Diffstat
-rw-r--r-- | upstream/opensuse-tumbleweed/man1/systemd-measure.1 | 31
1 files changed, 26 insertions, 5 deletions
diff --git a/upstream/opensuse-tumbleweed/man1/systemd-measure.1 b/upstream/opensuse-tumbleweed/man1/systemd-measure.1 index 6c9f79ee..cbb356f3 100644 --- a/upstream/opensuse-tumbleweed/man1/systemd-measure.1 +++ b/upstream/opensuse-tumbleweed/man1/systemd-measure.1 @@ -1,5 +1,5 @@ '\" t -.TH "SYSTEMD\-MEASURE" "1" "" "systemd 254" "systemd-measure" +.TH "SYSTEMD\-MEASURE" "1" "" "systemd 255" "systemd-measure" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -53,6 +53,8 @@ The following commands are understood: This is the default command if none is specified\&. This queries the local system\*(Aqs TPM2 PCR 11+12+13 values and displays them\&. The data is written in a similar format as the \fBcalculate\fR command below, and may be used to quickly compare expectation with reality\&. +.sp +Added in version 252\&. .RE .PP \fBcalculate\fR @@ -64,6 +66,7 @@ Pre\-calculate the expected values seen in PCR register 11 after boot\-up of a u \fB\-\-initrd=\fR, \fB\-\-splash=\fR, \fB\-\-dtb=\fR, +\fB\-\-uname=\fR, \fB\-\-sbat=\fR, \fB\-\-pcrpkey=\fR see below\&. Only @@ -71,6 +74,8 @@ see below\&. Only is mandatory\&. (Alternatively, specify \fB\-\-current\fR to use the current values of PCR register 11 instead\&.) +.sp +Added in version 252\&. .RE .PP \fBsign\fR 
@@ -87,12 +92,14 @@ option below), which may be used to unlock encrypted credentials (see \fBsystemd-cryptsetup@.service\fR(8))\&. This allows binding secrets to a set of kernels for which such PCR 11 signatures can be provided\&. .sp Note that a TPM2 device must be available for this signing to take place, even though the result is not tied to any TPM2 device or its state\&. +.sp +Added in version 252\&. .RE .SH "OPTIONS" .PP The following options are understood: .PP -\fB\-\-linux=\fR\fB\fIPATH\fR\fR, \fB\-\-osrel=\fR\fB\fIPATH\fR\fR, \fB\-\-cmdline=\fR\fB\fIPATH\fR\fR, \fB\-\-initrd=\fR\fB\fIPATH\fR\fR, \fB\-\-splash=\fR\fB\fIPATH\fR\fR, \fB\-\-dtb=\fR\fB\fIPATH\fR\fR, \fB\-\-sbat=\fR\fB\fIPATH\fR\fR, \fB\-\-pcrpkey=\fR\fB\fIPATH\fR\fR +\fB\-\-linux=\fR\fB\fIPATH\fR\fR, \fB\-\-osrel=\fR\fB\fIPATH\fR\fR, \fB\-\-cmdline=\fR\fB\fIPATH\fR\fR, \fB\-\-initrd=\fR\fB\fIPATH\fR\fR, \fB\-\-splash=\fR\fB\fIPATH\fR\fR, \fB\-\-dtb=\fR\fB\fIPATH\fR\fR, \fB\-\-uname=\fR\fB\fIPATH\fR\fR, \fB\-\-sbat=\fR\fB\fIPATH\fR\fR, \fB\-\-pcrpkey=\fR\fB\fIPATH\fR\fR .RS 4 When used with the \fBcalculate\fR @@ -103,6 +110,8 @@ verb, configures the files to read the unified kernel image components from\&. E switch expects the path to the ELF kernel file that the unified PE kernel will wrap\&. All switches except \fB\-\-linux=\fR are optional\&. Each option may be used at most once\&. +.sp +Added in version 252\&. .RE .PP \fB\-\-current\fR @@ -114,6 +123,8 @@ or verb, takes the PCR 11 values currently in effect for the system (which should typically reflect the hashes of the currently booted kernel)\&. This can be used in place of \fB\-\-linux=\fR and the other switches listed above\&. +.sp +Added in version 252\&. .RE .PP \fB\-\-bank=\fR\fB\fIDIGEST\fR\fR 
@@ -129,6 +140,8 @@ output\&. May be used more then once to specify multiple banks\&. If not specifi "sha256", "sha384", "sha512"\&. +.sp +Added in version 252\&. .RE .PP \fB\-\-private\-key=\fR\fB\fIPATH\fR\fR, \fB\-\-public\-key=\fR\fB\fIPATH\fR\fR @@ -150,6 +163,8 @@ If the is not specified but \fB\-\-private\-key=\fR is specified the public key is automatically derived from the private key\&. +.sp +Added in version 252\&. .RE .PP \fB\-\-tpm2\-device=\fR\fIPATH\fR @@ -160,13 +175,15 @@ Controls which TPM2 device to use\&. Expects a device node path referring to the may be specified, in order to automatically determine the device node of a suitable TPM2 device (of which there must be exactly one)\&. The special value "list" may be used to enumerate all suitable TPM2 devices currently discovered\&. +.sp +Added in version 252\&. .RE .PP \fB\-\-phase=\fR\fIPHASE\fR .RS 4 Controls which boot phases to calculate expected PCR 11 values for\&. This takes a series of colon\-separated strings that encode boot "paths" for entering a specific phase of the boot process\&. Each of the specified strings is measured by the -systemd\-pcrphase\-initrd\&.service -and +systemd\-pcrphase\-initrd\&.service, +systemd\-pcrphase\-sysinit\&.service, and \fBsystemd-pcrphase.service\fR(8) into PCR 11 during different milestones of the boot process\&. This switch may be specified multiple times to calculate PCR values for multiple boot phases at once\&. If not used defaults to "enter\-initrd", @@ -179,6 +196,8 @@ and .sp For further details about PCR boot phases, see \fBsystemd-pcrphase.service\fR(8)\&. +.sp +Added in version 252\&. .RE .PP \fB\-\-append=\fR\fIPATH\fR 
@@ -186,6 +205,8 @@ For further details about PCR boot phases, see When generating a PCR JSON signature (via the \fBsign\fR command), combine it with a previously generated PCR JSON signature, and output it as one\&. The specified path must refer to a regular file that contains a valid JSON PCR signature object\&. The specified file is not modified\&. It will be read first, then the newly generated signature appended to it, and the resulting object is written to standard output\&. Use this to generate a single JSON object consisting from signatures made with a number of signing keys (for example, to have one key per boot phase)\&. The command will suppress duplicates: if a specific signature is already included in a JSON signature object it is not added a second time\&. +.sp +Added in version 253\&. .RE .PP \fB\-\-json=\fR\fIMODE\fR @@ -298,7 +319,7 @@ And then unlock the device with the signature: .RS 4 .\} .nf -# /usr/lib/systemd/systemd\-cryptsetup attach \e +# systemd\-cryptsetup attach \e volume5 /dev/sda5 \- \e tpm2\-device=auto,tpm2\-signature=/path/to/tpm2\-pcr\-signature\&.json .fi |
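Review bot: The new `\fB\-\-uname=\fR` switch is added to the `calculate` list at @@ -64,6 and to the option synopsis at @@ -87,12, but the explanatory paragraph in the @@ -103,6 hunk still only describes `\fB\-\-linux=\fR` and says "All switches except \fB\-\-linux=\fR are optional\&."; nothing tells the reader what the `.uname` component is or when it must be passed. Since `calculate` pre-computes the expected PCR 11 value from exactly the components given, "optional" should be qualified: a switch may be omitted only when the unified kernel image carries no such section, otherwise the pre-calculated value will not match what is measured at boot and any policy or signature built from it will not unlock. Suggest one sentence after "Each option may be used at most once\&." stating that the set of switches must mirror the sections actually present in the UKI, plus a short description of the `.uname` input alongside the existing `\fB\-\-linux=\fR` text.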
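Review bot: Markup inconsistency in the @@ -160,13 hunk: the two new list entries `systemd\-pcrphase\-initrd\&.service,` and `systemd\-pcrphase\-sysinit\&.service, and` are plain text, while the third unit keeps `\fBsystemd-pcrphase.service\fR(8)` with bold and a section reference. Because this list is what a reader uses to understand which units extend PCR 11 with the phase strings that the `\-\-phase=` values are bound to, render all three the same way (either bold with a section reference for each, or plain text for all) so none of them reads as less authoritative than the others.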
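Review bot: The @@ -129,6 hunk leaves the context line "May be used more then once to specify multiple banks\&." untouched; "more then" should be "more than". Since this change already touches the `\-\-bank=` section to append the version note, fixing the typo in the same pass avoids a second round trip on this paragraph.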
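Review bot: The example change at @@ -298,7 from `# /usr/lib/systemd/systemd\-cryptsetup attach \e` to `# systemd\-cryptsetup attach \e` drops the absolute path and now assumes the binary is on the invoking shell's `$PATH`, yet neither the hunk nor the surrounding text states where `systemd-cryptsetup` is installed in this version. A reader following the example on a system that still ships it under `/usr/lib/systemd/` will get "command not found" at exactly the step that verifies the signed PCR 11 policy unlocks the volume. Either keep the absolute path in the example or add a sentence before it noting the install location that this form of the command relies on.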