tree adaa5b672850d94be07d149057ac3b4e9f4e48c1
parent e86ebe3e3ceac28e210c2720def1a85c16448ea6
author William A. Kennington III <wak@google.com> 1647301320 -0700
committer Willy Tu <wltu@google.com> 1647549320 +0000

meta-google: rng-tools: Only use jitter entropy if required

rngd will exit with a failure code if none of the provided entropy
schemes are present. This enables us to start a fallback service if the
hwrng is not present.

Tested:
```
$ cat /lib/systemd/system/rngd-nojitter.service
[Unit]
OnFailure=rngd.service
Conflicts=rngd.service
Description=Hardware RNG Entropy Gatherer Daemon
DefaultDependencies=no
After=systemd-udev-settle.service
Before=sysinit.target shutdown.target
Wants=systemd-udev-settle.service
Conflicts=shutdown.target

[Service]
EnvironmentFile=-/etc/default/rng-tools
ExecStart=/usr/sbin/rngd -f -x jitter $EXTRA_ARGS
CapabilityBoundingSet=CAP_SYS_ADMIN
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

[Install]
WantedBy=sysinit.target

$ cat /lib/systemd/system/rngd.service
[Unit]
Description=Hardware RNG Entropy Gatherer Daemon
DefaultDependencies=no
After=systemd-udev-settle.service
Before=sysinit.target shutdown.target
Wants=systemd-udev-settle.service
Conflicts=shutdown.target

[Service]
EnvironmentFile=-/etc/default/rng-tools
ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS
CapabilityBoundingSet=CAP_SYS_ADMIN
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

[Install]
```

Change-Id: I0ccc4ca88818b1944fe3c7914671550654980791
Signed-off-by: William A. Kennington III <wak@google.com>