`rngd` seems to be the root cause of slow boot issues, and its functionality is redundant since kernel v3.17 (2014), which introduced a `krngd` task (in kernel space) that takes care of pulling in data from hardware RNGs: > commit be4000bc4644d027c519b6361f5ae3bbfc52c347 > Author: Torsten Duwe <duwe@lst.de> > Date: Sat Jun 14 23:46:03 2014 -0400 > > hwrng: create filler thread > > This can be viewed as the in-kernel equivalent of hwrngd; > like FUSE it is a good thing to have a mechanism in user land, > but for some reasons (simplicity, secrecy, integrity, speed) > it may be better to have it in kernel space. > > This patch creates a thread once a hwrng registers, and uses > the previously established add_hwgenerator_randomness() to feed > its data to the input pool as long as needed. A derating factor > is used to bias the entropy estimation and to disable this > mechanism entirely when set to zero. Closes: #96067
		
			
				
	
	
		
{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.security.rngd;
in
{
  options = {
    security.rngd = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable the rng daemon.  Devices that the kernel recognises
          as entropy sources are handled automatically by krngd.
        '';
      };
      debug = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable debug output (-d).";
      };
    };
  };
  config = mkIf cfg.enable {
    systemd.services.rngd = {
      bindsTo = [ "dev-random.device" ];
      after = [ "dev-random.device" ];
      # Clean shutdown without DefaultDependencies
      conflicts = [ "shutdown.target" ];
      before = [
        "sysinit.target"
        "shutdown.target"
      ];
      description = "Hardware RNG Entropy Gatherer Daemon";
      # rngd may have to start early to avoid entropy starvation during boot with encrypted swap
      unitConfig.DefaultDependencies = false;
      serviceConfig = {
        ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
          + optionalString cfg.debug " -d";
        # PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
        # thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
        NoNewPrivileges = true;
        PrivateNetwork = true;
        ProtectSystem = "full";
        ProtectHome = true;
      };
    };
  };
}