+12

maintainers/maintainer-list.nix

··· 12401 12401 githubId = 75299; 12402 12402 name = "Malcolm Matalka"; 12403 12403 }; 12404 12404 + orichter = { 12405 12405 + email = "richter-oliver@gmx.net"; 12406 12406 + github = "RichterOliver"; 12407 12407 + githubId = 135209509; 12408 12408 + name = "Oliver Richter"; 12409 12409 + }; 12404 12410 orivej = { 12405 12411 email = "orivej@gmx.fr"; 12406 12412 github = "orivej"; ··· 16386 16392 email = "nix@henning-thielemann.de"; 16387 16393 github = "thielema"; 16388 16394 githubId = 898989; 16395 16395 + }; 16396 16396 + thillux = { 16397 16397 + name = "Markus Theil"; 16398 16398 + email = "theil.markus@gmail.com"; 16399 16399 + github = "thillux"; 16400 16400 + githubId = 2171995; 16389 16401 }; 16390 16402 thilobillerbeck = { 16391 16403 name = "Thilo Billerbeck";

+1

nixos/modules/module-list.nix

··· 1108 1108 ./services/security/clamav.nix 1109 1109 ./services/security/endlessh-go.nix 1110 1110 ./services/security/endlessh.nix 1111 1111 + ./services/security/esdm.nix 1111 1112 ./services/security/fail2ban.nix 1112 1113 ./services/security/fprintd.nix 1113 1114 ./services/security/haka.nix

