too), which should be safe even with FAT file system drivers built into
low-quality EFI firmwares.
- If the system token is not desired but this seeding mechanism still is, OS
- builders that know that they are not going to replicate the built image on
- multiple systems may opt to turn off the 'system token' concept by setting
- `random-seed-mode always` in the ESP's
- [`/loader/loader.conf`](https://www.freedesktop.org/software/systemd/man/loader.conf.html)
- file. If done, `systemd-boot` will use the random seed file even if no
- system token is found in EFI variables.
-
4. A kernel command line option `systemd.random_seed=` may be used to pass in a
base64 encoded seed to initialize the kernel's entropy pool from during
early service manager initialization. This option is only safe in testing
encrypted drive to change. If PCR 4 is not measured, this setting can be disabled to speed
up booting into Windows.</para></listitem>
</varlistentry>
-
- <varlistentry>
- <term>random-seed-mode</term>
-
- <listitem><para>Takes one of <literal>off</literal>, <literal>with-system-token</literal> and
- <literal>always</literal>. If <literal>off</literal> no random seed data is read off the ESP, nor
- passed to the OS. If <literal>with-system-token</literal> (the default)
- <command>systemd-boot</command> will read a random seed from the ESP (from the file
- <filename>/loader/random-seed</filename>) only if the <varname>LoaderSystemToken</varname> EFI
- variable is set, and then derive the random seed to pass to the OS from the combination. If
- <literal>always</literal> the boot loader will do so even if <varname>LoaderSystemToken</varname> is
- not set. This mode is useful in environments where protection against OS image reuse is not a
- concern, and the random seed shall be used even with no further setup in place. Use <command>bootctl
- random-seed</command> to initialize both the random seed file in the ESP and the system token EFI
- variable.</para>
-
- <para>See <ulink url="https://systemd.io/RANDOM_SEEDS">Random Seeds</ulink> for further
- information.</para></listitem>
- </varlistentry>
</variablelist>
</refsect1>
bool beep;
int64_t console_mode;
int64_t console_mode_efivar;
- RandomSeedMode random_seed_mode;
} Config;
/* These values have been chosen so that the transitions the user sees could
ps_bool(L" auto-firmware: %s\n", config->auto_firmware);
ps_bool(L" beep: %s\n", config->beep);
ps_bool(L" reboot-for-bitlocker: %s\n", config->reboot_for_bitlocker);
- ps_string(L" random-seed-mode: %s\n", random_seed_modes_table[config->random_seed_mode]);
switch (config->secure_boot_enroll) {
case ENROLL_OFF:
}
continue;
}
-
- if (streq8(key, "random-seed-mode")) {
- if (streq8(value, "off"))
- config->random_seed_mode = RANDOM_SEED_OFF;
- else if (streq8(value, "with-system-token"))
- config->random_seed_mode = RANDOM_SEED_WITH_SYSTEM_TOKEN;
- else if (streq8(value, "always"))
- config->random_seed_mode = RANDOM_SEED_ALWAYS;
- else {
- bool on;
-
- err = parse_boolean(value, &on);
- if (err != EFI_SUCCESS) {
- log_error_stall(L"Error parsing 'random-seed-mode' config option: %a", value);
- continue;
- }
-
- config->random_seed_mode = on ? RANDOM_SEED_ALWAYS : RANDOM_SEED_OFF;
- }
- continue;
- }
}
}
.auto_firmware = true,
.reboot_for_bitlocker = false,
.secure_boot_enroll = ENROLL_MANUAL,
- .random_seed_mode = RANDOM_SEED_WITH_SYSTEM_TOKEN,
.idx_default_efivar = IDX_INVALID,
.console_mode = CONSOLE_MODE_KEEP,
.console_mode_efivar = CONSOLE_MODE_KEEP,
save_selected_entry(&config, entry);
/* Optionally, read a random seed off the ESP and pass it to the OS */
- (void) process_random_seed(root_dir, config.random_seed_mode);
+ (void) process_random_seed(root_dir);
err = image_start(image, entry);
if (err != EFI_SUCCESS)
#endif
}
-EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode) {
+EFI_STATUS process_random_seed(EFI_FILE *root_dir) {
_cleanup_erase_ uint8_t random_bytes[DESIRED_SEED_SIZE], hash_key[HASH_VALUE_SIZE];
_cleanup_free_ struct linux_efi_random_seed *new_seed_table = NULL;
struct linux_efi_random_seed *previous_seed_table = NULL;
validate_sha256();
- if (mode == RANDOM_SEED_OFF)
- return EFI_NOT_FOUND;
-
/* hash = LABEL || sizeof(input1) || input1 || ... || sizeof(inputN) || inputN */
sha256_init_ctx(&hash);
* system, even when disk images are duplicated or swapped out. */
size = 0;
err = acquire_system_token(&system_token, &size);
- if (mode != RANDOM_SEED_ALWAYS && (err != EFI_SUCCESS || size < DESIRED_SEED_SIZE) && !seeded_by_efi)
+ if ((err != EFI_SUCCESS || size < DESIRED_SEED_SIZE) && !seeded_by_efi)
return err;
sha256_process_bytes(&size, sizeof(size), &hash);
if (system_token) {
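Review bot: With the `mode == RANDOM_SEED_OFF` exit gone, the early return right after `acquire_system_token` is the only thing that stops seeding without a full-size system token, and it returns `err`, which is EFI_SUCCESS when the token exists but is shorter than DESIRED_SEED_SIZE — so a refused seed is reported exactly like a completed one. The visible caller in boot.c discards the status with `(void)`, so this is a clarity point rather than a live bug, but `return err != EFI_SUCCESS ? err : EFI_NOT_FOUND;` would keep the status honest for any future caller. Since this hunk also deletes the only explicit "off" path, a one-line header comment such as `/* Seeds the OS only when a DESIRED_SEED_SIZE system token is present (or, presumably, when firmware already seeded the kernel — seeded_by_efi); there is no longer a config switch for this. */` would save the next reader from hunting for the removed option. process_random_seed's body continues outside the hunk.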
#pragma once
#include <efi.h>
-#include <errno.h>
-#include <uchar.h>
-typedef enum RandomSeedMode {
- RANDOM_SEED_OFF,
- RANDOM_SEED_WITH_SYSTEM_TOKEN,
- RANDOM_SEED_ALWAYS,
- _RANDOM_SEED_MODE_MAX,
- _RANDOM_SEED_MODE_INVALID = -EINVAL,
-} RandomSeedMode;
-
-static const char16_t * const random_seed_modes_table[_RANDOM_SEED_MODE_MAX] = {
- [RANDOM_SEED_OFF] = L"off",
- [RANDOM_SEED_WITH_SYSTEM_TOKEN] = L"with-system-token",
- [RANDOM_SEED_ALWAYS] = L"always",
-};
-
-EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode);
+EFI_STATUS process_random_seed(EFI_FILE *root_dir);
free(config->auto_entries);
free(config->auto_firmware);
free(config->console_mode);
- free(config->random_seed_mode);
free(config->beep);
free(config->entry_oneshot);
else if (streq(field, "console-mode"))
r = free_and_strdup(&config->console_mode, p);
else if (streq(field, "random-seed-mode"))
- r = free_and_strdup(&config->random_seed_mode, p);
+ log_syntax(NULL, LOG_WARNING, path, line, 0, "'random-seed-mode' has been deprecated, ignoring.");
else if (streq(field, "beep"))
r = free_and_strdup(&config->beep, p);
else {
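Review bot: The deprecated-key branch on the `random-seed-mode` line no longer assigns `r`, unlike every sibling branch of the else-if chain, so if the chain is followed by a shared `if (r < 0)` check (not visible here) that check now sees whatever `r` held before the chain rather than a result for this line. The existing unknown-key `else` branch avoids exactly this by ending with `continue`, and the new branch should match it: `else if (streq(field, "random-seed-mode")) { log_syntax(NULL, LOG_WARNING, path, line, 0, "'random-seed-mode' has been deprecated, ignoring."); continue; }`. The enclosing parse loop starts and ends outside the hunk.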
char *auto_entries;
char *auto_firmware;
char *console_mode;
- char *random_seed_mode;
char *beep;
char *entry_oneshot;