diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 1bdeb126fc36..48cbc404a815 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1108,6 +1108,7 @@
 ./services/security/clamav.nix
 ./services/security/endlessh-go.nix
 ./services/security/endlessh.nix
+ ./services/security/esdm.nix
 ./services/security/fail2ban.nix
 ./services/security/fprintd.nix
 ./services/security/haka.nix
diff --git a/nixos/modules/services/security/esdm.nix b/nixos/modules/services/security/esdm.nix
new file mode 100644
index 000000000000..2b246fff7e96
--- /dev/null
+++ b/nixos/modules/services/security/esdm.nix
@@ -0,0 +1,102 @@
+{ lib, config, pkgs, ... }:
+
+let
+ cfg = config.services.esdm;
+in
+{
+ options.services.esdm = {
+ enable = lib.mkEnableOption (lib.mdDoc "ESDM service configuration");
+ package = lib.mkPackageOptionMD pkgs "esdm" { };
+ serverEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Enable option for ESDM server service. If serverEnable == false, then the esdm-server
+ will not start. Also the subsequent services esdm-cuse-random, esdm-cuse-urandom
+ and esdm-proc will not start as these have the entry Want=esdm-server.service.
+ '';
+ };
+ cuseRandomEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Enable option for ESDM cuse-random service. Determines if the esdm-cuse-random.service
+ is started.
+ '';
+ };
+ cuseUrandomEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Enable option for ESDM cuse-urandom service. Determines if the esdm-cuse-urandom.service
+ is started.
+ '';
+ };
+ procEnable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc ''
+ Enable option for ESDM proc service. Determines if the esdm-proc.service
+ is started.
+ '';
+ };
+ verbose = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Enable verbose ExecStart for ESDM. If verbose == true, then the corresponding "ExecStart"
+ values of the 4 aforementioned services are overwritten with the option
+ for the highest verbosity.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ ({
+ systemd.packages = [ cfg.package ];
+ })
+ # It is necessary to set those options for these services to be started by systemd in NixOS
+ (lib.mkIf cfg.serverEnable {
+ systemd.services."esdm-server".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-server".serviceConfig = lib.mkIf cfg.verbose {
+ ExecStart = [
+ " " # unset previous value defined in 'esdm-server.service'
+ "${cfg.package}/bin/esdm-server -f -vvvvvv"
+ ];
+ };
+ })
+
+ (lib.mkIf cfg.cuseRandomEnable {
+ systemd.services."esdm-cuse-random".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-cuse-random".serviceConfig = lib.mkIf cfg.verbose {
+ ExecStart = [
+ " " # unset previous value defined in 'esdm-cuse-random.service'
+ "${cfg.package}/bin/esdm-cuse-random -f -v 6"
+ ];
+ };
+ })
+
+ (lib.mkIf cfg.cuseUrandomEnable {
+ systemd.services."esdm-cuse-urandom".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-cuse-urandom".serviceConfig = lib.mkIf cfg.verbose {
+ ExecStart = [
+ " " # unset previous value defined in 'esdm-cuse-urandom.service'
+ "${config.services.esdm.package}/bin/esdm-cuse-urandom -f -v 6"
+ ];
+ };
+ })
+
+ (lib.mkIf cfg.procEnable {
+ systemd.services."esdm-proc".wantedBy = [ "basic.target" ];
+ systemd.services."esdm-proc".serviceConfig = lib.mkIf cfg.verbose {
+ ExecStart = [
+ " " # unset previous value defined in 'esdm-proc.service'
+ "${cfg.package}/bin/esdm-proc --relabel -f -o allow_other /proc/sys/kernel/random -v 6"
+ ];
+ };
+ })
+ ]);
+
+ meta.maintainers = with lib.maintainers; [ orichter thillux ];
+}
diff --git a/pkgs/os-specific/linux/esdm/default.nix b/pkgs/os-specific/linux/esdm/default.nix
new file mode 100644
index 000000000000..42e20981872f
--- /dev/null
+++ b/pkgs/os-specific/linux/esdm/default.nix
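Review bot: The `verbose` override in each of the four `lib.mkIf cfg.verbose` blocks replaces the unit's whole `ExecStart` with a hand-copied command line (`-f`, `--relabel`, `-o allow_other /proc/sys/kernel/random`), so any argument the packaged unit files gain or change later will silently differ between verbose and non-verbose runs. Consider deriving the command from the unit shipped in the package, or at least add a comment above each `ExecStart` list such as `# keep in sync with the ExecStart of the unit shipped in cfg.package; only the verbosity flag is added here`. Separately, the cuse-urandom block interpolates `${config.services.esdm.package}` where the sibling blocks use `${cfg.package}`; the `cfg` form should be used for consistency. The four `*Enable` descriptions say only that the corresponding service is started; a sentence on what each service does to the system (what the cuse and proc services expose, which the names only hint at) would help a user decide whether the default of `true` is wanted.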
@@ -0,0 +1,87 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, protobufc
+, pkg-config
+, fuse3
+, meson
+, ninja
+, libselinux
+, jitterentropy
+ # A more detailed explaination of the following meson build options can be found
+ # in the source code of esdm.
+ # A brief explanation is given:
+, selinux ? false # enable selinux support
+, drngHashDrbg ? true # set the default drng callback
+, drngChaCha20 ? false # set the default drng callback
+, ais2031 ? false # set the seeding strategy to be compliant with AIS 20/31
+, linuxDevFiles ? true # enable linux /dev/random and /dev/urandom support
+, linuxGetRandom ? true # enable linux getrandom support
+, esJitterRng ? true # enable support for the entropy source: jitter rng
+, esCPU ? true # enable support for the entropy source: cpu-based entropy
+, esKernel ? true # enable support for the entropy source: kernel-based entropy
+, esIRQ ? false # enable support for the entropy source: interrupt-based entropy
+, esSched ? false # enable support for the entropy source: scheduler-based entropy
+, esHwrand ? true # enable support for the entropy source: /dev/hwrng
+, hashSha512 ? false # set the conditioning hash: SHA2-512
+, hashSha3_512 ? true # set the conditioning hash: SHA3-512
+}:
+
+assert drngHashDrbg != drngChaCha20;
+assert hashSha512 != hashSha3_512;
+
+stdenv.mkDerivation rec {
+ pname = "esdm";
+ version = "0.6.0";
+
+ src = fetchFromGitHub {
+ owner = "smuellerDD";
+ repo = "esdm";
+ rev = "v${version}";
+ sha256 = "sha256-swBKVb5gnND76w2ULT+5hR/jVOqxEe4TAB1gyaLKE9Q=";
+ };
+
+ patches = [
+ (fetchpatch {
+ name = "arm64.patch";
+ url = "https://github.com/smuellerDD/esdm/commit/86b93a0ddf684448aba152c8f1b3baf40a6d41c0.patch";
+ sha256 = "sha256-gjp13AEsDNj23fcGanAAn2KCbYKA0cphhf4mCxek9Yg=";
+ })
+ ];
+
+ nativeBuildInputs = [ meson pkg-config ninja ];
+ buildInputs = [ protobufc fuse3 jitterentropy ]
+ ++ lib.optional selinux libselinux;
+
+ mesonFlags = [
+ (lib.mesonBool "b_lto" false)
+ (lib.mesonBool "ais2031" ais2031)
+ (lib.mesonEnable "linux-devfiles" linuxDevFiles)
+ (lib.mesonEnable "linux-getrandom" linuxGetRandom)
+ (lib.mesonEnable "es_jent" esJitterRng)
+ (lib.mesonEnable "es_cpu" esCPU)
+ (lib.mesonEnable "es_kernel" esKernel)
+ (lib.mesonEnable "es_irq" esIRQ)
+ (lib.mesonEnable "es_sched" esSched)
+ (lib.mesonEnable "es_hwrand" esHwrand)
+ (lib.mesonEnable "hash_sha512" hashSha512)
+ (lib.mesonEnable "hash_sha3_512" hashSha3_512)
+ (lib.mesonEnable "selinux" selinux)
+ (lib.mesonEnable "drng_hash_drbg" drngHashDrbg)
+ (lib.mesonEnable "drng_chacha20" drngChaCha20)
+ ];
+
+ doCheck = true;
+
+ strictDeps = true;
+ mesonBuildType = "release";
+
+ meta = {
+ homepage = "https://www.chronox.de/esdm.html";
+ description = "Entropy Source and DRNG Manager in user space";
+ license = with lib.licenses; [ gpl2Only bsd3 ];
+ platforms = lib.platforms.linux;
+ maintainers = with lib.maintainers; [ orichter thillux ];
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index f23ca4524ab5..7ef00197d81b 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
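Review bot: `(lib.mesonBool "b_lto" false)` disables LTO with no explanation, so a reader cannot tell whether it works around a build failure or is a deliberate choice; a short why-comment such as `# LTO disabled: <reason — fill in>` (placeholder) would stop someone re-enabling it blindly. The `assert drngHashDrbg != drngChaCha20;` and `assert hashSha512 != hashSha3_512;` lines correctly enforce exactly one DRNG and one conditioning hash, but fail with a bare assertion message; `lib.assertMsg` with a message naming the two flags would make the misconfiguration obvious to anyone overriding the package. The comment above the option parameters has a typo, `explaination` → `explanation`. `ais2031` is passed with `lib.mesonBool` while every other feature uses `lib.mesonEnable`; if that mirrors the upstream meson option types, a comment saying so would preempt a well-meant "fix".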
@@ -27254,6 +27254,8 @@ with pkgs;
 dstat = callPackage ../os-specific/linux/dstat { };
+ esdm = callPackage ../os-specific/linux/esdm { };
+
 evdev-proto = callPackage ../os-specific/bsd/freebsd/evdev-proto { };
 fscryptctl = callPackage ../os-specific/linux/fscryptctl { };