Bug 1190024 - haveged service has become obsolete with recent kernels (>= 5.6)
Status: NEW
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
Reported: 2021-08-31 15:42 UTC by Franck Bui
Modified: 2024-02-15 15:06 UTC

Description Franck Bui 2021-08-31 15:42:38 UTC
According to https://github.com/jirka-h/haveged/commit/297bdf1fc52fc6f59d0495f911d4e594b4d29190, starting from Linux kernel v5.6, the HAVEGED *service* has become obsolete.

So it might make sense to:

 - drop the unit file from the package

 - not install haveged by default
Comment 1 Franck Bui 2022-06-01 12:11:21 UTC
Secteam, can you please reconsider this bug?
Comment 2 OBSbugzilla Bot 2022-06-01 14:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1190024) was mentioned in
https://build.opensuse.org/request/show/980343 Factory / patterns-base
Comment 3 Marcus Meissner 2022-06-01 15:43:23 UTC
We reverted it, I think, on feedback from darix:

r141 | msmeissn | 2021-11-02 08:19:20 | b15b4981794dc7c2d3e6d63e7a4ffd85 | unknown | 

- revert last change, e.g. for VMs where we are not being fed entropy
  from the host or similar setups.
--------------------------------------------------------------------
- Improvements on the linux kernel random subsystem have made 
  the haveged service/daemon obsolete, remove the service files,
  initrd modules and udev rules, the other components
  are still useful.
Comment 4 Franck Bui 2022-06-01 15:51:00 UTC
(In reply to Marcus Meissner from comment #3)
> We reverted it, I think, on feedback from darix:
> 
> r141 | msmeissn | 2021-11-02 08:19:20 | b15b4981794dc7c2d3e6d63e7a4ffd85 |
> unknown | 
> 
> - revert last change, e.g. for VMs where we are not being fed entropy
>   from the host or similar setups.

From my understanding, kernel >= 5.6 got support for the HAVEGED algorithm, which should replace haveged completely. Unless those VMs ran an older kernel, I'm not sure I understand why this needed to be reverted.

Can you provide more details?
Comment 5 Marcus Rückert 2022-06-02 13:02:11 UTC
We can just speak from our production VMs that we still saw stalls without haveged when waiting for entropy.
Comment 6 Marcus Rückert 2022-06-02 13:18:01 UTC
TBH, as long as we ship the haveged binary we should have the service file. If you want to reduce the package to just the shared library, then we could drop the service file too.
Comment 8 Marcus Rückert 2022-06-03 12:02:37 UTC
I am just curious ... what would be the motivation to still ship the binaries but not the service files anymore?
Comment 9 Franck Bui 2022-06-07 10:25:34 UTC
We could also drop the binary haveged and ship the library only if we were sure that the support added in kernel 5.6 is enough.

But you reported some issues with some VMs of yours without haveged in initrd, so it would be interesting to figure out why the HAVEGE implementation in the kernel is not working as well as haveged.
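
An added diagnostic sketch, not part of this bug report or of haveged: it gathers the facts the thread turns on for a VM that stalls (kernel release against 5.6, whether a hw_random device is bound, whether getrandom() would block right now). The function names and finding texts are this example's own assumptions.

```python
import os
import re

HWRNG_PATH = "/sys/class/misc/hw_random/rng_current"
ENTROPY_PATH = "/proc/sys/kernel/random/entropy_avail"

def parse_release(release):
    """Return (major, minor) from a string such as '5.14.21-150400.24-default'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return int(m.group(1)), int(m.group(2))

def read_line(path):
    """First line of a sysfs/procfs file, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.readline().strip()
    except OSError:
        return None

def crng_ready():
    """True if getrandom() returns at once, False if it would block, None if unknown."""
    if not hasattr(os, "getrandom"):
        return None
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:
        return False
    except OSError:
        return None

def triage(release, hwrng, ready):
    """Findings relevant to the thread; the wording is this example's own."""
    findings = []
    if parse_release(release) < (5, 6):
        findings.append("kernel < 5.6: the change cited in the description is absent")
    if hwrng in (None, "", "none"):
        findings.append("no hw_random device bound (e.g. no virtio-rng from the host)")
    if ready is False:
        findings.append("CRNG not initialised: getrandom() callers block right now")
    return findings

if __name__ == "__main__":
    release = os.uname().release
    print("kernel:", release, "| entropy_avail:", read_line(ENTROPY_PATH))
    for finding in triage(release, read_line(HWRNG_PATH), crng_ready()):
        print("finding:", finding)
```

Run it as early in boot as possible, with and without haveged enabled, since a CRNG that is already initialised by login time says nothing about stalls during early boot.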