From 35741e488bdd3a530469679df3c584f6c50ead46 Mon Sep 17 00:00:00 2001
From: Huang Xin
Date: Thu, 7 Jul 2022 06:21:01 -0700
Subject: [PATCH] Support rng-tools for security options
---
 .../libjitterentropy_3.4.0.bb | 30 +++++++++
 .../rng-tools/rng-tools/default | 1 +
 .../recipes-support/rng-tools/rng-tools/init | 42 +++++++++++++
 .../rng-tools/rng-tools/rngd.service | 33 ++++++++++
 .../rng-tools/rng-tools_6.15.bb | 62 +++++++++++++++++++
 .../images/mtk-image-aud-8516.bb | 1 +
 src/apps/aud-base/service/appmainprog.sh | 2 +
 7 files changed, 171 insertions(+)
 create mode 100644 meta/meta-mediatek-aud/recipes-support/libjitterentropy/libjitterentropy_3.4.0.bb
 create mode 100644 meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools/default
 create mode 100644 meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools/init
 create mode 100644 meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools/rngd.service
 create mode 100644 meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools_6.15.bb
diff --git a/meta/meta-mediatek-aud/recipes-support/libjitterentropy/libjitterentropy_3.4.0.bb b/meta/meta-mediatek-aud/recipes-support/libjitterentropy/libjitterentropy_3.4.0.bb
new file mode 100644
index 000000000..1d291cc35
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/libjitterentropy/libjitterentropy_3.4.0.bb
@@ -0,0 +1,30 @@
+SUMMARY = "Hardware RNG based on CPU timing jitter"
+DESCRIPTION = "The Jitter RNG provides a noise source using the CPU execution timing jitter. \
+It does not depend on any system resource other than a high-resolution time \
+stamp. It is a small-scale, yet fast entropy source that is viable in almost \
+all environments and on a lot of CPU architectures."
+HOMEPAGE = "http://www.chronox.de/jent.html"
+LICENSE = "GPL-2.0-or-later | BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=64a87180908540620ce364b5e69b3b03 \
+ file://LICENSE.gplv2;md5=eb723b61539feef013de476e68b5c50a \
+ file://LICENSE.bsd;md5=66a5cedaf62c4b2637025f049f9b826f \
+ "
+SRC_URI = "git://github.com/smuellerDD/jitterentropy-library.git;branch=master;protocol=https"
+SRCREV = "2e5019cfe63038faaa405ce53715effe4ea580e4"
+S = "${WORKDIR}/git"
+
+# remove at next version upgrade or when output changes
+HASHEQUIV_HASH_VERSION .= ".2"
+
+do_configure[noexec] = "1"
+
+LDFLAGS += "-Wl,-O0"
+
+do_install () {
+ oe_runmake install INCDIR="/include" \
+ DESTDIR="${D}" \
+ PREFIX="${exec_prefix}" \
+ LIBDIR="${baselib}" \
+ INSTALL_STRIP="install"
+}
+
diff --git a/meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools/default b/meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools/default
new file mode 100644
index 000000000..b9f8e0363
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools/default
@@ -0,0 +1 @@
+EXTRA_ARGS="-r /dev/hwrng"
diff --git a/meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools/init b/meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools/init
new file mode 100644
index 000000000..13f0ecd37
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools/init
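Review bot: `LDFLAGS += "-Wl,-O0"` in the libjitterentropy recipe carries no explanation, and in a recipe for an entropy source an odd-looking optimisation flag is exactly the kind of line a later cleanup removes. The line appears to be carried over from the oe-core recipe of the same version, presumably to keep the timing-sensitive jitter collector free of link-time optimisation as the upstream build requires — confirm that reason against the upstream Makefile before recording it, e.g. `# Keep the linker from optimising the timing-sensitive jitter collector (matches upstream build flags); do not remove`. Likewise `do_configure[noexec] = "1"` deserves a one-liner such as `# upstream ships a plain Makefile, no configure step` so nobody tries to add autotools to it.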
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+# This is an init script for openembedded
+# Copy it to @SYSCONFDIR@/init.d/rng-tools and type
+# > update-rc.d rng-tools defaults 60
+#
+
+rngd=@SBINDIR@/rngd
+test -x "$rngd" || exit 1
+
+[ -r @SYSCONFDIR@/default/rng-tools ] && . "@SYSCONFDIR@/default/rng-tools"
+
+case "$1" in
+ start)
+ echo -n "Starting random number generator daemon"
+ start-stop-daemon -S -q -x $rngd -- $EXTRA_ARGS
+ echo "."
+ ;;
+ stop)
+ echo -n "Stopping random number generator daemon"
+ start-stop-daemon -K -q -n rngd
+ echo "."
+ ;;
+ reload|force-reload)
+ echo -n "Signalling rng daemon restart"
+ start-stop-daemon -K -q -s 1 -x $rngd
+ start-stop-daemon -K -q -s 1 -x $rngd
+ ;;
+ restart)
+ echo -n "Stopping random number generator daemon"
+ start-stop-daemon -K -q -n rngd
+ echo "."
+ echo -n "Starting random number generator daemon"
+ start-stop-daemon -S -q -x $rngd -- $EXTRA_ARGS
+ echo "."
+ ;;
+ *)
+ echo "Usage: @SYSCONFDIR@/init.d/rng-tools {start|stop|reload|restart|force-reload}"
+ exit 1
+esac
+
+exit 0
diff --git a/meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools/rngd.service b/meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools/rngd.service
new file mode 100644
index 000000000..568686e80
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools/rngd.service
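Review bot: The `reload|force-reload` arm sends SIGHUP twice with two identical `start-stop-daemon -K -q -s 1 -x $rngd` lines, which reads as a duplicated paste rather than intent, and unlike every other arm it never closes its `echo -n` status line with `echo "."`. Keep a single `start-stop-daemon -K -q -s 1 -x $rngd` and follow it with `echo "."`. `echo -n` is also not POSIX under `#!/bin/sh`; dash and busybox accept it, but `printf '%s' "Starting random number generator daemon"` is the portable spelling. `$EXTRA_ARGS` is intentionally unquoted so the options from `@SYSCONFDIR@/default/rng-tools` word-split — that file is sourced as shell code, so it must stay root-owned and not world-writable, which the recipe's `install -Dm 0644` satisfies; a comment on the `.` line saying so would keep a future edit from loosening it.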
@@ -0,0 +1,33 @@
+[Unit]
+Description=Hardware RNG Entropy Gatherer Daemon
+DefaultDependencies=no
+After=systemd-udev-settle.service
+Before=sysinit.target shutdown.target
+Wants=systemd-udev-settle.service
+Conflicts=shutdown.target
+
+[Service]
+EnvironmentFile=-@SYSCONFDIR@/default/rng-tools
+ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS
+CapabilityBoundingSet=CAP_SYS_ADMIN
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=sysinit.target
diff --git a/meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools_6.15.bb b/meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools_6.15.bb
new file mode 100644
index 000000000..f5a745f04
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/rng-tools/rng-tools_6.15.bb
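Review bot: `CapabilityBoundingSet=CAP_SYS_ADMIN` is the one capability this otherwise tight sandbox keeps, and nothing in the unit says why, so a later hardening pass could drop it and turn rngd into a daemon that can read entropy but never credit it; a comment above that line would prevent that, e.g. `# CAP_SYS_ADMIN is required for the RNDADDENTROPY ioctl that credits entropy to the kernel pool`. The same goes for `IPAddressDeny=any` and `RestrictAddressFamilies=AF_UNIX`: the recipe's `do_install_append` rewrites exactly those two lines with sed when the `nistbeacon` PACKAGECONFIG is enabled, so a note such as `# Rewritten by the rng-tools recipe when nistbeacon is enabled; keep these key names as-is` would stop an innocent reorder from silently leaving the network lockdown in place for a build that needs outbound HTTPS. `After=`/`Wants=systemd-udev-settle.service` is inherited from upstream and works, but newer systemd releases mark that unit as deprecated, which is worth knowing when the systemd version in this BSP moves.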
@@ -0,0 +1,62 @@
+SUMMARY = "Random number generator daemon"
+DESCRIPTION = "Check and feed random data from hardware device to kernel"
+AUTHOR = "Philipp Rumpf, Jeff Garzik , \
+ Henrique de Moraes Holschuh "
+HOMEPAGE = "https://github.com/nhorman/rng-tools"
+BUGTRACKER = "https://github.com/nhorman/rng-tools/issues"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+DEPENDS = "sysfsutils openssl"
+
+SRC_URI = "git://github.com/nhorman/rng-tools.git;branch=master;protocol=https \
+ file://init \
+ file://default \
+ file://rngd.service \
+ "
+SRCREV = "381f69828b782afda574f259c1b7549f48f9bb77"
+
+S = "${WORKDIR}/git"
+
+inherit autotools update-rc.d systemd pkgconfig
+
+EXTRA_OECONF = "--without-rtlsdr"
+
+PACKAGECONFIG ??= "libjitterentropy"
+PACKAGECONFIG_libc-musl = "libargp libjitterentropy"
+
+PACKAGECONFIG[libargp] = "--with-libargp,--without-libargp,argp-standalone,"
+PACKAGECONFIG[libjitterentropy] = "--enable-jitterentropy,--disable-jitterentropy,libjitterentropy"
+PACKAGECONFIG[libp11] = "--with-pkcs11,--without-pkcs11,libp11 openssl"
+PACKAGECONFIG[nistbeacon] = "--with-nistbeacon,--without-nistbeacon,curl libxml2 openssl"
+
+INITSCRIPT_NAME = "rng-tools"
+INITSCRIPT_PARAMS = "start 03 2 3 4 5 . stop 30 0 6 1 ."
+
+SYSTEMD_SERVICE_${PN} = "rngd.service"
+SYSTEMD_AUTO_ENABLE_${PN} = "enable"
+
+CFLAGS += " -DJENT_CONF_ENABLE_INTERNAL_TIMER "
+
+# Refer autogen.sh in rng-tools
+do_configure_prepend() {
+ cp ${S}/README.md ${S}/README
+}
+
+do_install_append() {
+ install -Dm 0644 ${WORKDIR}/default ${D}${sysconfdir}/default/rng-tools
+ install -Dm 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/rng-tools
+ install -Dm 0644 ${WORKDIR}/rngd.service \
+ ${D}${systemd_system_unitdir}/rngd.service
+ sed -i \
+ -e 's,@SYSCONFDIR@,${sysconfdir},g' \
+ -e 's,@SBINDIR@,${sbindir},g' \
+ ${D}${sysconfdir}/init.d/rng-tools \
+ ${D}${systemd_system_unitdir}/rngd.service
+
+ if [ "${@bb.utils.contains('PACKAGECONFIG', 'nistbeacon', 'yes', 'no', d)}" = "yes" ]; then
+ sed -i \
+ -e '/^IPAddressDeny=any/d' \
+ -e '/^RestrictAddressFamilies=/ s/$/ AF_INET AF_INET6/' \
+ ${D}${systemd_system_unitdir}/rngd.service
+ fi
+}
diff --git a/meta/meta-mediatek-mt8516/recipes-audio/images/mtk-image-aud-8516.bb b/meta/meta-mediatek-mt8516/recipes-audio/images/mtk-image-aud-8516.bb
index 272c14d3c..370177862 100755
--- a/meta/meta-mediatek-mt8516/recipes-audio/images/mtk-image-aud-8516.bb
+++ b/meta/meta-mediatek-mt8516/recipes-audio/images/mtk-image-aud-8516.bb
@@ -61,6 +61,7 @@ IMAGE_INSTALL_append = " \
 nghttp2 \
 opensc \
 sqlite3 \
+ rng-tools \
 gstreamer1.0 \
 gstreamer1.0-plugins-base \
 gstreamer1.0-plugins-good \
diff --git a/src/apps/aud-base/service/appmainprog.sh b/src/apps/aud-base/service/appmainprog.sh
index 59938e602..a8e1e17a0 100644
--- a/src/apps/aud-base/service/appmainprog.sh
+++ b/src/apps/aud-base/service/appmainprog.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
+/usr/sbin/rngd -b
+
 hwclock -w
 # start appmainprog
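Review bot: The `nistbeacon` branch of `do_install_append` loosens the unit's network sandbox (it deletes `IPAddressDeny=any` and appends `AF_INET AF_INET6` to `RestrictAddressFamilies=`) without saying why, so anyone auditing the shipped `rngd.service` hardening has to reverse-engineer the sed to see that the relaxation is conditional and deliberate. A comment above the `if` would make the trade-off explicit, e.g. `# The NIST beacon entropy source fetches over HTTPS (curl), so outbound IP is allowed only in that configuration`. The `sed -i` on the unit also depends on the exact `IPAddressDeny=any` and `RestrictAddressFamilies=` spellings in `rngd.service`; a one-line note saying the two files must be kept in step would save the next person who reorders the unit.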
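Review bot: `/usr/sbin/rngd -b` is launched here unconditionally, while the same commit installs rng-tools with `SYSTEMD_AUTO_ENABLE_${PN} = "enable"` and an init script started at priority 03, so on the image rngd is started twice — once by the init system and again from this application script. The instance started here runs outside `rngd.service` and gets none of the unit's hardening (`CapabilityBoundingSet`, `NoNewPrivileges`, `ProtectSystem=strict`, the syscall filter), inherits whatever environment appmainprog.sh runs with, and never reads `${sysconfdir}/default/rng-tools`, so the `-r /dev/hwrng` argument from the `default` file is not applied to it. Whether the second instance fails on the pid file or quietly runs alongside the first depends on rngd's pid-file locking — check rather than assume. The line should be dropped with the init system owning rngd; if this script genuinely needs the daemon up before `hwclock -w`, express that as an ordering dependency on `rngd.service` instead of a second launch. The hardcoded `/usr/sbin` path also bypasses `${sbindir}`, which the recipe substitutes elsewhere.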