SYSTEMD_RDRAND=0 will prevent using RDRAND even on systems whose CPUID claims
to support it. All other values have no effect.
Fixes: #17112
honoured on systems built with libxcrypt and is ignored on systems using
glibc's original, internal crypt() implementation.)
+* `$SYSTEMD_RDRAND=0` — if set, the RDRAND instruction will never be used,
+ even if the CPU supports it.
+
systemctl:
* `$SYSTEMCTL_FORCE_BUS=1` — if set, do not connect to PID1's private D-Bus
#endif
#include "alloc-util.h"
+#include "env-util.h"
#include "errno-util.h"
#include "fd-util.h"
#include "fileio.h"
#endif
have_rdrand = !!(ecx & bit_RDRND);
+
+ if (have_rdrand > 0) {
+ /* Allow disabling use of RDRAND with SYSTEMD_RDRAND=0
+ If it is unset getenv_bool_secure will return a negative value. */
+ if (getenv_bool_secure("SYSTEMD_RDRAND") == 0) {
+ have_rdrand = false;
+ return -EOPNOTSUPP;
+ }
+ }
}
if (have_rdrand == 0)