boot: implement kernel EFI RNG seed protocol with proper hashing

Rather than passing seeds up to userspace via EFI variables, pass seeds
directly to the kernel's EFI stub loader, via LINUX_EFI_RANDOM_SEED_TABLE_GUID.
EFI variables can potentially leak and suffer from forward secrecy
issues, and processing these with userspace means that they are
initialized much too late in boot to be useful. In contrast,
LINUX_EFI_RANDOM_SEED_TABLE_GUID uses EFI configuration tables, and so
is hidden from userspace entirely, and is parsed extremely early on by
the kernel, so that every single call to get_random_bytes() by the
kernel is seeded.

In order to do this properly, we use a bit more robust hashing scheme,
and make sure that each input is properly memzeroed out after use. The
scheme is:

    key = HASH(LABEL || sizeof(input1) || input1 || ... || sizeof(inputN) || inputN)
    new_disk_seed = HASH(key || 0)
    seed_for_linux = HASH(key || 1)

The various inputs are:
- LINUX_EFI_RANDOM_SEED_TABLE_GUID from prior bootloaders
- 256 bits of seed from EFI's RNG
- The (immutable) system token, from its EFI variable
- The prior on-disk seed
- The UEFI monotonic counter
- A timestamp

This also adjusts the secure boot semantics, so that the operation is
only aborted if it's not possible to get random bytes from EFI's RNG or
a prior boot stage. With the proper hashing scheme, this should make
boot seeds safe even on secure boot.

There is currently a bug in Linux's EFI stub in which if the EFI stub
manages to generate random bytes on its own using EFI's RNG, it will
ignore what the bootloader passes. That's annoying, but it means that
either way, via systemd-boot or via EFI stub's mechanism, the RNG *does*
get initialized in a good safe way. And this bug is now fixed in the
efi.git tree, and will hopefully be backported to older kernels.

As the kernel recommends, the resultant seeds are 256 bits and are
allocated using pool memory of type EfiACPIReclaimMemory, so that it
gets freed at the right moment in boot.

1 files changed, 0 insertions, 22 deletions

diff --git a/man/systemd-boot.xml b/man/systemd-boot.xml
index 0eee532f90..081deb8d6c 100644
--- a/man/systemd-boot.xml
+++ b/man/systemd-boot.xml
@@ -436,28 +436,6 @@
       </varlistentry>
 
       <varlistentry>
-        <term><varname>LoaderRandomSeed</varname></term>
-
-        <listitem><para>A binary random seed <command>systemd-boot</command> may optionally pass to the
-        OS. This is a volatile EFI variable that is hashed at boot from the combination of a random seed
-        stored in the ESP (in <filename>/loader/random-seed</filename>) and a "system token" persistently
-        stored in the EFI variable <varname>LoaderSystemToken</varname> (see below). During early OS boot the
-        system manager reads this variable and passes it to the OS kernel's random pool, crediting the full
-        entropy it contains. This is an efficient way to ensure the system starts up with a fully initialized
-        kernel random pool — as early as the initrd phase. <command>systemd-boot</command> reads
-        the random seed from the ESP, combines it with the "system token", and both derives a new random seed
-        to update in-place the seed stored in the ESP, and the random seed to pass to the OS from it via
-        SHA256 hashing in counter mode. This ensures that different physical systems that boot the same
-        "golden" OS image — i.e. containing the same random seed file in the ESP — will still pass a
-        different random seed to the OS. It is made sure the random seed stored in the ESP is fully
-        overwritten before the OS is booted, to ensure different random seed data is used between subsequent
-        boots.</para>
-
-        <para>See <ulink url="https://systemd.io/RANDOM_SEEDS">Random Seeds</ulink> for
-        further information.</para></listitem>
-      </varlistentry>
-
-      <varlistentry>
         <term><varname>LoaderSystemToken</varname></term>
 
         <listitem><para>A binary random data field, that is used for generating the random seed to pass to