From 18d9cee002fdbce61cadc85ade57af7bca176509 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 11 Jun 2020 10:04:41 +0200 Subject: man: document systemd.random-seed= --- man/kernel-command-line.xml | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) (limited to 'man/kernel-command-line.xml') diff --git a/man/kernel-command-line.xml b/man/kernel-command-line.xml index 52939deec0..4e431aaefd 100644 --- a/man/kernel-command-line.xml +++ b/man/kernel-command-line.xml 
@@ -468,8 +468,32 @@ systemd.clock-usec= Takes a decimal, numeric timestamp in µs since January 1st 1970, 00:00am, to set the - system clock to. The system time is set to the specified timestamp early during - boot. It is not propagated to the hardware clock (RTC). + system clock to. The system time is set to the specified timestamp early during boot. It is not + propagated to the hardware clock (RTC). + + + + systemd.random-seed= + + Takes a base64 encoded random seed value to credit with full entropy to the kernel's + random pool during early service manager initialization. This option is useful in testing + environments where delays due to random pool initialization in entropy starved virtual machines shall + be avoided. + + Note that if this option is used the seed is accessible to unprivileged programs from + /proc/cmdline. This option is hence a security risk when used outside of test + systems, since the (possibly) only seed used for initialization of the kernel's entropy pool might be + easily acquired by unprivileged programs. + + It is recommended to pass 512 bytes of randomized data (as that matches the Linux kernel pool + size), which may be generated with a command like the following: + + dd if=/dev/urandom bs=512 count=1 status=none | base64 -w 0 + + Again: do not use this option outside of testing environments, it's a security risk elsewhere, + as secret key material derived from the entropy pool can possibly be reconstructed by unprivileged + programs. + -- cgit v1.2.1
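Review bot: the new systemd.random-seed= paragraph says the seed is credited "with full entropy" but never says the value must be fresh for every boot; since the text itself admits this may be "the (possibly) only seed used for initialization of the kernel's entropy pool", a reader copying the dd pipeline once into a static test-VM kernel command line would end up with an identical, fully-credited pool state on every boot. Suggest adding one sentence after "which may be generated with a command like the following:" making clear that the command must be re-run (and the command line updated) for each boot rather than reused. Two smaller points in the same hunk: "base64 -w 0" is a GNU coreutils option and the doc may want to say so, and the re-wrapping of the unchanged systemd.clock-usec= paragraph at the top of the hunk is whitespace-only churn unrelated to the subject of the commit.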