beef up random seed logic, add boot loader entropy provisioning, improve docs about it #13137
Merged
26 commits
63d59b8
fs-util: add fsync_full() helper
poettering 5373172
xattr-util: document that we NUL suffix
poettering 1aaabb1
efi: modernize file_read() a bit
poettering b19fa81
efi: add log_oom() helper
poettering c242a08
efivars: modernize efi_get_variable() a bit
poettering 5509f91
bootctl: use the fact that startswith() returns the suffix
poettering b461576
bootctl: drop const from non-pointer function argument
poettering 7c122df
bootctl: shortcut configuration file parsing
poettering 22c5ff5
bootctl: add new feature flag for indicating random seed management s…
poettering 073220b
efi: steal glibc sha256 implementation
poettering e4dcf7a
sd-boot: read random seed from ESP and pass it to OS
poettering c18ecf0
core: take random seed from boot loader and credit it to kernel entro…
poettering 3e155eb
random-seed: move pool size determination to random-util.[ch]
poettering e44c322
bootctl: add new verb for initializing a random seed in the ESP
poettering d6e9a34
bootctl: show random seed state
poettering d985064
units: automatically initialize the system token if that makes sense
poettering 15d961b
random-seed: reduce scope of variable
poettering c6127c3
random-seed: drop falling back to O_WRONLY if O_RDWR on /dev/urandom …
poettering 26ded55
random-seed: rework systemd-random-seed.service substantially
poettering c7bb4df
docs: document new random seed EFI vars as part of the boot loader in…
poettering 39867bb
man: document the systemd-random-seed rework
poettering a2aa605
bootctl: add is-installed verb
poettering 7fb0c61
man: extend on the --print-boot-path description a bit
poettering 93f5910
docs: add longer document about systemd and random number seeds
poettering 341fd87
TODO: remove apparently fixed issue from TODO
poettering 312dc15
update TODO
poettering
@@ -0,0 +1,76 @@ | ||
<?xml version='1.0'?> <!--*-nxml-*--> | ||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | ||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | ||
<!-- SPDX-License-Identifier: LGPL-2.1+ --> | ||
|
||
<refentry id="systemd-boot-system-token.service" conditional='ENABLE_EFI' | ||
xmlns:xi="http://www.w3.org/2001/XInclude"> | ||
|
||
<refentryinfo> | ||
<title>systemd-boot-system-token.service</title> | ||
<productname>systemd</productname> | ||
</refentryinfo> | ||
|
||
<refmeta> | ||
<refentrytitle>systemd-boot-system-token.service</refentrytitle> | ||
<manvolnum>8</manvolnum> | ||
</refmeta> | ||
|
||
<refnamediv> | ||
<refname>systemd-boot-system-token.service</refname> | ||
<refpurpose>Generate an initial boot loader system token and random seed</refpurpose> | ||
</refnamediv> | ||
|
||
<refsynopsisdiv> | ||
<para><filename>systemd-boot-system-token.service</filename></para> | ||
</refsynopsisdiv> | ||
|
||
<refsect1> | ||
<title>Description</title> | ||
|
||
<para><filename>systemd-boot-system-token.service</filename> is a system service that automatically | ||
generates a 'system token' to store in an EFI variable in the system's NVRAM and a random seed to store | ||
on the EFI System Partition ESP on disk. The boot loader may then combine these two randomized data | ||
fields by cryptographic hashing, and pass it to the OS it boots as initialization seed for its entropy | ||
pool. The random seed stored in the ESP is refreshed on each reboot ensuring that multiple subsequent | ||
boots will boot with different seeds. The 'system token' is generated randomly once, and then | ||
persistently stored in the system's EFI variable storage.</para> | ||
|
||
<para>The <filename>systemd-boot-system-token.service</filename> unit invokes the <command>bootctl | ||
random-seed</command> command, which updates the random seed in the ESP, and initializes the 'system | ||
token' if it's not initialized yet. The service is conditionalized so that it is run only when all of the | ||
below apply:</para> | ||
|
||
<itemizedlist> | ||
<listitem><para>A boot loader is used that implements the <ulink | ||
url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink> (which defines the 'system | ||
token' concept).</para></listitem> | ||
|
||
<listitem><para>Either a 'system token' was not set yet, or the boot loader has not passed the OS a | ||
random seed yet (and thus most likely has been missing the random seed file in the | ||
ESP).</para></listitem> | ||
|
||
<listitem><para>The system is not running in a VM environment. This case is explicitly excluded since | ||
on VM environments the ESP backing storage and EFI variable storage is typically not physically | ||
separated and hence booting the same OS image in multiple instances would replicate both, thus reusing | ||
the same random seed and 'system token' among all instances, which defeats its purpose. Note that it's | ||
still possible to use boot loader random seed provisioning in this mode, but the automatic logic | ||
implemented by this service has no effect then, and the user instead has to manually invoke the | ||
<command>bootctl random-seed</command> acknowledging these restrictions.</para></listitem> | ||
</itemizedlist> | ||
|
||
<para>For further details see | ||
<citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, regarding | ||
the command this service invokes.</para> | ||
</refsect1> | ||
|
||
<refsect1> | ||
<title>See Also</title> | ||
<para> | ||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | ||
<citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | ||
<citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> | ||
</para> | ||
</refsect1> | ||
|
||
</refentry> |
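Review bot: the Description says the boot loader hashes the ESP seed and the NVRAM system token together and passes the result to the OS "as initialization seed for its entropy pool", and the VM bullet says that reusing both "defeats its purpose", but the page never states what that purpose is, whose purpose "its" refers to (the seed's, the token's or the service's), or whether the OS treats the passed seed as its only initial entropy or mixes it with other sources. A reader who follows the bullet's advice to run `bootctl random-seed` manually in a VM therefore cannot tell whether a replicated seed merely loses a benefit or actively weakens every clone; one sentence in the Description on how the OS uses the seed would settle that. Two smaller points: "EFI System Partition ESP on disk" should read "EFI System Partition (ESP) on disk", since "ESP" is used as an abbreviation from then on, and the DOCTYPE pairs the "DocBook XML V4.5//EN" public identifier with the ".../docbook/xml/4.2/docbookx.dtd" system identifier, which should name the same version.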
I wonder if the time has come to relax this, and accept that everybody mounts it on /boot/efi...