-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2211.section.xml9
-rw-r--r--nixos/doc/manual/release-notes/rl-2211.section.md3
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/security/infnoise.nix60
-rw-r--r--pkgs/misc/drivers/infnoise/default.nix43
-rw-r--r--pkgs/misc/drivers/infnoise/makefile.patch4
6 files changed, 104 insertions, 16 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
index 6181d2c3eeb75..4a7ef8b71686e 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -40,7 +40,7 @@
   </section>
   <section xml:id="sec-release-22.11-new-services">
     <title>New Services</title>
-    <itemizedlist spacing="compact">
+    <itemizedlist>
       <listitem>
         <para>
           <link xlink:href="https://github.com/jollheef/appvm">appvm</link>,
@@ -48,6 +48,13 @@
           <link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>,
+          a hardware True Random Number Generator dongle. Available as
+          <link xlink:href="options.html#opt-services.infnoise.enable">services.infnoise</link>.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-22.11-incompatibilities">
diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md
index 145393d0debb2..89a799cafc507 100644
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -25,6 +25,9 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).
 
+- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
+  Available as [services.infnoise](options.html#opt-services.infnoise.enable).
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 902fffd60f9b9..d59d7bfe40d9f 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -983,6 +983,7 @@
   ./services/security/hologram-server.nix
   ./services/security/hologram-agent.nix
   ./services/security/kanidm.nix
+  ./services/security/infnoise.nix
   ./services/security/munge.nix
   ./services/security/nginx-sso.nix
   ./services/security/oauth2_proxy.nix
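Review bot: The new `./services/security/infnoise.nix` entry is inserted after `kanidm.nix`, which breaks the alphabetical order the surrounding `services/security/` entries follow (hologram, kanidm, munge, nginx-sso, oauth2_proxy). Move it one line up so it sits between `hologram-agent.nix` and `kanidm.nix`; this keeps the list easy to scan and avoids merge conflicts from other additions landing in the same spot.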
diff --git a/nixos/modules/services/security/infnoise.nix b/nixos/modules/services/security/infnoise.nix
new file mode 100644
index 0000000000000..4fb8adaf33f89
--- /dev/null
+++ b/nixos/modules/services/security/infnoise.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.infnoise;
+in {
+  options = {
+    services.infnoise = {
+      enable = mkEnableOption "the Infinite Noise TRNG driver";
+
+      fillDevRandom = mkOption {
+        description = ''
+          Whether to run the infnoise driver as a daemon to refill /dev/random.
+
+          If disabled, you can use the `infnoise` command-line tool to
+          manually obtain randomness.
+        '';
+        type = types.bool;
+        default = true;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.infnoise ];
+
+    services.udev.extraRules = ''
+      SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service"
+    '';
+
+    systemd.services.infnoise = mkIf cfg.fillDevRandom {
+      description = "Infinite Noise TRNG driver";
+
+      bindsTo = [ "dev-infnoise.device" ];
+      after = [ "dev-infnoise.device" ];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug";
+        Restart = "always";
+        User = "infnoise";
+        DynamicUser = true;
+        SupplementaryGroups = [ "dialout" ];
+        DeviceAllow = [ "/dev/infnoise" ];
+        DevicePolicy = "closed";
+        PrivateNetwork = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true; # only reads entropy pool size and watermark
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+      };
+    };
+  };
+}
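Review bot: The udev rule in `services.udev.extraRules` matches only on `idVendor`/`idProduct` 0403:6015, which as far as I know is FTDI's generic FT-X series id shared by ordinary FT230X/FT231X serial adapters, so any such adapter plugged in would be regrouped to `dialout`, symlinked to `/dev/infnoise` and would start `infnoise.service`, which then feeds that device's output into the kernel pool. If the dongle exposes a distinctive descriptor, narrow the match, e.g. add `ATTRS{product}=="…"` (the string reported by `udevadm info` for the real dongle) or match on its serial; I cannot confirm the exact descriptor from this diff. Consider also a dedicated group instead of `dialout` with `MODE="0664"`: `dialout` is widely granted for serial access, and every member can currently read the raw entropy stream or talk to the device concurrently with the daemon, whereas `users.groups.infnoise = {};` plus `SupplementaryGroups = [ "infnoise" ];` would confine access to the service. Separately, `--debug` in `ExecStart` looks like leftover verbosity for a long-running daemon; unless that output is wanted in the journal, drop it or gate it behind an option.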
diff --git a/pkgs/misc/drivers/infnoise/default.nix b/pkgs/misc/drivers/infnoise/default.nix
index b64cb56c40760..47ff00459923f 100644
--- a/pkgs/misc/drivers/infnoise/default.nix
+++ b/pkgs/misc/drivers/infnoise/default.nix
@@ -1,43 +1,60 @@
-{ lib, stdenv, fetchFromGitHub, libftdi }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, libftdi
+, infnoise, testers }:
 
 stdenv.mkDerivation rec {
   pname = "infnoise";
-  version = "unstable-2019-08-12";
+  version = "0.3.2";
 
   src = fetchFromGitHub {
-    owner = "13-37-org";
+    owner = "leetronics";
     repo = "infnoise";
-    rev = "132683d4b5ce0902468b666cba63baea36e97f0c";
-    sha256 = "1dzfzinyvhyy9zj32kqkl19fyhih6sy8r5sa3qahbbr4c30k7flp";
+    rev = "e80ddd78085abf3d06df2e0d8c08fd33dade78eb";
+    sha256 = "sha256-9MKG1InkV+yrQPBTgi2gZJ3y9Fokb6WbxuAnM7n7FyA=";
   };
 
-  # Patch makefile so we can set defines from the command line instead of it depending on .git
-  patches = [ ./makefile.patch ];
+  patches = [
+    # Patch makefile so we can set defines from the command line instead of it depending on .git
+    ./makefile.patch
+
+    # Fix getc return type
+    (fetchpatch {
+      url = "https://github.com/leetronics/infnoise/commit/7ed7014e14253311c07e530c8f89f1c8f4705c2b.patch";
+      sha256 = "sha256-seB/fJaxQ/rXJp5iPtnobXXOccQ2KUAk6HFx31dhOhs=";
+    })
+  ];
+
   GIT_COMMIT = src.rev;
   GIT_VERSION = version;
   GIT_DATE = "2019-08-12";
 
   buildInputs = [ libftdi ];
 
-  sourceRoot = "source/software";
   makefile = "Makefile.linux";
   makeFlags = [ "PREFIX=$(out)" ];
   postPatch = ''
+    cd software
     substituteInPlace init_scripts/infnoise.service --replace "/usr/local" "$out"
   '';
 
+  postInstall = ''
+    make -C tools
+    find ./tools/ -executable -type f -exec \
+      sh -c "install -Dm755 {} $out/bin/infnoise-\$(basename {})" \;
+  '';
+
+  passthru = {
+    tests.version = testers.testVersion { package = infnoise; };
+  };
+
   meta = with lib; {
-    homepage = "https://github.com/13-37-org/infnoise";
+    homepage = "https://github.com/leetronics/infnoise";
     description = "Driver for the Infinite Noise TRNG";
     longDescription = ''
       The Infinite Noise TRNG is a USB key hardware true random number generator.
       It can either provide rng for userland applications, or provide rng for the OS entropy.
-      Add the following to your system configuration for plug and play support, adding to the OS entropy:
-      systemd.packages = [ pkgs.infnoise ];
-      services.udev.packages = [ pkgs.infnoise ];
     '';
     license = licenses.cc0;
-    maintainers = with maintainers; [ StijnDW ];
+    maintainers = with maintainers; [ StijnDW zhaofengli ];
     platforms = platforms.linux;
   };
 }
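Review bot: `GIT_DATE` is still `"2019-08-12"` while `version` moves to 0.3.2 and `src.rev` to a new commit, so the date compiled into the binary's version banner (via the patched Makefile defines) no longer corresponds to the sources being built; set it to the date of the 0.3.2 commit, which is not visible in this diff. The `postInstall` loop `find ./tools/ -executable -type f` installs every executable file under `tools/`, which would include any checked-in scripts, not only the binaries produced by `make -C tools`; if the directory holds such files, prefer an explicit list of the built targets. The `fetchpatch` and `fetchFromGitHub` entries are pinned by commit hash and `sha256`, which is the right way to fix the supply-chain inputs here.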
diff --git a/pkgs/misc/drivers/infnoise/makefile.patch b/pkgs/misc/drivers/infnoise/makefile.patch
index b38519036d2c3..871a6c508ce65 100644
--- a/pkgs/misc/drivers/infnoise/makefile.patch
+++ b/pkgs/misc/drivers/infnoise/makefile.patch
@@ -1,7 +1,7 @@
 diff --git a/software/Makefile.linux b/software/Makefile.linux
 index db48aa5..df8b3d2 100644
---- a/Makefile.linux
-+++ b/Makefile.linux
+--- a/software/Makefile.linux
++++ b/software/Makefile.linux
 @@ -1,6 +1,6 @@
 -GIT_VERSION := $(shell git --no-pager describe --tags --always)
 -GIT_COMMIT  := $(shell git rev-parse --verify HEAD)