Adding upstream version 4.22.0.upstream/4.22.0

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 796 insertions, 0 deletions

diff --git a/templates/man1/systemd-measure.1.pot b/templates/man1/systemd-measure.1.pot
new file mode 100644
index 00000000..2000030e
--- /dev/null
+++ b/templates/man1/systemd-measure.1.pot
@@ -0,0 +1,796 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2024-03-01 17:10+0100\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "SYSTEMD-MEASURE"
+msgstr ""
+
+#. type: TH
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid "systemd 255"
+msgstr ""
+
+#. type: TH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "systemd-measure"
+msgstr ""
+
+#.  -----------------------------------------------------------------
+#.  * MAIN CONTENT STARTS HERE *
+#.  -----------------------------------------------------------------
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"systemd-measure - Pre-calculate and sign expected TPM2 PCR values for booted "
+"unified kernel images"
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "SYNOPSIS"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+#: opensuse-tumbleweed
+msgid "B</usr/lib/systemd/systemd-measure >B<[OPTIONS...]>"
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Note: this command is experimental for now\\&. While it is likely to become "
+"a regular component of systemd, it might still change in behaviour and "
+"interface\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<systemd-measure> is a tool that may be used to pre-calculate and sign the "
+"expected TPM2 PCR 11 values that should be seen when a Linux "
+"\\m[blue]B<Unified Kernel Image (UKI)>\\m[]\\&\\s-2\\u[1]\\d\\s+2 based on "
+"B<systemd-stub>(7)  is booted up\\&. It accepts paths to the ELF kernel "
+"image file, initrd image file, devicetree file, kernel command line file, "
+"B<os-release>(5)  file, boot splash file, and TPM2 PCR PEM public key file "
+"that make up the unified kernel image, and determines the PCR values "
+"expected to be in place after booting the image\\&. Calculation starts with "
+"a zero-initialized PCR 11, and is executed in a fashion compatible with what "
+"systemd-stub does at boot\\&. The result may optionally be signed "
+"cryptographically, to allow TPM2 policies that can only be unlocked if a "
+"certain set of kernels is booted, for which such a PCR signature can be "
+"provided\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"It usually doesn\\*(Aqt make sense to call this tool directly when "
+"constructing a UKI\\&. Instead, B<ukify>(1)  should be used; it will invoke "
+"B<systemd-measure> and take care of embedding the resulting measurements "
+"into the UKI\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "COMMANDS"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "The following commands are understood:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<status>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"This is the default command if none is specified\\&. This queries the local "
+"system\\*(Aqs TPM2 PCR 11+12+13 values and displays them\\&. The data is "
+"written in a similar format as the B<calculate> command below, and may be "
+"used to quickly compare expectation with reality\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 252\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<calculate>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Pre-calculate the expected values seen in PCR register 11 after boot-up of a "
+"unified kernel image consisting of the components specified with B<--"
+"linux=>, B<--osrel=>, B<--cmdline=>, B<--initrd=>, B<--splash=>, B<--dtb=>, "
+"B<--uname=>, B<--sbat=>, B<--pcrpkey=> see below\\&. Only B<--linux=> is "
+"mandatory\\&. (Alternatively, specify B<--current> to use the current values "
+"of PCR register 11 instead\\&.)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<sign>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"As with the B<calculate> command, pre-calculate the expected value seen in "
+"TPM2 PCR register 11 after boot-up of a unified kernel image\\&. Then, "
+"cryptographically sign the resulting values with the private/public key pair "
+"(RSA) configured via B<--private-key=> and B<--public-key=>\\&. This will "
+"write a JSON object to standard output that contains signatures for all "
+"specified PCR banks (see the B<--bank=> option below), which may be used to "
+"unlock encrypted credentials (see B<systemd-creds>(1)) or LUKS volumes (see "
+"B<systemd-cryptsetup@.service>(8))\\&. This allows binding secrets to a set "
+"of kernels for which such PCR 11 signatures can be provided\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Note that a TPM2 device must be available for this signing to take place, "
