diff --git a/backport-rng-tools-6.17-intel-cet-ibt-instrumentation.patch b/backport-rng-tools-6.17-intel-cet-ibt-instrumentation.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b745d8f7ab8957e85a18e951a221b3c592f1b7fb
--- /dev/null
+++ b/backport-rng-tools-6.17-intel-cet-ibt-instrumentation.patch
@@ -0,0 +1,89 @@
+From 33a6f962cd9a03a2741017a6b8eb5cd75a2ca13b Mon Sep 17 00:00:00 2001
+From: Vladis Dronov
+Date: Mon, 17 Jun 2024 20:34:31 +0200
+Subject: [PATCH] Add Intel CET IBT instrumentation to assembly code
+
+Add endbr64/endbr32 instruction to a function prologue. This enables
+IBT (Indirect Branch Tracking) feature of the Intel CET (Control-flow
+Enforcement Technology). All the calls and jumps in this assembly code
+are direct. Only functions can potentially be called indirectly. So
+adjusting a function prologue is enough. Add a section to indicate
+that this code supports IBT to linkers and security analysers.
+---
+ rdrand_asm.S | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 50 insertions(+), 5 deletions(-)
+
+diff --git a/rdrand_asm.S b/rdrand_asm.S
+index 7811cf2..d84433d 100644
+--- a/rdrand_asm.S
++++ b/rdrand_asm.S
+@@ -19,10 +19,27 @@
+ *
+ */
+ 
+-#define ENTRY(x) \
+- .balign 64 ; \
+- .globl x ; \
+-x:
++/* Add Intel CET IBT instrumentation */
++#if defined __CET__ && (__CET__ & 1)
++#ifdef __x86_64__
++ #define ENTRY(x) \
++ .balign 64 ; \
++ .globl x ; \
++ x: \
++ endbr64
++#elif defined(__i386__)
++ #define ENTRY(x) \
++ .balign 64 ; \
++ .globl x ; \
++ x: \
++ endbr32
++#endif /* __x86_64__ */
++#else /* __CET__ */
++ #define ENTRY(x) \
++ .balign 64 ; \
++ .globl x ; \
++ x:
++#endif /* __CET__ */
+ 
+ #define ENDPROC(x) \
+ .size x, .-x ; \
+@@ -374,8 +391,36 @@ aes_round_keys:
+ .space 11*16
+ .size aes_round_keys, .-aes_round_keys
+ 
++/*
++ * This is necessary to inform a linker that this code has IBT (Indirect
++ * Branch Tracking) feature of the Intel CET (Control-flow Enforcement
++ * Technology) enabled.
++ * See: https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fcf-protection
++ */
++#if defined __CET__ && (__CET__ & 1)
++ .section .note.gnu.property,"a"
++ .align 8
++ .long 1f - 0f /* name length */
++ .long 4f - 1f /* data length */
++ /* NT_GNU_PROPERTY_TYPE_0 */
++ .long 5 /* note type */
++0:
++ .string "GNU" /* vendor name */
++1:
++ .align 8
++ /* GNU_PROPERTY_X86_FEATURE_1_AND */
++ .long 0xc0000002 /* pr_type */
++ .long 3f - 2f /* pr_datasz */
++2:
++ /* GNU_PROPERTY_X86_FEATURE_1_XXX */
++ .long 0x3
++3:
++ .align 8
++4:
++#endif
++
+ /*
+ * This is necessary to keep the whole executable
+ * from needing a writable stack.
+ */
+- .section .note.GNU-stack,"",%progbits
++ .section .note.GNU-stack,"",%progbits
diff --git a/rng-tools-service-harden.patch b/rng-tools-service-harden.patch
new file mode 100644
index 0000000000000000000000000000000000000000..35a88bae98167b67a70158db76c9281d5f4d7f92
--- /dev/null
+++ b/rng-tools-service-harden.patch
@@ -0,0 +1,28 @@
+--- rng-tools-6.17/rngd.service.orig 2024-10-05 07:37:16.071162500 +0800
++++ rng-tools-6.17/rngd.service 2024-10-05 07:41:25.726337400 +0800
+@@ -1,11 +1,24 @@
+ [Unit]
+ Description=Hardware RNG Entropy Gatherer Daemon
+ ConditionVirtualization=!container
++ConditionKernelCommandLine=!fips=1
+ 
+ # The "-f" option is required for the systemd service rngd to work with Type=simple
+ [Service]
+ Type=simple
+-ExecStart=/usr/sbin/rngd -f
++EnvironmentFile=/etc/sysconfig/rngd
++ExecStart=/usr/sbin/rngd -f $RNGD_ARGS
++NoNewPrivileges=true
++PrivateNetwork=true
++PrivateTmp=true
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
+ 
+ [Install]
+ WantedBy=multi-user.target
diff --git a/rng-tools.spec b/rng-tools.spec
index 71883838fa3f670753d315a705a0a93929a46e8e..481f713ef0a87e8efdc2e8acec7eccc6bb5569d5 100644
--- a/rng-tools.spec
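Review bot: The three `.align 8` directives in the added `.note.gnu.property` block are unconditional, but on the `__i386__` path they produce an ELFCLASS32 note whose descriptor is padded to 8 bytes; if I read bfd's property parser correctly, a 32-bit note padded that way is reported as a corrupt GNU_PROPERTY_TYPE_0 note and dropped, so the i386 build would carry `endbr32` prologues but no IBT marking for the linker. ELF notes are 4-byte aligned on ELFCLASS32 and 8-byte aligned on ELFCLASS64, so the alignment should follow the same `__x86_64__`/`__i386__` split the ENTRY macro already uses, as sketched below. Separately, the guard tests only `__CET__ & 1` (IBT) while the descriptor hard-codes `.long 0x3` (IBT and SHSTK); `.long __CET__` would advertise exactly the features the build was asked for, matching the notes GCC emits for the C objects linked next to this one. rdrand_asm.S itself is not part of this diff, so whether its functions are actually shadow-stack safe cannot be confirmed here.
```asm
#if defined __CET__ && (__CET__ & 1)
/* ELF notes are 8-byte aligned on ELFCLASS64 and 4-byte aligned on ELFCLASS32 */
#ifdef __x86_64__
#define NOTE_ALIGN 8
#else
#define NOTE_ALIGN 4
#endif
 .section .note.gnu.property,"a"
 .align NOTE_ALIGN
 /* … unchanged: name length, data length, note type, "GNU" vendor name … */
1:
 .align NOTE_ALIGN
 /* … unchanged: pr_type and pr_datasz … */
2:
 /* GNU_PROPERTY_X86_FEATURE_1_XXX: advertise exactly the bits this build enabled */
 .long __CET__
3:
 .align NOTE_ALIGN
4:
#endif
```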
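Review bot: `PrivateNetwork=true` confines rngd to a network namespace with only loopback, so the nist and qrypt entropy sources can never reach their servers; the unit only works because rngd.sysconfig in this same commit passes `-x nist -x qrypt`, and nothing in the unit records that coupling for an administrator who later edits RNGD_ARGS. A comment above that line, `# nist and qrypt need network access and cannot work here; keep them disabled in /etc/sysconfig/rngd`, would make the dependency visible. `ConditionKernelCommandLine=!fips=1` likewise arrives without a rationale; a one-line comment saying why rngd must not run in FIPS mode would help the next maintainer. The hardening set also stops short of `CapabilityBoundingSet`; since the new default arguments drop to daemon:daemon, pinning the capabilities rngd actually retains (which ones is not visible in this diff) would be the natural next step.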
+++ b/rng-tools.spec @@ -1,23 +1,35 @@ Name: rng-tools -Version: 6.16 -Release: 3 +Version: 6.17 +Release: 1 Summary: Random number generator daemon -License: GPLv2+ +License: GPL-2.0-or-later URL: https://github.com/nhorman/rng-tools Source0: https://github.com/nhorman/rng-tools/archive/v%{version}.tar.gz -Source1: rngd.service Source2: rngd.sysconfig -#Dependency -BuildRequires: gcc make gettext systemd autoconf automake -BuildRequires: libgcrypt-devel libcurl-devel libxml2-devel openssl-devel -BuildRequires: libp11-devel jitterentropy-library-devel jansson-devel libcap-devel - -#Provide the command: killall used by test cases. -BuildRequires: psmisc - -Requires: libgcrypt libsysfs openssl libxml2 libcurl jitterentropy-library openssl-pkcs11 -Requires: opensc +# Modified according to openSUSE and archlinux +Patch0: rng-tools-service-harden.patch + +# upstream patches +Patch1001: backport-rng-tools-6.17-intel-cet-ibt-instrumentation.patch + +# Dependency +BuildRequires: gcc make +BuildRequires: autoconf automake libtool +BuildRequires: pkgconfig(jansson) +BuildRequires: pkgconfig(libcap) +BuildRequires: pkgconfig(libcrypto) +BuildRequires: pkgconfig(libcurl) +BuildRequires: pkgconfig(libp11) +BuildRequires: pkgconfig(libxml-2.0) +BuildRequires: pkgconfig(openssl) +BuildRequires: jitterentropy-library-devel + +# Provide the command: killall used by test cases. +BuildRequires: /usr/bin/killall +BuildRequires: opensc + +Requires: opensc %{?systemd_requires} %description 
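Review bot: `BuildRequires: pkgconfig(libcrypto)` duplicates `BuildRequires: pkgconfig(openssl)` five lines below, since openssl.pc already requires libcrypto; one of the two can go. The patches are declared as `Patch0` and `Patch1001`, but `%prep` lies between this hunk and the next, so whether they are actually applied (e.g. via `%autosetup -p1`) cannot be confirmed from the diff — worth checking, because the `install -D -m 0644 rngd.service` line in `%install` now takes the unit from the source tree, and only Patch0 turns it into the hardened version. `Requires: opensc` is kept even though the new default RNGD_ARGS in rngd.sysconfig disables the pkcs11 source (`-x pkcs11`); if opensc is needed only when an administrator re-enables pkcs11, `Recommends:` may describe the relationship better.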
@@ -31,22 +43,22 @@ and supplies entropy from them to the system kernel's /dev/random machinery. %build ./autogen.sh +# a dirty hack so libdarn_impl_a_CFLAGS overrides common CFLAGS +sed -i -e 's/$(libdarn_impl_a_CFLAGS) $(CFLAGS)/$(CFLAGS) $(libdarn_impl_a_CFLAGS)/' Makefile.in %configure --without-rtlsdr %make_build %install %make_install -install -D -t $RPM_BUILD_ROOT%{_unitdir} -m 0644 %{SOURCE1} +install -D -m 0644 rngd.service %{buildroot}%{_unitdir}/rngd.service # install sysconfig file -install -D %{SOURCE2} -m0644 %{buildroot}%{_sysconfdir}/sysconfig/rngd +install -D %{S:2} -m0644 %{buildroot}%{_sysconfdir}/sysconfig/rngd %check export RNGD_JITTER_TIMEOUT=10 #Enseur that the AES can be generated. %make_build check -%pre - %post %systemd_post rngd.service @@ -57,20 +69,23 @@ export RNGD_JITTER_TIMEOUT=10 #Enseur that the AES can be generated. %systemd_postun_with_restart rngd.service %files -%defattr(-,root,root) %license COPYING %doc AUTHORS NEWS README %{_bindir}/rngtest %{_bindir}/randstat %{_sbindir}/rngd -%attr(0644,root,root) %{_unitdir}/rngd.service -%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/sysconfig/rngd +%{_unitdir}/rngd.service +%config(noreplace) %{_sysconfdir}/sysconfig/rngd %files help %{_mandir}/man1/rngtest.1.* %{_mandir}/man8/rngd.8.* %changelog +* Sat Oct 05 2024 Funda Wang - 6.17-1 +- update to 6.17 +- drop unused dependencies + * Mon Apr 24 2023 zhangruifang - 6.16-3 - Update the rngd.service file - Add the config file for rngd service diff --git a/rng-tools.yaml b/rng-tools.yaml index d7b9e6d20cd4d627ea69a3c9cf02f72f10a53a87..4515dcf07ea807754163d2658e8a522fcbc7d428 100644 --- a/rng-tools.yaml +++ b/rng-tools.yaml @@ -1,4 +1,4 @@ version_control: github src_repo: "nhorman/rng-tools" tag_prefix: "^v" -seperator: +separator: . diff --git a/rngd.service b/rngd.service deleted file mode 100644 index 189b34c1acd1dfbb0eabdc1fc9466b3017f114b5..0000000000000000000000000000000000000000 --- a/rngd.service +++ /dev/null 
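Review bot: The `sed -i` that swaps `$(libdarn_impl_a_CFLAGS)` and `$(CFLAGS)` in Makefile.in has no failure mode: if a future tarball changes that line, sed matches nothing, the build continues with the original flag order, and the "dirty hack" silently stops doing its job. Adding `grep -qF '$(libdarn_impl_a_CFLAGS) $(CFLAGS)' Makefile.in` before the sed turns that into a build failure under rpmbuild's `-e` shell instead of a quiet regression. The comment should also name the flag the override exists for — "overrides common CFLAGS" does not tell a reader why the order matters or when the hack can be dropped.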
@@ -1,11 +0,0 @@
-[Unit]
-Description=Hardware RNG Entropy Gatherer Daemon
-
-# The "-f" option is required for the systemd service rngd to work with Type=simple
-[Service]
-Type=simple
-EnvironmentFile=/etc/sysconfig/rngd
-ExecStart=/usr/sbin/rngd -f $RNGD_ARGS
-
-[Install]
-WantedBy=multi-user.target
diff --git a/rngd.sysconfig b/rngd.sysconfig
index cf18656c465fffb86ff98433831e1878be566117..798f166d8a972853cb6b4aa5c77a831567bb1f8d 100644
--- a/rngd.sysconfig
+++ b/rngd.sysconfig
@@ -1,3 +1,3 @@
 # Optional arguments passed to rngd. See rngd(8) and
 # https://bugzilla.redhat.com/show_bug.cgi?id=1252175#c21
-RNGD_ARGS="-O jitter:timeout:10"
+RNGD_ARGS="-x pkcs11 -x nist -x qrypt -x namedpipe -D daemon:daemon"
diff --git a/v6.16.tar.gz b/v6.16.tar.gz
deleted file mode 100644
index b00338cbe4dff894dd2b2eb97a75e67ac05b5099..0000000000000000000000000000000000000000
Binary files a/v6.16.tar.gz and /dev/null differ
diff --git a/v6.17.tar.gz b/v6.17.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..7e999d2305af58c27dcd4eb9e399456f39011de0
Binary files /dev/null and b/v6.17.tar.gz differ
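Review bot: The new default `-D daemon:daemon` drops rngd to an unprivileged user, but nothing in this file or the unit records which capability rngd keeps after the switch to feed the kernel pool; if it relies on libcap to retain one (the spec builds against pkgconfig(libcap)), that set should be stated here and later pinned in rngd.service. The two comment lines kept above still point only at rngd(8) and a bugzilla entry that presumably justified the removed `-O jitter:timeout:10`, so they no longer explain the arguments below them; a per-option comment such as `# pkcs11, nist, qrypt and namedpipe are disabled by default; nist/qrypt cannot work with PrivateNetwork=true in rngd.service` would serve administrators better. Dropping the jitter timeout also changes default behaviour silently — if 6.17 no longer needs it, the changelog entry should say so.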