Yes, thank you Marcy.  You are correct that SLES 12 had haveged and I see
the same with upgraded SLES12 servers to SLES15.  However a fresh install of
SLES15 does not install haveged.  This is fine until you upgrade to SP2.

I see that it seems that the new kernel crng expects to see a hardware TPM.

The bottom of this page:
https://wiki.archlinux.org/index.php/Random_number_generation  seems to
imply that haveged is not sufficient for 'generation of long-term
cryptographic keys'.

Discussions here: https://lwn.net/Articles/760121/ and here
https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.19-Boot-Time-RNG-Trust
seem to indicate you can use a kernel boot parameter to trust the
CPU, RANDOM_TRUST_CPU or random.trust_cpu={on,off}, but I am unable to get
this to make a difference.


-----Original Message-----
From: Linux on 390 Port <LINUX-390@VM.MARIST.EDU> On Behalf Of Marcy Cortes
Sent: Tuesday, December 15, 2020 2:31 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: SLES 15 SP2 kernel issue with random number generator (crng)

We have haveged on our sles 15 SP2 servers.  We didn't consciously put it
there :)   All of ours were upgrades from SP1, though.  So maybe that had
it?   We've not had any issues.


-----Original Message-----
From: Linux on 390 Port <LINUX-390@VM.MARIST.EDU> On Behalf Of Aria Bamdad
Sent: Tuesday, December 15, 2020 10:53 AM
To: LINUX-390@VM.MARIST.EDU
Subject: [LINUX-390] SLES 15 SP2 kernel issue with random number generator
(crng)

Hi,



At a point during SLES15 SP2 release, an update to the kernel switched to
the new crng random number generator.  This is causing the random number
generator to take 2 minutes on my system to generate enough entropy, causing
the message:   "kernel: random: crng init done" to appear about 2 minutes
after boot completes.  This results in anything that depends on random
number generation such as OpenSSL to fail at boot.  This includes the SSH,
Apache, etc.



Once the message is displayed, then you can manually start the services that
failed.  I have confirmed that this is related to random number entropy by
manually installing the 'haveged' daemon.  On SLES12, this daemon was
installed by default but is not on SLES15.  With haveged installed, the
problem goes away.  I am running on a z13s and z/VM.  I can find similar
complaints for the same problem on some other architectures.



I reported the problem to SUSE at the end of October but no resolution so far.
Is anyone else having this problem?   Is it safe to use haveged?



Thanks,

Aria


----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or
visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390
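
An added example, not part of the thread or of any SUSE tooling: a shell check for the symptom discussed above, reading the kernel log for the "random: crng init done" message and the kernel command line for random.trust_cpu. The function names, the 30-second limit and the sample log and command line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `journalctl -k -o short-monotonic` layout (not from the thread).
SAMPLE_LOG='[    0.412310] host1 kernel: random: get_random_bytes called from start_kernel with crng_init=0
[   14.902118] host1 kernel: random: sshd: uninitialized urandom read (32 bytes read)
[  131.774905] host1 kernel: random: crng init done'
# Constructed kernel command line (not from the thread).
SAMPLE_CMDLINE='root=/dev/dasda1 random.trust_cpu=on quiet'

# Read kernel log lines on stdin and print the monotonic timestamp (seconds)
# of the first "crng init done" message. Exit status 1 if it never appears.
crng_init_seconds() {
    sed -n 's/^\[ *\([0-9][0-9]*\.[0-9]*\)\].*random: crng init done.*/\1/p' |
        head -n 1 | grep .
}

# usage: crng_verdict LIMIT_SECONDS < kernel-log
# Prints "ok" (ready within the limit), "late" (ready after it) or
# "pending" (no init message yet, so early consumers of randomness may fail).
crng_verdict() {
    secs=$(crng_init_seconds) || { echo "pending"; return 0; }
    awk -v s="$secs" -v l="$1" \
        'BEGIN { if (s + 0 <= l + 0) print "ok"; else print "late" }'
}

# usage: trust_cpu_setting "KERNEL CMDLINE"
# Prints the value of random.trust_cpu= (last occurrence), or "unset".
trust_cpu_setting() {
    val="unset"
    for word in $1; do
        case "$word" in
            random.trust_cpu=*) val="${word#random.trust_cpu=}" ;;
        esac
    done
    echo "$val"
}

# Demo on the constructed sample.
echo "crng ready at: $(printf '%s\n' "$SAMPLE_LOG" | crng_init_seconds)s"
echo "verdict (30s limit): $(printf '%s\n' "$SAMPLE_LOG" | crng_verdict 30)"
echo "random.trust_cpu: $(trust_cpu_setting "$SAMPLE_CMDLINE")"

# On a live system the same functions take real input:
#   journalctl -k -b -o short-monotonic | crng_verdict 30
#   trust_cpu_setting "$(cat /proc/cmdline)"
```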