+102

nixos/modules/services/security/esdm.nix

··· 1 1 + { lib, config, pkgs, ... }: 2 2 + 3 3 + let 4 4 + cfg = config.services.esdm; 5 5 + in 6 6 + { 7 7 + options.services.esdm = { 8 8 + enable = lib.mkEnableOption (lib.mdDoc "ESDM service configuration"); 9 9 + package = lib.mkPackageOptionMD pkgs "esdm" { }; 10 10 + serverEnable = lib.mkOption { 11 11 + type = lib.types.bool; 12 12 + default = true; 13 13 + description = lib.mdDoc '' 14 14 + Enable option for ESDM server service. If serverEnable == false, then the esdm-server 15 15 + will not start. Also the subsequent services esdm-cuse-random, esdm-cuse-urandom 16 16 + and esdm-proc will not start as these have the entry Want=esdm-server.service. 17 17 + ''; 18 18 + }; 19 19 + cuseRandomEnable = lib.mkOption { 20 20 + type = lib.types.bool; 21 21 + default = true; 22 22 + description = lib.mdDoc '' 23 23 + Enable option for ESDM cuse-random service. Determines if the esdm-cuse-random.service 24 24 + is started. 25 25 + ''; 26 26 + }; 27 27 + cuseUrandomEnable = lib.mkOption { 28 28 + type = lib.types.bool; 29 29 + default = true; 30 30 + description = lib.mdDoc '' 31 31 + Enable option for ESDM cuse-urandom service. Determines if the esdm-cuse-urandom.service 32 32 + is started. 33 33 + ''; 34 34 + }; 35 35 + procEnable = lib.mkOption { 36 36 + type = lib.types.bool; 37 37 + default = true; 38 38 + description = lib.mdDoc '' 39 39 + Enable option for ESDM proc service. Determines if the esdm-proc.service 40 40 + is started. 41 41 + ''; 42 42 + }; 43 43 + verbose = lib.mkOption { 44 44 + type = lib.types.bool; 45 45 + default = false; 46 46 + description = lib.mdDoc '' 47 47 + Enable verbose ExecStart for ESDM. If verbose == true, then the corresponding "ExecStart" 48 48 + values of the 4 aforementioned services are overwritten with the option 49 49 + for the highest verbosity. 50 50 + ''; 51 51 + }; 52 52 + }; 53 53 + 54 54 + config = lib.mkIf cfg.enable ( 55 55 + lib.mkMerge [ 56 56 + ({ 57 57 + systemd.packages = [ cfg.package ]; 58 58 + }) 59 59 + # It is necessary to set those options for these services to be started by systemd in NixOS 60 60 + (lib.mkIf cfg.serverEnable { 61 61 + systemd.services."esdm-server".wantedBy = [ "basic.target" ]; 62 62 + systemd.services."esdm-server".serviceConfig = lib.mkIf cfg.verbose { 63 63 + ExecStart = [ 64 64 + " " # unset previous value defined in 'esdm-server.service' 65 65 + "${cfg.package}/bin/esdm-server -f -vvvvvv" 66 66 + ]; 67 67 + }; 68 68 + }) 69 69 + 70 70 + (lib.mkIf cfg.cuseRandomEnable { 71 71 + systemd.services."esdm-cuse-random".wantedBy = [ "basic.target" ]; 72 72 + systemd.services."esdm-cuse-random".serviceConfig = lib.mkIf cfg.verbose { 73 73 + ExecStart = [ 74 74 + " " # unset previous value defined in 'esdm-cuse-random.service' 75 75 + "${cfg.package}/bin/esdm-cuse-random -f -v 6" 76 76 + ]; 77 77 + }; 78 78 + }) 79 79 + 80 80 + (lib.mkIf cfg.cuseUrandomEnable { 81 81 + systemd.services."esdm-cuse-urandom".wantedBy = [ "basic.target" ]; 82 82 + systemd.services."esdm-cuse-urandom".serviceConfig = lib.mkIf cfg.verbose { 83 83 + ExecStart = [ 84 84 + " " # unset previous value defined in 'esdm-cuse-urandom.service' 85 85 + "${config.services.esdm.package}/bin/esdm-cuse-urandom -f -v 6" 86 86 + ]; 87 87 + }; 88 88 + }) 89 89 + 90 90 + (lib.mkIf cfg.procEnable { 91 91 + systemd.services."esdm-proc".wantedBy = [ "basic.target" ]; 92 92 + systemd.services."esdm-proc".serviceConfig = lib.mkIf cfg.verbose { 93 93 + ExecStart = [ 94 94 + " " # unset previous value defined in 'esdm-proc.service' 95 95 + "${cfg.package}/bin/esdm-proc --relabel -f -o allow_other /proc/sys/kernel/random -v 6" 96 96 + ]; 97 97 + }; 98 98 + }) 99 99 + ]); 100 100 + 101 101 + meta.maintainers = with lib.maintainers; [ orichter thillux ]; 102 102 + }

