Changelog:
===========
- mix data fed to the kernel byte-wise from multiple sources
- added option to attempt more persistent use of slow entropy sources
- fix some missing m4 quotes
- improved debug output to show FIPS failures more clearly
- added a named pipe entropy source
- adjusted linux poolsize
- fixed some pkcs11 error messages
- fixed ignorefail and random_step options
(From OE-Core rev: 51f15cde22d3caf77778750f122b94a7cd0fe508)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since we want to be able to stop unpacking to WORKDIR, correct the WORKDIR
references in recipe do_compile/do_install tasks to use UNPACKDIR in the
appropraite places instead.
(From OE-Core rev: d73595df69667fe9d12ecd407b77a0b8dae2109c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This reverts commit d2b445384d.
Revert this commit since:
- some systems using oe-core master may still be using kernels from
before 5.6 pulled in the rng-tools algorithm, and
- some hardware platforms may not have a hardware random number generator
and could therefore need to run rngd to avoid long boot-time initialization
due to a depleted entropy pool.
(From OE-Core rev: 828afafb3bff54079fcba9bdab2ec87ac13e4ce6)
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Nothing in oe-core depends on rng-tools anymore:
e7e1bc43ca rng-tools: splitting the rng-tools systemd/sysvinit serivce as a package
so move it to meta-oe for people who still want to run rngd
as a service for some reason or for those who want to run rng-test.
(From OE-Core rev: 9a651e5bc2492cf864261e8f17e4cbe34d6d48ce)
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This package used to use libsysfs, but has been modified to read
the /sys file system directly. This build dependency is no longer
needed.
(From OE-Core rev: 9ee39dd1d505f787e7bf4e3aa2b527f17c3a78cd)
Signed-off-by: david d zuhn <david.zuhn@sonos.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Delete dependency on dev-hwrng.device and systemd-udev-settle services
as they can be troublesome because difference devices may have different
devices to detect resulting in delayed boot.
do not run if included in a container image
Add EXTRA_ARGS via /etc/default/rng-tools e.g. if your device has
hw RNG then something like this
EXTRA_ARGS="-r /dev/hwrng"
You can also use drop-ins for enhacing systemd unit file from machine
layer via a bbappend and adding a fragment to systemd
/etc/systemd/system/rng-tools.service.d/10-hwrng.conf
where you can add
[Unit]
Requires=dev-hwrng.device
After=dev-hwrng.device
(From OE-Core rev: ab73f6e8efb97682441f012c41d35a549e899cce)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The systemd-udev-settle service is listed as obsolete and does in
some cases result in a significant boot time. Replace that with a
specific wait for the random source hardware device to be loaded.
Before this change:
Startup finished in 4.025s (kernel) + 2min 13.236s (userspace) = 2min 17.262s
multi-user.target reached after 2min 8.153s in userspace
After this change:
Startup finished in 3.956s (kernel) + 13.294s (userspace) = 17.250s
multi-user.target reached after 9.522s in userspace
(From OE-Core rev: d43e283d749ddd8fd6722411d051f0e505054c6f)
Signed-off-by: Drew Moseley <drew@moseleynet.net>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
do_compile error :
| ../git/rngd_jitter.c: In function 'rngd_notime_start':
| ../git/rngd_jitter.c:56:45: error: invalid use of undefined type 'struct jent_notime_ctx'
| 56 | ret = -pthread_attr_init(&thread_ctx->notime_pthread_attr);
enable macro JENT_CONF_ENABLE_INTERNAL_TIMER to use struct jent_notime_ctx
(From OE-Core rev: e9fac3b6d32262e489992b116275d3eabcc35b4a)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0001-Adding-ability-to-detect-non-posix-extensions-for-pt.patch
0002-Allow-for-use-of-either-pthread-affinity-set-methods.patch
removed since they're included in 6.15.
Changelog:
=========
Adjust rngtests for better behavior in travis
fix use of non-posix setaffinity call to allow building on strict posix (musl) systems
Add armv6l to list of detected arches for pkcs11
misc fixes to allow building on libc-musl
fix a deadlock in jitter shutdown sequence
minor warning fixups (unused variables)
improve cpu detection code
improve jitter cpu monopolization on small/single cpu systems
(From OE-Core rev: 63b1c5ccd178fdd6f8af1d1b9f7fab529b1746e9)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is uncertainty about the default branch name in git going forward.
