diff options
Diffstat (limited to 'pkgs/os-specific/linux/esdm/default.nix')
-rw-r--r-- | pkgs/os-specific/linux/esdm/default.nix | 78 |
1 files changed, 60 insertions, 18 deletions
diff --git a/pkgs/os-specific/linux/esdm/default.nix b/pkgs/os-specific/linux/esdm/default.nix index 42e20981872..150e3b95b4f 100644 --- a/pkgs/os-specific/linux/esdm/default.nix +++ b/pkgs/os-specific/linux/esdm/default.nix @@ -9,67 +9,109 @@ , ninja , libselinux , jitterentropy - # A more detailed explaination of the following meson build options can be found - # in the source code of esdm. - # A brief explanation is given: +, botan3 +, openssl +, libkcapi + +# A more detailed explaination of the following meson build options can be found +# in the source code of esdm. +# A brief explanation is given. + +# general options , selinux ? false # enable selinux support , drngHashDrbg ? true # set the default drng callback , drngChaCha20 ? false # set the default drng callback , ais2031 ? false # set the seeding strategy to be compliant with AIS 20/31 +, sp80090c ? false # set compliance with NIST SP800-90C +, cryptoBackend ? "botan" # set backend for hash and drbg operations , linuxDevFiles ? true # enable linux /dev/random and /dev/urandom support , linuxGetRandom ? true # enable linux getrandom support -, esJitterRng ? true # enable support for the entropy source: jitter rng +, hashSha512 ? false # set the conditioning hash: SHA2-512 +, hashSha3_512 ? true # set the conditioning hash: SHA3-512 +, openSSLRandProvider ? true # build ESDM provider for OpenSSL 3.x +, botanRng ? true # build ESDM class for Botan 3.x + +# client-related options (handle with care, consult source code and meson options) +# leave as is if in doubt +, connectTimeoutExponent ? 28 # (1 << EXPONENT nanoseconds) +, rxTxTimeoutExponent ? 28 # (1 << EXPONENT nanoseconds) +, reconnectAttempts ? 10 # how often to attempt unix socket connection before giving up + +# entropy sources +, esJitterRng ? true # enable support for the entropy source: jitter rng (running in user space) +, esJitterRngEntropyRate ? 256 # amount of entropy to account for jitter rng source +, esJitterRngKernel ? true # enable support for the entropy source: jitter rng (running in kernel space) +, esJitterRngKernelEntropyRate ? 256 # amount of entropy to account for kernel jitter rng source , esCPU ? true # enable support for the entropy source: cpu-based entropy +, esCPUEntropyRate ? 8 # amount of entropy to account for cpu rng source , esKernel ? true # enable support for the entropy source: kernel-based entropy +, esKernelEntropyRate ? 128 # amount of entropy to account for kernel-based source , esIRQ ? false # enable support for the entropy source: interrupt-based entropy +, esIRQEntropyRate ? 256 # amount of entropy to account for interrupt-based source (only set irq XOR sched != 0) , esSched ? false # enable support for the entropy source: scheduler-based entropy +, esSchedEntropyRate ? 0 # amount of entropy to account for interrupt-based source (only set irq XOR sched != 0) , esHwrand ? true # enable support for the entropy source: /dev/hwrng -, hashSha512 ? false # set the conditioning hash: SHA2-512 -, hashSha3_512 ? true # set the conditioning hash: SHA3-512 +, esHwrandEntropyRate ? 128 # amount of entropy to account for /dev/hwrng-based sources }: assert drngHashDrbg != drngChaCha20; assert hashSha512 != hashSha3_512; +assert cryptoBackend == "openssl" || cryptoBackend == "botan" || cryptoBackend == "builtin" "Unsupported ESDM crypto backend"; stdenv.mkDerivation rec { pname = "esdm"; - version = "0.6.0"; + version = "1.0.0"; src = fetchFromGitHub { owner = "smuellerDD"; repo = "esdm"; rev = "v${version}"; - sha256 = "sha256-swBKVb5gnND76w2ULT+5hR/jVOqxEe4TAB1gyaLKE9Q="; + sha256 = "sha256-q6TGL1agltV9CFfcA6hZszVwGIBBngs22ZqhQgc9FeM="; }; - patches = [ - (fetchpatch { - name = "arm64.patch"; - url = "https://github.com/smuellerDD/esdm/commit/86b93a0ddf684448aba152c8f1b3baf40a6d41c0.patch"; - sha256 = "sha256-gjp13AEsDNj23fcGanAAn2KCbYKA0cphhf4mCxek9Yg="; - }) - ]; - nativeBuildInputs = [ meson pkg-config ninja ]; - buildInputs = [ protobufc fuse3 jitterentropy ] - ++ lib.optional selinux libselinux; + buildInputs = [ protobufc ] + ++ lib.optional (cryptoBackend == "botan" || botanRng) botan3 + ++ lib.optional (cryptoBackend == "openssl" || openSSLRandProvider) openssl + ++ lib.optional selinux libselinux + ++ lib.optional esJitterRng jitterentropy + ++ lib.optional linuxDevFiles fuse3 + ++ lib.optional esJitterRngKernel libkcapi; mesonFlags = [ (lib.mesonBool "b_lto" false) + (lib.mesonBool "fips140" false) (lib.mesonBool "ais2031" ais2031) + (lib.mesonBool "sp80090c" sp80090c) + (lib.mesonEnable "node" true) # multiple DRNGs + (lib.mesonOption "threading_max_threads" (toString 64)) + (lib.mesonOption "crypto_backend" cryptoBackend) (lib.mesonEnable "linux-devfiles" linuxDevFiles) (lib.mesonEnable "linux-getrandom" linuxGetRandom) + (lib.mesonOption "client-connect-timeout-exponent" (toString connectTimeoutExponent)) + (lib.mesonOption "client-rx-tx-timeout-exponent" (toString rxTxTimeoutExponent)) + (lib.mesonOption "client-reconnect-attempts" (toString reconnectAttempts)) (lib.mesonEnable "es_jent" esJitterRng) + (lib.mesonOption "es_jent_entropy_rate" (toString esJitterRngEntropyRate)) + (lib.mesonEnable "es_jent_kernel" esJitterRngKernel) + (lib.mesonOption "es_jent_kernel_entropy_rate" (toString esJitterRngKernelEntropyRate)) (lib.mesonEnable "es_cpu" esCPU) + (lib.mesonOption "es_cpu_entropy_rate" (toString esCPUEntropyRate)) (lib.mesonEnable "es_kernel" esKernel) + (lib.mesonOption "es_kernel_entropy_rate" (toString esKernelEntropyRate)) (lib.mesonEnable "es_irq" esIRQ) + (lib.mesonOption "es_irq_entropy_rate" (toString esIRQEntropyRate)) (lib.mesonEnable "es_sched" esSched) + (lib.mesonOption "es_sched_entropy_rate" (toString esSchedEntropyRate)) (lib.mesonEnable "es_hwrand" esHwrand) + (lib.mesonOption "es_hwrand_entropy_rate" (toString esHwrandEntropyRate)) (lib.mesonEnable "hash_sha512" hashSha512) (lib.mesonEnable "hash_sha3_512" hashSha3_512) (lib.mesonEnable "selinux" selinux) (lib.mesonEnable "drng_hash_drbg" drngHashDrbg) (lib.mesonEnable "drng_chacha20" drngChaCha20) + (lib.mesonEnable "openssl-rand-provider" openSSLRandProvider) + (lib.mesonEnable "botan-rng" botanRng) ]; doCheck = true; |