...
Description of problem:
rngd.service fails to start with FIPS enabled.

Version-Release number of selected component (if applicable):
RHEL8.8
rng-tools 6.15-3.el8

How reproducible:

    fips-mode-setup --check
    FIPS mode is enabled.

    systemctl restart rngd.service
    systemctl status rngd.service
    ● rngd.service - Hardware RNG Entropy Gatherer Daemon
       Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
       Active: inactive (dead) since Wed 2023-05-17 19:22:15 UTC; 6min ago
    Condition: start condition failed at Wed 2023-05-17 19:28:26 UTC; 2s ago
               └─ ConditionKernelCommandLine=!fips=1 was not met
     Main PID: 231 (code=exited, status=0/SUCCESS)

    May 17 19:22:05 localhost rngd[231]: [rdrand]: Enabling RDRAND rng support
    May 17 19:22:05 localhost rngd[231]: [rdrand]: Initialized
    May 17 19:22:05 localhost rngd[231]: [jitter]: JITTER timeout set to 5 sec
    May 17 19:22:05 localhost rngd[231]: [jitter]: Initializing AES buffer
    May 17 19:22:09 localhost rngd[231]: [jitter]: Unable to obtain AES key, disabling JITTER source
    May 17 19:22:09 localhost rngd[231]: [jitter]: Initialization Failed
    May 17 19:22:15 localhost rngd[231]: [rdrand]: Shutting down
    May 17 19:22:15 localhost systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon...
    May 17 19:22:15 localhost systemd[1]: rngd.service: Succeeded.
    May 17 19:22:15 localhost systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon.

Steps to Reproduce:
1. Check and enable FIPS, then reboot:

    fips-mode-setup --check
    Installation of FIPS modules is not completed.
    FIPS mode is disabled.

    fips-mode-setup --enable
    Kernel initramdisks are being regenerated. This might take some time.
    Setting system policy to FIPS
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies
    to fully take place.

    FIPS mode will be enabled.
    Please reboot the system for the setting to take effect.

    shutdown -r now

2. Check that FIPS mode is enabled after the reboot:

    fips-mode-setup --check
    FIPS mode is enabled.

3. Install rng-tools:

    dnf install rng-tools

4. Start rngd.service:

    systemctl start rngd.service

5. Check the status of rngd.service:

    systemctl status rngd.service
    ● rngd.service - Hardware RNG Entropy Gatherer Daemon
       Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
       Active: inactive (dead) since Wed 2023-05-17 19:22:15 UTC; 6min ago
    Condition: start condition failed at Wed 2023-05-17 19:28:26 UTC; 2s ago
               └─ ConditionKernelCommandLine=!fips=1 was not met
     Main PID: 231 (code=exited, status=0/SUCCESS)

    May 17 19:22:05 localhost rngd[231]: [rdrand]: Enabling RDRAND rng support
    May 17 19:22:05 localhost rngd[231]: [rdrand]: Initialized
    May 17 19:22:05 localhost rngd[231]: [jitter]: JITTER timeout set to 5 sec
    May 17 19:22:05 localhost rngd[231]: [jitter]: Initializing AES buffer
    May 17 19:22:09 localhost rngd[231]: [jitter]: Unable to obtain AES key, disabling JITTER source
    May 17 19:22:09 localhost rngd[231]: [jitter]: Initialization Failed
    May 17 19:22:15 localhost rngd[231]: [rdrand]: Shutting down
    May 17 19:22:15 localhost systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon...
    May 17 19:22:15 localhost systemd[1]: rngd.service: Succeeded.
    May 17 19:22:15 localhost systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon.

Actual results:
rngd.service fails to start when FIPS is enabled.

Expected results:
rngd.service starts normally with FIPS enabled.

Additional info:
I've noticed a new condition, "ConditionKernelCommandLine=!fips=1", added to the "/usr/lib/systemd/system/rngd.service" file. If I remove that line from the file, the service starts normally. Is there a reason that this condition was added for FIPS?
Done-Errata
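The "start condition failed" in the report is systemd evaluating the unit's ConditionKernelCommandLine=!fips=1 against /proc/cmdline. The following script is an added example, not part of the bug report or of rng-tools: it reimplements that check with the semantics documented in systemd.unit(5) (a bare word matches a token or the key of a key=value token, a key=value argument matches only the exact token, a leading "!" negates), so the outcome for rngd.service can be predicted from any command line string. The sample command lines are constructed, not copied from the reporter's host.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report or rng-tools): evaluate a systemd
# ConditionKernelCommandLine= expression against a kernel command line.
#
# Semantics per systemd.unit(5):
#   - bare word   : met if the word is a token, or the key of a key=value token
#   - key=value   : met only if that exact token is present
#   - leading "!" : negates the result

# condition_kernel_cmdline CONDITION CMDLINE
# Returns 0 when CONDITION is met for CMDLINE, 1 when it is not.
condition_kernel_cmdline() {
    local cond="$1" cmdline="$2" negate=0 found=1 tok
    case "$cond" in
        '!'*) negate=1; cond="${cond#!}" ;;
    esac
    for tok in $cmdline; do                 # intentional word splitting on whitespace
        if [ "$tok" = "$cond" ]; then
            found=0; break                  # exact token match
        fi
        case "$cond" in
            *=*) ;;                         # key=value form: exact match only
            *)   if [ "${tok%%=*}" = "$cond" ]; then
                     found=0; break         # bare word matched a key
                 fi ;;
        esac
    done
    if [ "$negate" -eq 1 ]; then
        found=$((1 - found))                # flip met/not-met for "!"
    fi
    return "$found"
}

# The condition quoted in the report from /usr/lib/systemd/system/rngd.service.
RNGD_CONDITION='!fips=1'

# rngd_start_verdict CMDLINE -> prints "allowed" or "blocked"
rngd_start_verdict() {
    if condition_kernel_cmdline "$RNGD_CONDITION" "$1"; then
        echo allowed
    else
        echo blocked
    fi
}

# Constructed sample command lines for illustration (not the reporter's machine).
CMDLINE_FIPS='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro crashkernel=auto fips=1 boot=UUID=0000-0000'
CMDLINE_NOFIPS='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro crashkernel=auto'

main() {
    local cmdline
    if [ -r /proc/cmdline ]; then
        cmdline=$(cat /proc/cmdline)
        echo "this host:   rngd.service would be $(rngd_start_verdict "$cmdline")"
    fi
    echo "fips=1 set:  rngd.service would be $(rngd_start_verdict "$CMDLINE_FIPS")"
    echo "fips unset:  rngd.service would be $(rngd_start_verdict "$CMDLINE_NOFIPS")"
}

main "$@"
```

On a live host the same answer is available from systemd itself with `systemctl show -p ConditionResult rngd.service` and `systemctl cat rngd.service`. If the condition has to be overridden, the supported mechanism is a drop-in (`systemctl edit rngd.service`) containing an empty `ConditionKernelCommandLine=` assignment, which resets the condition list, rather than editing the vendor unit under /usr/lib/systemd/system, which the next rng-tools update overwrites. Since the report shows the package added the condition deliberately, lifting it on a FIPS host is a policy decision, not just a fix.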