AWS: out of entropy on Graviton 2 instances types (mg6.*)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux-aws (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Andrea Righi |
Bug Description
[Impact]
AWS Graviton 2 instances do not have enough entropy available at boot, so any task that require entropy (even reading few bytes from /dev/random) will be stuck forever.
[Fix]
The proper fix for this problem is to correctly refill the entropy pool with some real random data using some hardware-generated randomness.
In the meantime a reasonable workaround can be to apply the following upstream commits:
30c08efec888 random: make /dev/random be almost like /dev/urandom
48446f198f9a random: ignore GRND_RANDOM in getentropy(2)
75551dbf112c random: add GRND_INSECURE to return best-effort non-cryptographic bytes
c6f1deb15878 random: Add a urandom_
4c8d062186d9 random: Don't wake crng_init_wait when crng_init == 1
In this way the system will not run out of entropy and will be able to provide best-effort randomness in any case, preventing the out of entropy issue on the AWS Gravion 2 instances.
[Test plan]
Execute the following command on any m6g instance:
dd bs=32 count=1 if=/dev/random of=/dev/null
This should return quickly, if not it means that the system does not have enough entropy available. When the problem happens this command hangs forever.
[Where problems could occur]
This changes affect the read semantics of /dev/random to be the same as /dev/urandom except that reads will block until the CRNG is ready. This should not materially break any API. Any code that worked without these changes should work at least as well as before. However, applications that have strict randomness requirements might be affected by the provided best-effort randomness, so we may need to apply more commits/changes to introduce a proper hardware entropy support on Graviton 2 instances to provide a better quality of randomness. In the meantime these upstream changes consist a reasonable workaround to prevent applications from hanging forever on the mg6.* instances.
[Other Info]
SF: #00310204
summary: |
- out of entropy on Graviton 2 instances types (mg6.*) + AWS: out of entropy on Graviton 2 instances types (mg6.*) |
description: | updated |
Changed in linux-aws (Ubuntu): | |
status: | New → Fix Released |
Changed in linux-aws (Ubuntu Focal): | |
status: | New → In Progress |
Changed in linux-aws (Ubuntu Focal): | |
assignee: | nobody → Andrea Righi (arighi) |
description: | updated |
Changed in linux-aws (Ubuntu Focal): | |
status: | In Progress → Fix Committed |
tags: |
added: verification-done-focal removed: verification-needed-focal |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification- needed- focal' to 'verification- done-focal' . If the problem still exists, change the tag 'verification- needed- focal' to 'verification- failed- focal'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation how to enable and use -proposed. Thank you!