From a4eea6038c1c7f88adc6d6584d18ea60ea11b08f Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Thu, 17 Nov 2022 16:11:44 +0100
Subject: bootctl: install system token on virtualized systems

Removing the virtualization check might not be the worst thing in the world,
and would potentially get many, many more systems properly seeded rather than
not seeded. There are a few reasons to consider this:

- In most QEMU setups and most guides on how to set up QEMU, a separate pflash
  file is used for nvram variables, and this generally isn't copied around.
- We're now hashing in a timestamp, which should provide some level of
  differentiation, given that EFI_TIME has a nanoseconds field.
- The kernel itself will additionally hash in: a high resolution time stamp, a
  cycle counter, RDRAND output, the VMGENID uniquely identifying the virtual
  machine, any other seeds from the hypervisor (like from FDT or setup_data).
- During early boot, the RNG is reseeded quite frequently to account for the
  importance of early differentiation.

So maybe the mitigating factors make the actual feared problem significantly
less likely and therefore the pros of having file-based seeding might outweigh
the cons of weird misconfigured setups having a hypothetical problem on first
boot.
---
 units/systemd-boot-system-token.service | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

(limited to 'units')

diff --git a/units/systemd-boot-system-token.service b/units/systemd-boot-system-token.service
index 5a56d7c331..689b902000 100644
--- a/units/systemd-boot-system-token.service
+++ b/units/systemd-boot-system-token.service
@@ -16,15 +16,11 @@ After=local-fs.target systemd-random-seed.service Conflicts=shutdown.target initrd-switch-root.target Before=shutdown.target initrd-switch-root.target -# Don't run this in a VM environment, because there EFI variables are not -# actually stored in NVRAM, independent of regular storage. -ConditionVirtualization=no - # Only run this if the boot loader can support random seed initialization. ConditionPathExists=/sys/firmware/efi/efivars/LoaderFeatures-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f -# Only run this if there is no system token defined yet, or … -ConditionPathExists=|!/sys/firmware/efi/efivars/LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f +# Only run this if there is no system token defined yet +ConditionPathExists=!/sys/firmware/efi/efivars/LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f [Service] Type=oneshot -- cgit v1.2.1
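Review bot: dropping the `|` trigger prefix on the `LoaderSystemToken` condition changes how that check combines with the rest of the unit, and the removed comment ("Only run this if there is no system token defined yet, or …") shows there used to be a second OR'd alternative. If any other `Condition*=|` line survives outside this hunk, it is now the sole trigger and must be true on its own, while the token check has become a plain AND requirement; please confirm no other `|`-prefixed condition remains in the file, so the unit really does reduce to "LoaderFeatures present AND no token yet". Separately, the reasoning for running inside VMs (timestamp, VMGENID and the other per-boot inputs mitigating a copied NVRAM) now lives only in the commit message; a one-line comment in place of the deleted `ConditionVirtualization=no` block, stating that the token is intentionally installed in VMs too and why, would keep the next reader from re-adding the check.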