View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005380 | Cloud | General | public | 2024-01-16 14:56 | 2024-01-16 14:56 |
Reporter | David T | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | ||
Summary | 0005380: rngd.service fails on general purpose Graviton instances | ||||
Description | Due to the lack of the RNDR instruction and insufficient entropy in the early boot stage, rngd fails to generate the random bits required to set up the CPRNG engine. AWS Linux solves this issue by restarting rngd.service again. Interesting thing is, rngd starts after systemd-random-seed.service finishes starting up. There's still no entropy for rngd to use even after the device is fed with the saved entropy from the last boot (plot attached). Without a HW RNG, the random device depends entirely on system jitter anyways. So ideally, AWS should expose RNDR on general purpose instances like RDRAND is exposed for Intel or AMD general purpose instances. In the meantime, what could be done on our end? | ||||
Steps To Reproduce | Fire up a general purpose instance e.g. t4g.small. rngd fails to start. | ||||
Additional Information | t4g

```
× rngd.service - Hardware RNG Entropy Gatherer Daemon
     Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Tue 2024-01-16 13:50:43 UTC; 21s ago
   Duration: 4.216s
    Process: 622 ExecStart=/usr/sbin/rngd -f $RNGD_ARGS (code=exited, status=1/FAILURE)
   Main PID: 622 (code=exited, status=1/FAILURE)
        CPU: 5.284s

Jan 16 13:50:38 ec2imds.d.snart.me rngd[622]: [rndr ]: Initialization Failed
Jan 16 13:50:38 ec2imds.d.snart.me rngd[622]: [jitter]: JITTER timeout set to 5 sec
Jan 16 13:50:38 ec2imds.d.snart.me rngd[622]: [jitter]: Initializing AES buffer
Jan 16 13:50:43 ec2imds.d.snart.me rngd[622]: [jitter]: Unable to obtain AES key, disabling JITTER source
Jan 16 13:50:43 ec2imds.d.snart.me rngd[622]: [jitter]: Initialization Failed
Jan 16 13:50:43 ec2imds.d.snart.me rngd[622]: Can't open any entropy source
Jan 16 13:50:43 ec2imds.d.snart.me rngd[622]: Maybe RNG device modules are not loaded
Jan 16 13:50:43 ec2imds.d.snart.me systemd[1]: rngd.service: Main process exited, code=exited, status=1/FAILURE
Jan 16 13:50:43 ec2imds.d.snart.me systemd[1]: rngd.service: Failed with result 'exit-code'.
Jan 16 13:50:43 ec2imds.d.snart.me systemd[1]: rngd.service: Consumed 5.284s CPU time.
```

c7g for reference. No complaints with RNDR.

```
● rngd.service - Hardware RNG Entropy Gatherer Daemon
     Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; preset: enabled)
     Active: active (running) since Tue 2024-01-16 13:31:49 UTC; 29s ago
   Main PID: 715 (rngd)
      Tasks: 1 (limit: 9749)
     Memory: 1.9M
        CPU: 2.397s
     CGroup: /system.slice/rngd.service
             └─715 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon

Jan 16 13:31:49 localhost rngd[715]: Disabling 9: Qrypt quantum entropy beacon (qrypt)
Jan 16 13:31:49 localhost rngd[715]: Initializing available sources
Jan 16 13:31:49 localhost rngd[715]: [hwrng ]: Initialization Failed
Jan 16 13:31:49 localhost rngd[715]: [rndr ]: Enabling aarch64 RNDR rng support
Jan 16 13:31:49 localhost rngd[715]: [rndr ]: Initialized
Jan 16 13:31:49 localhost rngd[715]: [jitter]: JITTER timeout set to 5 sec
Jan 16 13:31:49 localhost rngd[715]: [jitter]: Initializing AES buffer
Jan 16 13:31:54 ip-10-128-77-230.ap-northeast-2.compute.internal rngd[715]: [jitter]: Unable to obtain >
Jan 16 13:31:54 ip-10-128-77-230.ap-northeast-2.compute.internal rngd[715]: [jitter]: Initialization Fa>
Jan 16 13:31:54 ip-10-128-77-230.ap-northeast-2.compute.internal rngd[715]: Process privileges have bee>
```

Amazon Linux on t4g. Sneakily starts rngd twice.

```
Jan 16 13:35:57 localhost rngd[320]: Initializing available sources
Jan 16 13:35:57 localhost rngd[320]: [hwrng ]: Initialization Failed
Jan 16 13:35:57 localhost rngd[320]: [rndr ]: No HW SUPPORT
Jan 16 13:35:57 localhost rngd[320]: [rndr ]: Initialization Failed
Jan 16 13:35:57 localhost rngd[320]: [jitter]: Initializing AES buffer
Jan 16 13:35:58 localhost systemd[1]: Stopping rngd.service - Hardware RNG Entropy Gatherer Daemon...
Jan 16 13:35:58 localhost systemd[1]: rngd.service: Deactivated successfully.
Jan 16 13:35:58 localhost systemd[1]: Stopped rngd.service - Hardware RNG Entropy Gatherer Daemon.
Jan 16 13:35:58 localhost systemd[1]: rngd.service: Consumed 1.400s CPU time.
Jan 16 13:36:01 localhost systemd[1]: Started rngd.service - Hardware RNG Entropy Gatherer Daemon.
Jan 16 13:36:02 localhost rngd[1430]: Disabling 7: PKCS11 Entropy generator (pkcs11)
Jan 16 13:36:02 localhost rngd[1430]: Disabling 5: NIST Network Entropy Beacon (nist)
Jan 16 13:36:02 localhost rngd[1430]: Initializing available sources
Jan 16 13:36:02 localhost rngd[1430]: [hwrng ]: Initialization Failed
Jan 16 13:36:02 localhost rngd[1430]: [rndr ]: No HW SUPPORT
Jan 16 13:36:02 localhost rngd[1430]: [rndr ]: Initialization Failed
Jan 16 13:36:02 localhost rngd[1430]: [jitter]: Initializing AES buffer
Jan 16 13:36:07 ip-10-128-96-35.ap-northeast-2.compute.internal rngd[1430]: [jitter]: Enabling JITTER rng support
Jan 16 13:36:07 ip-10-128-96-35.ap-northeast-2.compute.internal rngd[1430]: [jitter]: Initialized
```

t4g CPU flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp ssbs

c7g CPU flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 sm3 sm4 asimddp sha512 sve asimdfhm dit uscat ilrcpc flagm ssbs dcpodp svei8mm svebf16 i8mm bf16 dgh rng

rng is not exposed! | ||||
Tags | No tags attached. | ||||
Date Modified | Username | Field | Change |
---|---|---|---|
2024-01-16 14:56 | David T | New Issue |
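
Added example, not part of the original report or of rng-tools: a Python triage of rngd journal lines and the CPU flags string, separating a start where every entropy source failed from one where jitter came up after the restart. The function names are hypothetical; the sample lines and the flags string are abridged from the logs in this report.

```python
import re

# rngd journal line: "... rngd[PID]: message"; source lines look like "[rndr ]: Initialized".
RNGD = re.compile(r"rngd\[(\d+)\]: (.*)$")
SOURCE = re.compile(r"\[(\w+)\s*\]: (.*)$")

def has_rndr(features: str) -> bool:
    """True if the /proc/cpuinfo Features string lists the 'rng' flag (RNDR exposed)."""
    return "rng" in features.split()

def triage(journal: str) -> dict:
    """Group rngd messages by PID; record each source's init result and a fatal exit."""
    runs = {}
    for line in journal.splitlines():
        m = RNGD.search(line)
        if not m:
            continue  # systemd or unrelated line
        run = runs.setdefault(int(m.group(1)), {"sources": {}, "fatal": False})
        msg = m.group(2)
        if msg.startswith("Can't open any entropy source"):
            run["fatal"] = True
        s = SOURCE.match(msg)
        if s and s.group(2) in ("Initialized", "Initialization Failed"):
            run["sources"][s.group(1)] = s.group(2) == "Initialized"
    return runs

def usable(run: dict) -> bool:
    """A run is healthy when it did not bail out and at least one source initialized."""
    return not run["fatal"] and any(run["sources"].values())

# Sample input: lines abridged from the t4g logs in this report.
FAILED_BOOT = """\
Jan 16 13:50:38 ec2imds.d.snart.me rngd[622]: [rndr ]: Initialization Failed
Jan 16 13:50:43 ec2imds.d.snart.me rngd[622]: [jitter]: Unable to obtain AES key, disabling JITTER source
Jan 16 13:50:43 ec2imds.d.snart.me rngd[622]: [jitter]: Initialization Failed
Jan 16 13:50:43 ec2imds.d.snart.me rngd[622]: Can't open any entropy source
"""
RESTARTED = """\
Jan 16 13:36:02 localhost rngd[1430]: [rndr ]: Initialization Failed
Jan 16 13:36:07 ip-10-128-96-35.ap-northeast-2.compute.internal rngd[1430]: [jitter]: Initialized
"""
T4G_FLAGS = "fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp ssbs"

if __name__ == "__main__":
    print("RNDR exposed:", has_rndr(T4G_FLAGS))
    for name, log in (("first start", FAILED_BOOT), ("after restart", RESTARTED)):
        for pid, run in triage(log).items():
            print(name, pid, run["sources"], "usable" if usable(run) else "no entropy source")
```

On a live instance the inputs would be the output of `journalctl -u rngd` and the `Features` line of `/proc/cpuinfo`.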