systemd-boot-system-token.service(8) — Linux manual page



NAME

       systemd-boot-system-token.service - Generate an initial boot loader
       system token and random seed

SYNOPSIS


DESCRIPTION

       systemd-boot-system-token.service is a system service that
       automatically generates a 'system token' to store in an EFI variable
       in the system's NVRAM and a random seed to store on the EFI System
       Partition (ESP) on disk. The boot loader may then combine these two
       randomized data fields by cryptographic hashing, and pass the result
       to the OS it boots as the initialization seed for its entropy pool.
       The random seed stored in the ESP is refreshed on each reboot,
       ensuring that multiple subsequent boots will boot with different
       seeds. The 'system token' is generated randomly once, and then
       persistently stored in the system's EFI variable storage.

       The systemd-boot-system-token.service unit invokes the bootctl
       random-seed command, which updates the random seed in the ESP, and
       initializes the 'system token' if it's not initialized yet. The
       service is conditionalized so that it is run only when all of the
       below apply:

       ·   A boot loader is used that implements the Boot Loader
           Interface[1] (which defines the 'system token' concept).

       ·   Either a 'system token' was not set yet, or the boot loader has
           not passed the OS a random seed yet (and thus most likely has
           been missing the random seed file in the ESP).

       ·   The system is not running in a VM environment. This case is
           explicitly excluded since on VM environments the ESP backing
           storage and the EFI variable storage are typically not physically
           separated, and hence booting the same OS image in multiple
           instances would replicate both, thus reusing the same random seed
           and 'system token' among all instances, which defeats their
           purpose. Note that it's still possible to use boot loader random
           seed provisioning in this mode, but the automatic logic
           implemented by this service has no effect then, and the user
           instead has to manually invoke bootctl random-seed,
           acknowledging these restrictions.

       For further details see bootctl(1), regarding the command this
       service invokes.
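       The following is an added illustration, not code from systemd or
       its boot loader: a simplified model of how a boot loader can hash the
       ESP random seed together with the 'system token' to derive both a
       fresh on-disk seed and the seed handed to the OS, and why cloning a
       VM image that replicates both fields yields identical seeds in every
       instance. The hash construction and labels used here are assumptions
       of the model, not the boot loader's actual derivation.

```python
import hashlib
import os

SEED_LEN = 32


def combine(disk_seed: bytes, system_token: bytes) -> tuple[bytes, bytes]:
    """Derive (new_disk_seed, os_seed) from the ESP seed and system token.
    Assumed construction: one SHA-256 over both inputs, then two
    domain-separated hashes so the value written back to the ESP and the
    value passed to the OS are distinct and neither reveals the other."""
    base = hashlib.sha256(b"seed:" + disk_seed + b"token:" + system_token).digest()
    new_disk_seed = hashlib.sha256(b"disk" + base).digest()
    os_seed = hashlib.sha256(b"os" + base).digest()
    return new_disk_seed, os_seed


class Machine:
    """Models one (virtual) machine: ESP seed file plus NVRAM system token."""

    def __init__(self, disk_seed: bytes, system_token: bytes):
        self.disk_seed = disk_seed            # refreshed on every boot
        self.system_token = system_token      # generated once, then persistent

    def boot(self) -> bytes:
        """One boot: replace the ESP seed and return the OS entropy seed."""
        self.disk_seed, os_seed = combine(self.disk_seed, self.system_token)
        return os_seed

    def clone(self) -> "Machine":
        """Snapshot copying both ESP and NVRAM, as a VM image clone would."""
        return Machine(self.disk_seed, self.system_token)


def demo() -> tuple[bool, bool, bool]:
    """Returns (successive boots differ, cloned VMs collide,
    clone with its own fresh token diverges)."""
    physical = Machine(os.urandom(SEED_LEN), os.urandom(SEED_LEN))
    boots_differ = physical.boot() != physical.boot()

    template = Machine(os.urandom(SEED_LEN), os.urandom(SEED_LEN))
    vm_a, vm_b = template.clone(), template.clone()
    clones_collide = vm_a.boot() == vm_b.boot()

    # Re-provisioning the token per instance (manual bootctl random-seed
    # in the VM case) breaks the collision.
    vm_c = template.clone()
    vm_c.system_token = os.urandom(SEED_LEN)
    fresh_token_diverges = vm_c.boot() != vm_a.boot()
    return boots_differ, clones_collide, fresh_token_diverges
```

       `demo()` returns `(True, True, True)`: seeds differ across boots of
       one machine, collide across clones that share seed and token, and
       diverge again once an instance gets its own token.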

SEE ALSO

       systemd(1), bootctl(1), systemd-boot(7)

NOTES

        1. Boot Loader Interface

COLOPHON

       This page is part of the systemd (systemd system and service manager)
       project.  Information about the project can be found at 
       ⟨⟩.  If you have a bug
       report for this manual page, see
       ⟨⟩.  This
       page was obtained from the project's upstream Git repository
       ⟨⟩ on 2020-06-09.  (At that
       time, the date of the most recent commit that was found in the
       repository was 2020-06-09.)  If you discover any rendering problems in
       this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to

systemd 245                             SYSTEMD-BOOT-SYSTEM-TOKEN.SERVICE(8)