+"even though the result is not tied to any TPM2 device or its state\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "OPTIONS"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "The following options are understood:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"B<--linux=>I<PATH>, B<--osrel=>I<PATH>, B<--cmdline=>I<PATH>, B<--"
+"initrd=>I<PATH>, B<--splash=>I<PATH>, B<--dtb=>I<PATH>, B<--uname=>I<PATH>, "
+"B<--sbat=>I<PATH>, B<--pcrpkey=>I<PATH>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"When used with the B<calculate> or B<sign> verb, configures the files to "
+"read the unified kernel image components from\\&. Each option corresponds "
+"with the equally named section in the unified kernel PE file\\&. The B<--"
+"linux=> switch expects the path to the ELF kernel file that the unified PE "
+"kernel will wrap\\&. All switches except B<--linux=> are optional\\&. Each "
+"option may be used at most once\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<--current>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"When used with the B<calculate> or B<sign> verb, takes the PCR 11 values "
+"currently in effect for the system (which should typically reflect the "
+"hashes of the currently booted kernel)\\&. This can be used in place of B<--"
+"linux=> and the other switches listed above\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<--bank=>I<DIGEST>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Controls the PCR banks to pre-calculate the PCR values for \\(en in case "
+"B<calculate> or B<sign> is invoked \\(en, or the banks to show in the "
+"B<status> output\\&. May be used more then once to specify multiple "
+"banks\\&. If not specified, defaults to the four banks \"sha1\", \"sha256\", "
+"\"sha384\", \"sha512\"\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<--private-key=>I<PATH>, B<--public-key=>I<PATH>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"These switches take paths to a pair of PEM encoded RSA key files, for use "
+"with the B<sign> command\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Note the difference between the B<--pcrpkey=> and B<--public-key=> "
+"switches\\&. The former selects the data to include in the \"\\&.pcrpkey\" "
+"PE section of the unified kernel image, the latter picks the public key of "
+"the key pair used to sign the resulting PCR 11 values\\&. The former is the "
+"key that the booted system will likely use to lock disk and credential "
+"encryption to, the latter is the key used for unlocking such resources "
+"again\\&. Hence, typically the same PEM key should be supplied in both "
+"cases\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"If the B<--public-key=> is not specified but B<--private-key=> is specified "
+"the public key is automatically derived from the private key\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<--tpm2-device=>I<PATH>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Controls which TPM2 device to use\\&. Expects a device node path referring "
+"to the TPM2 chip (e\\&.g\\&.  /dev/tpmrm0)\\&. Alternatively the special "
+"value \"auto\" may be specified, in order to automatically determine the "
+"device node of a suitable TPM2 device (of which there must be exactly "
+"one)\\&. The special value \"list\" may be used to enumerate all suitable "
+"TPM2 devices currently discovered\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<--phase=>I<PHASE>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"Controls which boot phases to calculate expected PCR 11 values for\\&. This "
+"takes a series of colon-separated strings that encode boot \"paths\" for "
+"entering a specific phase of the boot process\\&. Each of the specified "
+"strings is measured by the systemd-pcrphase-initrd\\&.service, systemd-"
+"pcrphase-sysinit\\&.service, and B<systemd-pcrphase.service>(8)  into PCR 11 "
+"during different milestones of the boot process\\&. This switch may be "
+"specified multiple times to calculate PCR values for multiple boot phases at "
+"once\\&. If not used defaults to \"enter-initrd\", \"enter-initrd:leave-"
+"initrd\", \"enter-initrd:leave-initrd:sysinit\", \"enter-initrd:leave-initrd:"
+"sysinit:ready\", i\\&.e\\&. calculates expected PCR values for the boot "
+"phase in the initrd, during early boot, during later boot, and during system "
+"runtime, but excluding the phases before the initrd or when shutting "
+"down\\&. This setting is honoured both by B<calculate> and B<sign>\\&. When "
+"used with the latter it\\*(Aqs particularly useful for generating PCR "
+"signatures that can only be used for unlocking resources during specific "
+"parts of the boot process\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"For further details about PCR boot phases, see B<systemd-pcrphase."
