ilyakooo0/nixpkgs
1
0
Fork 0
mirror of https://github.com/ilyakooo0/nixpkgs.git synced 2025-01-01 16:34:15 +03:00
Code Issues Projects Releases Wiki Activity

security.rngd: start rngd during early boot to reduce entropy starvation due to encrypted swap and remove PrivateTmp to avoid a circular dependency

Browse Source
This commit is contained in:
Daniel Frank 2019-10-18 00:30:11 +02:00
parent 1ac86e14c7
commit d14ba1e1ad
No known key found for this signature in database
GPG Key ID: 063CCCAD04182D32
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
nixos/modules/security/rngd.nix
View File

@ -39,12 +39,15 @@ in
description = "Hardware RNG Entropy Gatherer Daemon"; description = "Hardware RNG Entropy Gatherer Daemon";
# rngd may have to start early to avoid entropy starvation during boot with encrypted swap
unitConfig.DefaultDependencies = false;
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.rng-tools}/sbin/rngd -f" ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
+ optionalString cfg.debug " -d"; + optionalString cfg.debug " -d";
# PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
# thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateNetwork = true; PrivateNetwork = true;
PrivateTmp = true;
ProtectSystem = "full"; ProtectSystem = "full";
ProtectHome = true; ProtectHome = true;
}; };