nixpkgs/nixos/modules/security/rngd.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.security.rngd;
in
{
  options = {
    security.rngd = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable the rng daemon.  Devices that the kernel recognises
          as entropy sources are handled automatically by krngd.
        '';
      };
      debug = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable debug output (-d).";
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.rngd = {
      bindsTo = [ "dev-random.device" ];

      after = [ "dev-random.device" ];

      # Clean shutdown without DefaultDependencies
      conflicts = [ "shutdown.target" ];
      before = [
        "sysinit.target"
        "shutdown.target"
      ];

      description = "Hardware RNG Entropy Gatherer Daemon";

      # rngd may have to start early to avoid entropy starvation during boot with encrypted swap
      unitConfig.DefaultDependencies = false;
      serviceConfig = {
        ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
          + optionalString cfg.debug " -d";
        # PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
        # thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
        NoNewPrivileges = true;
        PrivateNetwork = true;
        ProtectSystem = "full";
        ProtectHome = true;
      };
    };
  };
}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 07:26:48 -07:00			`{ config, lib, pkgs, ... }:`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 07:26:48 -07:00			`with lib;`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00
rngd: add option to run w/debug flag Added while testing if adding hardening directives to the service blocked access to various sources, might be useful in the future. 2019-05-05 23:43:35 -07:00			`let`
			`cfg = config.security.rngd;`
			`in`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00			`{`
			`options = {`
rngd: add option to run w/debug flag Added while testing if adding hardening directives to the service blocked access to various sources, might be useful in the future. 2019-05-05 23:43:35 -07:00			`security.rngd = {`
			`enable = mkOption {`
			`type = types.bool;`
nixos/modules/security/rngd: Disable by default `rngd` seems to be the root cause for slow boot issues, and its functionality is redundant since kernel v3.17 (2014), which introduced a `krngd` task (in kernel space) that takes care of pulling in data from hardware RNGs: > commit be4000bc4644d027c519b6361f5ae3bbfc52c347 > Author: Torsten Duwe <duwe@lst.de> > Date: Sat Jun 14 23:46:03 2014 -0400 > > hwrng: create filler thread > > This can be viewed as the in-kernel equivalent of hwrngd; > like FUSE it is a good thing to have a mechanism in user land, > but for some reasons (simplicity, secrecy, integrity, speed) > it may be better to have it in kernel space. > > This patch creates a thread once a hwrng registers, and uses > the previously established add_hwgenerator_randomness() to feed > its data to the input pool as long as needed. A derating factor > is used to bias the entropy estimation and to disable this > mechanism entirely when set to zero. Closes: #96067 2020-08-23 06:12:13 -07:00			`default = false;`
rngd: add option to run w/debug flag Added while testing if adding hardening directives to the service blocked access to various sources, might be useful in the future. 2019-05-05 23:43:35 -07:00			`description = ''`
nixos/modules/security/rngd: Disable by default `rngd` seems to be the root cause for slow boot issues, and its functionality is redundant since kernel v3.17 (2014), which introduced a `krngd` task (in kernel space) that takes care of pulling in data from hardware RNGs: > commit be4000bc4644d027c519b6361f5ae3bbfc52c347 > Author: Torsten Duwe <duwe@lst.de> > Date: Sat Jun 14 23:46:03 2014 -0400 > > hwrng: create filler thread > > This can be viewed as the in-kernel equivalent of hwrngd; > like FUSE it is a good thing to have a mechanism in user land, > but for some reasons (simplicity, secrecy, integrity, speed) > it may be better to have it in kernel space. > > This patch creates a thread once a hwrng registers, and uses > the previously established add_hwgenerator_randomness() to feed > its data to the input pool as long as needed. A derating factor > is used to bias the entropy estimation and to disable this > mechanism entirely when set to zero. Closes: #96067 2020-08-23 06:12:13 -07:00			`Whether to enable the rng daemon. Devices that the kernel recognises`
			`as entropy sources are handled automatically by krngd.`
rngd: add option to run w/debug flag Added while testing if adding hardening directives to the service blocked access to various sources, might be useful in the future. 2019-05-05 23:43:35 -07:00			`'';`
			`};`
			`debug = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "Whether to enable debug output (-d).";`
			`};`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00			`};`
			`};`

rngd: add option to run w/debug flag Added while testing if adding hardening directives to the service blocked access to various sources, might be useful in the future. 2019-05-05 23:43:35 -07:00			`config = mkIf cfg.enable {`
Rename ‘boot.systemd’ to ‘systemd’ Suggested by Mathijs Kwik. ‘boot.systemd’ is a misnomer because systemd affects more than just booting. And it saves some typing. 2013-01-16 03:33:18 -08:00			`systemd.services.rngd = {`
rngd: Require /dev/random, only start when a hardware randomness source becomes available 2012-11-26 05:45:23 -08:00			`bindsTo = [ "dev-random.device" ];`

			`after = [ "dev-random.device" ];`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00
nixos/rngd: fix clean shutdown It seems disabling DefaultDependencies removes these implicit dependencies [0] that we needed for shutdown to happen cleanly. Fixes #80871 [0]: https://www.freedesktop.org/software/systemd/man/systemd.service.html#Default%20Dependencies 2020-02-23 15:53:52 -08:00			`# Clean shutdown without DefaultDependencies`
			`conflicts = [ "shutdown.target" ];`
			`before = [`
			`"sysinit.target"`
			`"shutdown.target"`
			`];`

Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00			`description = "Hardware RNG Entropy Gatherer Daemon";`

security.rngd: start rngd during early boot to reduce entropy starvation due to encrypted swap and remove PrivateTmp to avoid a circular dependency 2019-10-17 15:30:11 -07:00			`# rngd may have to start early to avoid entropy starvation during boot with encrypted swap`
			`unitConfig.DefaultDependencies = false;`
rngd: add option to run w/debug flag Added while testing if adding hardening directives to the service blocked access to various sources, might be useful in the future. 2019-05-05 23:43:35 -07:00			`serviceConfig = {`
			`ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"`
			`+ optionalString cfg.debug " -d";`
security.rngd: start rngd during early boot to reduce entropy starvation due to encrypted swap and remove PrivateTmp to avoid a circular dependency 2019-10-17 15:30:11 -07:00			`# PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,`
			`# thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.`
rngd: harden service config, from arch 2019-05-07 20:53:09 -07:00			`NoNewPrivileges = true;`
			`PrivateNetwork = true;`
			`ProtectSystem = "full";`
			`ProtectHome = true;`
rngd: add option to run w/debug flag Added while testing if adding hardening directives to the service blocked access to various sources, might be useful in the future. 2019-05-05 23:43:35 -07:00			`};`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-21 23:07:25 -08:00			`};`
			`};`
			`}`