+87

pkgs/os-specific/linux/esdm/default.nix

··· 1 1 + { lib 2 2 + , stdenv 3 3 + , fetchFromGitHub 4 4 + , fetchpatch 5 5 + , protobufc 6 6 + , pkg-config 7 7 + , fuse3 8 8 + , meson 9 9 + , ninja 10 10 + , libselinux 11 11 + , jitterentropy 12 12 + # A more detailed explaination of the following meson build options can be found 13 13 + # in the source code of esdm. 14 14 + # A brief explanation is given: 15 15 + , selinux ? false # enable selinux support 16 16 + , drngHashDrbg ? true # set the default drng callback 17 17 + , drngChaCha20 ? false # set the default drng callback 18 18 + , ais2031 ? false # set the seeding strategy to be compliant with AIS 20/31 19 19 + , linuxDevFiles ? true # enable linux /dev/random and /dev/urandom support 20 20 + , linuxGetRandom ? true # enable linux getrandom support 21 21 + , esJitterRng ? true # enable support for the entropy source: jitter rng 22 22 + , esCPU ? true # enable support for the entropy source: cpu-based entropy 23 23 + , esKernel ? true # enable support for the entropy source: kernel-based entropy 24 24 + , esIRQ ? false # enable support for the entropy source: interrupt-based entropy 25 25 + , esSched ? false # enable support for the entropy source: scheduler-based entropy 26 26 + , esHwrand ? true # enable support for the entropy source: /dev/hwrng 27 27 + , hashSha512 ? false # set the conditioning hash: SHA2-512 28 28 + , hashSha3_512 ? true # set the conditioning hash: SHA3-512 29 29 + }: 30 30 + 31 31 + assert drngHashDrbg != drngChaCha20; 32 32 + assert hashSha512 != hashSha3_512; 33 33 + 34 34 + stdenv.mkDerivation rec { 35 35 + pname = "esdm"; 36 36 + version = "0.6.0"; 37 37 + 38 38 + src = fetchFromGitHub { 39 39 + owner = "smuellerDD"; 40 40 + repo = "esdm"; 41 41 + rev = "v${version}"; 42 42 + sha256 = "sha256-swBKVb5gnND76w2ULT+5hR/jVOqxEe4TAB1gyaLKE9Q="; 43 43 + }; 44 44 + 45 45 + patches = [ 46 46 + (fetchpatch { 47 47 + name = "arm64.patch"; 48 48 + url = "https://github.com/smuellerDD/esdm/commit/86b93a0ddf684448aba152c8f1b3baf40a6d41c0.patch"; 49 49 + sha256 = "sha256-gjp13AEsDNj23fcGanAAn2KCbYKA0cphhf4mCxek9Yg="; 50 50 + }) 51 51 + ]; 52 52 + 53 53 + nativeBuildInputs = [ meson pkg-config ninja ]; 54 54 + buildInputs = [ protobufc fuse3 jitterentropy ] 55 55 + ++ lib.optional selinux libselinux; 56 56 + 57 57 + mesonFlags = [ 58 58 + (lib.mesonBool "b_lto" false) 59 59 + (lib.mesonBool "ais2031" ais2031) 60 60 + (lib.mesonEnable "linux-devfiles" linuxDevFiles) 61 61 + (lib.mesonEnable "linux-getrandom" linuxGetRandom) 62 62 + (lib.mesonEnable "es_jent" esJitterRng) 63 63 + (lib.mesonEnable "es_cpu" esCPU) 64 64 + (lib.mesonEnable "es_kernel" esKernel) 65 65 + (lib.mesonEnable "es_irq" esIRQ) 66 66 + (lib.mesonEnable "es_sched" esSched) 67 67 + (lib.mesonEnable "es_hwrand" esHwrand) 68 68 + (lib.mesonEnable "hash_sha512" hashSha512) 69 69 + (lib.mesonEnable "hash_sha3_512" hashSha3_512) 70 70 + (lib.mesonEnable "selinux" selinux) 71 71 + (lib.mesonEnable "drng_hash_drbg" drngHashDrbg) 72 72 + (lib.mesonEnable "drng_chacha20" drngChaCha20) 73 73 + ]; 74 74 + 75 75 + doCheck = true; 76 76 + 77 77 + strictDeps = true; 78 78 + mesonBuildType = "release"; 79 79 + 80 80 + meta = { 81 81 + homepage = "https://www.chronox.de/esdm.html"; 82 82 + description = "Entropy Source and DRNG Manager in user space"; 83 83 + license = with lib.licenses; [ gpl2Only bsd3 ]; 84 84 + platforms = lib.platforms.linux; 85 85 + maintainers = with lib.maintainers; [ orichter thillux ]; 86 86 + }; 87 87 + }

+2

pkgs/top-level/all-packages.nix

··· 27258 27258 27259 27259 dstat = callPackage ../os-specific/linux/dstat { }; 27260 27260 27261 27261 + esdm = callPackage ../os-specific/linux/esdm { }; 27262 27262 + 27261 27263 evdev-proto = callPackage ../os-specific/bsd/freebsd/evdev-proto { }; 27262 27264 27263 27265 fscryptctl = callPackage ../os-specific/linux/fscryptctl { };