chore: add ability to rewrite uuids and set unique tokens for Talos

This PR does those things:
- It allows API calls `MetaWrite` and `MetaRead` in maintenance mode.
- SystemInformation resource now waits for available META
- SystemInformation resource now overwrites UUID from META if there is an override
- META now supports "UUID override" and "unique token" keys
- ProvisionRequest now includes unique token and Talos version

For #7694

Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>

api/resource/definitions/runtime/runtime.proto

@@ -64,6 +64,11 @@ message MetaKeySpec {
   string value = 1;
 }
 
+// MetaLoadedSpec is the spec for meta loaded. The Done field is always true when resource exists.
+message MetaLoadedSpec {
+  bool done = 1;
+}
+
 // MountStatusSpec describes status of the defined sysctls.
 message MountStatusSpec {
   string source = 1;
@@ -93,6 +98,11 @@ message SecurityStateSpec {
   string pcr_signing_key_fingerprint = 3;
 }
 
+// UniqueMachineTokenSpec is the spec for the machine unique token. Token can be empty if machine wasn't assigned any.
+message UniqueMachineTokenSpec {
+  string token = 1;
+}
+
 // UnmetCondition is a failure which prevents machine from being ready at the stage.
 message UnmetCondition {
   string name = 1;

cmd/talosctl/cmd/talos/meta.go

@@ -13,6 +13,10 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/client"
 )
 
+var metaCmdFlags struct {
+	insecure bool
+}
+
 var metaCmd = &cobra.Command{
 	Use:   "meta",
 	Short: "Write and delete keys in the META partition",
@@ -26,14 +30,20 @@ var metaWriteCmd = &cobra.Command{
 	Long:  ``,
 	Args:  cobra.ExactArgs(2),
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return WithClient(func(ctx context.Context, c *client.Client) error {
+		fn := func(ctx context.Context, c *client.Client) error {
 			key, err := strconv.ParseUint(args[0], 0, 8)
 			if err != nil {
 				return err
 			}
 
 			return c.MetaWrite(ctx, uint8(key), []byte(args[1]))
-		})
+		}
+
+		if metaCmdFlags.insecure {
+			return WithClientMaintenance(nil, fn)
+		}
+
+		return WithClient(fn)
 	},
 }
 
@@ -43,18 +53,26 @@ var metaDeleteCmd = &cobra.Command{
 	Long:  ``,
 	Args:  cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return WithClient(func(ctx context.Context, c *client.Client) error {
+		fn := func(ctx context.Context, c *client.Client) error {
 			key, err := strconv.ParseUint(args[0], 0, 8)
 			if err != nil {
 				return err
 			}
 
 			return c.MetaDelete(ctx, uint8(key))
-		})
+		}
+
+		if metaCmdFlags.insecure {
+			return WithClientMaintenance(nil, fn)
+		}
+
+		return WithClient(fn)
 	},
 }
 
 func init() {
+	metaCmd.PersistentFlags().BoolVarP(&metaCmdFlags.insecure, "insecure", "i", false, "write|delete meta using the insecure (encrypted with no auth) maintenance service")
+
 	metaCmd.AddCommand(metaWriteCmd)
 	metaCmd.AddCommand(metaDeleteCmd)
 	addCommand(metaCmd)

go.mod

@@ -117,7 +117,7 @@ require (
 	github.com/siderolabs/grpc-proxy v0.4.0
 	github.com/siderolabs/kms-client v0.1.0
 	github.com/siderolabs/net v0.4.0
-	github.com/siderolabs/siderolink v0.3.1
+	github.com/siderolabs/siderolink v0.3.2-0.20231109194336-71dd3084984d
 	github.com/siderolabs/talos/pkg/machinery v1.6.0-alpha.1
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
@@ -305,7 +305,7 @@ require (
 	golang.org/x/oauth2 v0.12.0 // indirect
 	golang.org/x/tools v0.12.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b // indirect
+	golang.zx2c4.com/wireguard v0.0.0-20231022001213-2e0774f246fb // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231012201019-e917dd12ba7a // indirect

go.sum

@@ -669,8 +669,8 @@ github.com/siderolabs/net v0.4.0 h1:1bOgVay/ijPkJz4qct98nHsiB/ysLQU0KLoBC4qLm7I=
 github.com/siderolabs/net v0.4.0/go.mod h1:/ibG+Hm9HU27agp5r9Q3eZicEfjquzNzQNux5uEk0kM=
 github.com/siderolabs/protoenc v0.2.0 h1:QFxWIAo//12+/bm27GNYoK/TpQGTYsRrrZCu9jSghvU=
 github.com/siderolabs/protoenc v0.2.0/go.mod h1:mu4gc6pJxhdJYpuloacKE4jsJojj87qDXwn8LUvs2bY=
-github.com/siderolabs/siderolink v0.3.1 h1:n0pkf7dEhiqX0nfcwWiEqGKoD5CuBRTrWdPBvmvQ8vs=
+github.com/siderolabs/siderolink v0.3.2-0.20231109194336-71dd3084984d h1:05OjO5Ue/UGH6Onq9KLJN1VKl3G3EdKvbtLU2yNtl/E=
-github.com/siderolabs/siderolink v0.3.1/go.mod h1:LrkE9BoHzfi/m43EQx/Fk6kSal6Uvthu5AtRC3W5GcI=
+github.com/siderolabs/siderolink v0.3.2-0.20231109194336-71dd3084984d/go.mod h1:3a+b/jpRwA+iyumrnyP2/VmkMUWr8AHZBo6LEHqx/rU=
 github.com/siderolabs/tcpproxy v0.1.0 h1:IbkS9vRhjMOscc1US3M5P1RnsGKFgB6U5IzUk+4WkKA=
 github.com/siderolabs/tcpproxy v0.1.0/go.mod h1:onn6CPPj/w1UNqQ0U97oRPF0CqbrgEApYCw4P9IiCW8=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
@@ -1014,8 +1014,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b h1:J1CaxgLerRR5lgx3wnr6L04cJFbWoceSK9JWBdglINo=
+golang.zx2c4.com/wireguard v0.0.0-20231022001213-2e0774f246fb h1:c5tyN8sSp8jSDxdCCDXVOpJwYXXhmTkNMt+g0zTSOic=
-golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b/go.mod h1:tqur9LnfstdR9ep2LaJT4lFUl0EjlHtge+gAjmsHUG4=
+golang.zx2c4.com/wireguard v0.0.0-20231022001213-2e0774f246fb/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
@@ -1140,8 +1140,8 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
-gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0 h1:Wobr37noukisGxpKo5jAsLREcpj61RxrWYzD8uwveOY=
+gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 h1:TbRPT0HtzFP3Cno1zZo7yPzEEnfu8EjLfl6IU9VfqkQ=
-gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0/go.mod h1:Dn5idtptoW1dIos9U6A2rpebLs/MtTwFacjKb8jLdQA=
+gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259/go.mod h1:AVgIgHMwK63XvmAzWG9vLQ41YnVHN0du0tEC46fI7yY=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

internal/app/machined/pkg/adapters/hardware/system_information.go

@@ -24,18 +24,18 @@ type systemInformation struct {
 }
 
 // Update current systemInformation info.
-func (p systemInformation) Update(systemInformation *smbios.SystemInformation) {
+func (p systemInformation) Update(systemInformation *smbios.SystemInformation, uuidRewrite string) {
-	translateSystemInformationInfo := func(in *smbios.SystemInformation) hardware.SystemInformationSpec {
+	if uuidRewrite == "" {
-		return hardware.SystemInformationSpec{
+		uuidRewrite = systemInformation.UUID
-			Manufacturer: in.Manufacturer,
-			ProductName:  in.ProductName,
-			Version:      in.Version,
-			SerialNumber: in.SerialNumber,
-			UUID:         in.UUID,
-			WakeUpType:   in.WakeUpType.String(),
-			SKUNumber:    in.SKUNumber,
-		}
 	}
 
-	*p.SystemInformation.TypedSpec() = translateSystemInformationInfo(systemInformation)
+	*p.SystemInformation.TypedSpec() = hardware.SystemInformationSpec{
+		Manufacturer: systemInformation.Manufacturer,
+		ProductName:  systemInformation.ProductName,
+		Version:      systemInformation.Version,
+		SerialNumber: systemInformation.SerialNumber,
+		UUID:         uuidRewrite,
+		WakeUpType:   systemInformation.WakeUpType.String(),
+		SKUNumber:    systemInformation.SKUNumber,
+	}
 }

internal/app/machined/pkg/controllers/hardware/hardware_test.go

@@ -46,21 +46,6 @@ func (suite *HardwareSuite) SetupTest() {
 	suite.Require().NoError(err)
 }
 
