I have a server that I want to use to test Libreswan VPN software. This
requires a lot of entropy (for random number generation).
Unfortunately, the box, a Dell, has a processor with no RdRand
instruction. But it does have a TPM 1.2 module, and that is supposed to
be able to generate entropy.
I don't know how to get the TPM to feed entropy to the Linux kernel RNG.
Is there a cookbook explaining how to do this?
I installed Trousers to handle the TPM device. That provides "tcsd",
the daemon that manages "Trusted Computing resources" (including TPM).
I installed tpm_tools.
I initialized the TPM with
tpm_takeownership -y -z
rngd is the daemon that is supposed to feed hardware entropy to the
kernel RNG. It is part of the rng-tools package. I would have
thought that enabling the TPM would allow rngd to harvest entropy from
the TPM. That does not seem to be the case.
rngd can open /dev/tpm0 but cannot read from it. (This isn't obvious
since rngd's diagnostics are not very specific.)
I think that the problem is that only one thing is allowed to open the
TPM at once, and that one thing is currently something else. Probably tcsd.
Here's a closed bugzilla against RHEL7 that seems relevant:
<https://bugzilla.redhat.com/show_bug.cgi?id=921122>
My problem certainly isn't the same. tcsd seems to be running and
happy. Compare this with what Steve Grubb said in Comment 5.
[build@bluebird ~]$ systemctl status tcsd
● tcsd.service - TCG Core Services Daemon
Loaded: loaded (/usr/lib/systemd/system/tcsd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2016-05-17 13:09:28 EDT; 1h 13min ago
Process: 798 ExecStart=/sbin/tcsd (code=exited, status=0/SUCCESS)
Main PID: 838 (tcsd)
CGroup: /system.slice/tcsd.service
└─838 /sbin/tcsd
May 17 13:09:27 bluebird.mimosa.com systemd[1]: Starting TCG Core Services Daemon...
May 17 13:09:28 bluebird.mimosa.com tcsd[798]: TCSD TDDL[798]: TrouSerS ioctl: (25) Inappropriate ioctl for device
May 17 13:09:28 bluebird.mimosa.com tcsd[798]: TCSD TDDL[798]: TrouSerS Falling back to Read/Write device support.
May 17 13:09:28 bluebird.mimosa.com systemd[1]: Started TCG Core Services Daemon.
May 17 13:09:28 bluebird.mimosa.com TCSD[838]: TrouSerS trousers 0.3.13: TCSD up and running.
[build@bluebird ~]$
But rngd is neither running nor happy:
[build@bluebird ~]$ systemctl status rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Tue 2016-05-17 13:09:28 EDT; 1h 17min ago
Process: 751 ExecStart=/sbin/rngd -f (code=exited, status=0/SUCCESS)
Main PID: 751 (code=exited, status=0/SUCCESS)
May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
May 17 13:09:28 bluebird.mimosa.com rngd[751]: No entropy sources working, exiting rngd
[build@bluebird ~]$
(The read errors are from trying to read /dev/hwrng. The error code is for "No such device".)
Here's a run of a version of rngd that I instrumented:
[build@bluebird ~]$ sudo ./rngd -f -v -r /dev/NOTHING
Unable to open file /dev/tpm0: Device or resource busy
can't open any entropy source
Maybe RNG device modules are not loaded
[build@bluebird ~]$
-f: don't daemonize
-v: verbose
-r /dev/NOTHING: replace /dev/hwrng with a meaningless path to prevent using it.
According to this old page <https://fedoraproject.org/wiki/Features/rngd_default_on>:
Note that when using TPM, rngd currently conflicts with tcsd
from TrouSerS. The solution to that is a kernel module which
is probably going to be merged upstream in the 3.7 kernel, as
it unfortunately missed the 3.6 merge window; however, it is a
small patchset and it can be trivially backported. It should
be in James Morris' linux-security git tree shortly; otherwise
search for Kent Yoder on LKML.
I don't know what that module is, whether my system has it, and if so,
whether it is actually loaded. There are two loaded modules with tpm in their name:
tpm_tis 20480 0 - Live 0xffffffffa033b000
tpm 40960 2 tpm_tis, Live 0xffffffffa0104000
It is even possible that the TPM is being used now. Monitoring
/proc/sys/kernel/random/entropy_avail seems to show more entropy than
I observed yesterday. But it isn't enough for what I'm trying to do.
--
users mailing list
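Added example, not part of the post above: a read-only POSIX sh check of the three things that decide whether rngd can get anything from /dev/hwrng, namely which hwrng backend the kernel has registered (sysfs rng_current reads "none" when nothing is registered, which is the condition behind a "No such device" read error on /dev/hwrng), whether the tpm core module is loaded without a companion hwrng module, and the input pool's entropy estimate. It takes a root prefix so it can run against a constructed tree; the standard procfs/sysfs paths, the module name tpm_rng (the hwrng driver that entered Linux 3.7, which I take to be the module the quoted wiki text refers to) and the 1000-bit "low pool" line are my assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Assumed: standard Linux
# procfs/sysfs paths; "tpm_rng" as the hwrng module name; 1000 as a "low pool" line.

# First line of a file, or a default when it is missing or unreadable.
first_line_or() {
    if [ -r "$1" ]; then head -n 1 "$1"; else printf '%s\n' "$2"; fi
}

# Backend wired to /dev/hwrng; the kernel reports "none" when nothing is registered.
hwrng_current() { first_line_or "$1/sys/class/misc/hw_random/rng_current" none; }

# Kernel's current entropy estimate for the input pool.
entropy_avail() { first_line_or "$1/proc/sys/kernel/random/entropy_avail" 0; }

# Succeeds when module $2 appears in $1/proc/modules (exact name, first field).
module_loaded() { grep -q "^$2 " "$1/proc/modules" 2>/dev/null; }

# One-line verdict for the tree rooted at $1 ("" means the live system).
diagnose() {
    root="${1:-}"
    backend=$(hwrng_current "$root")
    if [ "$backend" = none ]; then
        if module_loaded "$root" tpm && ! module_loaded "$root" tpm_rng; then
            echo "no hwrng backend: tpm loaded but no tpm_rng, so /dev/hwrng has no device"
        else
            echo "no hwrng backend registered: rngd reads of /dev/hwrng will fail"
        fi
    elif [ "$(entropy_avail "$root")" -lt 1000 ]; then
        echo "hwrng backend '$backend' registered but the pool is low"
    else
        echo "hwrng backend '$backend' registered and the pool is healthy"
    fi
}

# Constructed tree mirroring the post: tpm and tpm_tis loaded, no hwrng backend.
demo=$(mktemp -d)
mkdir -p "$demo/proc/sys/kernel/random" "$demo/sys/class/misc/hw_random"
printf 'tpm_tis 20480 0 - Live 0x0\ntpm 40960 2 tpm_tis, Live 0x0\n' > "$demo/proc/modules"
printf 'none\n' > "$demo/sys/class/misc/hw_random/rng_current"
printf '130\n' > "$demo/proc/sys/kernel/random/entropy_avail"
diagnose "$demo"
rm -rf "$demo"
```

Run `diagnose` with no argument (or an empty string) to check the live machine instead of the constructed tree.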