diff options
| author | Jason A. Donenfeld <Jason@zx2c4.com> | 2022-11-17 16:11:44 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2022-11-21 15:13:26 +0100 |
| commit | a4eea6038c1c7f88adc6d6584d18ea60ea11b08f (patch) | |
| tree | e11ce9f24d8ddccb94854735f7f4321d5b9081df /docs/RANDOM_SEEDS.md | |
| parent | 261b14be76de64da62faaa31ce838dda04935f1b (diff) | |
| download | systemd-a4eea6038c1c7f88adc6d6584d18ea60ea11b08f.tar.gz | |
bootctl: install system token on virtualized systems
Removing the virtualization check might not be the worst thing in the
world, and would potentially get many, many more systems properly seeded
rather than not seeded. There are a few reasons to consider this:
- In most QEMU setups and most guides on how to setup QEMU, a separate
pflash file is used for nvram variables, and this generally isn't
copied around.
- We're now hashing in a timestamp, which should provide some level of
differentiation, given that EFI_TIME has a nanoseconds field.
- The kernel itself will additionally hash in: a high resolution time
stamp, a cycle counter, RDRAND output, the VMGENID uniquely
identifying the virtual machine, any other seeds from the hypervisor
(like from FDT or setup_data).
- During early boot, the RNG is reseeded quite frequently to account for
the importance of early differentiation.
So maybe the mitigating factors make the actual feared problem
significantly less likely and therefore the pros of having file-based
seeding might outweigh the cons of weird misconfigured setups having a
hypothetical problem on first boot.
Diffstat (limited to 'docs/RANDOM_SEEDS.md')
| -rw-r--r-- | docs/RANDOM_SEEDS.md | 15 |
1 files changed, 4 insertions, 11 deletions
diff --git a/docs/RANDOM_SEEDS.md b/docs/RANDOM_SEEDS.md index b7240f0d89..a1134d6417 100644 --- a/docs/RANDOM_SEEDS.md +++ b/docs/RANDOM_SEEDS.md @@ -232,17 +232,10 @@ boot, in order to ensure the entropy pool is filled up quickly. too), which should be safe even with FAT file system drivers built into low-quality EFI firmwares. - As a special restriction: in virtualized environments PID 1 will refrain - from using this mechanism, for safety reasons. This is because on VM - environments the EFI variable space and the disk space is generally not - maintained physically separate (for example, `qemu` in EFI mode stores the - variables in the ESP itself). The robustness towards sloppy OS image - generation is the main purpose of maintaining the 'system token' however, - and if the EFI variable storage is not kept physically separate from the OS - image there's no point in it. That said, OS builders that know that they are - not going to replicate the built image on multiple systems may opt to turn - off the 'system token' concept by setting `random-seed-mode always` in the - ESP's + If the system token is not desired but this seeding mechanism still is, OS + builders that know that they are not going to replicate the built image on + multiple systems may opt to turn off the 'system token' concept by setting + `random-seed-mode always` in the ESP's [`/loader/loader.conf`](https://www.freedesktop.org/software/systemd/man/loader.conf.html) file. If done, `systemd-boot` will use the random seed file even if no system token is found in EFI variables. |