diff options
| -rw-r--r-- | nixos/modules/config/swap.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/security/rngd.nix | 5 |
2 files changed, 6 insertions, 1 deletions
diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix index d0fc0d4a3ea4..adb4e2294213 100644 --- a/nixos/modules/config/swap.nix +++ b/nixos/modules/config/swap.nix @@ -185,6 +185,8 @@ in { description = "Initialisation of swap device ${sw.device}"; wantedBy = [ "${realDevice'}.swap" ]; before = [ "${realDevice'}.swap" ]; + # If swap is encrypted, depending on rngd resolves a possible entropy starvation during boot + after = mkIf (config.security.rngd.enable && sw.randomEncryption.enable) [ "rngd.service" ]; path = [ pkgs.utillinux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup; script = diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix index d9d6d9c9f253..5566c53897dc 100644 --- a/nixos/modules/security/rngd.nix +++ b/nixos/modules/security/rngd.nix @@ -39,12 +39,15 @@ in description = "Hardware RNG Entropy Gatherer Daemon"; + # rngd may have to start early to avoid entropy starvation during boot with encrypted swap + unitConfig.DefaultDependencies = false; serviceConfig = { ExecStart = "${pkgs.rng-tools}/sbin/rngd -f" + optionalString cfg.debug " -d"; + # PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted, + # thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation. NoNewPrivileges = true; PrivateNetwork = true; - PrivateTmp = true; ProtectSystem = "full"; ProtectHome = true; }; |