public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #113850 from nbraud/rngd

Browse Source 
nixos/rngd: Remove module entirely, leave an explanation
This commit is contained in:
WORLDofPEACE 2021-02-21 07:11:04 -05:00 committed by GitHub
commit 4efb432e72
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 22 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
nixos/doc/manual/installation/installing-virtualbox-guest.xml
View File

@ -83,17 +83,12 @@
VirtualBox settings (Machine / Settings / Shared Folders, then click on the VirtualBox settings (Machine / Settings / Shared Folders, then click on the
"Add" icon). Add the following to the "Add" icon). Add the following to the
<literal>/etc/nixos/configuration.nix</literal> to auto-mount them. If you do <literal>/etc/nixos/configuration.nix</literal> to auto-mount them. If you do
not add <literal>"nofail"</literal>, the system will not boot properly. The not add <literal>"nofail"</literal>, the system will not boot properly.
same goes for disabling <literal>rngd</literal> which is normally used to get
randomness but this does not work in virtual machines.
</para> </para>
<programlisting> <programlisting>
{ config, pkgs, ...} : { config, pkgs, ...} :
{ {
security.rngd.enable = false; // otherwise vm will not boot
...
fileSystems."/virtualboxshare" = { fileSystems."/virtualboxshare" = {
fsType = "vboxsf"; fsType = "vboxsf";
device = "nameofthesharedfolder"; device = "nameofthesharedfolder";

9
nixos/doc/manual/release-notes/rl-2105.xml
View File

@ -509,6 +509,15 @@ self: super:
<varname>services.flashpolicyd</varname> module. <varname>services.flashpolicyd</varname> module.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <literal>security.rngd</literal> module has been removed.
It was disabled by default in 20.09 as it was functionally redundent
with krngd in the linux kernel. It is not necessary for any device that the kernel recognises
as an hardware RNG, as it will automatically run the krngd task to periodically collect random
data from the device and mix it into the kernel's RNG.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>

2
nixos/modules/config/swap.nix
View File

@ -185,8 +185,6 @@ in
{ description = "Initialisation of swap device ${sw.device}"; { description = "Initialisation of swap device ${sw.device}";
wantedBy = [ "${realDevice'}.swap" ]; wantedBy = [ "${realDevice'}.swap" ];
before = [ "${realDevice'}.swap" ]; before = [ "${realDevice'}.swap" ];
# If swap is encrypted, depending on rngd resolves a possible entropy starvation during boot
after = mkIf (config.security.rngd.enable && sw.randomEncryption.enable) [ "rngd.service" ];
path = [ pkgs.util-linux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup; path = [ pkgs.util-linux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup;
script = script =

64
nixos/modules/security/rngd.nix
View File

@ -1,56 +1,16 @@
{ config, lib, pkgs, ... }: { lib, ... }:
with lib;
let let
cfg = config.security.rngd; removed = k: lib.mkRemovedOptionModule [ "security" "rngd" k ];
in in
{ {
options = { imports = [
security.rngd = { (removed "enable" ''
enable = mkOption { rngd is not necessary for any device that the kernel recognises
type = types.bool; as an hardware RNG, as it will automatically run the krngd task
default = false; to periodically collect random data from the device and mix it
description = '' into the kernel's RNG.
Whether to enable the rng daemon. Devices that the kernel recognises '')
as entropy sources are handled automatically by krngd. (removed "debug"
''; "The rngd module was removed, so its debug option does nothing.")
}; ];
debug = mkOption {
type = types.bool;
default = false;
description = "Whether to enable debug output (-d).";
};
};
};
config = mkIf cfg.enable {
systemd.services.rngd = {
bindsTo = [ "dev-random.device" ];
after = [ "dev-random.device" ];
# Clean shutdown without DefaultDependencies
conflicts = [ "shutdown.target" ];
before = [
"sysinit.target"
"shutdown.target"
];
description = "Hardware RNG Entropy Gatherer Daemon";
# rngd may have to start early to avoid entropy starvation during boot with encrypted swap
unitConfig.DefaultDependencies = false;
serviceConfig = {
ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
+ optionalString cfg.debug " -d";
# PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
# thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
NoNewPrivileges = true;
PrivateNetwork = true;
ProtectSystem = "full";
ProtectHome = true;
};
};
};
} }

2
nixos/modules/virtualisation/hyperv-guest.nix
View File

@ -40,8 +40,6 @@ in {
environment.systemPackages = [ config.boot.kernelPackages.hyperv-daemons.bin ]; environment.systemPackages = [ config.boot.kernelPackages.hyperv-daemons.bin ];
security.rngd.enable = false;
# enable hotadding cpu/memory # enable hotadding cpu/memory
services.udev.packages = lib.singleton (pkgs.writeTextFile { services.udev.packages = lib.singleton (pkgs.writeTextFile {
name = "hyperv-cpu-and-memory-hotadd-udev-rules"; name = "hyperv-cpu-and-memory-hotadd-udev-rules";