nixpkgs/nixos/modules/security/rngd.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.security.rngd;
in
{
  options = {
    security.rngd = {
      enable = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Whether to enable the rng daemon, which adds entropy from
          hardware sources of randomness to the kernel entropy pool when
          available.
        '';
      };
      debug = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable debug output (-d).";
      };
    };
  };

  config = mkIf cfg.enable {
    services.udev.extraRules = ''
      KERNEL=="random", TAG+="systemd"
      SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
      KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
    '';

    systemd.services.rngd = {
      bindsTo = [ "dev-random.device" ];

      after = [ "dev-random.device" ];

      description = "Hardware RNG Entropy Gatherer Daemon";

      # rngd may have to start early to avoid entropy starvation during boot with encrypted swap
      unitConfig.DefaultDependencies = false;
      serviceConfig = {
        ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
          + optionalString cfg.debug " -d";
        # PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
        # thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
        NoNewPrivileges = true;
        PrivateNetwork = true;
        ProtectSystem = "full";
        ProtectHome = true;
      };
    };
  };
}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-22 02:07:25 -05:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`with lib;`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-22 02:07:25 -05:00
rngd: add option to run w/debug flag Added while testing if adding hardening directives to the service blocked access to various sources, might be useful in the future. 2019-05-06 01:43:35 -05:00			`let`
			`cfg = config.security.rngd;`
			`in`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-22 02:07:25 -05:00			`{`
			`options = {`
rngd: add option to run w/debug flag Added while testing if adding hardening directives to the service blocked access to various sources, might be useful in the future. 2019-05-06 01:43:35 -05:00			`security.rngd = {`
			`enable = mkOption {`
			`type = types.bool;`
			`default = true;`
			`description = ''`
			`Whether to enable the rng daemon, which adds entropy from`
			`hardware sources of randomness to the kernel entropy pool when`
			`available.`
			`'';`
			`};`
			`debug = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "Whether to enable debug output (-d).";`
			`};`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-22 02:07:25 -05:00			`};`
			`};`

rngd: add option to run w/debug flag Added while testing if adding hardening directives to the service blocked access to various sources, might be useful in the future. 2019-05-06 01:43:35 -05:00			`config = mkIf cfg.enable {`
rngd: Require /dev/random, only start when a hardware randomness source becomes available 2012-11-26 08:45:23 -05:00			`services.udev.extraRules = ''`
			`KERNEL=="random", TAG+="systemd"`
rngd: update modalias to match cpu type It looks like the cpu type part of modalias might have changed, my systems (4.4.20 and 4.7.2) show something like the following: ``` cpu:type:x86,ven0000fam0006mod003F:feature:,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000B,000C,000D,000E,000F,0010,0011,0013,0017,0018,0019,001A,001C,002B,0034,003B,003D,0068,006F,0070,0072,0074,0075,0076,007D,0080,0081,0089,008C,008D,0091,0093,0094,0095,0096,0097,0098,0099,009A,009B,009C,009D,009E,009F,00C0,00C5,0120,0123,0125,0127,0128,0129,012A,0140 ``` Update the rngd modalias rule to match this so udev properly has systemd start rngd. 2016-09-16 14:27:19 -07:00			`SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,feature:009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"`
rngd: Require /dev/random, only start when a hardware randomness source becomes available 2012-11-26 08:45:23 -05:00			`KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"`
			`'';`

Rename ‘boot.systemd’ to ‘systemd’ Suggested by Mathijs Kwik. ‘boot.systemd’ is a misnomer because systemd affects more than just booting. And it saves some typing. 2013-01-16 12:33:18 +01:00			`systemd.services.rngd = {`
rngd: Require /dev/random, only start when a hardware randomness source becomes available 2012-11-26 08:45:23 -05:00			`bindsTo = [ "dev-random.device" ];`

			`after = [ "dev-random.device" ];`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-22 02:07:25 -05:00
			`description = "Hardware RNG Entropy Gatherer Daemon";`

security.rngd: start rngd during early boot to reduce entropy starvation due to encrypted swap and remove PrivateTmp to avoid a circular dependency 2019-10-18 00:30:11 +02:00			`# rngd may have to start early to avoid entropy starvation during boot with encrypted swap`
			`unitConfig.DefaultDependencies = false;`
rngd: add option to run w/debug flag Added while testing if adding hardening directives to the service blocked access to various sources, might be useful in the future. 2019-05-06 01:43:35 -05:00			`serviceConfig = {`
			`ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"`
			`+ optionalString cfg.debug " -d";`
security.rngd: start rngd during early boot to reduce entropy starvation due to encrypted swap and remove PrivateTmp to avoid a circular dependency 2019-10-18 00:30:11 +02:00			`# PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,`
			`# thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.`
rngd: harden service config, from arch 2019-05-07 22:53:09 -05:00			`NoNewPrivileges = true;`
			`PrivateNetwork = true;`
			`ProtectSystem = "full";`
			`ProtectHome = true;`
rngd: add option to run w/debug flag Added while testing if adding hardening directives to the service blocked access to various sources, might be useful in the future. 2019-05-06 01:43:35 -05:00			`};`
Add rngd service. Inspired by http://pkgs.fedoraproject.org/cgit/rng-tools.git/tree/rngd.service?id=27b1912b2d9659b6934fd4c887e46c13958e7e3c 2012-11-22 02:07:25 -05:00			`};`
			`};`
			`}`