-func (suite *HardwareSuite) assertResource(md resource.Metadata, check func(res resource.Resource) error) func() error {
-	return func() error {
-		r, err := suite.state.Get(suite.ctx, md)
-		if err != nil {
-			if state.IsNotFoundError(err) {
-				return retry.ExpectedError(err)
-			}
-
-			return err
-		}
-
-		return check(r)
-	}
-}
-
 func (suite *HardwareSuite) assertNoResource(md resource.Metadata) func() error {
 	return func() error {
 		_, err := suite.state.Get(suite.ctx, md)
@@ -83,3 +68,11 @@ func (suite *HardwareSuite) TearDownTest() {
 
 	suite.wg.Wait()
 }
+
+func (suite *HardwareSuite) State() state.State {
+	return suite.state
+}
+
+func (suite *HardwareSuite) Ctx() context.Context {
+	return suite.ctx
+}

internal/app/machined/pkg/controllers/hardware/system.go

@@ -10,14 +10,18 @@ import (
 	"strings"
 
 	"github.com/cosi-project/runtime/pkg/controller"
-	"github.com/cosi-project/runtime/pkg/resource"
+	"github.com/cosi-project/runtime/pkg/safe"
+	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/siderolabs/gen/optional"
 	"github.com/siderolabs/go-smbios/smbios"
 	"go.uber.org/zap"
 
 	hwadapter "github.com/siderolabs/talos/internal/app/machined/pkg/adapters/hardware"
 	runtimetalos "github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
+	"github.com/siderolabs/talos/internal/pkg/meta"
 	pkgSMBIOS "github.com/siderolabs/talos/internal/pkg/smbios"
 	"github.com/siderolabs/talos/pkg/machinery/resources/hardware"
+	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
 )
 
 // SystemInfoController populates CPU information of the underlying hardware.
@@ -33,7 +37,19 @@ func (ctrl *SystemInfoController) Name() string {
 
 // Inputs implements controller.Controller interface.
 func (ctrl *SystemInfoController) Inputs() []controller.Input {
-	return nil
+	return []controller.Input{
+		{
+			Namespace: runtime.NamespaceName,
+			Type:      runtime.MetaKeyType,
+			Kind:      controller.InputWeak,
+		},
+		{
+			Namespace: runtime.NamespaceName,
+			Type:      runtime.MetaLoadedType,
+			ID:        optional.Some(runtime.MetaLoadedID),
+			Kind:      controller.InputWeak,
+		},
+	}
 }
 
 // Outputs implements controller.Controller interface.
@@ -58,59 +74,83 @@ func (ctrl *SystemInfoController) Outputs() []controller.Output {
 //
 //nolint:gocyclo
 func (ctrl *SystemInfoController) Run(ctx context.Context, r controller.Runtime, logger *zap.Logger) error {
-	select {
-	case <-ctx.Done():
-		return nil
-	case <-r.EventCh():
-	}
-
 	// smbios info is not available inside container, so skip the controller
 	if ctrl.V1Alpha1Mode == runtimetalos.ModeContainer {
 		return nil
 	}
-	// controller runs only once
+
-	if ctrl.SMBIOS == nil {
+	for {
-		s, err := pkgSMBIOS.GetSMBIOSInfo()
+		select {
+		case <-ctx.Done():
+			return nil
+		case <-r.EventCh():
+		}
+
+		_, err := safe.ReaderGetByID[*runtime.MetaLoaded](ctx, r, runtime.MetaLoadedID)
 		if err != nil {
-			return err
+			if state.IsNotFoundError(err) {
+				continue
+			}
+
+			return fmt.Errorf("error getting meta loaded resource: %w", err)
 		}
 
-		ctrl.SMBIOS = s
+		if ctrl.SMBIOS == nil {
-	}
+			var s *smbios.SMBIOS
 
-	if err := r.Modify(ctx, hardware.NewSystemInformation(hardware.SystemInformationID), func(res resource.Resource) error {
+			s, err = pkgSMBIOS.GetSMBIOSInfo()
-		hwadapter.SystemInformation(res.(*hardware.SystemInformation)).Update(&ctrl.SMBIOS.SystemInformation)
+			if err != nil {
+				return err
+			}
 
-		return nil
+			ctrl.SMBIOS = s
-	}); err != nil {
+		}
-		return fmt.Errorf("error updating objects: %w", err)
-	}
 
-	for _, p := range ctrl.SMBIOS.ProcessorInformation {
+		uuidRewriteRes, err := safe.ReaderGetByID[*runtime.MetaKey](ctx, r, runtime.MetaKeyTagToID(meta.UUIDOverride))
-		// replaces `CPU 0` with `CPU-0`
+		if err != nil && !state.IsNotFoundError(err) {
-		id := strings.ReplaceAll(p.SocketDesignation, " ", "-")
+			return fmt.Errorf("error getting meta key resource: %w", err)
+		}
 
-		if err := r.Modify(ctx, hardware.NewProcessorInfo(id), func(res resource.Resource) error {
+		var uuidRewrite string
-			hwadapter.Processor(res.(*hardware.Processor)).Update(&p)
+
+		if uuidRewriteRes != nil && uuidRewriteRes.TypedSpec().Value != "" {
+			uuidRewrite = uuidRewriteRes.TypedSpec().Value
+
+			logger.Info("using UUID rewrite", zap.String("uuid", uuidRewrite))
+		}
+
+		if err := safe.WriterModify(ctx, r, hardware.NewSystemInformation(hardware.SystemInformationID), func(res *hardware.SystemInformation) error {
+			hwadapter.SystemInformation(res).Update(&ctrl.SMBIOS.SystemInformation, uuidRewrite)
 
 			return nil
 		}); err != nil {
 			return fmt.Errorf("error updating objects: %w", err)
 		}
-	}
 
-	for _, m := range ctrl.SMBIOS.MemoryDevices {
+		for _, p := range ctrl.SMBIOS.ProcessorInformation {
-		// replaces `SIMM 0` with `SIMM-0`
+			// replaces `CPU 0` with `CPU-0`
-		id := strings.ReplaceAll(m.DeviceLocator, " ", "-")
+			id := strings.ReplaceAll(p.SocketDesignation, " ", "-")
 
-		if err := r.Modify(ctx, hardware.NewMemoryModuleInfo(id), func(res resource.Resource) error {
+			if err := safe.WriterModify(ctx, r, hardware.NewProcessorInfo(id), func(res *hardware.Processor) error {
-			hwadapter.MemoryModule(res.(*hardware.MemoryModule)).Update(&m)
+				hwadapter.Processor(res).Update(&p)
 
-			return nil
+				return nil
-		}); err != nil {
+			}); err != nil {
-			return fmt.Errorf("error updating objects: %w", err)
+				return fmt.Errorf("error updating objects: %w", err)
+			}
+		}
+
+		for _, m := range ctrl.SMBIOS.MemoryDevices {
+			// replaces `SIMM 0` with `SIMM-0`
+			id := strings.ReplaceAll(m.DeviceLocator, " ", "-")
+
+			if err := safe.WriterModify(ctx, r, hardware.NewMemoryModuleInfo(id), func(res *hardware.MemoryModule) error {
+				hwadapter.MemoryModule(res).Update(&m)
+
+				return nil
+			}); err != nil {
+				return fmt.Errorf("error updating objects: %w", err)
+			}
 		}
 	}
-
-	return nil
 }

internal/app/machined/pkg/controllers/hardware/system_test.go

@@ -5,19 +5,21 @@
 package hardware_test
 
 import (
-	"fmt"
 	"os"
 	"testing"
 	"time"
 
-	"github.com/cosi-project/runtime/pkg/resource"
 	"github.com/siderolabs/go-retry/retry"
 	"github.com/siderolabs/go-smbios/smbios"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
 
+	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
 	hardwarectrl "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/hardware"
 	runtimetalos "github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
+	"github.com/siderolabs/talos/internal/pkg/meta"
 	"github.com/siderolabs/talos/pkg/machinery/resources/hardware"
+	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
 )
 
 type SystemInfoSuite struct {
@@ -28,8 +30,7 @@ func (suite *SystemInfoSuite) TestPopulateSystemInformation() {
 	stream, err := os.Open("testdata/SuperMicro-Dual-Xeon.dmi")
 	suite.Require().NoError(err)
 
-	//nolint: errcheck
+	suite.T().Cleanup(func() { suite.NoError(stream.Close()) })
-	defer stream.Close()
 
 	version := smbios.Version{Major: 3, Minor: 3, Revision: 0} // dummy version
 	s, err := smbios.Decode(stream, version)
@@ -45,6 +46,8 @@ func (suite *SystemInfoSuite) TestPopulateSystemInformation() {
 
 	suite.startRuntime()
 
