Age | Commit message | Author | Files | Lines |
Upstream has changed the service name from `rngd.service` to
`rng-tools.service`. Change the name of the "nojitter" service
to match.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ie7cef3f0b9106db38e6a399494a85d7e5fc5e3eb
We want to remove wget from busybox, so we need an alternate fetcher.
Tested: Ran locally against an installer URL to verify the behavior
Change-Id: Ib3a00002d7d2d02bd6b29e24f0dbe2c7c9243514
Signed-off-by: William A. Kennington III <wak@google.com>
rngd will exit with a failure code if none of the provided entropy
schemes are present. This enables us to start a fallback service if the
hwrng is not present.
Tested:
```
$ cat /lib/systemd/system/rngd-nojitter.service
[Unit]
OnFailure=rngd.service
Conflicts=rngd.service
Description=Hardware RNG Entropy Gatherer Daemon
DefaultDependencies=no
After=systemd-udev-settle.service
Before=sysinit.target shutdown.target
Wants=systemd-udev-settle.service
Conflicts=shutdown.target
[Service]
EnvironmentFile=-/etc/default/rng-tools
ExecStart=/usr/sbin/rngd -f -x jitter $EXTRA_ARGS
CapabilityBoundingSet=CAP_SYS_ADMIN
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
[Install]
WantedBy=sysinit.target
$ cat /lib/systemd/system/rngd.service
[Unit]
Description=Hardware RNG Entropy Gatherer Daemon
DefaultDependencies=no
After=systemd-udev-settle.service
Before=sysinit.target shutdown.target
Wants=systemd-udev-settle.service
Conflicts=shutdown.target
[Service]
EnvironmentFile=-/etc/default/rng-tools
ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS
CapabilityBoundingSet=CAP_SYS_ADMIN
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
[Install]
```
Change-Id: I0ccc4ca88818b1944fe3c7914671550654980791
Signed-off-by: William A. Kennington III <wak@google.com>
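A check motivated by the two commits above (the fallback wiring in the `Tested:` output, and the service rename that would leave `OnFailure=`/`Conflicts=` pointing at a unit that no longer exists), as an added example that is not code from the rng-tools project or from these commits: a small lint that parses both unit files, confirms the primary unit names an existing fallback, and confirms both variants run under the same sandboxing directives. The unit text is a constructed sample trimmed from the output quoted above.

```python
# Constructed sample input: the two units quoted in the Tested: block above,
# cut down to the directives this check looks at (not the project's own files).
UNITS = {
    "rngd-nojitter.service": """[Unit]
OnFailure=rngd.service
Conflicts=rngd.service
[Service]
ExecStart=/usr/sbin/rngd -f -x jitter $EXTRA_ARGS
ProtectSystem=strict
SystemCallFilter=@system-service
""",
    "rngd.service": """[Unit]
[Service]
ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS
ProtectSystem=strict
SystemCallFilter=@system-service
""",
}

def parse_unit(text):
    """Minimal systemd unit parser: {section: {key: [values]}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1], {})
        elif current is not None:  # ignore stray lines before any section
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def sandboxing(unit):
    # The [Service] directives other than the command line itself.
    return {k: v for k, v in unit.get("Service", {}).items() if k != "ExecStart"}

def lint_failover(units, primary, fallback):
    """Problems with the primary -> fallback wiring: OnFailure= and Conflicts=
    must name an existing fallback, and both variants must be sandboxed alike."""
    problems = []
    primary_unit, fallback_unit = parse_unit(units[primary]), parse_unit(units[fallback])
    for key in ("OnFailure", "Conflicts"):
        targets = primary_unit.get("Unit", {}).get(key, [])
        if fallback not in targets:
            problems.append(f"{primary}: {key}= does not name {fallback}")
        problems += [f"{primary}: {key}={t} names a unit that does not exist"
                     for t in targets if t not in units]
    if sandboxing(primary_unit) != sandboxing(fallback_unit):
        problems.append("sandboxing directives differ between the two variants")
    return problems
```

Running the lint against the on-disk units after a rename (`rngd.service` becoming `rng-tools.service`) reports the dangling references until the nojitter unit is updated to match.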
Set jitter to use only a single thread. gBMC systems will always have at least
2 CPUs, so it won't take up everything.
Change-Id: I43215a4ebca680d3d340062cc9f99a33ab36a60f
Signed-off-by: Willy Tu <wltu@google.com>
This saved 49152 bytes of compressed image space on our platform.
Signed-off-by: Josh Lehan <krellan@google.com>
Signed-off-by: Brandon Kim <brandonkim@google.com>
Change-Id: I4b5b4c7cd2bfffb9720bae02624519ee10ca73af
This saved 49152 bytes of compressed image space on our platform.
Signed-off-by: Josh Lehan <krellan@google.com>
Signed-off-by: Brandon Kim <brandonkim@google.com>
Change-Id: I40016cffd8586bbcda1cc45ec968efd35c8f4188