+"service>(8)\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<--append=>I<PATH>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"When generating a PCR JSON signature (via the B<sign> command), combine it "
+"with a previously generated PCR JSON signature, and output it as one\\&. The "
+"specified path must refer to a regular file that contains a valid JSON PCR "
+"signature object\\&. The specified file is not modified\\&. It will be read "
+"first, then the newly generated signature appended to it, and the resulting "
+"object is written to standard output\\&. Use this to generate a single JSON "
+"object consisting from signatures made with a number of signing keys (for "
+"example, to have one key per boot phase)\\&. The command will suppress "
+"duplicates: if a specific signature is already included in a JSON signature "
+"object it is not added a second time\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+msgid "Added in version 253\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<--json=>I<MODE>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Shows output formatted as JSON\\&. Expects one of \"short\" (for the "
+"shortest possible output without any redundant whitespace or line breaks), "
+"\"pretty\" (for a pretty version of the same, with indentation and line "
+"breaks) or \"off\" (to turn off JSON output, the default)\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<--no-pager>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "Do not pipe output into a pager\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<-h>, B<--help>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "Print a short help text and exit\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "B<--version>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "Print a short version string and exit\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "EXAMPLES"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<Example\\ \\&1.\\ \\&Generate a unified kernel image, and calculate the "
+"expected TPM PCR 11 value>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"$ ukify --output=vmlinux\\&.efi \\e\n"
+"     --os-release=@os-release\\&.txt \\e\n"
+"     --cmdline=@cmdline\\&.txt \\e\n"
+"     --splash=splash\\&.bmp \\e\n"
+"     --devicetree=devicetree\\&.dtb \\e\n"
+"     --measure \\e\n"
+"     vmlinux initrd\\&.cpio\n"
+"11:sha1=d775a7b4482450ac77e03ee19bda90bd792d6ec7\n"
+"11:sha256=bc6170f9ce28eb051ab465cd62be8cf63985276766cf9faf527ffefb66f45651\n"
+"11:sha384=1cf67dff4757e61e5\\&.\\&.\\&.7f49ad720be02fd07263e1f93061243aec599d1ee4b4\n"
+"11:sha512=8e79acd3ddbbc8282\\&.\\&.\\&.0c3e8ec0c714821032038f525f744960bcd082d937da\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<ukify>(1)  internally calls B<systemd-measure>\\&. The output with hashes "
+"is from B<systemd-measure>\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<Example\\ \\&2.\\ \\&Generate a private/public key pair, a unified kernel "
+"image, and a TPM PCR 11 signature for it, and embed the signature and the "
+"public key in the image>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private\\&.pem\n"
+"\\&.\\&.+\\&.+++++++++\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.+\\&.+\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\n"
+"$ openssl rsa -pubout -in tpm2-pcr-private\\&.pem -out tpm2-pcr-public\\&.pem\n"
+"# systemd-measure sign \\e\n"
+"     --linux=vmlinux \\e\n"
+"     --osrel=os-release\\&.txt \\e\n"
+"     --cmdline=cmdline\\&.txt \\e\n"
+"     --initrd=initrd\\&.cpio \\e\n"
+"     --splash=splash\\&.bmp \\e\n"
+"     --dtb=devicetree\\&.dtb \\e\n"
+"     --pcrpkey=tpm2-pcr-public\\&.pem \\e\n"
+"     --bank=sha1 \\e\n"
+"     --bank=sha256 \\e\n"
