Diffstat (limited to 'upstream/debian-unstable/man1/systemd-measure.1')
-rw-r--r-- | upstream/debian-unstable/man1/systemd-measure.1 | 44 |
1 files changed, 29 insertions, 15 deletions
diff --git a/upstream/debian-unstable/man1/systemd-measure.1 b/upstream/debian-unstable/man1/systemd-measure.1
index cbb356f3..9599e6b8 100644
--- a/upstream/debian-unstable/man1/systemd-measure.1
+++ b/upstream/debian-unstable/man1/systemd-measure.1
@@ -1,5 +1,5 @@
 '\" t
-.TH "SYSTEMD\-MEASURE" "1" "" "systemd 255" "systemd-measure"
+.TH "SYSTEMD\-MEASURE" "1" "" "systemd 256~rc3" "systemd-measure"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -22,8 +22,8 @@
 .SH "NAME"
 systemd-measure \- Pre\-calculate and sign expected TPM2 PCR values for booted unified kernel images
 .SH "SYNOPSIS"
-.HP \w'\fB/usr/lib/systemd/systemd\-measure\ \fR\fB[OPTIONS...]\fR\ 'u
-\fB/usr/lib/systemd/systemd\-measure \fR\fB[OPTIONS...]\fR
+.HP \w'\fB/usr/lib/systemd/systemd\-measure\fR\ 'u
+\fB/usr/lib/systemd/systemd\-measure\fR [OPTIONS...]
 .SH "DESCRIPTION"
 .PP
 Note: this command is experimental for now\&. While it is likely to become a regular component of systemd, it might still change in behaviour and interface\&.
@@ -64,6 +64,7 @@ Pre\-calculate the expected values seen in PCR register 11 after boot\-up of a u
 \fB\-\-osrel=\fR,
 \fB\-\-cmdline=\fR,
 \fB\-\-initrd=\fR,
+\fB\-\-ucode=\fR,
 \fB\-\-splash=\fR,
 \fB\-\-dtb=\fR,
 \fB\-\-uname=\fR,
@@ -99,7 +100,7 @@ Added in version 252\&.
 .PP
 The following options are understood:
 .PP
-\fB\-\-linux=\fR\fB\fIPATH\fR\fR, \fB\-\-osrel=\fR\fB\fIPATH\fR\fR, \fB\-\-cmdline=\fR\fB\fIPATH\fR\fR, \fB\-\-initrd=\fR\fB\fIPATH\fR\fR, \fB\-\-splash=\fR\fB\fIPATH\fR\fR, \fB\-\-dtb=\fR\fB\fIPATH\fR\fR, \fB\-\-uname=\fR\fB\fIPATH\fR\fR, \fB\-\-sbat=\fR\fB\fIPATH\fR\fR, \fB\-\-pcrpkey=\fR\fB\fIPATH\fR\fR
+\fB\-\-linux=\fR\fB\fIPATH\fR\fR, \fB\-\-osrel=\fR\fB\fIPATH\fR\fR, \fB\-\-cmdline=\fR\fB\fIPATH\fR\fR, \fB\-\-initrd=\fR\fB\fIPATH\fR\fR, \fB\-\-ucode=\fR\fB\fIPATH\fR\fR, \fB\-\-splash=\fR\fB\fIPATH\fR\fR, \fB\-\-dtb=\fR\fB\fIPATH\fR\fR, \fB\-\-uname=\fR\fB\fIPATH\fR\fR, \fB\-\-sbat=\fR\fB\fIPATH\fR\fR, \fB\-\-pcrpkey=\fR\fB\fIPATH\fR\fR
 .RS 4
 When used with the
 \fBcalculate\fR
@@ -144,7 +145,7 @@ output\&. May be used more then once to specify multiple banks\&. If not specifi
 Added in version 252\&.
