On my last installation using systemd-boot, I got this warning:
Mount point '/efi' which backs the random seed file is world accessible, which is a security hole!
Random seed file '/efi/loader/random-seed' is world accessible, which is a security hole!
I found this archlinux post, so I thought I’d pass it on. In addition to adding the mount options to /etc/fstab, I also unmounted /efi and ran chmod to remove all permissions for group and other, then remounted it.
# grep vfat /etc/fstab
UUID=9541-A20B /efi vfat utf8,dmask=0077,fmask=0077 0 2
# ll -d /efi
drwx------ 5 root root 4096 Dec 31 1969 /efi
One other thing I’ve been doing is following the Boot Loader Specification and mounting the ESP at /efi instead of /boot/efi in /etc/fstab. While working on that, I discovered that grub2 will boot successfully with the ESP mounted at /efi instead of /boot/efi.
Gene
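As an added example (not part of Gene's post), a small POSIX sh audit that reads fstab text and flags a vfat ESP entry whose options do not mask group/other access; the fstab lines and UUIDs are constructed placeholders, and it accepts umask=0077 as equivalent to dmask=0077,fmask=0077.

```shell
#!/bin/sh
# Constructed sample fstab contents (placeholder UUIDs, not a real system).
SAMPLE_FSTAB_BAD='UUID=0000-0000 /efi vfat utf8 0 2
UUID=1111-1111 / ext4 defaults 0 1'
SAMPLE_FSTAB_GOOD='UUID=0000-0000 /efi vfat utf8,dmask=0077,fmask=0077 0 2
UUID=1111-1111 / ext4 defaults 0 1'

# esp_mount_ok OPTIONS -> 0 when the option string hides the ESP from
# group and other (umask=0077, or both dmask=0077 and fmask=0077).
esp_mount_ok() {
    opts=",$1,"
    case "$opts" in
        *,umask=0077,*|*,umask=077,*) return 0 ;;
    esac
    case "$opts" in
        *,dmask=0077,*|*,dmask=077,*) ;;
        *) return 1 ;;
    esac
    case "$opts" in
        *,fmask=0077,*|*,fmask=077,*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_esp_fstab FSTAB_TEXT -> prints one line per vfat ESP entry
# (/efi, /boot/efi or /boot) and returns 1 if any is world accessible.
# A here-document is used instead of a pipe so rc survives the loop.
check_esp_fstab() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac      # skip blanks/comments
        [ "$fstype" = vfat ] || continue
        case "$mnt" in /efi|/boot/efi|/boot) ;; *) continue ;; esac
        if esp_mount_ok "$opts"; then
            echo "OK   $mnt ($opts)"
        else
            echo "WARN $mnt ($opts): add dmask=0077,fmask=0077 or umask=0077"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}
```

Run it against the live file with `check_esp_fstab "$(cat /etc/fstab)"`; a non-zero exit means the seed file under the ESP is readable by every local user.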