+	suite.Require().NoError(suite.state.Create(suite.ctx, runtime.NewMetaLoaded()))
+
 	cpuSpecs := map[string]hardware.ProcessorSpec{
 		"CPU-1": {
 			Socket:       "CPU 1",
@@ -95,36 +98,50 @@ func (suite *SystemInfoSuite) TestPopulateSystemInformation() {
 	}
 
 	for k, v := range cpuSpecs {
-		suite.Assert().NoError(
+		ctest.AssertResource(suite, k, func(r *hardware.Processor, assertions *assert.Assertions) {
-			retry.Constant(1*time.Second, retry.WithUnits(100*time.Millisecond)).Retry(
+			assertions.Equal(v, *r.TypedSpec())
-				suite.assertResource(*hardware.NewProcessorInfo(k).Metadata(), func(r resource.Resource) error {
+		})
-					status := *r.(*hardware.Processor).TypedSpec()
-					if !suite.Assert().Equal(v, status) {
-						return retry.ExpectedError(fmt.Errorf("cpu status doesn't match: %v != %v", v, status))
-					}
-
-					return nil
-				}),
-			),
-		)
 	}
 
 	for k, v := range memorySpecs {
-		suite.Assert().NoError(
+		ctest.AssertResource(suite, k, func(r *hardware.MemoryModule, assertions *assert.Assertions) {
-			retry.Constant(1*time.Second, retry.WithUnits(100*time.Millisecond)).Retry(
+			assertions.Equal(v, *r.TypedSpec())
-				suite.assertResource(*hardware.NewMemoryModuleInfo(k).Metadata(), func(r resource.Resource) error {
+		})
-					status := *r.(*hardware.MemoryModule).TypedSpec()
-					if !suite.Assert().Equal(v, status) {
-						return retry.ExpectedError(fmt.Errorf("memory status doesn't match: %v != %v", v, status))
-					}
-
-					return nil
-				}),
-			),
-		)
 	}
 }
 
+func (suite *SystemInfoSuite) TestUUIDOverwrite() {
+	stream, err := os.Open("testdata/SuperMicro-Dual-Xeon.dmi")
+	suite.Require().NoError(err)
+
+	suite.T().Cleanup(func() { suite.NoError(stream.Close()) })
+
+	version := smbios.Version{Major: 3, Minor: 3, Revision: 0} // dummy version
+	s, err := smbios.Decode(stream, version)
+	suite.Require().NoError(err)
+
+	suite.Require().NoError(
+		suite.runtime.RegisterController(
+			&hardwarectrl.SystemInfoController{
+				SMBIOS: s,
+			},
+		),
+	)
+
+	suite.startRuntime()
+
+	suite.Require().NoError(suite.state.Create(suite.ctx, runtime.NewMetaLoaded()))
+
+	key := runtime.NewMetaKey(runtime.NamespaceName, runtime.MetaKeyTagToID(meta.UUIDOverride))
+	key.TypedSpec().Value = "00000000-0000-0000-0000-000000000001"
+
+	suite.Require().NoError(suite.state.Create(suite.ctx, key))
+
+	ctest.AssertResource(suite, hardware.SystemInformationID, func(r *hardware.SystemInformation, assertions *assert.Assertions) {
+		assertions.Equal("00000000-0000-0000-0000-000000000001", r.TypedSpec().UUID)
+	})
+}
+
 func (suite *SystemInfoSuite) TestPopulateSystemInformationIsDisabledInContainerMode() {
 	suite.Require().NoError(
 		suite.runtime.RegisterController(
@@ -136,6 +153,8 @@ func (suite *SystemInfoSuite) TestPopulateSystemInformationIsDisabledInContainer
 
 	suite.startRuntime()
 
+	suite.Require().NoError(suite.state.Create(suite.ctx, runtime.NewMetaLoaded()))
+
 	suite.Assert().NoError(retry.Constant(1*time.Second, retry.WithUnits(100*time.Millisecond)).Retry(suite.assertNoResource(*hardware.NewSystemInformation("systeminformation").Metadata())))
 }
 

internal/app/machined/pkg/controllers/runtime/unique_token.go

@@ -0,0 +1,56 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package runtime
+
+import (
+	"context"
+
+	"github.com/cosi-project/runtime/pkg/controller"
+	"github.com/cosi-project/runtime/pkg/controller/generic/transform"
+	"github.com/cosi-project/runtime/pkg/safe"
+	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/siderolabs/gen/optional"
+	"go.uber.org/zap"
+
+	"github.com/siderolabs/talos/internal/pkg/meta"
+	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
+)
+
+// UniqueMachineTokenController provides a unique token the machine.
+type UniqueMachineTokenController = transform.Controller[*runtime.MetaLoaded, *runtime.UniqueMachineToken]
+
+// NewUniqueMachineTokenController instanciates the controller.
+func NewUniqueMachineTokenController() *UniqueMachineTokenController {
+	return transform.NewController(
+		transform.Settings[*runtime.MetaLoaded, *runtime.UniqueMachineToken]{
+			Name: "runtime.UniqueMachineTokenController",
+			MapMetadataFunc: func(in *runtime.MetaLoaded) *runtime.UniqueMachineToken {
+				return runtime.NewUniqueMachineToken()
+			},
+			TransformFunc: func(ctx context.Context, r controller.Reader, logger *zap.Logger, _ *runtime.MetaLoaded, out *runtime.UniqueMachineToken) error {
+				uniqueToken, err := safe.ReaderGetByID[*runtime.MetaKey](ctx, r, runtime.MetaKeyTagToID(meta.UniqueMachineToken))
+				if state.IsNotFoundError(err) {
+					out.TypedSpec().Token = ""
+
+					return nil
+				} else if err != nil {
+					return err
+				}
+
+				out.TypedSpec().Token = uniqueToken.TypedSpec().Value
+
+				return nil
+			},
+		},
+		transform.WithExtraInputs(
+			controller.Input{
+				Namespace: runtime.NamespaceName,
+				Type:      runtime.MetaKeyType,
+				ID:        optional.Some(runtime.MetaKeyTagToID(meta.UniqueMachineToken)),
+				Kind:      controller.InputWeak,
+			},
+		),
+	)
+}

internal/app/machined/pkg/controllers/siderolink/manager.go

@@ -36,7 +36,9 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/hardware"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
+	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
 	"github.com/siderolabs/talos/pkg/machinery/resources/siderolink"
+	"github.com/siderolabs/talos/pkg/version"
 )
 
 // ManagerController interacts with SideroLink API and brings up the SideroLink Wireguard interface.
@@ -90,6 +92,12 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
 				ID:        optional.Some(hardware.SystemInformationID),
 				Kind:      controller.InputWeak,
 			},
+			{
+				Namespace: runtime.NamespaceName,
+				Type:      runtime.UniqueMachineTokenType,
+				ID:        optional.Some(runtime.UniqueMachineTokenID),
+				Kind:      controller.InputWeak,
+			},
 		},
 	); err != nil {
 		return fmt.Errorf("error waiting for network: %w", err)
@@ -138,7 +146,7 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
 		case <-r.EventCh():
 		}
 
-		cfg, err := safe.ReaderGet[*siderolink.Config](ctx, r, siderolink.NewConfig(config.NamespaceName, siderolink.ConfigID).Metadata())
+		cfg, err := safe.ReaderGetByID[*siderolink.Config](ctx, r, siderolink.ConfigID)
 		if err != nil {
 			if state.IsNotFoundError(err) {
 				if cleanupErr := ctrl.cleanup(ctx, r, nil, nil, logger); cleanupErr != nil {
@@ -152,7 +160,7 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
 			return fmt.Errorf("failed to get siderolink config: %w", err)
 		}
 
-		sysInfo, err := safe.ReaderGet[*hardware.SystemInformation](ctx, r, hardware.NewSystemInformation(hardware.SystemInformationID).Metadata())
+		sysInfo, err := safe.ReaderGetByID[*hardware.SystemInformation](ctx, r, hardware.SystemInformationID)
 		if err != nil {
 			if state.IsNotFoundError(err) {
 				// no system information
@@ -198,10 +206,17 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
 				}
 			}()
 
+			uniqTokenRes, rdrErr := safe.ReaderGetByID[*runtime.UniqueMachineToken](ctx, r, runtime.UniqueMachineTokenID)
+			if rdrErr != nil {
+				return nil, fmt.Errorf("failed to get unique token: %w", rdrErr)
+			}
+
 			sideroLinkClient := pb.NewProvisionServiceClient(conn)
 			request := &pb.ProvisionRequest{
-				NodeUuid:      nodeUUID,
+				NodeUuid:        nodeUUID,
-				NodePublicKey: ctrl.nodeKey.PublicKey().String(),
+				NodePublicKey:   ctrl.nodeKey.PublicKey().String(),
+				NodeUniqueToken: pointer.To(uniqTokenRes.TypedSpec().Token),
+				TalosVersion:    pointer.To(version.Tag),
 			}
 
 			token := parsedEndpoint.GetParam("jointoken")
@@ -231,7 +246,7 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
 		linkSpec := network.NewLinkSpec(network.ConfigNamespaceName, network.LayeredID(network.ConfigOperator, network.LinkID(constants.SideroLinkName)))
 		addressSpec := network.NewAddressSpec(network.ConfigNamespaceName, network.LayeredID(network.ConfigOperator, network.AddressID(constants.SideroLinkName, nodeAddress)))
 
