How to enable the random number generator daemon (rngd) to take advantage of entropy provided by RDRAND?

Solution In Progress - Updated

Environment

  • Red Hat Enterprise Linux 6.4

  • rngd

Issue

  • How can the FIPS 140-2 test in rngd be disabled or enabled for a particular period of time?

  • Even after the source has been marked as ignored (i), why do the error messages below repeatedly appear in the /var/log/messages file?

Jun 30 23:00:23  rngd: too many FIPS failures, disabling entropy source
Jul  1 10:45:19  rngd: failed fips test
Jul  1 14:54:46  rngd: failed fips test
Jul  2 03:38:06  rngd: too many FIPS failures, disabling entropy source
Jul  2 03:38:06  rngd: No entropy sources working, exiting rngd

Resolution

  • rngd is a daemon that checks random data read from a hardware device and feeds it to the kernel random device.

  • Before it feeds the random data to the kernel, rngd first runs the FIPS 140-2 statistical tests to check whether the data from the input random source is sufficiently random in the statistical sense. If a test fails, rngd logs a message such as "failed fips test", waits 1 second, reads new data from the input random source and tests it again. It continues this loop until the data passes the tests.

  • The reason for this behaviour is that it is not unlikely that, at some point during normal operation, the tests will fail. This does not necessarily mean the system is not operating properly; a failed test is simply a statistically rare event.
    In that case the input random source should not be disabled forever: it is left disabled only until the tests are rerun and passed.

  • The remaining issue is still being analysed by the Red Hat engineering team; see private Bugzilla 833620.
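To make the check described above concrete, the following is an added illustration (not code from rngd or Red Hat) of the FIPS 140-2 power-up tests on one 20000-bit block, followed by a loop that mimics how rngd retries after a failed block and gives up after too many failures in a row. The thresholds are the FIPS 140-2 values as assumed here; the failure limit and the reset of the counter on a passing block are assumptions for the illustration.

```python
# FIPS 140-2 statistical tests on one 20000-bit block, as run by rngd before it
# feeds data to the kernel. Thresholds are FIPS 140-2 values, assumed here.
BLOCK_BYTES = 2500
RUN_BOUNDS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}  # 6 means ">= 6"

def fips_140_2_tests(block):
    """Return the names of the FIPS 140-2 tests this 2500-byte block fails."""
    assert len(block) == BLOCK_BYTES, "tests need exactly 20000 bits"
    bits = [(b >> i) & 1 for b in block for i in range(8)]  # LSB first
    failed = []
    # Monobit: the number of 1 bits must satisfy 9725 < n < 10275.
    if not 9725 < sum(bits) < 10275:
        failed.append("monobit")
    # Poker: 5000 nibbles, X = 16/5000 * sum(f_i^2) - 5000, 2.16 < X < 46.17.
    freq = [0] * 16
    for i in range(0, len(bits), 4):
        freq[bits[i] | bits[i+1] << 1 | bits[i+2] << 2 | bits[i+3] << 3] += 1
    if not 2.16 < 16 / 5000 * sum(f * f for f in freq) - 5000 < 46.17:
        failed.append("poker")
    # Runs: count maximal runs of 0s and 1s per length (bin 6 = "6 or more").
    runs, longest, start = {0: [0] * 7, 1: [0] * 7}, 0, 0
    for pos in range(1, len(bits) + 1):
        if pos == len(bits) or bits[pos] != bits[start]:
            length = pos - start
            runs[bits[start]][min(length, 6)] += 1
            longest = max(longest, length)
            start = pos
    for value in (0, 1):
        for length, (lo, hi) in RUN_BOUNDS.items():
            if not lo <= runs[value][length] <= hi:
                failed.append("runs-%d-%d" % (value, length))
    if longest >= 26:  # long run test: no run of 26 or more identical bits
        failed.append("longrun")
    return failed

def feed_loop(blocks, max_failures):
    """Mimic rngd: log failed blocks, retry, disable after too many in a row."""
    failures, log = 0, []
    for block in blocks:
        if fips_140_2_tests(block):
            failures += 1
            log.append("failed fips test")
            if failures >= max_failures:
                log.append("too many FIPS failures, disabling entropy source")
                break
        else:
            failures = 0  # assumption: a passing block clears the failure count
            log.append("fed %d bytes to the kernel" % len(block))
    return log
```

Running fips_140_2_tests on os.urandom(2500) passes almost every time but not always, which is exactly the rare statistical failure the article describes; a constant block (bytes(2500)) fails every test.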

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
