From fbccb980e5b48375047114777d203401a9e33c6c Mon Sep 17 00:00:00 2001
From: Kyle Huey
Date: Wed, 23 Sep 2020 14:19:09 -0700
Subject: random-util: Add an environment variable to disable RDRAND.

SYSTEMD_RDRAND=0 will prevent using RDRAND even on systems whose CPUID claims to support it. All other values have no effect.

Fixes: #17112
---
 src/basic/random-util.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'src/basic/random-util.c')

diff --git a/src/basic/random-util.c b/src/basic/random-util.c
index 6eeed9af34..2031262389 100644
--- a/src/basic/random-util.c
+++ b/src/basic/random-util.c
@@ -21,6 +21,7 @@
 #endif
 
 #include "alloc-util.h"
+#include "env-util.h"
 #include "errno-util.h"
 #include "fd-util.h"
 #include "fileio.h"
@@ -116,6 +117,15 @@ int rdrand(unsigned long *ret) {
 #endif
 
 have_rdrand = !!(ecx & bit_RDRND);
+
+if (have_rdrand > 0) {
+/* Allow disabling use of RDRAND with SYSTEMD_RDRAND=0
+If it is unset getenv_bool_secure will return a negative value. */
+if (getenv_bool_secure("SYSTEMD_RDRAND") == 0) {
+have_rdrand = false;
+return -EOPNOTSUPP;
+}
+}
 }
 
 if (have_rdrand == 0)
-- 
cgit v1.2.3
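Review bot: The SYSTEMD_RDRAND check in the second hunk sits inside the block that probes CPUID and assigns `have_rdrand`, whose guard is outside the hunk but appears to run only until `have_rdrand` is set, so the environment is consulted once and the result is cached for the life of the process; the comment should say so, e.g. `/* Allow disabling use of RDRAND with SYSTEMD_RDRAND=0. Evaluated once, on the first call, and cached in have_rdrand; if the variable is unset (or, presumably, unparsable) getenv_bool_secure() returns a negative value and RDRAND stays enabled. */`. If getenv_bool_secure() follows secure_getenv() semantics, the override is also ignored in AT_SECURE (setuid) processes, which is the appropriate default for a knob that changes entropy-source selection and is worth one more sentence in that comment. The two nested ifs can be folded into one guard, `if (have_rdrand > 0 && getenv_bool_secure("SYSTEMD_RDRAND") == 0) {`, which keeps the `have_rdrand = false; return -EOPNOTSUPP;` body at the same nesting as the CPUID failure paths. The body of rdrand() starts and ends outside the hunk, so whether the early `return -EOPNOTSUPP` skips any cleanup cannot be confirmed from here.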