-		if err = safe.WriterModify(ctx, r, linkSpec,
+		if err := safe.WriterModify(ctx, r, linkSpec,
 			func(res *network.LinkSpec) error {
 				spec := res.TypedSpec()
 
@@ -265,7 +280,7 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
 			return fmt.Errorf("error creating siderolink spec: %w", err)
 		}
 
-		if err = safe.WriterModify(ctx, r, addressSpec,
+		if err := safe.WriterModify(ctx, r, addressSpec,
 			func(res *network.AddressSpec) error {
 				spec := res.TypedSpec()
 
@@ -289,7 +304,7 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
 			addressSpec.Metadata().ID(): {},
 		}
 
-		if err = ctrl.cleanup(ctx, r, keepLinkSpecSet, keepAddressSpecSet, logger); err != nil {
+		if err := ctrl.cleanup(ctx, r, keepLinkSpecSet, keepAddressSpecSet, logger); err != nil {
 			return err
 		}
 

internal/app/machined/pkg/controllers/siderolink/manager_test.go

@@ -27,6 +27,7 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/hardware"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
+	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
 	"github.com/siderolabs/talos/pkg/machinery/resources/siderolink"
 )
 
@@ -89,6 +90,11 @@ func (suite *ManagerSuite) TestReconcile() {
 
 	suite.Require().NoError(suite.State().Create(suite.Ctx(), systemInformation))
 
+	uniqToken := runtime.NewUniqueMachineToken()
+	uniqToken.TypedSpec().Token = "random-token"
+
+	suite.Require().NoError(suite.State().Create(suite.Ctx(), uniqToken))
+
 	nodeAddress := netip.MustParsePrefix(mockNodeAddressPrefix)
 
 	addressSpec := network.NewAddressSpec(network.ConfigNamespaceName, network.LayeredID(network.ConfigOperator, network.AddressID(constants.SideroLinkName, nodeAddress)))

internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go

@@ -25,6 +25,7 @@ import (
 	"github.com/containerd/cgroups/v3/cgroup1"
 	"github.com/containerd/cgroups/v3/cgroup2"
 	"github.com/cosi-project/runtime/pkg/resource"
+	"github.com/cosi-project/runtime/pkg/safe"
 	"github.com/cosi-project/runtime/pkg/state"
 	"github.com/dustin/go-humanize"
 	"github.com/hashicorp/go-multierror"
@@ -2190,6 +2191,8 @@ func CleanupLegacyStaticPodFiles(runtime.Sequence, any) (runtime.TaskExecutionFu
 }
 
 // ReloadMeta reloads META partition after disk mount, installer run, etc.
+//
+//nolint:gocyclo
 func ReloadMeta(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error {
 		err := r.State().Machine().Meta().Reload(ctx)
@@ -2222,6 +2225,25 @@ func ReloadMeta(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 			}
 		}
 
+		if _, err := safe.ReaderGetByID[*resourceruntime.MetaLoaded](
+			ctx,
+			r.State().V1Alpha2().Resources(),
+			resourceruntime.MetaLoadedID,
+		); err != nil {
+			if !state.IsNotFoundError(err) {
+				return fmt.Errorf("error reading MetaLoaded resource: %w", err)
+			}
+
+			// create MetaLoaded resource signaling that META is now loaded
+			loaded := resourceruntime.NewMetaLoaded()
+			loaded.TypedSpec().Done = true
+
+			err = r.State().V1Alpha2().Resources().Create(ctx, loaded)
+			if err != nil {
+				return fmt.Errorf("error creating MetaLoaded resource: %w", err)
+			}
+		}
+
 		return nil
 	}, "reloadMeta"
 }

internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go

@@ -281,6 +281,7 @@ func (ctrl *Controller) Run(ctx context.Context, drainer *runtime.Drainer) error
 		&runtimecontrollers.SecurityStateController{
 			V1Alpha1Mode: ctrl.v1alpha1Runtime.State().Platform().Mode(),
 		},
+		runtimecontrollers.NewUniqueMachineTokenController(),
 		&secrets.APICertSANsController{},
 		&secrets.APIController{},
 		&secrets.EtcdController{},

internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_state.go

@@ -180,9 +180,11 @@ func NewState() (*State, error) {
 		&runtime.MaintenanceServiceRequest{},
 		&runtime.MachineStatus{},
 		&runtime.MetaKey{},
+		&runtime.MetaLoaded{},
 		&runtime.MountStatus{},
 		&runtime.PlatformMetadata{},
 		&runtime.SecurityState{},
+		&runtime.UniqueMachineToken{},
 		&secrets.API{},
 		&secrets.CertSAN{},
 		&secrets.Etcd{},

internal/app/maintenance/server.go

@@ -6,7 +6,9 @@ package maintenance
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"io/fs"
 	"log"
 	"strings"
 
@@ -34,7 +36,7 @@ import (
 	"github.com/siderolabs/talos/pkg/version"
 )
 
-// Server implements machine.MachineService, network.NetworkService, and storage.StorageService.
+// Server implements [machine.MachineServiceServer], network.NetworkService, and [storage.StorageServiceServer].
 type Server struct {
 	machine.UnimplementedMachineServiceServer
 
@@ -43,7 +45,7 @@ type Server struct {
 	server     *grpc.Server
 }
 
-// New initializes and returns a `Server`.
+// New initializes and returns a [Server].
 func New(cfgCh chan<- config.Provider) *Server {
 	if runtimeController == nil {
 		panic("runtime controller is not set")
@@ -68,7 +70,7 @@ func (s *Server) Register(obj *grpc.Server) {
 	cosiv1alpha1.RegisterStateServer(obj, server.NewState(resourceState))
 }
 
-// ApplyConfiguration implements machine.MachineService.
+// ApplyConfiguration implements [machine.MachineServiceServer].
 func (s *Server) ApplyConfiguration(ctx context.Context, in *machine.ApplyConfigurationRequest) (*machine.ApplyConfigurationResponse, error) {
 	//nolint:exhaustive
 	switch in.Mode {
@@ -112,7 +114,7 @@ Node is running in maintenance mode and does not have a config yet.`
 	return reply, nil
 }
 
-// GenerateConfiguration implements the machine.MachineServer interface.
+// GenerateConfiguration implements the [machine.MachineServiceServer] interface.
 func (s *Server) GenerateConfiguration(ctx context.Context, in *machine.GenerateConfigurationRequest) (*machine.GenerateConfigurationResponse, error) {
 	if in.MachineConfig == nil {
 		return nil, fmt.Errorf("invalid generate request")
@@ -127,7 +129,7 @@ func (s *Server) GenerateConfiguration(ctx context.Context, in *machine.Generate
 	return configuration.Generate(ctx, in)
 }
 
-// GenerateClientConfiguration implements the machine.MachineServer interface.
+// GenerateClientConfiguration implements the [machine.MachineServiceServer] interface.
 func (s *Server) GenerateClientConfiguration(ctx context.Context, in *machine.GenerateClientConfigurationRequest) (*machine.GenerateClientConfigurationResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "client configuration (talosconfig) can't be generated in the maintenance mode")
 }
@@ -288,3 +290,65 @@ func (s *Server) Reset(ctx context.Context, in *machine.ResetRequest) (reply *ma
 
