I have a server that I want to use to test Libreswan VPN software. This requires a lot of entropy (for random number generation).
Unfortunately, the box, a Dell, has a processor with no RdRand instruction. But it does have a TPM 1.2 module, and that is supposed to be able to generate entropy.
I don't know how to get the TPM to feed entropy to the Linux kernel RNG.
Is there a cookbook explaining how to do this?
I installed Trousers to handle the TPM device. That provides "tcsd", the daemon that manages "Trusted Computing resources" (including the TPM).
I installed tpm_tools.
I initialized the TPM with tpm_takeownership -y -z
rngd is the daemon that is supposed to feed hardware entropy to the kernel RNG. It is part of the rng-tools package. I would have thought that enabling the TPM would allow rngd to harvest entropy from the TPM. That does not seem to be the case.
rngd can open /dev/tpm0 but cannot read from it. (This isn't obvious since rngd's diagnostics are not very specific.)
I think that the problem is that only one thing is allowed to open the TPM at once, and that one thing is currently something else. Probably tcsd.
Here's a closed bugzilla against RHEL7 that seems relevant: https://bugzilla.redhat.com/show_bug.cgi?id=921122
My problem certainly isn't the same. tcsd seems to be running and happy. Compare this with what Steve Grubb said in Comment 5.
    [build@bluebird ~]$ systemctl status tcsd
    ● tcsd.service - TCG Core Services Daemon
       Loaded: loaded (/usr/lib/systemd/system/tcsd.service; enabled; vendor preset: disabled)
       Active: active (running) since Tue 2016-05-17 13:09:28 EDT; 1h 13min ago
      Process: 798 ExecStart=/sbin/tcsd (code=exited, status=0/SUCCESS)
     Main PID: 838 (tcsd)
       CGroup: /system.slice/tcsd.service
               └─838 /sbin/tcsd

    May 17 13:09:27 bluebird.mimosa.com systemd[1]: Starting TCG Core Services Daemon...
    May 17 13:09:28 bluebird.mimosa.com tcsd[798]: TCSD TDDL[798]: TrouSerS ioctl: (25) Inappropriate ioctl for device
    May 17 13:09:28 bluebird.mimosa.com tcsd[798]: TCSD TDDL[798]: TrouSerS Falling back to Read/Write device support.
    May 17 13:09:28 bluebird.mimosa.com systemd[1]: Started TCG Core Services Daemon.
    May 17 13:09:28 bluebird.mimosa.com TCSD[838]: TrouSerS trousers 0.3.13: TCSD up and running.
    [build@bluebird ~]$
But rngd is neither running nor happy:
    [build@bluebird ~]$ systemctl status rngd
    ● rngd.service - Hardware RNG Entropy Gatherer Daemon
       Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
       Active: inactive (dead) since Tue 2016-05-17 13:09:28 EDT; 1h 17min ago
      Process: 751 ExecStart=/sbin/rngd -f (code=exited, status=0/SUCCESS)
     Main PID: 751 (code=exited, status=0/SUCCESS)

    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: read error
    May 17 13:09:28 bluebird.mimosa.com rngd[751]: No entropy sources working, exiting rngd
    [build@bluebird ~]$
(The read errors are from trying to read /dev/hwrng. The error code is for "No such device".)
Here's a run of a version of rngd that I instrumented:

    [build@bluebird ~]$ sudo ./rngd -f -v -r /dev/NOTHING
    Unable to open file /dev/tpm0: Device or resource busy
    can't open any entropy source
    Maybe RNG device modules are not loaded
    [build@bluebird ~]$

The options mean:

    -f              don't daemonize
    -v              verbose
    -r /dev/NOTHING replace /dev/hwrng with a meaningless path to prevent using it
According to this old page, https://fedoraproject.org/wiki/Features/rngd_default_on :
Note that when using TPM, rngd currently conflicts with tcsd from TrouSerS. The solution to that is a kernel module which is probably going to be merged upstream in the 3.7 kernel, as it unfortunately missed the 3.6 merge window; however, it is a small patchset and it can be trivially backported. It should be in James Morris' linux-security git tree shortly; otherwise search for Kent Yoder on LKML.
I don't know what that module is, whether my system has it, and, if so, whether it is actually loaded. There are two loaded modules with tpm in their name:

    tpm_tis 20480 0 - Live 0xffffffffa033b000
    tpm 40960 2 tpm_tis, Live 0xffffffffa0104000
It is even possible that the TPM is being used now. Monitoring /proc/sys/kernel/random/entropy_avail seems to show more entropy than I observed yesterday. But it isn't enough for what I'm trying to do.
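As an added diagnostic (not part of the question above), the following POSIX shell script gathers the facts this question is circling: which process currently holds /dev/tpm0 open (by walking the /proc/*/fd symlinks), whether the kernel has any hwrng backend registered behind /dev/hwrng (via the sysfs attributes /sys/class/misc/hw_random/rng_current and rng_available), which tpm* modules are loaded, and the current entropy estimate. The ROOT variable is a hypothetical prefix added so the checks can be run against a constructed copy of /proc and /sys; on a real system leave it empty and run as root so other processes' fd links are readable.

```shell
#!/bin/sh
# Added diagnostic script (not from the question): shows which process holds
# the TPM character device, whether the kernel exposes a hwrng backend for
# /dev/hwrng, which tpm* modules are loaded, and the kernel entropy estimate.
# ROOT is a hypothetical prefix so the checks can run against a constructed
# copy of /proc and /sys; leave it empty on a real system.
ROOT="${ROOT:-}"

# Print "pid comm" for each process with DEV open (/proc/*/fd links; needs root).
tpm_holders() {
    dev="$1"
    for fd in "$ROOT"/proc/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue          # unmatched glob or not an fd link
        if [ "$(readlink "$fd" 2>/dev/null)" = "$dev" ]; then
            pid=${fd#"$ROOT"/proc/}; pid=${pid%%/*}
            printf '%s %s\n' "$pid" "$(cat "$ROOT/proc/$pid/comm" 2>/dev/null)"
        fi
    done | sort -u
}

# Report the hwrng backend; returns non-zero when none is registered, which is
# the state in which reads of /dev/hwrng fail with "No such device".
hwrng_status() {
    cur="$ROOT/sys/class/misc/hw_random/rng_current"
    avail="$ROOT/sys/class/misc/hw_random/rng_available"
    if [ ! -r "$cur" ]; then
        echo "hwrng: no rng_current attribute (no hwrng backend registered)"
        return 1
    fi
    printf 'hwrng: current=%s available=%s\n' "$(cat "$cur")" "$(cat "$avail" 2>/dev/null)"
    [ "$(cat "$cur")" != "none" ]
}

# Loaded modules whose name starts with tpm (tpm, tpm_tis, tpm_rng, ...).
tpm_modules() {
    awk '$1 ~ /^tpm/ { print $1 }' "$ROOT/proc/modules" 2>/dev/null
}

# Kernel's current entropy estimate in bits (0 if unreadable).
entropy_avail() {
    cat "$ROOT/proc/sys/kernel/random/entropy_avail" 2>/dev/null || echo 0
}

report() {
    echo "processes holding /dev/tpm0:"; tpm_holders /dev/tpm0 | sed 's/^/  /'
    hwrng_status || true
    echo "tpm modules: $(tpm_modules | tr '\n' ' ')"
    echo "entropy_avail: $(entropy_avail)"
}
report
```

If tpm_holders names tcsd and hwrng_status reports no backend, that matches the symptoms in the question: the raw device is busy, and /dev/hwrng has nothing behind it for rngd to read.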