To try and cover the different possible outcomes, add branch names to all
git:// and gitsm:// SRC_URI entries.
This update was made with the script added to contrib in this patch which
aims to help others convert other layers.
(From OE-Core rev: b51c405faf6f8c0365f7533bfaf470d79152a463)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
rngd needs to start after `systemd-udev-settle` in order for the kernel
modules of the random source hardware to be loaded before it is started.
However, since the `rngd.service` does not require or want
`systemd-udev-settle.service` it might not be scheduled for start and
the `After=systemd-udev-settle.service` there has no effect.
Adding `Wants=systemd-udev-settle.service` provides a weak requirement
to it, so that the `rngd` is started after it, if possible.
(From OE-Core rev: e9715d4234eb7b45dee8b323799014646f0a1b07)
Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Debug logs were only controlled by --debug flag while in --foreground mode.
In --daemon mode (the default for us) /var/log/message got stuffed with
details of entropy pool refilling, which is useless in production, and
hamful when log rotation then gets rid of the more useful logs.
This change makes the two modes consistently only produce debug logs when
--debug is specified.
(From OE-Core rev: 914526868656fd279b13ba8e4d721d27cb2a8792)
Signed-off-by: Yann Dirson <yann@blade-group.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Whilst rngd has to run as root, we can significantly constrain its
permissions (network is only required if nistbeacon is enabled).
(From OE-Core rev: 3ed70b755d0b60e61e0871f8b0cca2e2ab5e13f9)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
rngd.service has a constraint of Before=sysinit.target, installing as
part of multi-user.target is an odd choice as unless it's pulled in by a
different dependency, an other target would not start it.
(From OE-Core rev: eeb1e236dab087b7565dbbf6979e2b4c03e56e91)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It do make sense to start rngd early in the boot process because
otherwise we would need to track every service that might need entropy
and explicitly configure it to start after rngd.
When used with systemd rngd blocked the shutdown process because it
simply missed the proper unit configuration. As the systemd
documentation explains, when using DefaultDependencies=no one also
have to explicitly configure the unit to properly stop at some point.
This is normaly achieved by having Before=shutdown.target and
Conflicts=shutdown.target set for the unit.
To have rngd started early again we reverte the changes done to
rngd.service in commit edf7606822 (rng-tools: fix rngd blocks system
shutdown). To have it properly stopped on shutdown we also add
Before=shutdown.target and Conflicts=shutdown.target.
(From OE-Core rev: a74e7df33e2c8ab2152e3217c0a5df3f65971713)
Signed-off-by: Alban Bedel <alban.bedel@aerq.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
fix-rngd-fail-to-stop.patch is added to fix rngd blocks system shutdown
issue. But it causes rngd doesn't release CPU and causes 100% CPU
usage, so drop it.
The block shutdown issue is caused by comit [7cb64b9fe1 rng-tools: start
earlier in the boot process] which updated rngd.service. Revert the
modification of rngd.service.
Update sed expressions in do_install as well which fails to replace
second match in one line.
(From OE-Core rev: edf760682270de36850407c860bea5aea29e30bc)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade rng-tools from 6.6 to latest commit 9fc873c which 26 commits
beyond release 6.7:
$ git describe 9fc873c5af0e39263
v6.7-26-g9fc873c
Because it includes some critical fixes such as configure fails and
'Import yocto fixes for 6.6'.
* remove local patches that all are merged by upstream
* backport patch to fix rngd fails to stop issue
* add PACKAGECONFIG libp11
(From OE-Core rev: 3e09c8b5b6517da97a9ec0ce5deb4ba1b066d19b)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
this commit will permit to read the option from
/etc/default/rng-tools both from systemd and sysvinit unit file.
(From OE-Core rev: 16ced1a253c74c01ca414db2f1a010c083213b91)
Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Downloading your randomness directly from the US government
is a rare usecase but adds heavy dependencies.
Make it optional and non-default.
(From OE-Core rev: aecf7673095b2338ae4617900e8300b9601ca483)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
PACKAGECONFIG[libgcrypt] already adds it when necessary.