 	return reply, nil
 }
+
+// MetaWrite implements the [machine.MachineServiceServer] interface.
+func (s *Server) MetaWrite(ctx context.Context, req *machine.MetaWriteRequest) (*machine.MetaWriteResponse, error) {
+	if err := assertPeerSideroLink(ctx); err != nil {
+		return nil, err
+	}
+
+	if uint32(uint8(req.Key)) != req.Key {
+		return nil, status.Errorf(codes.InvalidArgument, "key must be a uint8")
+	}
+
+	ok, err := s.controller.Runtime().State().Machine().Meta().SetTagBytes(ctx, uint8(req.Key), req.Value)
+	if err != nil {
+		return nil, err
+	}
+
+	if !ok {
+		// META overflowed
+		return nil, status.Errorf(codes.ResourceExhausted, "meta write failed")
+	}
+
+	err = s.controller.Runtime().State().Machine().Meta().Flush()
+	if err != nil && !errors.Is(err, fs.ErrNotExist) {
+		// ignore not exist error, as it's possible that the meta partition is not created yet
+		return nil, err
+	}
+
+	return &machine.MetaWriteResponse{
+		Messages: []*machine.MetaWrite{{}},
+	}, nil
+}
+
+// MetaDelete implements the [machine.MachineServiceServer] interface.
+func (s *Server) MetaDelete(ctx context.Context, req *machine.MetaDeleteRequest) (*machine.MetaDeleteResponse, error) {
+	if err := assertPeerSideroLink(ctx); err != nil {
+		return nil, err
+	}
+
+	if uint32(uint8(req.Key)) != req.Key {
+		return nil, status.Errorf(codes.InvalidArgument, "key must be a uint8")
+	}
+
+	ok, err := s.controller.Runtime().State().Machine().Meta().DeleteTag(ctx, uint8(req.Key))
+	if err != nil {
+		return nil, err
+	}
+
+	if !ok {
+		// META key not found
+		return nil, status.Errorf(codes.NotFound, "meta key not found")
+	}
+
+	err = s.controller.Runtime().State().Machine().Meta().Flush()
+	if err != nil && !errors.Is(err, fs.ErrNotExist) {
+		// ignore not exist error, as it's possible that the meta partition is not created yet
+		return nil, err
+	}
+
+	return &machine.MetaDeleteResponse{
+		Messages: []*machine.MetaDelete{{}},
+	}, nil
+}

internal/pkg/meta/constants.go

@@ -23,4 +23,8 @@ const (
 	UserReserved2
 	// UserReserved3 is reserved for user-defined metadata.
 	UserReserved3
+	// UUIDOverride stores the UUID that this machine will use instead of the one from the hardware.
+	UUIDOverride
+	// UniqueMachineToken store the unique token for this machine. It's useful because UUID may repeat or be filled with zeros.
+	UniqueMachineToken
 )

pkg/machinery/api/resource/definitions/runtime/runtime.pb.go

@@ -560,6 +560,54 @@ func (x *MetaKeySpec) GetValue() string {
 	return ""
 }
 
+// MetaLoadedSpec is the spec for meta loaded. The Done field is always true when resource exists.
+type MetaLoadedSpec struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Done bool `protobuf:"varint,1,opt,name=done,proto3" json:"done,omitempty"`
+}
+
+func (x *MetaLoadedSpec) Reset() {
+	*x = MetaLoadedSpec{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[10]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *MetaLoadedSpec) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*MetaLoadedSpec) ProtoMessage() {}
+
+func (x *MetaLoadedSpec) ProtoReflect() protoreflect.Message {
+	mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[10]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use MetaLoadedSpec.ProtoReflect.Descriptor instead.
+func (*MetaLoadedSpec) Descriptor() ([]byte, []int) {
+	return file_resource_definitions_runtime_runtime_proto_rawDescGZIP(), []int{10}
+}
+
+func (x *MetaLoadedSpec) GetDone() bool {
+	if x != nil {
+		return x.Done
+	}
+	return false
+}
+
 // MountStatusSpec describes status of the defined sysctls.
 type MountStatusSpec struct {
 	state         protoimpl.MessageState
@@ -577,7 +625,7 @@ type MountStatusSpec struct {
 func (x *MountStatusSpec) Reset() {
 	*x = MountStatusSpec{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[10]
+		mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[11]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -590,7 +638,7 @@ func (x *MountStatusSpec) String() string {
 func (*MountStatusSpec) ProtoMessage() {}
 
 func (x *MountStatusSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[10]
+	mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[11]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -603,7 +651,7 @@ func (x *MountStatusSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use MountStatusSpec.ProtoReflect.Descriptor instead.
 func (*MountStatusSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_runtime_runtime_proto_rawDescGZIP(), []int{10}
+	return file_resource_definitions_runtime_runtime_proto_rawDescGZIP(), []int{11}
 }
 
 func (x *MountStatusSpec) GetSource() string {
@@ -667,7 +715,7 @@ type PlatformMetadataSpec struct {
 func (x *PlatformMetadataSpec) Reset() {
 	*x = PlatformMetadataSpec{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[11]
+		mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[12]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -680,7 +728,7 @@ func (x *PlatformMetadataSpec) String() string {
 func (*PlatformMetadataSpec) ProtoMessage() {}
 
 func (x *PlatformMetadataSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[11]
+	mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[12]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -693,7 +741,7 @@ func (x *PlatformMetadataSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use PlatformMetadataSpec.ProtoReflect.Descriptor instead.
 func (*PlatformMetadataSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_runtime_runtime_proto_rawDescGZIP(), []int{11}
+	return file_resource_definitions_runtime_runtime_proto_rawDescGZIP(), []int{12}
 }
 
 func (x *PlatformMetadataSpec) GetPlatform() string {
@@ -766,7 +814,7 @@ type SecurityStateSpec struct {
 func (x *SecurityStateSpec) Reset() {
 	*x = SecurityStateSpec{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[12]
+		mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[13]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -779,7 +827,7 @@ func (x *SecurityStateSpec) String() string {
 func (*SecurityStateSpec) ProtoMessage() {}
 
 func (x *SecurityStateSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[12]
+	mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[13]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -792,7 +840,7 @@ func (x *SecurityStateSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use SecurityStateSpec.ProtoReflect.Descriptor instead.
 func (*SecurityStateSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_runtime_runtime_proto_rawDescGZIP(), []int{12}
+	return file_resource_definitions_runtime_runtime_proto_rawDescGZIP(), []int{13}
 }
 
 func (x *SecurityStateSpec) GetSecureBoot() bool {
@@ -816,6 +864,54 @@ func (x *SecurityStateSpec) GetPcrSigningKeyFingerprint() string {
 	return ""
 }
 
+// UniqueMachineTokenSpec is the spec for the machine unique token. Token can be empty if machine wasn't assigned any.
+type UniqueMachineTokenSpec struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
+}
+
+func (x *UniqueMachineTokenSpec) Reset() {
+	*x = UniqueMachineTokenSpec{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[14]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *UniqueMachineTokenSpec) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UniqueMachineTokenSpec) ProtoMessage() {}
+
+func (x *UniqueMachineTokenSpec) ProtoReflect() protoreflect.Message {
+	mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[14]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UniqueMachineTokenSpec.ProtoReflect.Descriptor instead.
+func (*UniqueMachineTokenSpec) Descriptor() ([]byte, []int) {
+	return file_resource_definitions_runtime_runtime_proto_rawDescGZIP(), []int{14}
+}
+
+func (x *UniqueMachineTokenSpec) GetToken() string {
+	if x != nil {
+		return x.Token
+	}
+	return ""
+}
+
 // UnmetCondition is a failure which prevents machine from being ready at the stage.
 type UnmetCondition struct {
 	state         protoimpl.MessageState
@@ -829,7 +925,7 @@ type UnmetCondition struct {
 func (x *UnmetCondition) Reset() {
 	*x = UnmetCondition{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[13]
+		mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[15]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -842,7 +938,7 @@ func (x *UnmetCondition) String() string {
 func (*UnmetCondition) ProtoMessage() {}
 
 func (x *UnmetCondition) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[13]
+	mi := &file_resource_definitions_runtime_runtime_proto_msgTypes[15]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -855,7 +951,7 @@ func (x *UnmetCondition) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use UnmetCondition.ProtoReflect.Descriptor instead.
 func (*UnmetCondition) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_runtime_runtime_proto_rawDescGZIP(), []int{13}
+	return file_resource_definitions_runtime_runtime_proto_rawDescGZIP(), []int{15}
 }
 
