would allow rngd to harvest entropy from
the TPM.  That does not seem to be the case.

rngd can open /dev/tpm0 but cannot read from it.  (This isn't obvious
since rngd's diagnostics are not very specific.)

I think that the problem is that only one thing is allowed to open the
TPM at once, and that one thing is currently something else.  Probably tcsd.

Here's a closed bugzilla against RHEL7 that seems relevant:
<https://bugzilla.redhat.com/show_bug.cgi?id=921122>

My problem certainly isn't the same.  tcsd seems to be running and
happy.  Compare this with what Steve Grubb said in Comment 5.

    [build@bluebird ~]$ systemctl status tcsd
    ● tcsd.service - TCG Core Services Daemon
       Loaded: loaded (/usr/lib/systemd/system/tcsd.service; enabled; vendor preset: disabled)
       Active: active (running) since Tue 2016-05-17 13:09:28 EDT; 1h 13min ago
      Process: 798 ExecStart=/sbin/tcsd (code=exited, status=0/SUCCESS)
     Main PID: 838 (tcsd)
       CGroup: /system.slice/tcsd.service
	       └─838 /sbin/tcsd

    May 17 13:09:27 bluebird.mimosa.com systemd[1]: Starting TCG Core Services Daemon...
    May 17 13:09:28 bluebird.mimosa.com tcsd[798]: TCSD TDDL[798]: TrouSerS ioctl: (25) Inappropriate ioctl for device
    May 17 13:09:28 bluebird.mimosa.com tcsd[798]: TCSD TDDL[798]: TrouSerS Falling back to Read/Write device support.
    May 17 13:09:28 bluebird.mimosa.com systemd[1]: Started TCG Core Services Daemon.
    May 17 13:09:28 bluebird.mimosa.com TCSD[838]: TrouSerS trousers 0.3.13: TCSD up and running.
    [build@bluebird ~]$ 

But rngd is neither running nor happy:

    [build@bluebird ~]$ systemctl status rngd
    ● rngd.service - Hardware RNG Entropy Gatherer Daemon
       Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
       Active: inactive (dead) since Tue 2016-05-17 13:09:28 EDT; 1h 17min ago
      Process: 751 ExecStart=/sbin/rngd -f (code=exited, status=0/SUCCESS)
     Main PID: 751 (code=exited, status=0/SUCCESS)

    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: No entropy sources working, exiting rngd
    [build@bluebird ~]$ 

(The read errors are from trying to read /dev/hwrng.  The error code is for "No such device".)

Here's a run of a version of rngd that I instrumented:

    [build@bluebird ~]$ sudo ./rngd -f -v -r /dev/NOTHING
    Unable to open file /dev/tpm0: Device or resource busy
    can't open any entropy source
    Maybe RNG device modules are not loaded
    [build@bluebird ~]$ 

-f: don't daemonize
-v: verbose
-r /dev/NOTHING: replace /dev/hwrng with a meaningless path to prevent using it.

According to this old page <https://fedoraproject.org/wiki/Features/rngd_default_on>

	Note that when using TPM, rngd currently conflicts with tcsd
	from TrouSerS. The solution to that is a kernel module which
	is probably going to be merged upstream in the 3.7 kernel, as
	it unfortunately missed the 3.6 merge window; however, it is a
	small patchset and it can be trivially backported. It should
	be in James Morris' linux-security git tree shortly; otherwise
	search for Kent Yoder on LKML.

I don't know what that module is, whether my system has it, and, if so,
whether it is actually loaded.  There are two loaded modules with tpm in their name:

    tpm_tis 20480 0 - Live 0xffffffffa033b000
    tpm 40960 2 tpm_tis, Live 0xffffffffa0104000

It is even possible that the TPM is being used now.  Monitoring
/proc/sys/kernel/random/entropy_avail seems to show more entropy than
I observed yesterday.  But it isn't enough for what I'm trying to do.
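A small POSIX-shell diagnostic that automates the checks made by hand in this post (pool level, which driver backs /dev/hwrng, and which process holds /dev/tpm0 open). It is an added example, not the poster's instrumented rngd; the quarter-pool threshold and the --live flag are assumptions, and the functions take paths so they can be run against a constructed copy of /proc and /sys as well as the live system.

```shell
#!/bin/sh
# Diagnostic for the tcsd/rngd conflict described above (an added example,
# not the poster's instrumented rngd). Each function takes paths so it can be
# pointed at the live /proc and /sys or at a constructed copy for testing.

# Print "avail/poolsize" for the kernel pool and fail when the pool is below a
# quarter full. The quarter threshold is an assumption, not a kernel limit.
entropy_level() {
  avail=$(cat "$1") && pool=$(cat "$2") || return 2
  echo "$avail/$pool"
  [ "$avail" -ge $((pool / 4)) ]
}

# Driver currently registered behind /dev/hwrng, or "none". With no driver
# registered, reads of /dev/hwrng fail with ENODEV ("No such device"), which
# is what rngd logged as "read error" before giving up.
hwrng_backend() {
  cur=$(cat "$1" 2>/dev/null || true)
  if [ -n "$cur" ] && [ "$cur" != "none" ]; then echo "$cur"; else echo none; fi
}

# PIDs that hold a device node open, one per line, found by walking
# <procroot>/<pid>/fd/*. The tpm character device accepts a single opener, so a
# PID listed here (tcsd in the post) is why rngd gets EBUSY on /dev/tpm0.
# Run as root to see file descriptors of other users' processes.
device_holders() {
  procroot=$1; dev=$2
  for fd in "$procroot"/[0-9]*/fd/*; do
    [ -e "$fd" ] || [ -L "$fd" ] || continue
    [ "$(readlink "$fd" 2>/dev/null)" = "$dev" ] || continue
    pid=${fd#"$procroot"/}
    echo "${pid%%/*}"
  done | sort -un
}

# Live report, only when invoked with --live (assumed flag) so that the file
# can also be sourced for its functions.
if [ "${1:-}" = "--live" ]; then
  entropy_level /proc/sys/kernel/random/entropy_avail \
                /proc/sys/kernel/random/poolsize || echo "entropy pool is low"
  echo "hwrng backend: $(hwrng_backend /sys/class/misc/hw_random/rng_current)"
  echo "/dev/tpm0 held by: $(device_holders /proc /dev/tpm0 | tr '\n' ' ')"
fi
```

If the backend prints "none" while a PID holds /dev/tpm0, the TPM is claimed by user space and no kernel driver is feeding /dev/hwrng, which matches the symptoms in the post.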