units: automatically initialize the system token if that makes sense

2025-01-10 05:18:17 +03:00 · 2019-07-19 18:06:00 +02:00 · 2019-07-19 18:06:00 +02:00 · d985064a8b
commit d985064a8b
parent d6e9a347a5
2 changed files with 36 additions and 0 deletions
--- a/units/meson.build
+++ b/units/meson.build
@ -135,6 +135,8 @@ in_units = [
         'sysinit.target.wants/'],
        ['systemd-bless-boot.service',           'ENABLE_EFI HAVE_BLKID'],
        ['systemd-boot-check-no-failures.service', ''],
+        ['systemd-boot-system-token.service',    'ENABLE_EFI',
+         'sysinit.target.wants/'],
        ['systemd-coredump@.service',            'ENABLE_COREDUMP'],
        ['systemd-pstore.service',               'ENABLE_PSTORE'],
        ['systemd-firstboot.service',            'ENABLE_FIRSTBOOT',
--- a/units/systemd-boot-system-token.service.in
+++ b/units/systemd-boot-system-token.service.in
@ -0,0 +1,34 @@
+#  SPDX-License-Identifier: LGPL-2.1+
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Store a System Token in an EFI Variable
+Documentation=man:systemd-boot-system-token.service(8)
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=local-fs.target systemd-random-seed.service
+Before=shutdown.target
+
+# Don't run this in a VM environment, because there EFI variables are not
+# actually stored in NVRAM, independent of regular storage.
+ConditionVirtualization=no
+
+# Only run this if the boot loader can support random seed initialization.
+ConditionPathExists=/sys/firmware/efi/efivars/LoaderFeatures-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
+
+# Only run this if there is no system token defined yet, or …
+ConditionPathExists=|!/sys/firmware/efi/efivars/LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
+
+# … if the boot loader didn't pass the OS a random seed (and thus probably was missing the random seed file)
+ConditionPathExists=|!/sys/firmware/efi/efivars/LoaderRandomSeed-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=@bindir@/bootctl random-seed