author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-06-17 10:51:52 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-06-17 10:51:52 +0000
commit: 4ad94864781f48b1a4b77f9cfb934622bf756ba1 (patch)
tree: 3900955c1886e6d2570fea7125ee1f01bafe876d /upstream/fedora-rawhide/man1/systemd-creds.1
parent: Adding upstream version 4.22.0. (diff)
Adding upstream version 4.23.0. (upstream/4.23.0)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'upstream/fedora-rawhide/man1/systemd-creds.1')
-rw-r--r-- upstream/fedora-rawhide/man1/systemd-creds.1 | 68
1 files changed, 53 insertions, 15 deletions
diff --git a/upstream/fedora-rawhide/man1/systemd-creds.1 b/upstream/fedora-rawhide/man1/systemd-creds.1
index db9944ec..e2c9198c 100644
--- a/upstream/fedora-rawhide/man1/systemd-creds.1
+++ b/upstream/fedora-rawhide/man1/systemd-creds.1
@@ -1,5 +1,5 @@
'\" t
-.TH "SYSTEMD\-CREDS" "1" "" "systemd 255" "systemd-creds"
+.TH "SYSTEMD\-CREDS" "1" "" "systemd 256~rc3" "systemd-creds"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
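Review bot: the `.TH` header now reads "systemd 256~rc3" while the new option entries later in this diff say "Added in version 256"; that is consistent for a pre-release snapshot, but the header string will need another refresh when the final 256 man pages are imported, otherwise the page will claim an rc version for features documented as released.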
@@ -219,6 +219,39 @@ commands operates on the credentials passed to system as a whole instead of on t
Added in version 250\&.
.RE
.PP
+\fB\-\-user\fR
+.RS 4
+When specified with the
+\fBencrypt\fR
+and
+\fBdecrypt\fR
+commands encrypts a user\-scoped (rather than a system\-scoped) credential\&. Use
+\fB\-\-uid=\fR
+to select which user the credential is from\&. Such credentials may only be decrypted from the specified user\*(Aqs context, except if privileges can be acquired\&. Generally, when an encrypted credential shall be used in the per\-user service manager it should be encrypted with this option set, when it shall be used in the system service manager it should be encrypted without\&.
+.sp
+Internally, this ensures that the selected user\*(Aqs numeric UID and username, as well as the system\*(Aqs
+\fBmachine-id\fR(5)
+are incorporated into the encryption key\&.
+.sp
+Added in version 256\&.
+.RE
+.PP
+\fB\-\-uid=\fR
+.RS 4
+Specifies the user to encrypt the credential for\&. Takes a user name or numeric UID\&. If set, implies
+\fB\-\-user\fR\&. If set to the special string
+"self"
+sets the user to the user of the calling process\&. If
+\fB\-\-user\fR
+is used without
+\fB\-\-uid=\fR
+then
+\fB\-\-uid=self\fR
+is implied, i\&.e\&. the credential is encrypted for the calling user\&.
+.sp
+Added in version 256\&.
+.RE
+.PP
\fB\-\-transcode=\fR
.RS 4
When specified with the
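Review bot: in the new `--user` entry, "When specified with the encrypt and decrypt commands encrypts a user-scoped ... credential" names both commands but only describes encryption; suggest "operates on a user-scoped (rather than a system-scoped) credential" so the decrypt case is covered, and "to select which user the credential is from" reads better as "which user the credential is for". The caveat "except if privileges can be acquired" also deserves one plain sentence: since the key is derived from the user's UID, username and the system's machine-id(5), user scoping separates users from each other but is no protection against root on the same host, and renaming the user, changing the UID or regenerating the machine-id leaves the credential undecryptable. That is exactly the failure mode an operator will hit after a migration, so it belongs in the text rather than left implicit.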
@@ -272,7 +305,7 @@ as the output file\&.
Added in version 250\&.
.RE
.PP
-\fB\-\-name=\fR\fIname\fR
+\fB\-\-name=\fR\fB\fIname\fR\fR
.RS 4
When specified with the
\fBencrypt\fR
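Review bot: the new markup `\fB\-\-name=\fR\fB\fIname\fR\fR` (and the same pattern in the later `--timestamp=`, `--not-after=`, `--tpm2-device=`, `--tpm2-pcrs=`, `--tpm2-public-key=`, `--tpm2-signature=` and `--json=` hunks) does not nest in troff: `\fI` switches the font outright, so the outer `\fB` has no effect on the argument and the trailing second `\fR` is redundant. It renders identically to the old line, so the change is harmless converter output, but if bold-italic was intended for the argument the generator should emit `\f(BI` (or close with `\fP` to restore the previous font) rather than stacking font escapes.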
@@ -289,7 +322,7 @@ Embedding the credential name in the encrypted credential is done in order to pr
Added in version 250\&.
.RE
.PP
-\fB\-\-timestamp=\fR\fItimestamp\fR
+\fB\-\-timestamp=\fR\fB\fItimestamp\fR\fR
.RS 4
When specified with the
\fBencrypt\fR
@@ -305,7 +338,7 @@ during encryption\&. If not specified defaults to the current system time\&.
Added in version 250\&.
.RE
.PP
-\fB\-\-not\-after=\fR\fItimestamp\fR
+\fB\-\-not\-after=\fR\fB\fItimestamp\fR\fR
.RS 4
When specified with the
\fBencrypt\fR
@@ -323,7 +356,7 @@ command controls the encryption/signature key to use\&. Takes one of
"host",
"tpm2",
"host+tpm2",
-"tpm2\-absent",
+"null",
"auto",
"auto\-initrd"\&. See above for details on the three key types\&. If set to
"auto"
@@ -334,11 +367,11 @@ is on persistent media\&. This means on typical systems the encryption is by def
is selected but neither TPM2 is available (or running in container) nor
/var/lib/systemd/
is on persistent media, encryption will fail\&. If set to
-"tpm2\-absent"
+"null"
a fixed zero length key is used (thus, in this mode no confidentiality nor authenticity are provided!)\&. This logic is useful to cover for systems that lack a TPM2 chip but where credentials shall be generated\&. Note that decryption of such credentials is refused on systems that have a TPM2 chip and where UEFI SecureBoot is enabled (this is done so that such a locked down system cannot be tricked into loading a credential generated this way that lacks authentication information)\&. If set to
"auto\-initrd"
a TPM2 key is used if a TPM2 is found\&. If not a fixed zero length key is used, equivalent to
-"tpm2\-absent"
+"null"
mode\&. This option is particularly useful to generate credentials files that are encrypted/authenticated against TPM2 where available but still work on systems lacking support for this\&.
.sp
The
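Review bot: the "null" paragraph documents the refusal to decrypt such credentials on systems with a TPM2 chip and UEFI SecureBoot, but this same change set adds `--allow-null` further down without any cross-reference here; the refusal sentence should mention that `--allow-null` overrides it, so the reader finds the escape hatch and its risk in one place. The "auto-initrd" sentence has the same gap: since it falls back to the fixed zero-length key whenever no TPM2 is found, it should state plainly that the resulting credential carries neither confidentiality nor authenticity and is subject to the same refusal, rather than only "equivalent to null mode".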
@@ -362,7 +395,7 @@ command, as information on which key to use for decryption is included in the en
Added in version 250\&.
.RE
.PP
-\fB\-\-tpm2\-device=\fR\fIPATH\fR
+\fB\-\-tpm2\-device=\fR\fB\fIPATH\fR\fR
.RS 4
Controls the TPM2 device to use\&. Expects a device node path referring to the TPM2 chip (e\&.g\&.
/dev/tpmrm0)\&. Alternatively the special value
@@ -374,7 +407,7 @@ may be used to enumerate all suitable TPM2 devices currently discovered\&.
Added in version 250\&.
.RE
.PP
-\fB\-\-tpm2\-pcrs=\fR [PCR...]
+\fB\-\-tpm2\-pcrs=\fR\fB\fIPCR\fR\fI[+PCR\&.\&.\&.]\fR\fR
.RS 4
Configures the TPM2 PCRs (Platform Configuration Registers) to bind the encryption key to\&. Takes a
"+"
@@ -384,7 +417,7 @@ separated list of numeric PCR indexes in the range 0\&...23\&. If not used, defa
Added in version 250\&.
.RE
.PP
-\fB\-\-tpm2\-public\-key=\fR [PATH], \fB\-\-tpm2\-public\-key\-pcrs=\fR [PCR...]
+\fB\-\-tpm2\-public\-key=\fR\fB\fIPATH\fR\fR, \fB\-\-tpm2\-public\-key\-pcrs=\fR\fB\fIPCR\fR\fI[+PCR\&.\&.\&.]\fR\fR
.RS 4
Configures a TPM2 signed PCR policy to bind encryption to, for use with the
\fBencrypt\fR
@@ -410,7 +443,7 @@ and
Added in version 252\&.
.RE
.PP
-\fB\-\-tpm2\-signature=\fR [PATH]
+\fB\-\-tpm2\-signature=\fR\fB\fIPATH\fR\fR
.RS 4
Takes a path to a TPM2 PCR signature file as generated by the
\fBsystemd-measure\fR(1)
@@ -427,6 +460,13 @@ is searched for in
Added in version 252\&.
.RE
.PP
+\fB\-\-allow\-null\fR
+.RS 4
+Allow decrypting credentials that use an empty key\&.
+.sp
+Added in version 256\&.
+.RE
+.PP
\fB\-\-quiet\fR, \fB\-q\fR
.RS 4
When used with
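Review bot: the `--allow-null` entry is too thin for a flag that switches off a security check. "Allow decrypting credentials that use an empty key" should say which command it applies to (presumably `decrypt`, in the "When specified with the ... command" form the other entries use), that it overrides the refusal on TPM2 + SecureBoot systems documented under `--with-key=null`, and that a credential encrypted with the empty key provides no confidentiality and no authenticity, so enabling it means trusting whoever could write the credential file. The entry also should state whether it applies to credentials produced by the "auto-initrd" fallback, which uses the same zero-length key.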
@@ -446,7 +486,7 @@ Do not pipe output into a pager\&.
Do not print the legend, i\&.e\&. column headers and the footer with hints\&.
.RE
.PP
-\fB\-\-json=\fR\fIMODE\fR
+\fB\-\-json=\fR\fB\fIMODE\fR\fR
.RS 4
Shows output formatted as JSON\&. Expects one of
"short"
@@ -543,9 +583,7 @@ xyz\&.service:
.\}
.SH "SEE ALSO"
.PP
-\fBsystemd\fR(1),
-\fBsystemd.exec\fR(5),
-\fBsystemd-measure\fR(1)
+\fBsystemd\fR(1), \fBsystemd.exec\fR(5), \fBsystemd-measure\fR(1)
.SH "NOTES"
.IP " 1." 4
System and Service Credentials