(From OE-Core rev: 6417d29ece333ee2b78e6e723201336cc17c41f6)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Fix typo of `--disable-jitterntropy' in both of PACKAGECONFIG and configure --help
- Enable jitterntropy for musl
(From OE-Core rev: c3b96aaa40413d66d8fc4252235e6fa27dd8db53)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since commit [f1dc9ac rng-tools: Fix crazy defaults] fixed
init based on sysvinit, this fix rngd.service based on systemd.
(From OE-Core rev: 078630b7bf8599ea2b3717ce33d2da0f7f26b0e2)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Entropy is needed earlier in the boot process in some cases, for example
connman can require it, and rgd doesn't require much, so move it earlier
in the boot process, 03 for sysvinit, and before sysinit for systemd.
(From OE-Core rev: 31c9b42aaeef3ad66e05e51b8209e87f2a22f091)
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This was added as the recipe didn't inherit systemd, but it does inherit
systemd now.
(From OE-Core rev: c70b70f045a5ccf62b19060f3438b38d9914e9a2)
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Feeding the output of /dev/urandom into /dev/random is pretty much insane
and not something we should encourage.
I can't really imagine a scenario where this would be a sensible idea since
/dev/urandom if effectively derived from /dev/random.
This changes the tool to default to /dev/hwrng which makes much more sense,
feeding hardware entropy into the random pool. In the QEMU case, this will
feed entropy from the host into the guests which is also what we want.
Yes, this change will cause rngd not to start if /dev/hwrng isn't present,
but it isn't needed if that isn't so I don't see this as a bad thing.
(https://wiki.archlinux.org/index.php/Rng-tools has a section in red which
agrees with the above, "this is a really bad idea, since you are simple
filling the kernel entropy pool with entropy coming from the kernel itself!")
(From OE-Core rev: f1dc9ac46710814c27cae2d22e79c84a9522993a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This adds or fixes the Upstream-Status for all remaining patches missing it
in OE-Core.
(From OE-Core rev: 563cab8e823c3fde8ae4785ceaf4d68a5d3e25df)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix a variety of spelling and format mistakes to improve the ease of reading the
tags programatically.
(From OE-Core rev: 6e1aaf80b0d951b48cd25cb7161ec19448295094)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
uclibc support was removed a while ago and musl works much better. Start to
remove the various overrides and patches related to uclibc which are no longer
needed.
uclibc support in a layer would still be possible. I have strong reasons to
believe nobody is still using uclibc since patches are missing and I doubt
the metadata even parses anymore.
(From OE-Core rev: 653704e9cf325cb494eb23facca19e9f05132ffd)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When testing core-image-sato with hardening flags, it fails with
SIGSEGV in libc.so during relocation time
This is due to relocations in .text [textrel]
build QA points it out clearly during qemux86 build as well
AssertionError: 2 != 0 : Log: /mnt/a/oe/build/tmp/work/qemux86-bec-linux-musl/core-image-sato/1.0-r0/dmesg_output.log
-----------------------
Central error: [ 19.043597] rngd[525]: segfault at 80098bb7 ip b77b14fc sp bfe9b380 error 7 in libc.so[b774c000+97000]
(From OE-Core rev: 5770cd5bee1c9ad3025435426361f0e407d43ef8)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When using systemd as init rng-tools is causing a circular dependency
between units,
[ 7.706250] systemd[1]: basic.target: Found ordering cycle on
basic.target/start
[ 7.706934] systemd[1]: basic.target: Found dependency on
sysinit.target/start
[ 7.707795] systemd[1]: basic.target: Found dependency on
rng-tools.service/start
[ 7.708692] systemd[1]: basic.target: Found dependency on
basic.target/start
[ 7.709461] systemd[1]: basic.target: Breaking ordering cycle by
deleting job rng-tools.service/start
[ 7.710404] systemd[1]: rng-tools.service: Job rng-tools.service/start
deleted to break ordering cycle starting with basic.target/start
The problem is related to systemd running sysvinit scripts by default
add dependency of basic.target for sysvinit script so when sysvscript
is at rcS is added also as dependency of sysinit.target causing a
cirular dependency in this case: basic.target -> sysinit.target ->
rng-tools.service -> basic.target.
(From OE-Core rev: e3fc8ef152494e9b7cff8de110a784150295f17e)
Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
