<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<!-- git blame: commit 39867bb9 (LP) -->

<refentry id="systemd-boot-system-token.service" conditional='ENABLE_EFI'
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd-boot-system-token.service</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-boot-system-token.service</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-boot-system-token.service</refname>
    <refpurpose>Generate an initial boot loader system token and random seed</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>systemd-boot-system-token.service</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><filename>systemd-boot-system-token.service</filename> is a system service that automatically
    generates a 'system token', stored in an EFI variable in the system's NVRAM, and a random seed, stored
    on the EFI System Partition (ESP) on disk. The boot loader may then combine these two random values by
    cryptographic hashing and pass the result to the OS it boots as an initialization seed for its entropy
    pool. The random seed stored in the ESP is refreshed on each boot, ensuring that subsequent boots use
    different seeds. The 'system token' is generated randomly once, and is then persistently stored in the
    system's EFI variable storage.</para>

    <para>The <filename>systemd-boot-system-token.service</filename> unit invokes the <command>bootctl
    random-seed</command> command, which updates the random seed in the ESP and initializes the 'system
    token' if it has not been initialized yet. The service carries conditions so that it runs only when all
    of the following apply:</para>

    <itemizedlist>
      <listitem><para>A boot loader is used that implements the <ulink
      url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink> (which defines the 'system
      token' concept).</para></listitem>

      <listitem><para>Either a 'system token' has not been set yet, or the boot loader has not passed a
      random seed to the OS yet (and thus has most likely been missing the random seed file in the
      ESP).</para></listitem>

      <listitem><para>The system is not running in a VM environment. This case is explicitly excluded since
      in VM environments the ESP backing storage and the EFI variable storage are typically not physically
      separated, so booting the same OS image in multiple instances would replicate both, thereby reusing
      the same random seed and 'system token' across all instances and defeating their purpose. Note that
      boot loader random seed provisioning can still be used in this mode, but the automatic logic
      implemented by this service has no effect then; the user instead has to invoke <command>bootctl
      random-seed</command> manually, accepting these restrictions.</para></listitem>
    </itemizedlist>

    <para>For further details regarding the command this service invokes, see
    <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
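The handshake the Description section describes, as an added toy model: `bootctl random-seed` provisions the ESP seed file and the one-time system token, the boot loader hashes both into a seed for the booted OS and a fresh seed written back to the ESP, and the service only runs under the three listed conditions. This is example code written for this page, not systemd's or systemd-boot's implementation. The EFI variable names (LoaderFeatures, LoaderSystemToken, LoaderRandomSeed), the vendor GUID and the `/loader/random-seed` path are those the Boot Loader Interface defines; the in-memory `Machine` class, the `service_should_run`, `bootctl_random_seed`, `loader_boot` and `clone` functions, and the length-prefixed SHA-256 derivation with `for-os`/`for-esp` labels are assumptions made for illustration, not the loader's actual construction. The `clone` helper reproduces the VM failure mode the page gives as the reason for skipping VMs: when ESP and NVRAM are replicated together, every instance derives the same seed.

```python
"""Toy model of the random-seed handshake between bootctl random-seed (OS side)
and a boot loader implementing the Boot Loader Interface (loader side).
Added illustration, not systemd's code; the Machine class, derivation labels
and decision logic are assumptions made for this example."""
import copy
import hashlib
import secrets

SEED_SIZE = 32
VENDOR = "4a67b082-0a4c-41cf-b6c7-440b29bb8c4f"    # Boot Loader Interface vendor GUID
FEATURES_VAR = f"LoaderFeatures-{VENDOR}"          # present iff the loader implements the interface
TOKEN_VAR = f"LoaderSystemToken-{VENDOR}"          # persistent 'system token', set once by bootctl
SEED_VAR = f"LoaderRandomSeed-{VENDOR}"            # volatile, set by the loader for the booted OS
SEED_FILE = "/loader/random-seed"                  # random seed file on the ESP


class Machine:
    """One firmware+disk pair: nvram maps EFI variable names to bytes, esp maps
    ESP paths to file contents (both constructed in memory for the example)."""

    def __init__(self, is_vm=False, loader_interface=True):
        self.is_vm = is_vm
        self.nvram = {FEATURES_VAR: b"\x01"} if loader_interface else {}
        self.esp = {}


def service_should_run(m):
    """The three conditions the unit is gated on, as the page lists them."""
    if FEATURES_VAR not in m.nvram:     # no Boot Loader Interface: nothing to provision for
        return False
    if m.is_vm:                         # ESP and NVRAM would be cloned together
        return False
    return TOKEN_VAR not in m.nvram or SEED_VAR not in m.nvram


def bootctl_random_seed(m):
    """What `bootctl random-seed` does: always refresh the ESP seed file,
    initialize the system token only if it does not exist yet."""
    m.esp[SEED_FILE] = secrets.token_bytes(SEED_SIZE)
    m.nvram.setdefault(TOKEN_VAR, secrets.token_bytes(SEED_SIZE))


def derive_seed(token, seed, label):
    """Length-prefixed SHA-256 over (label, token, seed); the label separates the
    value handed to the OS from the value written back to the ESP (assumed construction)."""
    h = hashlib.sha256()
    for part in (label, token, seed):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def loader_boot(m):
    """Loader side of one boot: combine token and seed file, pass one derivation
    to the OS via LoaderRandomSeed, write the other back to the ESP so the next
    boot starts from a different seed. Returns the OS seed, or None when either
    input is missing (nothing is passed to the OS in that case)."""
    token, seed = m.nvram.get(TOKEN_VAR), m.esp.get(SEED_FILE)
    if token is None or seed is None:
        m.nvram.pop(SEED_VAR, None)
        return None
    os_seed = derive_seed(token, seed, b"for-os")
    m.esp[SEED_FILE] = derive_seed(token, seed, b"for-esp")
    m.nvram[SEED_VAR] = os_seed
    return os_seed


def clone(m, is_vm=True):
    """Replicate ESP *and* NVRAM, as booting the same image in several VM
    instances does; all clones then derive identical seeds."""
    c = copy.deepcopy(m)
    c.is_vm = is_vm
    return c
```

Two runs of `loader_boot` on the same `Machine` yield different OS seeds because the ESP file is rewritten each boot, while two VM clones of one provisioned machine yield the same OS seed boot after boot, and `service_should_run` stays false for them because of the VM condition. A non-VM clone does get the service run, which refreshes the seed file and so breaks the tie, but keeps the existing system token, matching the page's statement that the token is generated only once.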