authorDaniel Frank <git@danielfrank.net>2019-10-18 00:30:11 +0200
committerDaniel Frank <git@danielfrank.net>2020-02-08 12:29:13 +0100
commitd14ba1e1add6cca568515f87508ad5d00180bf16 (patch)
tree783b6b77b24c297efb0ee2ab8345ea888a8489e6
parent1ac86e14c746140a7fa9a6e81a3471739655366b (diff)
downloadnixpkgs-d14ba1e1add6cca568515f87508ad5d00180bf16.tar
nixpkgs-d14ba1e1add6cca568515f87508ad5d00180bf16.tar.gz
nixpkgs-d14ba1e1add6cca568515f87508ad5d00180bf16.tar.bz2
nixpkgs-d14ba1e1add6cca568515f87508ad5d00180bf16.tar.lz
nixpkgs-d14ba1e1add6cca568515f87508ad5d00180bf16.tar.xz
nixpkgs-d14ba1e1add6cca568515f87508ad5d00180bf16.tar.zst
nixpkgs-d14ba1e1add6cca568515f87508ad5d00180bf16.zip
security.rngd: start rngd during early boot to reduce entropy starvation due to encrypted swap and remove PrivateTmp to avoid a circular dependency
-rw-r--r--nixos/modules/security/rngd.nix5
1 files changed, 4 insertions, 1 deletions
diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix
index d9d6d9c9f25..5566c53897d 100644
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@@ -39,12 +39,15 @@ in
 
       description = "Hardware RNG Entropy Gatherer Daemon";
 
+      # rngd may have to start early to avoid entropy starvation during boot with encrypted swap
+      unitConfig.DefaultDependencies = false;
       serviceConfig = {
         ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
           + optionalString cfg.debug " -d";
+        # PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
+        # thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
         NoNewPrivileges = true;
         PrivateNetwork = true;
-        PrivateTmp = true;
         ProtectSystem = "full";
         ProtectHome = true;
       };
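Review bot: Setting `unitConfig.DefaultDependencies = false` also drops the implicit `Conflicts=shutdown.target` / `Before=shutdown.target` that systemd adds to services, so rngd will no longer be stopped in an ordered way at shutdown; the change only mentions the early-boot motivation. Unless they are declared elsewhere in the service (not visible in this hunk), add `conflicts = [ "shutdown.target" ];` and `before = [ "shutdown.target" ];` next to the `unitConfig` line so the unit keeps the shutdown ordering while still starting early. The new comment above `NoNewPrivileges` explains a line that is no longer there, so a reader may take it as describing `NoNewPrivileges`; rephrasing it as `# PrivateTmp is deliberately not set: it would introduce a circular dependency ...` makes the omission explicit. The enclosing `systemd.services.rngd` definition starts and ends outside the hunk, so any existing `after`/`bindsTo` ordering could not be checked here.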