 func (x *UnmetCondition) GetName() string {
@@ -941,57 +1037,62 @@ var file_resource_definitions_runtime_runtime_proto_rawDesc = []byte{
 	0x74, 0x49, 0x50, 0x52, 0x12, 0x72, 0x65, 0x61, 0x63, 0x68, 0x61, 0x62, 0x6c, 0x65, 0x41, 0x64,
 	0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x22, 0x23, 0x0a, 0x0b, 0x4d, 0x65, 0x74, 0x61, 0x4b,
 	0x65, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0xd5, 0x01, 0x0a,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x24, 0x0a, 0x0e,
-	0x0f, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63,
+	0x4d, 0x65, 0x74, 0x61, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x64, 0x53, 0x70, 0x65, 0x63, 0x12, 0x12,
-	0x12, 0x16, 0x0a, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x0a, 0x04, 0x64, 0x6f, 0x6e, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x64, 0x6f,
-	0x52, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x74, 0x61, 0x72, 0x67,
+	0x6e, 0x65, 0x22, 0xd5, 0x01, 0x0a, 0x0f, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74,
-	0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74,
+	0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
-	0x12, 0x27, 0x0a, 0x0f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x74,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x16,
-	0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x66, 0x69, 0x6c, 0x65, 0x73,
+	0x0a, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06,
-	0x79, 0x73, 0x74, 0x65, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6f, 0x70, 0x74,
+	0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x12, 0x27, 0x0a, 0x0f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79,
-	0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x6f, 0x70, 0x74, 0x69,
+	0x73, 0x74, 0x65, 0x6d, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64,
+	0x0e, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x12,
-	0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
+	0x18, 0x0a, 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09,
-	0x64, 0x12, 0x31, 0x0a, 0x14, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
+	0x52, 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x65, 0x6e, 0x63,
-	0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52,
+	0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x65, 0x6e,
-	0x13, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69,
+	0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x12, 0x31, 0x0a, 0x14, 0x65, 0x6e, 0x63, 0x72, 0x79,
-	0x64, 0x65, 0x72, 0x73, 0x22, 0xf5, 0x01, 0x0a, 0x14, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72,
+	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x73, 0x18,
-	0x6d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1a, 0x0a,
+	0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x13, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f,
-	0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x73, 0x22, 0xf5, 0x01, 0x0a, 0x14, 0x50,
-	0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73,
+	0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x53,
-	0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73,
+	0x70, 0x65, 0x63, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18,
-	0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12,
-	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a,
+	0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x04, 0x7a, 0x6f, 0x6e, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x7a, 0x6f, 0x6e,
+	0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72,
-	0x65, 0x12, 0x23, 0x0a, 0x0d, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x74, 0x79,
+	0x65, 0x67, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x67,
-	0x70, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e,
+	0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x7a, 0x6f, 0x6e, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28,
-	0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e,
+	0x09, 0x52, 0x04, 0x7a, 0x6f, 0x6e, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x69, 0x6e, 0x73, 0x74, 0x61,
-	0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x69, 0x6e, 0x73,
+	0x6e, 0x63, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c,
-	0x74, 0x61, 0x6e, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x6f, 0x76, 0x69,
+	0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1f, 0x0a, 0x0b,
-	0x64, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72,
+	0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28,
-	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x70, 0x6f, 0x74,
+	0x09, 0x52, 0x0a, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1f, 0x0a,
-	0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x73, 0x70, 0x6f, 0x74, 0x22, 0xb2, 0x01, 0x0a,
+	0x0b, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01,
-	0x11, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x53, 0x70,
+	0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x49, 0x64, 0x12, 0x12,
-	0x65, 0x63, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x62, 0x6f, 0x6f,
+	0x0a, 0x04, 0x73, 0x70, 0x6f, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x73, 0x70,
-	0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x42,
+	0x6f, 0x74, 0x22, 0xb2, 0x01, 0x0a, 0x11, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x53,
-	0x6f, 0x6f, 0x74, 0x12, 0x3d, 0x0a, 0x1b, 0x75, 0x6b, 0x69, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69,
+	0x74, 0x61, 0x74, 0x65, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x65, 0x63, 0x75,
-	0x6e, 0x67, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69,
+	0x72, 0x65, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x73,
-	0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x75, 0x6b, 0x69, 0x53, 0x69, 0x67,
+	0x65, 0x63, 0x75, 0x72, 0x65, 0x42, 0x6f, 0x6f, 0x74, 0x12, 0x3d, 0x0a, 0x1b, 0x75, 0x6b, 0x69,
-	0x6e, 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69,
+	0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e,
-	0x6e, 0x74, 0x12, 0x3d, 0x0a, 0x1b, 0x70, 0x63, 0x72, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e,
+	0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18,
-	0x67, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e,
+	0x75, 0x6b, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e,
-	0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x70, 0x63, 0x72, 0x53, 0x69, 0x67, 0x6e,
+	0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x12, 0x3d, 0x0a, 0x1b, 0x70, 0x63, 0x72, 0x5f,
-	0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e,
+	0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67,
-	0x74, 0x22, 0x3c, 0x0a, 0x0e, 0x55, 0x6e, 0x6d, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74,
+	0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x70,
-	0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x63, 0x72, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67,
-	0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f,
+	0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x22, 0x2e, 0x0a, 0x16, 0x55, 0x6e, 0x69, 0x71, 0x75,
-	0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x42,
+	0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x53, 0x70, 0x65,
-	0x4c, 0x5a, 0x4a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69,
+	0x63, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70,
+	0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x3c, 0x0a, 0x0e, 0x55, 0x6e, 0x6d, 0x65, 0x74,
-	0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69,
+	0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d,
-	0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69,
+	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a,
-	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x62, 0x06, 0x70,
+	0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x65, 0x61, 0x73, 0x6f, 0x6e, 0x42, 0x4c, 0x5a, 0x4a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e,
+	0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74,
+	0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
+	0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f,
+	0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x72, 0x75, 0x6e, 0x74,
+	0x69, 0x6d, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -1006,7 +1107,7 @@ func file_resource_definitions_runtime_runtime_proto_rawDescGZIP() []byte {
 	return file_resource_definitions_runtime_runtime_proto_rawDescData
 }
 
-var file_resource_definitions_runtime_runtime_proto_msgTypes = make([]protoimpl.MessageInfo, 14)
+var file_resource_definitions_runtime_runtime_proto_msgTypes = make([]protoimpl.MessageInfo, 16)
 var file_resource_definitions_runtime_runtime_proto_goTypes = []interface{}{
 	(*DevicesStatusSpec)(nil),            // 0: talos.resource.definitions.runtime.DevicesStatusSpec
 	(*EventSinkConfigSpec)(nil),          // 1: talos.resource.definitions.runtime.EventSinkConfigSpec
@@ -1018,20 +1119,22 @@ var file_resource_definitions_runtime_runtime_proto_goTypes = []interface{}{
 	(*MachineStatusStatus)(nil),          // 7: talos.resource.definitions.runtime.MachineStatusStatus
 	(*MaintenanceServiceConfigSpec)(nil), // 8: talos.resource.definitions.runtime.MaintenanceServiceConfigSpec
 	(*MetaKeySpec)(nil),                  // 9: talos.resource.definitions.runtime.MetaKeySpec
-	(*MountStatusSpec)(nil),              // 10: talos.resource.definitions.runtime.MountStatusSpec
+	(*MetaLoadedSpec)(nil),               // 10: talos.resource.definitions.runtime.MetaLoadedSpec
-	(*PlatformMetadataSpec)(nil),         // 11: talos.resource.definitions.runtime.PlatformMetadataSpec
+	(*MountStatusSpec)(nil),              // 11: talos.resource.definitions.runtime.MountStatusSpec
-	(*SecurityStateSpec)(nil),            // 12: talos.resource.definitions.runtime.SecurityStateSpec
+	(*PlatformMetadataSpec)(nil),         // 12: talos.resource.definitions.runtime.PlatformMetadataSpec
-	(*UnmetCondition)(nil),               // 13: talos.resource.definitions.runtime.UnmetCondition
+	(*SecurityStateSpec)(nil),            // 13: talos.resource.definitions.runtime.SecurityStateSpec
-	(*common.URL)(nil),                   // 14: common.URL
+	(*UniqueMachineTokenSpec)(nil),       // 14: talos.resource.definitions.runtime.UniqueMachineTokenSpec
-	(enums.RuntimeMachineStage)(0),       // 15: talos.resource.definitions.enums.RuntimeMachineStage
+	(*UnmetCondition)(nil),               // 15: talos.resource.definitions.runtime.UnmetCondition
-	(*common.NetIP)(nil),                 // 16: common.NetIP
+	(*common.URL)(nil),                   // 16: common.URL
+	(enums.RuntimeMachineStage)(0),       // 17: talos.resource.definitions.enums.RuntimeMachineStage
+	(*common.NetIP)(nil),                 // 18: common.NetIP
 }
 var file_resource_definitions_runtime_runtime_proto_depIdxs = []int32{
-	14, // 0: talos.resource.definitions.runtime.KmsgLogConfigSpec.destinations:type_name -> common.URL
+	16, // 0: talos.resource.definitions.runtime.KmsgLogConfigSpec.destinations:type_name -> common.URL
-	15, // 1: talos.resource.definitions.runtime.MachineStatusSpec.stage:type_name -> talos.resource.definitions.enums.RuntimeMachineStage
+	17, // 1: talos.resource.definitions.runtime.MachineStatusSpec.stage:type_name -> talos.resource.definitions.enums.RuntimeMachineStage
 	7,  // 2: talos.resource.definitions.runtime.MachineStatusSpec.status:type_name -> talos.resource.definitions.runtime.MachineStatusStatus
-	13, // 3: talos.resource.definitions.runtime.MachineStatusStatus.unmet_conditions:type_name -> talos.resource.definitions.runtime.UnmetCondition
+	15, // 3: talos.resource.definitions.runtime.MachineStatusStatus.unmet_conditions:type_name -> talos.resource.definitions.runtime.UnmetCondition
-	16, // 4: talos.resource.definitions.runtime.MaintenanceServiceConfigSpec.reachable_addresses:type_name -> common.NetIP
+	18, // 4: talos.resource.definitions.runtime.MaintenanceServiceConfigSpec.reachable_addresses:type_name -> common.NetIP
 	5,  // [5:5] is the sub-list for method output_type
 	5,  // [5:5] is the sub-list for method input_type
 	5,  // [5:5] is the sub-list for extension type_name
@@ -1166,7 +1269,7 @@ func file_resource_definitions_runtime_runtime_proto_init() {
 			}
 		}
 		file_resource_definitions_runtime_runtime_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*MountStatusSpec); i {
+			switch v := v.(*MetaLoadedSpec); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -1178,7 +1281,7 @@ func file_resource_definitions_runtime_runtime_proto_init() {
 			}
 		}
 		file_resource_definitions_runtime_runtime_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*PlatformMetadataSpec); i {
+			switch v := v.(*MountStatusSpec); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -1190,7 +1293,7 @@ func file_resource_definitions_runtime_runtime_proto_init() {
 			}
 		}
 		file_resource_definitions_runtime_runtime_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SecurityStateSpec); i {
+			switch v := v.(*PlatformMetadataSpec); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -1202,6 +1305,30 @@ func file_resource_definitions_runtime_runtime_proto_init() {
 			}
 		}
 		file_resource_definitions_runtime_runtime_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecurityStateSpec); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_resource_definitions_runtime_runtime_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UniqueMachineTokenSpec); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_resource_definitions_runtime_runtime_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*UnmetCondition); i {
 			case 0:
 				return &v.state
@@ -1220,7 +1347,7 @@ func file_resource_definitions_runtime_runtime_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_resource_definitions_runtime_runtime_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   14,
+			NumMessages:   16,
 			NumExtensions: 0,
 			NumServices:   0,
 		},