+"     --private-key=tpm2-pcr-private\\&.pem \\e\n"
+"     --public-key=tpm2-pcr-public\\&.pem E<gt>tpm2-pcr-signature\\&.json\n"
+"# ukify --output=vmlinuz\\&.efi \\e\n"
+"     --os-release=@os-release\\&.txt \\e\n"
+"     --cmdline=@cmdline\\&.txt \\e\n"
+"     --splash=splash\\&.bmp \\e\n"
+"     --devicetree=devicetree\\&.dtb \\e\n"
+"     --pcr-private-key=tpm2-pcr-private\\&.pem \\e\n"
+"     --pcr-public-key=tpm2-pcr-public\\&.pem \\e\n"
+"     --pcr-banks=sha1,sha256 \\e\n"
+"     vmlinux initrd\\&.cpio\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "Later on, enroll the signed PCR policy on a LUKS volume:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"# systemd-cryptenroll --tpm2-device=auto \\e\n"
+"     --tpm2-public-key=tpm2-pcr-public\\&.pem \\e\n"
+"     --tpm2-signature=tpm2-pcr-signature\\&.json \\e\n"
+"     /dev/sda5\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "And then unlock the device with the signature:"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+#, no-wrap
+msgid ""
+"# systemd-cryptsetup attach \\e\n"
+"     volume5 /dev/sda5 - \\e\n"
+"     tpm2-device=auto,tpm2-signature=/path/to/tpm2-pcr-signature\\&.json\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Note that when the generated unified kernel image vmlinux\\&.efi is booted, "
+"the signature and public key files will be placed at locations B<systemd-"
+"cryptenroll> and B<systemd-cryptsetup> will look for anyway, and thus these "
+"paths do not actually need to be specified\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<Example\\ \\&3.\\ \\&Introduce a second public key, signing the same "
+"kernel PCR measurements, but only for the initrd boot phase>"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"This example extends the previous one, but we now introduce a second signing "
+"key that is only used to sign PCR policies restricted to the initrd boot "
+"phase\\&. This can be used to lock down root volumes in a way that they can "
+"only be unlocked before the transition to the host system\\&. Thus we have "
+"two classes of secrets or credentials: one that can be unlocked during the "
+"entire runtime, and the other that can only be used in the initrd\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
+#: opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private\\&.pem\n"
+"\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.+\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\n"
+"$ openssl rsa -pubout -in tpm2-pcr-private\\&.pem -out tpm2-pcr-public\\&.pem\n"
+"$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-initrd-private\\&.pem\n"
+"\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.++\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.+\\&.+\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\n"
+"$ openssl rsa -pubout -in tpm2-pcr-initrd-private\\&.pem -out tpm2-pcr-initrd-public\\&.pem\n"
+"# ukify --output vmlinux-1\\&.2\\&.3\\&.efi \\e\n"
+"     --os-release=@os-release\\&.txt \\e\n"
+"     --cmdline=@cmdline\\&.txt \\e\n"
+"     --splash=splash\\&.bmp \\e\n"
+"     --devicetree=devicetree\\&.dtb \\e\n"
+"     --pcr-private-key=tpm2-pcr-private\\&.pem \\e\n"
+"     --pcr-public-key=tpm2-pcr-public\\&.pem \\e\n"
+"     --phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \\e\n"
+"     --pcr-banks=sha1,sha256 \\e\n"
+"     --pcr-private-key=tpm2-pcr-initrd-private\\&.pem \\e\n"
+"     --pcr-public-key=tpm2-pcr-initrd-public\\&.pem \\e\n"
+"     --phases=enter-initrd \\e\n"
+"     vmlinux-1\\&.2\\&.3 initrd\\&.cpio \\e\n"
+"     --uname=1\\&.2\\&.3\n"
+"+ /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1\\&.2\\&.3 \\e\n"
+"--osrel=os-release\\&.txt --cmdline=cmdline\\&.txt --dtb=devicetree\\&.dtb \\e\n"
