author | William A. Kennington III <wak@google.com> | 2022-03-15 02:42:00 +0300 |
---|---|---|
committer | Willy Tu <wltu@google.com> | 2022-03-17 23:35:20 +0300 |
commit | 24f6d997ed5271f8e6506b6ece197a248c2307ad (patch) | |
tree | adaa5b672850d94be07d149057ac3b4e9f4e48c1 /meta-google | |
parent | e86ebe3e3ceac28e210c2720def1a85c16448ea6 (diff) | |
download | openbmc-24f6d997ed5271f8e6506b6ece197a248c2307ad.tar.xz |
meta-google: rng-tools: Only use jitter entropy if required
rngd will exit with a failure code if none of the provided entropy
schemes are present. This enables us to start a fallback service if the
hwrng is not present.
Tested:
```
$ cat /lib/systemd/system/rngd-nojitter.service
[Unit]
OnFailure=rngd.service
Conflicts=rngd.service
Description=Hardware RNG Entropy Gatherer Daemon
DefaultDependencies=no
After=systemd-udev-settle.service
Before=sysinit.target shutdown.target
Wants=systemd-udev-settle.service
Conflicts=shutdown.target
[Service]
EnvironmentFile=-/etc/default/rng-tools
ExecStart=/usr/sbin/rngd -f -x jitter $EXTRA_ARGS
CapabilityBoundingSet=CAP_SYS_ADMIN
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
[Install]
WantedBy=sysinit.target
$ cat /lib/systemd/system/rngd.service
[Unit]
Description=Hardware RNG Entropy Gatherer Daemon
DefaultDependencies=no
After=systemd-udev-settle.service
Before=sysinit.target shutdown.target
Wants=systemd-udev-settle.service
Conflicts=shutdown.target
[Service]
EnvironmentFile=-/etc/default/rng-tools
ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS
CapabilityBoundingSet=CAP_SYS_ADMIN
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
[Install]
```
Change-Id: I0ccc4ca88818b1944fe3c7914671550654980791
Signed-off-by: William A. Kennington III <wak@google.com>
Diffstat (limited to 'meta-google')
-rw-r--r-- | meta-google/recipes-support/rng-tools/rng-tools_%.bbappend | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/meta-google/recipes-support/rng-tools/rng-tools_%.bbappend b/meta-google/recipes-support/rng-tools/rng-tools_%.bbappend
index cf51f85b55..b5347901b6 100644
--- a/meta-google/recipes-support/rng-tools/rng-tools_%.bbappend
+++ b/meta-google/recipes-support/rng-tools/rng-tools_%.bbappend
@@ -1,3 +1,19 @@
 FILESEXTRAPATHS:prepend:gbmc := "${THISDIR}/${PN}:"
 SRC_URI:append:gbmc = " file://default"
+
+SYSTEMD_SERVICE:${PN}:append:gbmc = " rngd-nojitter.service"
+
+do_install:append:gbmc() {
+    install -m 0644 ${D}${systemd_system_unitdir}/rngd.service \
+        ${D}${systemd_system_unitdir}/rngd-nojitter.service
+    # Don't enable jitter in rngd-nojitter
+    sed -i 's,\$EXTRA_ARGS,-x jitter \$EXTRA_ARGS,' \
+        ${D}${systemd_system_unitdir}/rngd-nojitter.service
+    # Run the jitter enabled service if this one fails
+    sed -i '/^\[Unit\]$/aOnFailure=rngd.service\nConflicts=rngd.service' \
+        ${D}${systemd_system_unitdir}/rngd-nojitter.service
+
+    # Don't run the jitter service by default
+    sed -i '/^WantedBy=/d' ${D}${systemd_system_unitdir}/rngd.service
+}
 
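Review bot: Both `sed -i` rewrites in do_install:append:gbmc are silent no-ops if the upstream rngd.service ever stops matching the patterns — if `$EXTRA_ARGS` drops out of ExecStart, rngd-nojitter.service becomes a plain copy of rngd.service with jitter still enabled, and if `[Unit]` is no longer on a line of its own the `OnFailure=`/`Conflicts=` lines are never inserted, so there is no fallback at all while rngd.service has just had its WantedBy= removed and is started by nothing. Since this unit pair is the only thing that decides whether the BMC seeds from the hardware RNG or from CPU jitter, a build-time check makes such drift fail loudly: after the seds add `grep -q -- '-x jitter' ${D}${systemd_system_unitdir}/rngd-nojitter.service || bbfatal "jitter exclusion not applied"` and `grep -q '^OnFailure=rngd.service$' ${D}${systemd_system_unitdir}/rngd-nojitter.service || bbfatal "rngd fallback not wired"`. The comments in the hunk say what each sed does but not why the split exists; a line such as `# Prefer the hardware RNG: rngd exits non-zero when no source is available, and OnFailure= then starts the jitter-enabled unit` above the first sed would save the next reader a trip to the commit message. Deleting WantedBy= leaves an empty `[Install]` section in rngd.service while SYSTEMD_SERVICE still lists it, so systemd.bbclass will still try to enable it; presumably that is tolerated on the target systemd version, but it is worth confirming the postinst does not error.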