Merge pull request #171778 from zhaofengli/infnoise-0.3.2

infnoise: unstable-2019-08-12 -> 0.3.2, nixos/infnoise: init
2022-06-05 17:30:34 +00:00 · 2022-06-05 17:30:34 +00:00 · 7548b71138
parent 4697dffd3c d7432b815d
commit 7548b71138
6 changed files with 104 additions and 16 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@ -40,7 +40,7 @@
  </section>
  <section xml:id="sec-release-22.11-new-services">
    <title>New Services</title>
-    <itemizedlist spacing="compact">
+    <itemizedlist>
      <listitem>
        <para>
          <link xlink:href="https://github.com/jollheef/appvm">appvm</link>,
@ -48,6 +48,13 @@
          <link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>,
+          a hardware True Random Number Generator dongle. Available as
+          <link xlink:href="options.html#opt-services.infnoise.enable">services.infnoise</link>.
+        </para>
+      </listitem>
    </itemizedlist>
  </section>
  <section xml:id="sec-release-22.11-incompatibilities">
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@ -25,6 +25,9 @@ In addition to numerous new and upgraded packages, this release has the followin

 - [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).

+- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
+  Available as [services.infnoise](options.html#opt-services.infnoise.enable).
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

 ## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -983,6 +983,7 @@
  ./services/security/hologram-server.nix
  ./services/security/hologram-agent.nix
  ./services/security/kanidm.nix
+  ./services/security/infnoise.nix
  ./services/security/munge.nix
  ./services/security/nginx-sso.nix
  ./services/security/oauth2_proxy.nix
--- a/nixos/modules/services/security/infnoise.nix
+++ b/nixos/modules/services/security/infnoise.nix
@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.infnoise;
+in {
+  options = {
+    services.infnoise = {
+      enable = mkEnableOption "the Infinite Noise TRNG driver";
+
+      fillDevRandom = mkOption {
+        description = ''
+          Whether to run the infnoise driver as a daemon to refill /dev/random.
+
+          If disabled, you can use the `infnoise` command-line tool to
+          manually obtain randomness.
+        '';
+        type = types.bool;
+        default = true;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.infnoise ];
+
+    services.udev.extraRules = ''
+      SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service"
+    '';
+
+    systemd.services.infnoise = mkIf cfg.fillDevRandom {
+      description = "Infinite Noise TRNG driver";
+
+      bindsTo = [ "dev-infnoise.device" ];
+      after = [ "dev-infnoise.device" ];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug";
+        Restart = "always";
+        User = "infnoise";
+        DynamicUser = true;
+        SupplementaryGroups = [ "dialout" ];
+        DeviceAllow = [ "/dev/infnoise" ];
+        DevicePolicy = "closed";
+        PrivateNetwork = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true; # only reads entropy pool size and watermark
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+      };
+    };
+  };
+}
--- a/pkgs/misc/drivers/infnoise/default.nix
+++ b/pkgs/misc/drivers/infnoise/default.nix
@ -1,43 +1,60 @@
-{ lib, stdenv, fetchFromGitHub, libftdi }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, libftdi
+, infnoise, testers }:

 stdenv.mkDerivation rec {
  pname = "infnoise";
-  version = "unstable-2019-08-12";
+  version = "0.3.2";

  src = fetchFromGitHub {
-    owner = "13-37-org";
+    owner = "leetronics";
    repo = "infnoise";
-    rev = "132683d4b5ce0902468b666cba63baea36e97f0c";
-    sha256 = "1dzfzinyvhyy9zj32kqkl19fyhih6sy8r5sa3qahbbr4c30k7flp";
+    rev = "e80ddd78085abf3d06df2e0d8c08fd33dade78eb";
+    sha256 = "sha256-9MKG1InkV+yrQPBTgi2gZJ3y9Fokb6WbxuAnM7n7FyA=";
  };

-  # Patch makefile so we can set defines from the command line instead of it depending on .git
-  patches = [ ./makefile.patch ];
+  patches = [
+    # Patch makefile so we can set defines from the command line instead of it depending on .git
+    ./makefile.patch
+
+    # Fix getc return type
+    (fetchpatch {
+      url = "https://github.com/leetronics/infnoise/commit/7ed7014e14253311c07e530c8f89f1c8f4705c2b.patch";
+      sha256 = "sha256-seB/fJaxQ/rXJp5iPtnobXXOccQ2KUAk6HFx31dhOhs=";
+    })
+  ];
+
  GIT_COMMIT = src.rev;
  GIT_VERSION = version;
  GIT_DATE = "2019-08-12";

  buildInputs = [ libftdi ];

-  sourceRoot = "source/software";
  makefile = "Makefile.linux";
  makeFlags = [ "PREFIX=$(out)" ];
  postPatch = ''
+    cd software
    substituteInPlace init_scripts/infnoise.service --replace "/usr/local" "$out"
  '';

+  postInstall = ''
+    make -C tools
+    find ./tools/ -executable -type f -exec \
+      sh -c "install -Dm755 {} $out/bin/infnoise-\$(basename {})" \;
+  '';
+
+  passthru = {
+    tests.version = testers.testVersion { package = infnoise; };
+  };
+
  meta = with lib; {
-    homepage = "https://github.com/13-37-org/infnoise";
+    homepage = "https://github.com/leetronics/infnoise";
    description = "Driver for the Infinite Noise TRNG";
    longDescription = ''
      The Infinite Noise TRNG is a USB key hardware true random number generator.
      It can either provide rng for userland applications, or provide rng for the OS entropy.
-      Add the following to your system configuration for plug and play support, adding to the OS entropy:
-      systemd.packages = [ pkgs.infnoise ];
-      services.udev.packages = [ pkgs.infnoise ];
    '';
    license = licenses.cc0;
-    maintainers = with maintainers; [ StijnDW ];
+    maintainers = with maintainers; [ StijnDW zhaofengli ];
    platforms = platforms.linux;
  };
 }
--- a/pkgs/misc/drivers/infnoise/makefile.patch
+++ b/pkgs/misc/drivers/infnoise/makefile.patch
@ -1,7 +1,7 @@
 diff --git a/software/Makefile.linux b/software/Makefile.linux
 index db48aa5..df8b3d2 100644
--- a/Makefile.linux
-+++ b/Makefile.linux
+--- a/software/Makefile.linux
+++ b/software/Makefile.linux
@@ -1,6 +1,6 @@
 -GIT_VERSION := $(shell git --no-pager describe --tags --always)
 -GIT_COMMIT  := $(shell git rev-parse --verify HEAD)