pkg/machinery/api/resource/definitions/runtime/runtime_vtproto.pb.go

@@ -526,6 +526,49 @@ func (m *MetaKeySpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *MetaLoadedSpec) MarshalVT() (dAtA []byte, err error) {
+	if m == nil {
+		return nil, nil
+	}
+	size := m.SizeVT()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *MetaLoadedSpec) MarshalToVT(dAtA []byte) (int, error) {
+	size := m.SizeVT()
+	return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *MetaLoadedSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+	if m == nil {
+		return 0, nil
+	}
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.unknownFields != nil {
+		i -= len(m.unknownFields)
+		copy(dAtA[i:], m.unknownFields)
+	}
+	if m.Done {
+		i--
+		if m.Done {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x8
+	}
+	return len(dAtA) - i, nil
+}
+
 func (m *MountStatusSpec) MarshalVT() (dAtA []byte, err error) {
 	if m == nil {
 		return nil, nil
@@ -757,6 +800,46 @@ func (m *SecurityStateSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *UniqueMachineTokenSpec) MarshalVT() (dAtA []byte, err error) {
+	if m == nil {
+		return nil, nil
+	}
+	size := m.SizeVT()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *UniqueMachineTokenSpec) MarshalToVT(dAtA []byte) (int, error) {
+	size := m.SizeVT()
+	return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *UniqueMachineTokenSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+	if m == nil {
+		return 0, nil
+	}
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.unknownFields != nil {
+		i -= len(m.unknownFields)
+		copy(dAtA[i:], m.unknownFields)
+	}
+	if len(m.Token) > 0 {
+		i -= len(m.Token)
+		copy(dAtA[i:], m.Token)
+		i = encodeVarint(dAtA, i, uint64(len(m.Token)))
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
 func (m *UnmetCondition) MarshalVT() (dAtA []byte, err error) {
 	if m == nil {
 		return nil, nil
@@ -998,6 +1081,19 @@ func (m *MetaKeySpec) SizeVT() (n int) {
 	return n
 }
 
+func (m *MetaLoadedSpec) SizeVT() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if m.Done {
+		n += 2
+	}
+	n += len(m.unknownFields)
+	return n
+}
+
 func (m *MountStatusSpec) SizeVT() (n int) {
 	if m == nil {
 		return 0
@@ -1097,6 +1193,20 @@ func (m *SecurityStateSpec) SizeVT() (n int) {
 	return n
 }
 
+func (m *UniqueMachineTokenSpec) SizeVT() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Token)
+	if l > 0 {
+		n += 1 + l + sov(uint64(l))
+	}
+	n += len(m.unknownFields)
+	return n
+}
+
 func (m *UnmetCondition) SizeVT() (n int) {
 	if m == nil {
 		return 0
@@ -2140,6 +2250,77 @@ func (m *MetaKeySpec) UnmarshalVT(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *MetaLoadedSpec) UnmarshalVT(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflow
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: MetaLoadedSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: MetaLoadedSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Done", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Done = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skip(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLength
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *MountStatusSpec) UnmarshalVT(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
@@ -2801,6 +2982,89 @@ func (m *SecurityStateSpec) UnmarshalVT(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *UniqueMachineTokenSpec) UnmarshalVT(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflow
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: UniqueMachineTokenSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: UniqueMachineTokenSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Token", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLength
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Token = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skip(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLength
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *UnmetCondition) UnmarshalVT(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0

pkg/machinery/resources/runtime/deep_copy.generated.go

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-// Code generated by "deep-copy -type DevicesStatusSpec -type EventSinkConfigSpec -type KernelModuleSpecSpec -type KernelParamSpecSpec -type KernelParamStatusSpec -type KmsgLogConfigSpec -type MaintenanceServiceConfigSpec -type MaintenanceServiceRequestSpec -type MachineStatusSpec -type MetaKeySpec -type MountStatusSpec -type PlatformMetadataSpec -type SecurityStateSpec -header-file ../../../../hack/boilerplate.txt -o deep_copy.generated.go ."; DO NOT EDIT.
+// Code generated by "deep-copy -type DevicesStatusSpec -type EventSinkConfigSpec -type KernelModuleSpecSpec -type KernelParamSpecSpec -type KernelParamStatusSpec -type KmsgLogConfigSpec -type MaintenanceServiceConfigSpec -type MaintenanceServiceRequestSpec -type MachineStatusSpec -type MetaKeySpec -type MountStatusSpec -type PlatformMetadataSpec -type SecurityStateSpec -type MetaLoadedSpec -type UniqueMachineTokenSpec -header-file ../../../../hack/boilerplate.txt -o deep_copy.generated.go ."; DO NOT EDIT.
 
 package runtime
 
@@ -122,3 +122,15 @@ func (o SecurityStateSpec) DeepCopy() SecurityStateSpec {
 	var cp SecurityStateSpec = o
 	return cp
 }
+
+// DeepCopy generates a deep copy of MetaLoadedSpec.
+func (o MetaLoadedSpec) DeepCopy() MetaLoadedSpec {
+	var cp MetaLoadedSpec = o
+	return cp
+}
+
+// DeepCopy generates a deep copy of UniqueMachineTokenSpec.
+func (o UniqueMachineTokenSpec) DeepCopy() UniqueMachineTokenSpec {
+	var cp UniqueMachineTokenSpec = o
+	return cp
+}

pkg/machinery/resources/runtime/meta_loaded.go

@@ -0,0 +1,65 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package runtime
+
+import (
+	"github.com/cosi-project/runtime/pkg/resource"
+	"github.com/cosi-project/runtime/pkg/resource/meta"
+	"github.com/cosi-project/runtime/pkg/resource/protobuf"
+	"github.com/cosi-project/runtime/pkg/resource/typed"
+
+	"github.com/siderolabs/talos/pkg/machinery/proto"
+)
+
+// MetaLoadedType is type of [MetaLoaded] resource.
+const MetaLoadedType = resource.Type("MetaLoads.runtime.talos.dev")
+
+// MetaLoaded resource appears when all meta keys are loaded.
+type MetaLoaded = typed.Resource[MetaLoadedSpec, MetaLoadedExtension]
+
+// MetaLoadedID is the ID of [MetaLoaded] resource.
+const MetaLoadedID = resource.ID("meta-loaded")
+
+// MetaLoadedSpec is the spec for meta loaded. The Done field is always true when resource exists.
+//
+//gotagsrewrite:gen
+type MetaLoadedSpec struct {
+	Done bool `yaml:"done" protobuf:"1"`
+}
+
+// NewMetaLoaded initializes a [MetaLoaded] resource.
+func NewMetaLoaded() *MetaLoaded {
+	return typed.NewResource[MetaLoadedSpec, MetaLoadedExtension](
+		resource.NewMetadata(NamespaceName, MetaLoadedType, MetaLoadedID, resource.VersionUndefined),
+		MetaLoadedSpec{},
+	)
+}
+
+// MetaLoadedExtension is auxiliary resource data for [MetaLoaded].
+type MetaLoadedExtension struct{}
+
+// ResourceDefinition implements [meta.ResourceDefinitionProvider] interface.
+func (MetaLoadedExtension) ResourceDefinition() meta.ResourceDefinitionSpec {
+	return meta.ResourceDefinitionSpec{
+		Type:             MetaLoadedType,
+		Aliases:          []resource.Type{},
+		DefaultNamespace: NamespaceName,
+		PrintColumns: []meta.PrintColumn{
+			{
+				Name:     "Done",
+				JSONPath: `{.done}`,
+			},
+		},
+	}
+}
+
+func init() {
+	proto.RegisterDefaultTypes()
+
+	err := protobuf.RegisterDynamic[MetaLoadedSpec](MetaLoadedType, &MetaLoaded{})
+	if err != nil {
+		panic(err)
+	}
+}

