
Comments (12)

nhorman avatar nhorman commented on September 18, 2024

rngd -l -d perhaps? Debug info is always useful.

Though I can tell you right now that if you are on a more recent kernel, the tpm device is going to be disabled by default, because the kernel exports tpm entropy through /dev/hwrng. The tpm device is just there for older/legacy kernels. If you do have an older kernel, then you will want to run with the -n tpm option to expressly enable the tpm entropy source.

As for why your hwrng failed to init, you want to dump out the debug information. If I had to guess, I would predict that you are running on a kernel for which /sys/devices/virtual/misc/hw_random/rng_available is reporting zero rngs as backing entropy sources.

from rng-tools.

toralf avatar toralf commented on September 18, 2024

Well, I had indeed just to select a few additional TPM config options in the kernel to get the TPM now working.
I was just curious that TPM was reported as unused (and /dev/tpm was not present at that time and hwrng was not used either).
BTW I do run here 5.12.13.


nhorman avatar nhorman commented on September 18, 2024

Did you select CONFIG_HW_RANDOM_TPM=y in your config? If not, then the tpm won't export entropy via /dev/hwrng, and rngd won't be able to initialize it.


toralf avatar toralf commented on September 18, 2024

No, this is a rather recent zen3 Hetzner server and these configs were missing:

mr-fox /usr/src/linux # diff .config .config.old 
1610,1612c1610,1611
< CONFIG_TCG_TIS_CORE=y
< CONFIG_TCG_TIS=y
< CONFIG_TCG_TIS_I2C_CR50=y
---
> # CONFIG_TCG_TIS is not set
> # CONFIG_TCG_TIS_I2C_CR50 is not set
1619c1618
< CONFIG_TCG_CRB=y
---
> # CONFIG_TCG_CRB is not set


nhorman avatar nhorman commented on September 18, 2024

So, is that a no to CONFIG_HW_RANDOM_TPM=y being set? If so, that explains your issue.


toralf avatar toralf commented on September 18, 2024

> so, is that a no to CONFIG_HW_RANDOM_TPM=y being set? If so, that explains your issue

Oh no, those were set before, but weren't enough:

mr-fox ~ # grep _TPM /usr/src/linux/.config
CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=y


nhorman avatar nhorman commented on September 18, 2024

OK, then you need to run rngd -f -d -l and provide the debug output here for us to understand what's going on.


toralf avatar toralf commented on September 18, 2024

mr-fox ~ # uname -a
Linux mr-fox 5.12.12 #11 SMP Fri Jun 18 11:15:40 CEST 2021 x86_64 AMD Ryzen 9 5950X 16-Core Processor AuthenticAMD GNU/Linux
mr-fox ~ # rngd -f -l -f
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
6: JITTER Entropy generator (jitter)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)
mr-fox ~ # ls -l /dev/hwrng
crw------- 1 root root 10, 183 Jun 24 19:16 /dev/hwrng
mr-fox ~ # tail -v /sys/devices/virtual/misc/hw_random/*
==> /sys/devices/virtual/misc/hw_random/dev <==
10:183

==> /sys/devices/virtual/misc/hw_random/power <==
tail: error reading '/sys/devices/virtual/misc/hw_random/power': Is a directory

==> /sys/devices/virtual/misc/hw_random/rng_available <==


==> /sys/devices/virtual/misc/hw_random/rng_current <==
none

==> /sys/devices/virtual/misc/hw_random/rng_selected <==
0

==> /sys/devices/virtual/misc/hw_random/subsystem <==
tail: error reading '/sys/devices/virtual/misc/hw_random/subsystem': Is a directory

==> /sys/devices/virtual/misc/hw_random/uevent <==
MAJOR=10
MINOR=183
DEVNAME=hwrng


nhorman avatar nhorman commented on September 18, 2024

You didn't include the -d option, and as such you didn't get any debug output.

The tail output of rng_avail tells the story though. You don't have a rng backing the /dev/hwrng device, so it won't produce any entropy, and as such, rng-tools fails to initialize it. As to why that's happening, I can't say. Your config should have added the tpm as an entropy source to the hwrng backing stores, but it appears to not have. The logic that does that is in the kernel function tpm_add_hwrng. I expect you can add a printf there or just trace the function to see if it's getting called.

But from rngd's standpoint, this appears to be working as designed.

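The sysfs and kernel-config checks discussed in the comments above, collected as an added shell example (not part of the thread and not rng-tools code): it reports whether any backend is registered behind /dev/hwrng and which of the kernel options named in this thread are not enabled in a given .config. The function names and status strings are hypothetical; the default paths are the ones quoted in the thread, and which TPM interface driver a machine needs depends on its hardware.

```shell
#!/bin/sh
# Added example (not from rng-tools): diagnose an hwrng source that fails init.
SYSFS_DEFAULT=/sys/devices/virtual/misc/hw_random

hwrng_backends() {
    # Print the backends registered behind /dev/hwrng, one per line.
    dir=${1:-$SYSFS_DEFAULT}
    [ -r "$dir/rng_available" ] || return 1
    tr -s ' \t' '\n' < "$dir/rng_available" | sed '/^$/d'
}

hwrng_status() {
    # Hypothetical status strings: ok:<name>, no-backend, no-hw_random-core.
    dir=${1:-$SYSFS_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no-hw_random-core"   # hw_random core not built or not loaded
        return 0
    fi
    backends=$(hwrng_backends "$dir" 2>/dev/null) || backends=""
    cur=$(cat "$dir/rng_current" 2>/dev/null) || cur=""
    if [ -z "$backends" ] || [ -z "$cur" ] || [ "$cur" = "none" ]; then
        echo "no-backend"          # the state shown in the thread's tail output
    else
        echo "ok:$cur"
    fi
}

missing_tpm_options() {
    # Print the options from the thread that are neither =y nor =m in a .config.
    cfg=${1:-/usr/src/linux/.config}
    on() { grep -Eq "^$1=[ym]$" "$cfg" 2>/dev/null; }
    on CONFIG_TCG_TPM || echo CONFIG_TCG_TPM
    on CONFIG_HW_RANDOM_TPM || echo CONFIG_HW_RANDOM_TPM
    # At least one TPM interface driver must be present as well.
    on CONFIG_TCG_TIS || on CONFIG_TCG_CRB || echo "CONFIG_TCG_TIS or CONFIG_TCG_CRB"
}

# Run with the argument "report" to check the live system.
if [ "${1:-}" = "report" ]; then
    hwrng_status
    missing_tpm_options
fi
```

A "no-backend" result together with an empty option list means the configuration looks complete and the next step is the kernel-side tracing suggested above.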

toralf avatar toralf commented on September 18, 2024

-d seems to have no effect:

# rngd -f -d -l 
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
6: JITTER Entropy generator (jitter)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)

But the question is: what about enabling TPM if hwrng initialization fails?


nhorman avatar nhorman commented on September 18, 2024

Oh, that's a bug. I turn off message logging so the output of -l is pretty, but I should likely override that if debug is enabled.

As for enabling tpm, that's up to you. As I noted above, this is working as designed. Because sysfs doesn't report any backing sources for /dev/hwrng, rngd is doing what it's supposed to, in that it fails init of the hwrng source. It wouldn't make any sense to just fall back and automatically try the tpm source, because we have no visibility into what the kernel config is, and don't know if the tpm even supports entropy extraction via that path. That said, there's no reason you can't enable it at run time with the -n tpm command line option. This is all documented in the man page.


toralf avatar toralf commented on September 18, 2024

ok, fair enough.
So just -d is left for you ;)

