Leap 15.6 HAVEGED algorithm and systemd sys-devices-virtual-mem-random

Given that, since the Linux Kernel version 5.4, the HAVEGED inspired algorithm has been included in the Linux kernel, at least with Leap 15.6 systemd quietly still demands the thing – my experience is that, if the haveged package is not installed, the system’s running status is “degraded”.
<Torvalds: random: try to actively add entropy rather than passively wait for it>
<Torvalds: random: make /dev/random be almost like /dev/urandom>


I reinstalled the haveged package to resolve the issue – didn’t enable the systemd haveged.service – and then went hunting for the thing which was starting the systemd service – found the answer as follows –

  • systemd Journal entry –
[    1.383126] systemd[1]: Started Entropy Daemon based on the HAVEGE algorithm.
  • CLI investigation –
 # systemctl show haveged.service
 .
 .
WantedBy=sys-devices-virtual-mem-random.device
 .
 .
 # 
 # systemctl status sys-devices-virtual-mem-random.device
● sys-devices-virtual-mem-random.device - /sys/devices/virtual/mem/random
     Loaded: loaded
     Active: active (plugged) since Wed 2024-09-18 09:03:05 CEST; 49min ago
     Device: /sys/devices/virtual/mem/random
 # 
 # systemctl list-dependencies sys-devices-virtual-mem-random.device
sys-devices-virtual-mem-random.device
● └─haveged.service
 # 

Don’t bother looking further in the systemd Journal – AFAICS, there ain’t nothing there related to the virtual memory device “random” issue …


Has anyone else noticed this?


BTW, there’s another little systemd service related to “random” – “systemd-random-seed.service” – for people trying to mirror systems, this is quite relevant … :smiling_imp:

Every openSUSE Leap installation needs a running haveged or rng-tools service. Check your random source generator:

# cat /proc/sys/kernel/random/entropy_avail
   => random numbers in stock > 1000

# dd if=/dev/random of=/dev/null bs=1024 count=1 iflag=fullblock 
   => > 40 kB/s

# rngtest -c 2000 </dev/random      (rngtest from rpm rng-tools)
   => FIPS 140-2 failures: < 10

https://wiki.archlinux.org/title/Haveged

https://packagehub.suse.com/packages/rng-tools/

Mask haveged service:

# systemctl disable haveged.service
# systemctl mask haveged.service

https://wiki.archlinux.org/title/Systemd

And read this:

@GrandDixence2:

Yes, I am aware of the HAVEGED project’s GitHub notice – which is why I removed the haveged package and, noticed the system’s behaviour.


 # cat /proc/sys/kernel/random/entropy_avail
256
 #

Which is apparently OK because, this /proc/sys/ entry isn’t actually indicating the available entropy – rather the number of bits the random number generator is capable of generating – needed for encryption keys …

Fill the entropy pool with haveged or rng-tools until at least 2048 bits of entropy are available. Source:
https://wiki.archlinux.org/title/Rng-tools#Configuration

@GrandDixence2:

ArchWiki –

You really didn’t notice the Note in the ArchWiki article?

Leap 15.6 began with Kernel version 6.4.0 –

# 2024-06-16 14:38:31 kernel-default-6.4.0-150600.21.2.x86_64.rpm installed ok
2024-06-16 14:38:31|install|kernel-default|6.4.0-150600.21.2|x86_64||repo-oss|6d571c0b11f0a0e1ac5bfb65e9f12d51fd94f211a5dd91be8dab77e711def12828ee9877b045c298ce1b4e2062e6eb8e1c8a0a14cf7c513e444f8ace13d1bbf6|

Currently –

 # uname -a
Linux eck001 6.4.0-150600.23.17-default #1 SMP PREEMPT_DYNAMIC Tue Jul 30 06:37:32 UTC 2024 (9c450d7) x86_64 x86_64 x86_64 GNU/Linux
 #

Therefore, theoretically, Leap 15.6 never, ever, needed neither the haveged package nor, the rng-tools package –

  • Except for, the systemd Virtual Memory random device dependency.

And, that dependency, AFAICS, isn’t being dealt with by any Leap 15.6 package – currently …

Personally, I’m trying to figure out the purpose of this thread. Seems as though this should be in “chat”.

And isn’t this subject applicable to other openSUSE distros (?) - why just 15.6 ?

I’ve spent 2-3 hours reading one referenced link to another. I appreciate the knowledge that @GrandDixence2 :+1: has provided in this thread , and all the other threads and links I’ve read so far.

But, ultimately, I still don’t understand the purpose of this thread.

This document describe the random number generator in newer linux kernels:

An entropy pool size of 256 is a clear sign for a linux kernel with ChaCha20 DRNG. Hardware random number generators may provide true random data via the add_hwgenerator_randomness API to feed this ChaCha20 DRNG. Check for available hardware random number generators:

# cat /sys/devices/virtual/misc/hw_random/rng_available

This ChaCha20 DRNG do not need haveged or rngd (rng-tools).

BSI TR-02102-1, chaptre “8.5.1 - GNU/Linux” describe the difference between /dev/random and dev/urandom.

What means " the system’s running status is “degraded”?

 > systemctl is-system-running 
running
 >

Then suggest to move it through the report button.

Do we need a Bug Report to include a dependency for the “haveged” package or, not?

Do we need a Bug Report suggesting that, the upstream “systemd” team rethink their requirement for the haveged service?


I’ve searched for the systemd “sys-devices-virtual-mem-random.device” but, can’t find it anywhere.

  • Does anyone happen to know if, the thing is to be found somewhere in the systemd code?
1 Like
 # cat /sys/devices/virtual/misc/hw_random/rng_available
ccp-1-rng 
 #

Reading the BSI documents, it seems that with Leap 15.6 – Kernel version 6.4 – and, suitable hardware – hardware which supports ChaCha20 DRNG – needs neither the haveged package nor the rng-tools package.


To Bug Report or, not to Bug Report? – That’s the question …

There are already bugreports which explains that the service got disabled and haveged is no longer installed by default nor a recommended package.
https://bugzilla.opensuse.org/show_bug.cgi?id=1190024

There are plans to drop the package completely
https://bugzilla.opensuse.org/show_bug.cgi?id=1219910

List of haveged bugreports

@hui:

Thanks – the issue is almost resolved – except for an extremely tiny “but” –

  • No one seems to have picked up the systemd Virtual Memory random device dependency … :smiling_imp:

Adding a comment to an existing (old) Bug Report is possibly not so productive but, I’ll drop something onto the Bug Report #1190024 and, include the BSI information supplied by GrandDixence2.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.