2014-04-14 16:26:48 +02:00
|
|
|
{ config, lib, pkgs, ... }:
|
2012-11-22 08:07:25 +01:00
|
|
|
|
2014-04-14 16:26:48 +02:00
|
|
|
with lib;
|
2012-11-22 08:07:25 +01:00
|
|
|
|
2019-05-06 08:43:35 +02:00
|
|
|
let
|
|
|
|
cfg = config.security.rngd;
|
|
|
|
in
|
2012-11-22 08:07:25 +01:00
|
|
|
{
|
|
|
|
options = {
|
2019-05-06 08:43:35 +02:00
|
|
|
security.rngd = {
|
|
|
|
enable = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = ''
|
|
|
|
Whether to enable the rng daemon, which adds entropy from
|
|
|
|
hardware sources of randomness to the kernel entropy pool when
|
|
|
|
available.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
debug = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = "Whether to enable debug output (-d).";
|
|
|
|
};
|
2012-11-22 08:07:25 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2019-05-06 08:43:35 +02:00
|
|
|
config = mkIf cfg.enable {
|
2012-11-26 14:45:23 +01:00
|
|
|
services.udev.extraRules = ''
|
|
|
|
KERNEL=="random", TAG+="systemd"
|
rngd: update modalias to match cpu type
It looks like the cpu type part of modalias might have changed, my
systems (4.4.20 and 4.7.2) show something like the following:
```
cpu:type:x86,ven0000fam0006mod003F:feature:,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000B,000C,000D,000E,000F,0010,0011,0013,0017,0018,0019,001A,001C,002B,0034,003B,003D,0068,006F,0070,0072,0074,0075,0076,007D,0080,0081,0089,008C,008D,0091,0093,0094,0095,0096,0097,0098,0099,009A,009B,009C,009D,009E,009F,00C0,00C5,0120,0123,0125,0127,0128,0129,012A,0140
```
Update the rngd modalias rule to match this so udev properly has
systemd start rngd.
2016-09-16 23:27:19 +02:00
|
|
|
SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
|
2012-11-26 14:45:23 +01:00
|
|
|
KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
|
|
|
|
'';
|
|
|
|
|
2013-01-16 12:33:18 +01:00
|
|
|
systemd.services.rngd = {
|
2012-11-26 14:45:23 +01:00
|
|
|
bindsTo = [ "dev-random.device" ];
|
|
|
|
|
|
|
|
after = [ "dev-random.device" ];
|
2012-11-22 08:07:25 +01:00
|
|
|
|
2020-02-24 00:53:52 +01:00
|
|
|
# Clean shutdown without DefaultDependencies
|
|
|
|
conflicts = [ "shutdown.target" ];
|
|
|
|
before = [
|
|
|
|
"sysinit.target"
|
|
|
|
"shutdown.target"
|
|
|
|
];
|
|
|
|
|
2012-11-22 08:07:25 +01:00
|
|
|
description = "Hardware RNG Entropy Gatherer Daemon";
|
|
|
|
|
2019-10-18 00:30:11 +02:00
|
|
|
# rngd may have to start early to avoid entropy starvation during boot with encrypted swap
|
|
|
|
unitConfig.DefaultDependencies = false;
|
2019-05-06 08:43:35 +02:00
|
|
|
serviceConfig = {
|
|
|
|
ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
|
|
|
|
+ optionalString cfg.debug " -d";
|
2019-10-18 00:30:11 +02:00
|
|
|
# PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
|
|
|
|
# thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
|
2019-05-08 05:53:09 +02:00
|
|
|
NoNewPrivileges = true;
|
|
|
|
PrivateNetwork = true;
|
|
|
|
ProtectSystem = "full";
|
|
|
|
ProtectHome = true;
|
2019-05-06 08:43:35 +02:00
|
|
|
};
|
2012-11-22 08:07:25 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|