pkg/machinery/resources/runtime/runtime.go

@@ -4,4 +4,4 @@
 
 package runtime
 
-//go:generate deep-copy -type DevicesStatusSpec -type EventSinkConfigSpec -type KernelModuleSpecSpec -type KernelParamSpecSpec -type KernelParamStatusSpec -type KmsgLogConfigSpec -type MaintenanceServiceConfigSpec -type MaintenanceServiceRequestSpec -type MachineStatusSpec -type MetaKeySpec -type MountStatusSpec -type PlatformMetadataSpec -type SecurityStateSpec -header-file ../../../../hack/boilerplate.txt -o deep_copy.generated.go .
+//go:generate deep-copy -type DevicesStatusSpec -type EventSinkConfigSpec -type KernelModuleSpecSpec -type KernelParamSpecSpec -type KernelParamStatusSpec -type KmsgLogConfigSpec -type MaintenanceServiceConfigSpec -type MaintenanceServiceRequestSpec -type MachineStatusSpec -type MetaKeySpec -type MountStatusSpec -type PlatformMetadataSpec -type SecurityStateSpec -type MetaLoadedSpec -type UniqueMachineTokenSpec -header-file ../../../../hack/boilerplate.txt -o deep_copy.generated.go .

pkg/machinery/resources/runtime/runtime_test.go

@@ -36,9 +36,11 @@ func TestRegisterResource(t *testing.T) {
 		&runtime.MaintenanceServiceConfig{},
 		&runtime.MaintenanceServiceRequest{},
 		&runtime.MetaKey{},
+		&runtime.MetaLoaded{},
 		&runtime.MountStatus{},
 		&runtime.PlatformMetadata{},
 		&runtime.SecurityState{},
+		&runtime.UniqueMachineToken{},
 	} {
 		assert.NoError(t, resourceRegistry.Register(ctx, resource))
 	}

pkg/machinery/resources/runtime/unique_machine_token.go

@@ -0,0 +1,67 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package runtime
+
+import (
+	"github.com/cosi-project/runtime/pkg/resource"
+	"github.com/cosi-project/runtime/pkg/resource/meta"
+	"github.com/cosi-project/runtime/pkg/resource/protobuf"
+	"github.com/cosi-project/runtime/pkg/resource/typed"
+
+	"github.com/siderolabs/talos/pkg/machinery/proto"
+)
+
+const (
+	// UniqueMachineTokenType is type of [UniqueMachineToken] resource.
+	UniqueMachineTokenType = resource.Type("UniqueMachineTokens.runtime.talos.dev")
+
+	// UniqueMachineTokenID is the ID of [UniqueMachineToken] resource.
+	UniqueMachineTokenID = resource.ID("unique-machine-token")
+)
+
+// UniqueMachineToken resource appears when all meta keys are loaded.
+type UniqueMachineToken = typed.Resource[UniqueMachineTokenSpec, UniqueMachineTokenExtension]
+
+// UniqueMachineTokenSpec is the spec for the machine unique token. Token can be empty if machine wasn't assigned any.
+//
+//gotagsrewrite:gen
+type UniqueMachineTokenSpec struct {
+	Token string `yaml:"token" protobuf:"1"`
+}
+
+// NewUniqueMachineToken initializes a [UniqueMachineToken] resource.
+func NewUniqueMachineToken() *UniqueMachineToken {
+	return typed.NewResource[UniqueMachineTokenSpec, UniqueMachineTokenExtension](
+		resource.NewMetadata(NamespaceName, UniqueMachineTokenType, UniqueMachineTokenID, resource.VersionUndefined),
+		UniqueMachineTokenSpec{},
+	)
+}
+
+// UniqueMachineTokenExtension is auxiliary resource data for [UniqueMachineToken].
+type UniqueMachineTokenExtension struct{}
+
+// ResourceDefinition implements [meta.ResourceDefinitionProvider] interface.
+func (UniqueMachineTokenExtension) ResourceDefinition() meta.ResourceDefinitionSpec {
+	return meta.ResourceDefinitionSpec{
+		Type:             UniqueMachineTokenType,
+		Aliases:          []resource.Type{},
+		DefaultNamespace: NamespaceName,
+		PrintColumns: []meta.PrintColumn{
+			{
+				Name:     "Token",
+				JSONPath: `{.token}`,
+			},
+		},
+	}
+}
+
+func init() {
+	proto.RegisterDefaultTypes()
+
+	err := protobuf.RegisterDynamic[UniqueMachineTokenSpec](UniqueMachineTokenType, &UniqueMachineToken{})
+	if err != nil {
+		panic(err)
+	}
+}

website/content/v1.6/reference/api.md

@@ -199,9 +199,11 @@ description: Talos gRPC API reference.
     - [MachineStatusStatus](#talos.resource.definitions.runtime.MachineStatusStatus)
     - [MaintenanceServiceConfigSpec](#talos.resource.definitions.runtime.MaintenanceServiceConfigSpec)
     - [MetaKeySpec](#talos.resource.definitions.runtime.MetaKeySpec)
+    - [MetaLoadedSpec](#talos.resource.definitions.runtime.MetaLoadedSpec)
     - [MountStatusSpec](#talos.resource.definitions.runtime.MountStatusSpec)
     - [PlatformMetadataSpec](#talos.resource.definitions.runtime.PlatformMetadataSpec)
     - [SecurityStateSpec](#talos.resource.definitions.runtime.SecurityStateSpec)
+    - [UniqueMachineTokenSpec](#talos.resource.definitions.runtime.UniqueMachineTokenSpec)
     - [UnmetCondition](#talos.resource.definitions.runtime.UnmetCondition)
   
 - [resource/definitions/secrets/secrets.proto](#resource/definitions/secrets/secrets.proto)
@@ -3624,6 +3626,21 @@ MetaKeySpec describes status of the defined sysctls.
 
 
 
+<a name="talos.resource.definitions.runtime.MetaLoadedSpec"></a>
+
+### MetaLoadedSpec
+MetaLoadedSpec is the spec for meta loaded. The Done field is always true when resource exists.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| done | [bool](#bool) |  |  |
+
+
+
+
+
+
 <a name="talos.resource.definitions.runtime.MountStatusSpec"></a>
 
 ### MountStatusSpec
@@ -3683,6 +3700,21 @@ SecurityStateSpec describes the security state resource properties.
 
 
 
+<a name="talos.resource.definitions.runtime.UniqueMachineTokenSpec"></a>
+
+### UniqueMachineTokenSpec
+UniqueMachineTokenSpec is the spec for the machine unique token. Token can be empty if machine wasn't assigned any.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| token | [string](#string) |  |  |
+
+
+
+
+
+
 <a name="talos.resource.definitions.runtime.UnmetCondition"></a>
 
 ### UnmetCondition

website/content/v1.6/reference/cli.md

@@ -2234,6 +2234,7 @@ talosctl meta delete key [flags]
       --cluster string       Cluster to connect to if a proxy endpoint is used.
       --context string       Context to be used in command
   -e, --endpoints strings    override default endpoints in Talos configuration
+  -i, --insecure             write|delete meta using the insecure (encrypted with no auth) maintenance service
   -n, --nodes strings        target the specified nodes
       --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
 ```
@@ -2262,6 +2263,7 @@ talosctl meta write key value [flags]
       --cluster string       Cluster to connect to if a proxy endpoint is used.
       --context string       Context to be used in command
   -e, --endpoints strings    override default endpoints in Talos configuration
+  -i, --insecure             write|delete meta using the insecure (encrypted with no auth) maintenance service
   -n, --nodes strings        target the specified nodes
       --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
 ```
@@ -2277,7 +2279,8 @@ Write and delete keys in the META partition
 ### Options
 
 ```
-  -h, --help   help for meta
+  -h, --help       help for meta
+  -i, --insecure   write|delete meta using the insecure (encrypted with no auth) maintenance service
 ```
 
 ### Options inherited from parent commands