+"--splash=splash\\&.bmp --initrd=initrd\\&.cpio --bank=sha1 --bank=sha256 \\e\n"
+"--private-key=tpm2-pcr-private\\&.pem --public-key=tpm2-pcr-public\\&.pem \\e\n"
+"--phase=enter-initrd --phase=enter-initrd:leave-initrd \\e\n"
+"--phase=enter-initrd:leave-initrd:sysinit \\e\n"
+"--phase=enter-initrd:leave-initrd:sysinit:ready\n"
+"+ /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1\\&.2\\&.3 \\e\n"
+"--osrel=os-release\\&.txt --cmdline=cmdline\\&.txt --dtb=devicetree\\&.dtb \\e\n"
+"--splash=splash\\&.bmp --initrd=initrd\\&.cpio --bank=sha1 --bank=sha256 \\e\n"
+"--private-key=tpm2-pcr-initrd-private\\&.pem \\e\n"
+"--public-key=tpm2-pcr-initrd-public\\&.pem \\e\n"
+"--phase=enter-initrd\n"
+"Wrote unsigned vmlinux-1\\&.2\\&.3\\&.efi\n"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<ukify> prints out both invocations of B<systemd-measure> as informative "
+"output (the lines starting with \"+\"); this allows us to see how B<systemd-"
+"measure> is called\\&. It then merges the output of both invocations into "
+"the \"\\&.pcrsig\" section\\&.  B<systemd-measure> may also do this merge "
+"itself using the B<--append=> option\\&."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Note that in this example the \"\\&.pcrpkey\" PE section contains the key "
+"specified by the first B<--pcr-private-key=> option, covering all boot "
+"phases\\&. The \"\\&.pcrpkey\" section is used in the default policies of "
+"B<systemd-cryptenroll> and B<systemd-creds>\\&. To use the stricter policy "
+"bound to tpm-pcr-initrd-public\\&.pem, specify B<--tpm2-public-key=> on the "
+"command line of those tools\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "EXIT STATUS"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "On success, 0 is returned, a non-zero failure code otherwise\\&."
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<systemd>(1), B<systemd-stub>(7), B<ukify>(1), B<systemd-creds>(1), "
+"B<systemd-cryptsetup@.service>(8), B<systemd-pcrphase.service>(8)"
+msgstr ""
+
+#. type: SH
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "NOTES"
+msgstr ""
+
+#. type: IP
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid " 1."
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "Unified Kernel Image (UKI)"
+msgstr ""
+
+#. type: Plain text
+#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
+#: mageia-cauldron opensuse-tumbleweed
+msgid "\\%https://uapi-group.org/specifications/specs/unified_kernel_image/"
+msgstr ""
+
+#. type: TH
+#: debian-bookworm opensuse-tumbleweed
+#, no-wrap
+msgid "systemd 254"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm
+msgid "B</lib/systemd/systemd-measure >B<[OPTIONS...]>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-tumbleweed
+msgid ""
+"Pre-calculate the expected values seen in PCR register 11 after boot-up of a "
+"unified kernel image consisting of the components specified with B<--"
+"linux=>, B<--osrel=>, B<--cmdline=>, B<--initrd=>, B<--splash=>, B<--dtb=>, "
+"B<--sbat=>, B<--pcrpkey=> see below\\&. Only B<--linux=> is mandatory\\&. "
+"(Alternatively, specify B<--current> to use the current values of PCR "
+"register 11 instead\\&.)"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-tumbleweed
+msgid ""
+"B<--linux=>I<PATH>, B<--osrel=>I<PATH>, B<--cmdline=>I<PATH>, B<--"
+"initrd=>I<PATH>, B<--splash=>I<PATH>, B<--dtb=>I<PATH>, B<--sbat=>I<PATH>, "
+"B<--pcrpkey=>I<PATH>"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm opensuse-tumbleweed
+msgid ""
+"Controls which boot phases to calculate expected PCR 11 values for\\&. This "
+"takes a series of colon-separated strings that encode boot \"paths\" for "
+"entering a specific phase of the boot process\\&. Each of the specified "
