Commit 9d6cd347 authored by Oliver Richter's avatar Oliver Richter

esdm: init at 0.6.0

parent 4d06b437
+1 −0
@@ -1108,6 +1108,7 @@
  ./services/security/clamav.nix
  ./services/security/endlessh-go.nix
  ./services/security/endlessh.nix
  ./services/security/esdm.nix
  ./services/security/fail2ban.nix
  ./services/security/fprintd.nix
  ./services/security/haka.nix
+102 −0
{ lib, config, pkgs, ... }:

let
  cfg = config.services.esdm;
in
{
  options.services.esdm = {
    enable = lib.mkEnableOption (lib.mdDoc "ESDM service configuration");
    package = lib.mkPackageOptionMD pkgs "esdm" { };
    serverEnable = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = lib.mdDoc ''
        Enable option for ESDM server service. If serverEnable == false, then the esdm-server
        will not start. Also the subsequent services esdm-cuse-random, esdm-cuse-urandom
        and esdm-proc will not start as these have the entry Want=esdm-server.service.
      '';
    };
    cuseRandomEnable = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = lib.mdDoc ''
        Enable option for ESDM cuse-random service. Determines if the esdm-cuse-random.service
        is started.
      '';
    };
    cuseUrandomEnable = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = lib.mdDoc ''
        Enable option for ESDM cuse-urandom service. Determines if the esdm-cuse-urandom.service
        is started.
      '';
    };
    procEnable = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = lib.mdDoc ''
        Enable option for ESDM proc service. Determines if the esdm-proc.service
        is started.
      '';
    };
    verbose = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = lib.mdDoc ''
        Enable verbose ExecStart for ESDM. If verbose == true, then the corresponding "ExecStart"
        values of the 4 aforementioned services are overwritten with the option
        for the highest verbosity.
      '';
    };
  };

  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      ({
        systemd.packages = [ cfg.package ];
      })
      # It is necessary to set those options for these services to be started by systemd in NixOS
      (lib.mkIf cfg.serverEnable {
        systemd.services."esdm-server".wantedBy = [ "basic.target" ];
        systemd.services."esdm-server".serviceConfig = lib.mkIf cfg.verbose {
          ExecStart = [
            " " # unset previous value defined in 'esdm-server.service'
            "${cfg.package}/bin/esdm-server -f -vvvvvv"
          ];
        };
      })

      (lib.mkIf cfg.cuseRandomEnable {
        systemd.services."esdm-cuse-random".wantedBy = [ "basic.target" ];
        systemd.services."esdm-cuse-random".serviceConfig = lib.mkIf cfg.verbose {
          ExecStart = [
            " " # unset previous value defined in 'esdm-cuse-random.service'
            "${cfg.package}/bin/esdm-cuse-random -f -v 6"
          ];
        };
      })

      (lib.mkIf cfg.cuseUrandomEnable {
        systemd.services."esdm-cuse-urandom".wantedBy = [ "basic.target" ];
        systemd.services."esdm-cuse-urandom".serviceConfig = lib.mkIf cfg.verbose {
          ExecStart = [
            " " # unset previous value defined in 'esdm-cuse-urandom.service'
            "${config.services.esdm.package}/bin/esdm-cuse-urandom -f -v 6"
          ];
        };
      })

      (lib.mkIf cfg.procEnable {
        systemd.services."esdm-proc".wantedBy = [ "basic.target" ];
        systemd.services."esdm-proc".serviceConfig = lib.mkIf cfg.verbose {
          ExecStart = [
            " " # unset previous value defined in 'esdm-proc.service'
            "${cfg.package}/bin/esdm-proc --relabel -f -o allow_other /proc/sys/kernel/random -v 6"
          ];
        };
      })
    ]);

  meta.maintainers = with lib.maintainers; [ orichter thillux ];
}
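Review bot: The serverEnable description says the cuse and proc services will not start when serverEnable = false because they carry Wants=esdm-server.service, but Wants= is a pull-in dependency rather than a gate: with the defaults in this module esdm-cuse-random, esdm-cuse-urandom and esdm-proc are still wantedBy basic.target and, if the upstream units really use Wants= as the description states, would pull esdm-server in themselves, so the option does not stop the server as documented. Either default the three dependent options to cfg.serverEnable or add an assertion such as `assertions = [{ assertion = cfg.serverEnable || !(cfg.cuseRandomEnable || cfg.cuseUrandomEnable || cfg.procEnable); message = "services.esdm: esdm-cuse-* and esdm-proc require serverEnable = true"; }];`. The verbose branch also restates each unit's full command line (including `-o allow_other` for esdm-proc), so any argument or hardening change in a future esdm release is silently dropped whenever verbose = true; a comment such as `# NOTE: keep in sync with the ExecStart= lines shipped in cfg.package` would make that maintenance obligation visible. Minor: the esdm-cuse-urandom override uses `config.services.esdm.package` where the other three use `cfg.package`.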
+87 −0
{ lib
, stdenv
, fetchFromGitHub
, fetchpatch
, protobufc
, pkg-config
, fuse3
, meson
, ninja
, libselinux
, jitterentropy
  # A more detailed explaination of the following meson build options can be found
  # in the source code of esdm.
  # A brief explanation is given:
, selinux ? false # enable selinux support
, drngHashDrbg ? true  # set the default drng callback
, drngChaCha20 ? false # set the default drng callback
, ais2031 ? false # set the seeding strategy to be compliant with AIS 20/31
, linuxDevFiles ? true # enable linux /dev/random and /dev/urandom support
, linuxGetRandom ? true # enable linux getrandom support
, esJitterRng ? true # enable support for the entropy source: jitter rng
, esCPU ? true # enable support for the entropy source: cpu-based entropy
, esKernel ? true # enable support for the entropy source: kernel-based entropy
, esIRQ ? false # enable support for the entropy source: interrupt-based entropy
, esSched ? false # enable support for the entropy source: scheduler-based entropy
, esHwrand ? true # enable support for the entropy source: /dev/hwrng
, hashSha512 ? false # set the conditioning hash: SHA2-512
, hashSha3_512 ? true # set the conditioning hash: SHA3-512
}:

assert drngHashDrbg != drngChaCha20;
assert hashSha512 != hashSha3_512;

stdenv.mkDerivation rec {
  pname = "esdm";
  version = "0.6.0";

  src = fetchFromGitHub {
    owner = "smuellerDD";
    repo = "esdm";
    rev = "v${version}";
    sha256 = "sha256-swBKVb5gnND76w2ULT+5hR/jVOqxEe4TAB1gyaLKE9Q=";
  };

  patches = [
    (fetchpatch {
      name = "arm64.patch";
      url = "https://github.com/smuellerDD/esdm/commit/86b93a0ddf684448aba152c8f1b3baf40a6d41c0.patch";
      sha256 = "sha256-gjp13AEsDNj23fcGanAAn2KCbYKA0cphhf4mCxek9Yg=";
    })
  ];

  nativeBuildInputs = [ meson pkg-config ninja ];
  buildInputs = [ protobufc fuse3 jitterentropy ]
    ++ lib.optional selinux libselinux;

  mesonFlags = [
    (lib.mesonBool "b_lto" false)
    (lib.mesonBool "ais2031" ais2031)
    (lib.mesonEnable "linux-devfiles" linuxDevFiles)
    (lib.mesonEnable "linux-getrandom" linuxGetRandom)
    (lib.mesonEnable "es_jent" esJitterRng)
    (lib.mesonEnable "es_cpu" esCPU)
    (lib.mesonEnable "es_kernel" esKernel)
    (lib.mesonEnable "es_irq" esIRQ)
    (lib.mesonEnable "es_sched" esSched)
    (lib.mesonEnable "es_hwrand" esHwrand)
    (lib.mesonEnable "hash_sha512" hashSha512)
    (lib.mesonEnable "hash_sha3_512" hashSha3_512)
    (lib.mesonEnable "selinux" selinux)
    (lib.mesonEnable "drng_hash_drbg" drngHashDrbg)
    (lib.mesonEnable "drng_chacha20" drngChaCha20)
  ];

  doCheck = true;

  strictDeps = true;
  mesonBuildType = "release";

  meta = {
    homepage = "https://www.chronox.de/esdm.html";
    description = "Entropy Source and DRNG Manager in user space";
    license = with lib.licenses; [ gpl2Only bsd3 ];
    platforms = lib.platforms.linux;
    maintainers = with lib.maintainers; [ orichter thillux ];
  };
}
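Review bot: The two bare `assert` lines that enforce exactly one DRNG backend and one conditioning hash fail with Nix's generic "assertion failed" message, which does not tell someone overriding `drngChaCha20 = true` that they must also set `drngHashDrbg = false`; prefer `assert lib.assertMsg (drngHashDrbg != drngChaCha20) "esdm: enable exactly one of drngHashDrbg / drngChaCha20";` and the equivalent for `hashSha512` / `hashSha3_512`. `(lib.mesonBool "b_lto" false)` is the only build flag with no explanation, while every other option is commented in the parameter list; a short why-comment on that line would let a reader tell a build workaround from a deliberate choice, which matters for a package whose output is the system's entropy provider. The parameter-list comment also misspells "explaination"; it is hunk text, so only noting it here.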
+2 −0
@@ -27254,6 +27254,8 @@ with pkgs;
  dstat = callPackage ../os-specific/linux/dstat { };
  esdm = callPackage ../os-specific/linux/esdm { };
  evdev-proto = callPackage ../os-specific/bsd/freebsd/evdev-proto { };
  fscryptctl = callPackage ../os-specific/linux/fscryptctl { };