1SYSTEMD-BOOT-RANDOM-SEEDs.ySsEtReVmIdC-Eb(o8o)t-random-sSeYeSdT.EsMeDr-vBiOcOeT-RANDOM-SEED.SERVICE(8)
2
3
4

NAME

6       systemd-boot-random-seed.service - Refresh boot loader random seed at
7       boot
8

SYNOPSIS

10       systemd-boot-random-seed.service
11

DESCRIPTION

13       systemd-boot-random-seed.service is a system service that automatically
14       refreshes the boot loader random seed stored in the EFI System
15       Partition (ESP), from the Linux kernel entropy pool. The boot loader
16       random seed is primarily consumed and updated by systemd-boot(7) from
17       the UEFI environment (or systemd-stub(7) if the former is not used, but
18       the latter is), and passed as initial RNG seed to the OS. It is an
19       effective way to ensure the OS comes up with a random pool that is
20       fully initialized.
21
22       The service also automatically generates a 'system token' to store in
23       an EFI variable in the system's NVRAM. The boot loader may then combine
24       the on-disk random seed and the system token by cryptographic hashing,
25       and pass it to the OS it boots as initialization seed for its entropy
26       pool. Note: the random seed stored in the ESP is refreshed on every
27       reboot ensuring that multiple subsequent boots will boot with different
28       seeds. On the other hand, the system token is generated randomly once,
29       and then persistently stored in the system's EFI variable storage,
30       ensuring the same disk image won't result in the same series of boot
31       loader seed values if used on multiple systems in parallel.
32
33       The systemd-boot-random-seed.service unit invokes the bootctl
34       random-seed command, which updates the random seed in the ESP, and
35       initializes the system token if it's not initialized yet. The service
36       is conditionalized so that it is run only when a boot loader is used
37       that implements the Boot Loader Interface[1].
38
39       For further details see bootctl(1), regarding the command this service
40       invokes.
41
42       Note the relationship between systemd-boot-random-seed.service and
43       systemd-random-seed(8). The former maintains the random seed consumed
44       and updated by the boot environment (i.e. by systemd-boot(7) or
45       systemd-stub(7)), the latter maintains a random seed consumed and
46       updated by the OS itself. The former ensures that the OS has a filled
47       entropy pool already during earliest boot when regular disk access is
48       not available yet (i.e. when the OS random seed cannot be loaded yet).
49       The latter is processed much later, once writable disk access is
50       available. Thus it cannot be used to seed the initial boot phase, but
51       typically has much higher quality of entropy. Both files are consumed
52       and updated at boot, but at different times. Specifically:
53
54        1. In UEFI mode, the systemd-boot(7) or systemd-stub(7) components
55           load the boot loader random seed from the ESP, hash it with
56           available entropy and the system token, and then update it on disk.
57           A derived seed is passed to the kernel which writes it to its
58           entropy pool.
59
60        2. In userspace the systemd-random-seed.service service loads the OS
61           random seed, writes it to the kernel entropy pool, and then updates
62           it on disk with a new value derived from the kernel entropy pool.
63
64        3. In userspace the systemd-boot-random-seed.service service updates
65           the boot loader random seed with a new value derived from the
66           kernel entropy pool.
67
68       This logic should ensure that the kernel's entropy pool is seeded
69       during earliest bool already, if possible, but the highest quality
70       entropy is propagated back to both on-disk seeds.
71

SEE ALSO

73       systemd(1), random(4), bootctl(1), systemd-boot(7), systemd-stub(7),
74       systemd-random-seed.service(8)
75

NOTES

77        1. Boot Loader Interface
78           https://systemd.io/BOOT_LOADER_INTERFACE
79
80
81
82systemd 253                                SYSTEMD-BOOT-RANDOM-SEED.SERVICE(8)