+"strings is measured by the systemd-pcrphase-initrd\\&.service and B<systemd-"
+"pcrphase.service>(8)  into PCR 11 during different milestones of the boot "
+"process\\&. This switch may be specified multiple times to calculate PCR "
+"values for multiple boot phases at once\\&. If not used defaults to \"enter-"
+"initrd\", \"enter-initrd:leave-initrd\", \"enter-initrd:leave-initrd:"
+"sysinit\", \"enter-initrd:leave-initrd:sysinit:ready\", i\\&.e\\&. "
+"calculates expected PCR values for the boot phase in the initrd, during "
+"early boot, during later boot, and during system runtime, but excluding the "
+"phases before the initrd or when shutting down\\&. This setting is honoured "
+"both by B<calculate> and B<sign>\\&. When used with the latter it\\*(Aqs "
+"particularly useful for generating PCR signatures that can only be used for "
+"unlocking resources during specific parts of the boot process\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm
+#, no-wrap
+msgid ""
+"# /lib/systemd/systemd-cryptsetup attach \\e\n"
+"     volume5 /dev/sda5 - \\e\n"
+"     tpm2-device=auto,tpm2-signature=/path/to/tpm2-pcr-signature\\&.json\n"
+msgstr ""
+
+#. type: Plain text
+#: debian-bookworm
+#, no-wrap
+msgid ""
+"$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private\\&.pem\n"
+"\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.+\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\n"
+"$ openssl rsa -pubout -in tpm2-pcr-private\\&.pem -out tpm2-pcr-public\\&.pem\n"
+"$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-initrd-private\\&.pem\n"
+"\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.++\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.+\\&.+\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\n"
+"$ openssl rsa -pubout -in tpm2-pcr-initrd-private\\&.pem -out tpm2-pcr-initrd-public\\&.pem\n"
+"# ukify --output vmlinux-1\\&.2\\&.3\\&.efi \\e\n"
+"     --os-release=@os-release\\&.txt \\e\n"
+"     --cmdline=@cmdline\\&.txt \\e\n"
+"     --splash=splash\\&.bmp \\e\n"
+"     --devicetree=devicetree\\&.dtb \\e\n"
+"     --pcr-private-key=tpm2-pcr-private\\&.pem \\e\n"
+"     --pcr-public-key=tpm2-pcr-public\\&.pem \\e\n"
+"     --phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \\e\n"
+"     --pcr-banks=sha1,sha256 \\e\n"
+"     --pcr-private-key=tpm2-pcr-initrd-private\\&.pem \\e\n"
+"     --pcr-public-key=tpm2-pcr-initrd-public\\&.pem \\e\n"
+"     --phases=enter-initrd \\e\n"
+"     vmlinux-1\\&.2\\&.3 initrd\\&.cpio \\e\n"
+"     --uname=1\\&.2\\&.3\n"
+"+ /lib/systemd/systemd-measure sign --linux=vmlinux-1\\&.2\\&.3 \\e\n"
+"--osrel=os-release\\&.txt --cmdline=cmdline\\&.txt --dtb=devicetree\\&.dtb \\e\n"
+"--splash=splash\\&.bmp --initrd=initrd\\&.cpio --bank=sha1 --bank=sha256 \\e\n"
+"--private-key=tpm2-pcr-private\\&.pem --public-key=tpm2-pcr-public\\&.pem \\e\n"
+"--phase=enter-initrd --phase=enter-initrd:leave-initrd \\e\n"
+"--phase=enter-initrd:leave-initrd:sysinit \\e\n"
+"--phase=enter-initrd:leave-initrd:sysinit:ready\n"
+"+ /lib/systemd/systemd-measure sign --linux=vmlinux-1\\&.2\\&.3 \\e\n"
+"--osrel=os-release\\&.txt --cmdline=cmdline\\&.txt --dtb=devicetree\\&.dtb \\e\n"
+"--splash=splash\\&.bmp --initrd=initrd\\&.cpio --bank=sha1 --bank=sha256 \\e\n"
+"--private-key=tpm2-pcr-initrd-private\\&.pem \\e\n"
+"--public-key=tpm2-pcr-initrd-public\\&.pem \\e\n"
+"--phase=enter-initrd\n"
+"Wrote unsigned vmlinux-1\\&.2\\&.3\\&.efi\n"
+msgstr ""
+
+#. type: Plain text
+#: opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"# /usr/lib/systemd/systemd-cryptsetup attach \\e\n"
+"     volume5 /dev/sda5 - \\e\n"
+"     tpm2-device=auto,tpm2-signature=/path/to/tpm2-pcr-signature\\&.json\n"
+msgstr ""