{
    "content": [
        {
            "type": "text",
            "text": "# systemd-boot-system-token.service (man)\n\n## NAME\n\nsystemd-boot-system-token.service - Generate an initial boot loader system token and random seed\n\n## SYNOPSIS\n\nsystemd-boot-system-token.service\n\n## DESCRIPTION\n\nsystemd-boot-system-token.service is a system service that automatically generates a 'system\ntoken' to store in an EFI variable in the system's NVRAM and a random seed to store on the\nEFI System Partition (ESP) on disk. The boot loader may then combine these two randomized data\nfields by cryptographic hashing, and pass it to the OS it boots as initialization seed for\nits entropy pool. The random seed stored in the ESP is refreshed on each reboot, ensuring that\nmultiple subsequent boots will boot with different seeds. The 'system token' is generated\nrandomly once, and then persistently stored in the system's EFI variable storage.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **SEE ALSO**\n- **NOTES**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n"
        }
    ],
    "structuredContent": {
        "command": "systemd-boot-system-token.service",
        "section": "",
        "mode": "man",
        "summary": "systemd-boot-system-token.service - Generate an initial boot loader system token and random seed",
        "synopsis": "systemd-boot-system-token.service",
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [],
        "examples": [],
        "see_also": [
            {
                "name": "systemd",
                "section": "1",
                "url": "https://www.chedong.com/phpMan.php/man/systemd/1/json"
            },
            {
                "name": "bootctl",
                "section": "1",
                "url": "https://www.chedong.com/phpMan.php/man/bootctl/1/json"
            },
            {
                "name": "systemd-boot",
                "section": "7",
                "url": "https://www.chedong.com/phpMan.php/man/systemd-boot/7/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 3,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 30,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "NOTES",
                "lines": 6,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "systemd-boot-system-token.service - Generate an initial boot loader system token and random\nseed\n",
                "subsections": []
            },
            "SYNOPSIS": {
                "content": "systemd-boot-system-token.service\n",
                "subsections": []
            },
            "DESCRIPTION": {
                "content": "systemd-boot-system-token.service is a system service that automatically generates a 'system\ntoken' to store in an EFI variable in the system's NVRAM and a random seed to store on the\nEFI System Partition (ESP) on disk. The boot loader may then combine these two randomized data\nfields by cryptographic hashing, and pass it to the OS it boots as initialization seed for\nits entropy pool. The random seed stored in the ESP is refreshed on each reboot, ensuring that\nmultiple subsequent boots will boot with different seeds. The 'system token' is generated\nrandomly once, and then persistently stored in the system's EFI variable storage.\n\nThe systemd-boot-system-token.service unit invokes the bootctl random-seed command, which\nupdates the random seed in the ESP, and initializes the 'system token' if it's not\ninitialized yet. The service is conditionalized so that it is run only when all of the below\napply:\n\n•   A boot loader is used that implements the Boot Loader Interface[1] (which defines the\n'system token' concept).\n\n•   Either a 'system token' was not set yet, or the boot loader has not passed the OS a\nrandom seed yet (and thus most likely has been missing the random seed file in the ESP).\n\n•   The system is not running in a VM environment. This case is explicitly excluded since on\nVM environments the ESP backing storage and EFI variable storage are typically not\nphysically separated and hence booting the same OS image in multiple instances would\nreplicate both, thus reusing the same random seed and 'system token' among all instances,\nwhich defeats its purpose. Note that it's still possible to use boot loader random seed\nprovisioning in this mode, but the automatic logic implemented by this service has no\neffect then, and the user instead has to manually invoke the bootctl random-seed command,\nacknowledging these restrictions.\n\nFor further details see bootctl(1), regarding the command this service invokes.\n",
                "subsections": []
            },
            "SEE ALSO": {
                "content": "systemd(1), bootctl(1), systemd-boot(7)\n",
                "subsections": []
            },
            "NOTES": {
                "content": "1. Boot Loader Interface\nhttps://systemd.io/BOOTLOADERINTERFACE\n\n\n\nsystemd 249                                                     SYSTEMD-BOOT-SYSTEM-TOKEN.SERVICE(8)",
                "subsections": []
            }
        }
    }
}