Thank you Berthold. I am running on a z13s but I am saving up for a z15! No special crypto express hardware either other than CPACF that is standard. I will look into your suggestions. I am seeing this only on SLES15 SP2 later kernel. They recently changed random number generation within the kernel.

Thanks,
Aria

-----Original Message-----
From: Linux on 390 Port <LINUX-390@VM.MARIST.EDU> On Behalf Of Berthold Gunreben
Sent: Friday, December 18, 2020 12:26 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: SLES 15 SP2 kernel issue with random number generator (crng)

Hi Aria,

on what hardware do you operate? There are several possibilities to consider, the easiest would be if you have a z15, because there is an RNG in the CPU there. If you have an older machine with crypto express, there is also an RNG in there, but you would need a crypto domain to have that available to your guest.

To the question of why there is no rng-tools: the reason is that rng-tools would be a step backwards compared to what SUSE does. With rng-tools, you get a software RNG and a userland process that copies the produced random numbers to the entropy pool of the kernel. You might read more about this in

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/LinuxRNG/LinuxRNG_EN_V4_1.pdf

especially "3.9.2 Hardware Random Number Generator Framework".

With SUSE, the entropy pool of the kernel can be seeded by lots of different RNGs. You can even give those RNGs a specific trust, and tell how many bits you would trust to be really random. It also overcomes the need for a userspace process like rngd, and uses a kernel thread instead.

I would have to install SLES15 to reproduce (still have SLES12 running as well as Tumbleweed), but what you have to do to enable hardware RNGs is basically start the crypto services. This used to be z90crypt, with Tumbleweed, it is just the cryptsetup.target.

You can of course also enable the haveged service to get more entropy, however that is software based entropy from within virtualization, and that obviously does not have the same amount of real entropy as hardware.

One thing that I would check is if there is an entropy seed available at /var/lib/systemd/random-seed. This is used to have more randomness at startup.

Just for you to compare: On a z15, I get more than 300MB/s of entropy from the hardware RNG. You might try this as well:

    systemctl stop haveged
    dd if=/dev/random of=/dev/null bs=1k count=20000

Unfortunately it is hard to debug further or give more hints without more detail of the setup.

Hope that helped a bit.

Berthold

On Wed, 16 Dec 2020 10:30:09 -0500, Aria Bamdad <a...@bsc.gwu.edu> wrote:

> Thanks Neale. No, rng-tools is not an available package for SLES15.
> That's why I tried haveged which was what was installed on SLES12 and
> is still available for 15 but when you install 15 fresh, it does not
> install haveged. SUSE support says that engineering is working on
> the issue but that's been going on for a while.
>
> -----Original Message-----
> From: Linux on 390 Port <LINUX-390@VM.MARIST.EDU> On Behalf Of Neale Ferguson
> Sent: Tuesday, December 15, 2020 11:19 PM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: SLES 15 SP2 kernel issue with random number generator (crng)
>
> What happens if you install rng-tools and start the service (assuming
> this is a package available on SLES15)?
>
> Neale
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390
> or visit http://www2.marist.edu/htbin/wlvindex?LINUX-390
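
The checks suggested in Berthold's reply (whether a saved seed exists at /var/lib/systemd/random-seed, and whether any hardware RNG is registered with the kernel), gathered into one script as an added example that is not part of the original thread. The function names and the `ROOT` prefix are assumptions made for illustration; the /sys and /proc paths are the kernel's standard hw_random and random interfaces.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is a hypothetical prefix for
# pointing the checks at a constructed tree; leave it unset on a live system.

# Saved seed used for more randomness at startup: present, empty or missing.
seed_status() {
    f="$1/var/lib/systemd/random-seed"
    if [ -s "$f" ]; then
        echo "present"
    elif [ -e "$f" ]; then
        echo "empty"
    else
        echo "missing"
    fi
}

# Hardware RNGs registered with the kernel hwrng framework, or "none".
hwrng_sources() {
    f="$1/sys/class/misc/hw_random/rng_available"
    if [ -r "$f" ] && [ -n "$(tr -d ' \n' < "$f")" ]; then
        tr -s ' \n' ' ' < "$f" | sed 's/ *$//'
    else
        echo "none"
    fi
}

# Kernel's current entropy estimate in bits, or "unknown" if unreadable.
entropy_avail() {
    cat "$1/proc/sys/kernel/random/entropy_avail" 2>/dev/null || echo "unknown"
}

# Which of the two startup sources discussed above are usable, or "none".
startup_sources() {
    out=""
    case "$(seed_status "$1")" in present) out="seed-file" ;; esac
    [ "$(hwrng_sources "$1")" = "none" ] || out="${out:+$out }hwrng"
    echo "${out:-none}"
}

report() {
    echo "random-seed:     $(seed_status "$1")"
    echo "hwrng available: $(hwrng_sources "$1")"
    echo "entropy_avail:   $(entropy_avail "$1")"
    echo "startup sources: $(startup_sources "$1")"
}

report "${ROOT:-}"
```

A result of `startup sources: none` means the guest starts with neither a saved seed nor a hardware RNG, which is the situation the reply suggests ruling out first.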