 .RE
 .PP
-\fB\-\-private\-key=\fR\fB\fIPATH\fR\fR, \fB\-\-public\-key=\fR\fB\fIPATH\fR\fR
+\fB\-\-private\-key=\fR\fB\fIPATH\fR\fR, \fB\-\-public\-key=\fR\fB\fIPATH\fR\fR, \fB\-\-certificate=\fR\fB\fIPATH\fR\fR
 .RS 4
 These switches take paths to a pair of PEM encoded RSA key files, for use with the
 \fBsign\fR
@@ -164,10 +165,28 @@ is not specified but \fB\-\-private\-key=\fR is specified the public key is automatically derived from the private key\&. .sp +\fB\-\-certificate=\fR +can be used to specify an X\&.509 certificate as an alternative to +\fB\-\-public\-key=\fR +since v256\&. +.sp Added in version 252\&. .RE .PP -\fB\-\-tpm2\-device=\fR\fIPATH\fR +\fB\-\-private\-key=\fR\fB\fIPATH/URI\fR\fR, \fB\-\-private\-key\-source=\fR\fB\fITYPE[:NAME]\fR\fR, \fB\-\-certificate=\fR\fB\fIPATH\fR\fR +.RS 4 +As an alternative to +\fB\-\-public\-key=\fR +for the +\fBsign\fR +command, these switches can be used to sign with an hardware token\&. The private key option can take a path or a URI that will be passed to the OpenSSL engine or provider, as specified by +\fB\-\-private\-key\-source=\fR +as a type:name tuple, such as engine:pkcs11\&. The specified OpenSSL signing engine or provider will be used to sign\&. +.sp +Added in version 256\&. +.RE +.PP +\fB\-\-tpm2\-device=\fR\fB\fIPATH\fR\fR .RS 4 Controls which TPM2 device to use\&. Expects a device node path referring to the TPM2 chip (e\&.g\&. /dev/tpmrm0)\&. Alternatively the special value @@ -179,7 +198,7 @@ may be used to enumerate all suitable TPM2 devices currently discovered\&. Added in version 252\&. .RE .PP -\fB\-\-phase=\fR\fIPHASE\fR +\fB\-\-phase=\fR\fB\fIPHASE\fR\fR .RS 4 Controls which boot phases to calculate expected PCR 11 values for\&. This takes a series of colon\-separated strings that encode boot "paths" for entering a specific phase of the boot process\&. Each of the specified strings is measured by the systemd\-pcrphase\-initrd\&.service, @@ -200,7 +219,7 @@ For further details about PCR boot phases, see Added in version 252\&. .RE .PP -\fB\-\-append=\fR\fIPATH\fR +\fB\-\-append=\fR\fB\fIPATH\fR\fR .RS 4 When generating a PCR JSON signature (via the \fBsign\fR 
@@ -209,7 +228,7 @@ command), combine it with a previously generated PCR JSON signature, and output
 Added in version 253\&.
 .RE
 .PP
-\fB\-\-json=\fR\fIMODE\fR
+\fB\-\-json=\fR\fB\fIMODE\fR\fR
 .RS 4
 Shows output formatted as JSON\&. Expects one of
 "short"
@@ -415,12 +434,7 @@ on the command line of those tools\&.
 On success, 0 is returned, a non\-zero failure code otherwise\&.
 .SH "SEE ALSO"
 .PP
-\fBsystemd\fR(1),
-\fBsystemd-stub\fR(7),
-\fBukify\fR(1),
-\fBsystemd-creds\fR(1),
-\fBsystemd-cryptsetup@.service\fR(8),
-\fBsystemd-pcrphase.service\fR(8)
+\fBsystemd\fR(1), \fBsystemd-stub\fR(7), \fBukify\fR(1), \fBsystemd-creds\fR(1), \fBsystemd-cryptsetup@.service\fR(8), \fBsystemd-pcrphase.service\fR(8)
 .SH "NOTES"
 .IP " 1." 4
 Unified Kernel Image (UKI)
|