meta-google: rng-tools: Only use jitter entropy if required

rngd will exit with a failure code if none of the provided entropy schemes are present. This enables us to start a fallback service if the hwrng is not present. Tested: ``` $ cat /lib/systemd/system/rngd-nojitter.service [Unit] OnFailure=rngd.service Conflicts=rngd.service Description=Hardware RNG Entropy Gatherer Daemon DefaultDependencies=no After=systemd-udev-settle.service Before=sysinit.target shutdown.target Wants=systemd-udev-settle.service Conflicts=shutdown.target [Service] EnvironmentFile=-/etc/default/rng-tools ExecStart=/usr/sbin/rngd -f -x jitter $EXTRA_ARGS CapabilityBoundingSet=CAP_SYS_ADMIN IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes PrivateTmp=yes ProtectControlGroups=yes ProtectHome=yes ProtectHostname=yes ProtectKernelModules=yes ProtectKernelLogs=yes ProtectSystem=strict RestrictAddressFamilies=AF_UNIX RestrictNamespaces=yes RestrictRealtime=yes RestrictSUIDSGID=yes SystemCallArchitectures=native SystemCallErrorNumber=EPERM SystemCallFilter=@system-service [Install] WantedBy=sysinit.target $ cat /lib/systemd/system/rngd.service [Unit] Description=Hardware RNG Entropy Gatherer Daemon DefaultDependencies=no After=systemd-udev-settle.service Before=sysinit.target shutdown.target Wants=systemd-udev-settle.service Conflicts=shutdown.target [Service] EnvironmentFile=-/etc/default/rng-tools ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS CapabilityBoundingSet=CAP_SYS_ADMIN IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes PrivateTmp=yes ProtectControlGroups=yes ProtectHome=yes ProtectHostname=yes ProtectKernelModules=yes ProtectKernelLogs=yes ProtectSystem=strict RestrictAddressFamilies=AF_UNIX RestrictNamespaces=yes RestrictRealtime=yes RestrictSUIDSGID=yes SystemCallArchitectures=native SystemCallErrorNumber=EPERM SystemCallFilter=@system-service [Install] ``` Change-Id: I0ccc4ca88818b1944fe3c7914671550654980791 Signed-off-by: William A. Kennington III <wak@google.com>
author: William A. Kennington III <wak@google.com> 2022-03-15 02:42:00 +0300
committer: Willy Tu <wltu@google.com> 2022-03-17 23:35:20 +0300
commit: 24f6d997ed5271f8e6506b6ece197a248c2307ad (patch)
tree: adaa5b672850d94be07d149057ac3b4e9f4e48c1 /meta-google/recipes-support
parent: e86ebe3e3ceac28e210c2720def1a85c16448ea6 (diff)
download: openbmc-24f6d997ed5271f8e6506b6ece197a248c2307ad.tar.xz
1 files changed, 16 insertions, 0 deletions
diff --git a/meta-google/recipes-support/rng-tools/rng-tools_%.bbappend b/meta-google/recipes-support/rng-tools/rng-tools_%.bbappend
index cf51f85b55..b5347901b6 100644
--- a/meta-google/recipes-support/rng-tools/rng-tools_%.bbappend
+++ b/meta-google/recipes-support/rng-tools/rng-tools_%.bbappend
@@ -1,3 +1,19 @@
 FILESEXTRAPATHS:prepend:gbmc := "${THISDIR}/${PN}:"
 
 SRC_URI:append:gbmc = " file://default"
+
+SYSTEMD_SERVICE:${PN}:append:gbmc = " rngd-nojitter.service"
+
+do_install:append:gbmc() {
+  install -m 0644 ${D}${systemd_system_unitdir}/rngd.service \
+    ${D}${systemd_system_unitdir}/rngd-nojitter.service
+  # Don't enable jitter in rngd-nojitter
+  sed -i 's,\$EXTRA_ARGS,-x jitter \$EXTRA_ARGS,' \
+    ${D}${systemd_system_unitdir}/rngd-nojitter.service
+  # Run the jitter enabled service if this one fails
+  sed -i '/^\[Unit\]$/aOnFailure=rngd.service\nConflicts=rngd.service' \
+    ${D}${systemd_system_unitdir}/rngd-nojitter.service
+
+  # Don't run the jitter service by default
+  sed -i '/^WantedBy=/d' ${D}${systemd_system_unitdir}/rngd.service
+}
author	William A. Kennington III <wak@google.com>	2022-03-15 02:42:00 +0300
committer	Willy Tu <wltu@google.com>	2022-03-17 23:35:20 +0300
commit	24f6d997ed5271f8e6506b6ece197a248c2307ad (patch)
tree	adaa5b672850d94be07d149057ac3b4e9f4e48c1 /meta-google/recipes-support
parent	e86ebe3e3ceac28e210c2720def1a85c16448ea6 (diff)
download	openbmc-24f6d997ed5271f8e6506b6ece197a248c2307ad.tar.xz