git.ipfire.org Git - thirdparty/systemd.git/commit - units/systemd-boot-system-token.service

author	Jason A. Donenfeld <Jason@zx2c4.com>
	Thu, 17 Nov 2022 15:11:44 +0000 (16:11 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Mon, 21 Nov 2022 14:13:26 +0000 (15:13 +0100)
commit	a4eea6038c1c7f88adc6d6584d18ea60ea11b08f
tree	e11ce9f24d8ddccb94854735f7f4321d5b9081df	tree \| snapshot
parent	261b14be76de64da62faaa31ce838dda04935f1b	commit \| diff

bootctl: install system token on virtualized systems

Removing the virtualization check might not be the worst thing in the
world, and would potentially get many, many more systems properly seeded
rather than not seeded. There are a few reasons to consider this:

- In most QEMU setups and most guides on how to setup QEMU, a separate
  pflash file is used for nvram variables, and this generally isn't
  copied around.

- We're now hashing in a timestamp, which should provide some level of
  differentiation, given that EFI_TIME has a nanoseconds field.

- The kernel itself will additionally hash in: a high resolution time
  stamp, a cycle counter, RDRAND output, the VMGENID uniquely
  identifying the virtual machine, any other seeds from the hypervisor
  (like from FDT or setup_data).

- During early boot, the RNG is reseeded quite frequently to account for
  the importance of early differentiation.

So maybe the mitigating factors make the actual feared problem
significantly less likely and therefore the pros of having file-based
seeding might outweigh the cons of weird misconfigured setups having a
hypothetical problem on first boot.

docs/RANDOM_SEEDS.md		diff \| blob \| blame \| history
src/boot/bootctl.c		diff \| blob \| blame \| history
units/systemd-boot-system-token.service		diff \| blob \| blame \| history