kernel: enable RANDOM_TRUST_BOOTLOADER on >= 5.4

> Some bootloaders can provide entropy to increase the kernel's initial device randomness.

This allows, for example, EFI to provide 64 bytes. In general, my opinion is that an attacker
who can manipulate the random seed sufficiently to cause problems likely has other,
more direct approaches at their disposal as well.
Graham Christensen 2022-03-22 22:01:54 -04:00
parent 105c8d02d2
commit a5c28278f9


@ -479,6 +479,7 @@ let
DEFAULT_SECURITY_APPARMOR = yes;
RANDOM_TRUST_CPU = whenAtLeast "4.19" yes; # allow RDRAND to seed the RNG
RANDOM_TRUST_BOOTLOADER = whenAtLeast "5.4" yes; # allow the bootloader to seed the RNG
MODULE_SIG = no; # r13y, generates a random key during build and bakes it in
# Depends on MODULE_SIG and only really helps when you sign your modules
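Review bot: the comment on the new line, `# allow the bootloader to seed the RNG`, understates what this option actually decides: the kernel mixes a bootloader-supplied seed (such as the 64 bytes from EFI mentioned in the commit message) into the input pool whether or not RANDOM_TRUST_BOOTLOADER is set; the option controls whether that seed is *credited* as entropy, which is what lets the CRNG initialize and `getrandom()` unblock early on machines without RDRAND or another fast source. Suggest wording it to match the trust decision, mirroring the RDRAND line above it, e.g. `RANDOM_TRUST_BOOTLOADER = whenAtLeast "5.4" yes; # credit the bootloader-provided seed (e.g. EFI RNG) as entropy`, so a later reviewer sees that the firmware is being trusted for entropy accounting, not merely permitted to contribute bytes. The `whenAtLeast "5.4"` guard is correct, since the option was introduced in that release.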