From e64d3f60fbc77887534838de7208df853275fd01 Mon Sep 17 00:00:00 2001 From: nicoo Date: Sun, 23 Aug 2020 15:12:13 +0200 Subject: [PATCH 1/2] nixos/modules/security/rngd: Disable by default `rngd` seems to be the root cause for slow boot issues, and its functionality is redundant since kernel v3.17 (2014), which introduced a `krngd` task (in kernel space) that takes care of pulling in data from hardware RNGs: > commit be4000bc4644d027c519b6361f5ae3bbfc52c347 > Author: Torsten Duwe > Date: Sat Jun 14 23:46:03 2014 -0400 > > hwrng: create filler thread > > This can be viewed as the in-kernel equivalent of hwrngd; > like FUSE it is a good thing to have a mechanism in user land, > but for some reasons (simplicity, secrecy, integrity, speed) > it may be better to have it in kernel space. > > This patch creates a thread once a hwrng registers, and uses > the previously established add_hwgenerator_randomness() to feed > its data to the input pool as long as needed. A derating factor > is used to bias the entropy estimation and to disable this > mechanism entirely when set to zero. Closes: #96067 --- nixos/modules/security/rngd.nix | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix index cffa1a5849f..cb885c4762d 100644 --- a/nixos/modules/security/rngd.nix +++ b/nixos/modules/security/rngd.nix @@ -10,11 +10,10 @@ in security.rngd = { enable = mkOption { type = types.bool; - default = true; + default = false; description = '' - Whether to enable the rng daemon, which adds entropy from - hardware sources of randomness to the kernel entropy pool when - available. + Whether to enable the rng daemon. Devices that the kernel recognises + as entropy sources are handled automatically by krngd. ''; }; debug = mkOption { @@ -26,12 +25,6 @@ in }; config = mkIf cfg.enable { - services.udev.extraRules = '' - KERNEL=="random", TAG+="systemd" - SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" - KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" - ''; - systemd.services.rngd = { bindsTo = [ "dev-random.device" ]; From ca674c176918f7b33407608b7894e32e6211dab9 Mon Sep 17 00:00:00 2001 From: worldofpeace Date: Wed, 9 Sep 2020 21:50:07 -0400 Subject: [PATCH 2/2] rl-2009: document rngd --- nixos/doc/manual/release-notes/rl-2009.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index 8bc51c906ae..1b51fbd566d 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -815,6 +815,13 @@ CREATE ROLE postgres LOGIN SUPERUSER; the value of to pkgs.jellyfin_10_5. + + + The security.rngd service is now disabled by default. + This choice was made because there's krngd in the linux kernel space making it (for most usecases) + functionally redundent. + +