SYSTEMD-BOOT-SYSTEM-TOKEN.SERVICE(8)   systemd-boot-system-token.service   SYSTEMD-BOOT-SYSTEM-TOKEN.SERVICE(8)

NAME

       systemd-boot-system-token.service - Generate an initial boot loader
       system token and random seed


SYNOPSIS

       systemd-boot-system-token.service


DESCRIPTION

       systemd-boot-system-token.service is a system service that
       automatically generates a 'system token' to store in an EFI variable in
       the system's NVRAM and a random seed to store on the EFI System
       Partition (ESP) on disk. The boot loader may then combine these two
       randomized data fields by cryptographic hashing and pass the result to
       the OS it boots as an initialization seed for its entropy pool. The
       random seed stored in the ESP is refreshed on each reboot, ensuring
       that subsequent boots start with different seeds. The 'system token'
       is generated randomly once and then persistently stored in the
       system's EFI variable storage.

       The systemd-boot-system-token.service unit invokes the bootctl
       random-seed command, which updates the random seed in the ESP and
       initializes the 'system token' if it is not initialized yet. The
       service is conditionalized so that it runs only when all of the
       following apply:

       •   A boot loader is used that implements the Boot Loader Interface[1]
           (which defines the 'system token' concept).

       •   Either a 'system token' was not set yet, or the boot loader has not
           passed the OS a random seed yet (and thus most likely found the
           random seed file in the ESP missing).

       •   The system is not running in a VM environment. This case is
           explicitly excluded since in VM environments the ESP backing
           storage and the EFI variable storage are typically not physically
           separated, and hence booting the same OS image in multiple
           instances would replicate both, thus reusing the same random seed
           and 'system token' among all instances, which defeats their
           purpose. Note that it is still possible to use boot loader random
           seed provisioning in this mode, but the automatic logic implemented
           by this service has no effect then, and the user instead has to
           manually invoke bootctl random-seed, acknowledging these
           restrictions.

       For further details on the command this service invokes, see
       bootctl(1).

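       The following is an added model of the mechanism described above, not
       code from systemd or systemd-boot: one machine is represented by its
       ESP seed file and the token in EFI NVRAM, the boot loader hashes the
       two together to derive the seed handed to the OS and a fresh seed to
       write back to the ESP, and a cloned VM image shows why two instances
       of the same image would end up with identical seeds. The use of
       SHA-256, the seed length and the domain-separation labels are
       assumptions of this model.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

SEED_LEN = 32  # bytes; a constructed size, not taken from the man page

@dataclass
class Firmware:
    """One machine, modelled as its ESP seed file plus the token in EFI NVRAM."""
    esp_seed: bytes
    system_token: Optional[bytes] = None

def provision(fw: Firmware) -> None:
    """Model of what the service triggers: write a fresh random seed to the
    ESP, and generate the system token only if it is not set yet."""
    fw.esp_seed = secrets.token_bytes(SEED_LEN)
    if fw.system_token is None:
        fw.system_token = secrets.token_bytes(SEED_LEN)

def boot(fw: Firmware) -> bytes:
    """Model of the boot loader: hash ESP seed and system token together, hand
    one output to the OS and write another back to the ESP so the next boot
    starts from a different seed. Labels and hash choice are assumptions."""
    token = fw.system_token or b""
    os_seed = hashlib.sha256(b"loader-os-seed" + fw.esp_seed + token).digest()
    fw.esp_seed = hashlib.sha256(b"loader-esp-seed" + fw.esp_seed + token).digest()
    return os_seed

def clone(fw: Firmware) -> Firmware:
    """A VM image copied together with its ESP and its EFI variable store."""
    return Firmware(fw.esp_seed, fw.system_token)

def seeds_collide(image: Firmware) -> bool:
    """True when two instances booted from one image get the same OS seed,
    which is the case the service refuses to set up automatically in VMs."""
    return boot(clone(image)) == boot(clone(image))

def fresh_machine() -> Firmware:
    """A physical machine after the service has run once: blank ESP seed
    replaced and its own token generated."""
    fw = Firmware(bytes(SEED_LEN))
    provision(fw)
    return fw

if __name__ == "__main__":
    print("clones collide:", seeds_collide(fresh_machine()))  # True
    print("distinct machines collide:", boot(fresh_machine()) == boot(fresh_machine()))  # False
```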

SEE ALSO

       systemd(1), bootctl(1), systemd-boot(7)


NOTES

        1. Boot Loader Interface
           https://systemd.io/BOOT_LOADER_INTERFACE

systemd 248                               SYSTEMD-BOOT-SYSTEM-TOKEN.SERVICE(8)