diff --git a/nixos/doc/manual/installation/installing-virtualbox-guest.xml b/nixos/doc/manual/installation/installing-virtualbox-guest.xml
index 4957b700946..019e5098a8e 100644
--- a/nixos/doc/manual/installation/installing-virtualbox-guest.xml
+++ b/nixos/doc/manual/installation/installing-virtualbox-guest.xml
@@ -83,17 +83,12 @@
VirtualBox settings (Machine / Settings / Shared Folders, then click on the
"Add" icon). Add the following to the
/etc/nixos/configuration.nix to auto-mount them. If you do
- not add "nofail", the system will not boot properly. The
- same goes for disabling rngd which is normally used to get
- randomness but this does not work in virtual machines.
+ not add "nofail", the system will not boot properly.
{ config, pkgs, ...} :
{
- security.rngd.enable = false; // otherwise vm will not boot
- ...
-
fileSystems."/virtualboxshare" = {
fsType = "vboxsf";
device = "nameofthesharedfolder";
diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml
index 9894ab02500..9e7ea70b9e7 100644
--- a/nixos/doc/manual/release-notes/rl-2105.xml
+++ b/nixos/doc/manual/release-notes/rl-2105.xml
@@ -509,6 +509,15 @@ self: super:
services.flashpolicyd module.
+
+
+ The security.rngd module has been removed.
+ It was disabled by default in 20.09 as it was functionally redundent
+ with krngd in the linux kernel. It is not necessary for any device that the kernel recognises
+ as an hardware RNG, as it will automatically run the krngd task to periodically collect random
+ data from the device and mix it into the kernel's RNG.
+
+
diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix
index 4bb66e9b514..59bc9e9d11e 100644
--- a/nixos/modules/config/swap.nix
+++ b/nixos/modules/config/swap.nix
@@ -185,8 +185,6 @@ in
{ description = "Initialisation of swap device ${sw.device}";
wantedBy = [ "${realDevice'}.swap" ];
before = [ "${realDevice'}.swap" ];
- # If swap is encrypted, depending on rngd resolves a possible entropy starvation during boot
- after = mkIf (config.security.rngd.enable && sw.randomEncryption.enable) [ "rngd.service" ];
path = [ pkgs.util-linux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup;
script =
diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix
index cb885c4762d..8cca1c26d68 100644
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@@ -1,56 +1,16 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
+{ lib, ... }:
let
- cfg = config.security.rngd;
+ removed = k: lib.mkRemovedOptionModule [ "security" "rngd" k ];
in
{
- options = {
- security.rngd = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether to enable the rng daemon. Devices that the kernel recognises
- as entropy sources are handled automatically by krngd.
- '';
- };
- debug = mkOption {
- type = types.bool;
- default = false;
- description = "Whether to enable debug output (-d).";
- };
- };
- };
-
- config = mkIf cfg.enable {
- systemd.services.rngd = {
- bindsTo = [ "dev-random.device" ];
-
- after = [ "dev-random.device" ];
-
- # Clean shutdown without DefaultDependencies
- conflicts = [ "shutdown.target" ];
- before = [
- "sysinit.target"
- "shutdown.target"
- ];
-
- description = "Hardware RNG Entropy Gatherer Daemon";
-
- # rngd may have to start early to avoid entropy starvation during boot with encrypted swap
- unitConfig.DefaultDependencies = false;
- serviceConfig = {
- ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
- + optionalString cfg.debug " -d";
- # PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
- # thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
- NoNewPrivileges = true;
- PrivateNetwork = true;
- ProtectSystem = "full";
- ProtectHome = true;
- };
- };
- };
+ imports = [
+ (removed "enable" ''
+ rngd is not necessary for any device that the kernel recognises
+ as an hardware RNG, as it will automatically run the krngd task
+ to periodically collect random data from the device and mix it
+ into the kernel's RNG.
+ '')
+ (removed "debug"
+ "The rngd module was removed, so its debug option does nothing.")
+ ];
}
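Review bot: The replacement message given to `removed "enable"` explains only why rngd is redundant for devices the kernel already recognises as a hardware RNG, yet the same commit also drops the `after = [ "rngd.service" ]` ordering in swap.nix that was the stated mitigation for entropy starvation with randomly encrypted swap, and nothing in the diff says what now provides early-boot entropy on a machine without such a device. Users who set `security.rngd.enable = true` for that reason will see the removal notice and have no pointer, so the message should mention it; one added sentence would do, e.g. `The rngd.service ordering for randomly encrypted swap was dropped with it; verify your system has a kernel-recognised entropy source if you relied on rngd during early boot.` Separately, `an hardware RNG` in that message should read `a hardware RNG` (the release-notes hunk repeats the phrase and also spells `redundent`).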
diff --git a/nixos/modules/virtualisation/hyperv-guest.nix b/nixos/modules/virtualisation/hyperv-guest.nix
index 105224b8964..a3656c307f9 100644
--- a/nixos/modules/virtualisation/hyperv-guest.nix
+++ b/nixos/modules/virtualisation/hyperv-guest.nix
@@ -40,8 +40,6 @@ in {
environment.systemPackages = [ config.boot.kernelPackages.hyperv-daemons.bin ];
- security.rngd.enable = false;
-
# enable hotadding cpu/memory
services.udev.packages = lib.singleton (pkgs.writeTextFile {
name = "hyperv-cpu-and-memory-hotadd-udev-rules";