# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR Free Software Foundation, Inc. # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "POT-Creation-Date: 2024-03-01 17:10+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: TH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "SYSTEMD-MEASURE" msgstr "" #. type: TH #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #, no-wrap msgid "systemd 255" msgstr "" #. type: TH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "systemd-measure" msgstr "" #. ----------------------------------------------------------------- #. * MAIN CONTENT STARTS HERE * #. ----------------------------------------------------------------- #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "NAME" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "systemd-measure - Pre-calculate and sign expected TPM2 PCR values for booted " "unified kernel images" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "SYNOPSIS" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "BB<[OPTIONS...]>" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "DESCRIPTION" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Note: this command is experimental for now\\&. While it is likely to become " "a regular component of systemd, it might still change in behaviour and " "interface\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "B is a tool that may be used to pre-calculate and sign the " "expected TPM2 PCR 11 values that should be seen when a Linux " "\\m[blue]B\\m[]\\&\\s-2\\u[1]\\d\\s+2 based on " "B(7) is booted up\\&. It accepts paths to the ELF kernel " "image file, initrd image file, devicetree file, kernel command line file, " "B(5) file, boot splash file, and TPM2 PCR PEM public key file " "that make up the unified kernel image, and determines the PCR values " "expected to be in place after booting the image\\&. Calculation starts with " "a zero-initialized PCR 11, and is executed in a fashion compatible with what " "systemd-stub does at boot\\&. The result may optionally be signed " "cryptographically, to allow TPM2 policies that can only be unlocked if a " "certain set of kernels is booted, for which such a PCR signature can be " "provided\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "It usually doesn\\*(Aqt make sense to call this tool directly when " "constructing a UKI\\&. Instead, B(1) should be used; it will invoke " "B and take care of embedding the resulting measurements " "into the UKI\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "COMMANDS" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "The following commands are understood:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "This is the default command if none is specified\\&. This queries the local " "system\\*(Aqs TPM2 PCR 11+12+13 values and displays them\\&. The data is " "written in a similar format as the B command below, and may be " "used to quickly compare expectation with reality\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "Added in version 252\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "" "Pre-calculate the expected values seen in PCR register 11 after boot-up of a " "unified kernel image consisting of the components specified with B<--" "linux=>, B<--osrel=>, B<--cmdline=>, B<--initrd=>, B<--splash=>, B<--dtb=>, " "B<--uname=>, B<--sbat=>, B<--pcrpkey=> see below\\&. Only B<--linux=> is " "mandatory\\&. (Alternatively, specify B<--current> to use the current values " "of PCR register 11 instead\\&.)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "As with the B command, pre-calculate the expected value seen in " "TPM2 PCR register 11 after boot-up of a unified kernel image\\&. Then, " "cryptographically sign the resulting values with the private/public key pair " "(RSA) configured via B<--private-key=> and B<--public-key=>\\&. This will " "write a JSON object to standard output that contains signatures for all " "specified PCR banks (see the B<--bank=> option below), which may be used to " "unlock encrypted credentials (see B(1)) or LUKS volumes (see " "B(8))\\&. This allows binding secrets to a set " "of kernels for which such PCR 11 signatures can be provided\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Note that a TPM2 device must be available for this signing to take place, " "even though the result is not tied to any TPM2 device or its state\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "OPTIONS" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "The following options are understood:" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "" "B<--linux=>I, B<--osrel=>I, B<--cmdline=>I, B<--" "initrd=>I, B<--splash=>I, B<--dtb=>I, B<--uname=>I, " "B<--sbat=>I, B<--pcrpkey=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "When used with the B or B verb, configures the files to " "read the unified kernel image components from\\&. Each option corresponds " "with the equally named section in the unified kernel PE file\\&. The B<--" "linux=> switch expects the path to the ELF kernel file that the unified PE " "kernel will wrap\\&. All switches except B<--linux=> are optional\\&. Each " "option may be used at most once\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--current>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "When used with the B or B verb, takes the PCR 11 values " "currently in effect for the system (which should typically reflect the " "hashes of the currently booted kernel)\\&. This can be used in place of B<--" "linux=> and the other switches listed above\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--bank=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Controls the PCR banks to pre-calculate the PCR values for \\(en in case " "B or B is invoked \\(en, or the banks to show in the " "B output\\&. May be used more then once to specify multiple " "banks\\&. If not specified, defaults to the four banks \"sha1\", \"sha256\", " "\"sha384\", \"sha512\"\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--private-key=>I, B<--public-key=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "These switches take paths to a pair of PEM encoded RSA key files, for use " "with the B command\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Note the difference between the B<--pcrpkey=> and B<--public-key=> " "switches\\&. The former selects the data to include in the \"\\&.pcrpkey\" " "PE section of the unified kernel image, the latter picks the public key of " "the key pair used to sign the resulting PCR 11 values\\&. The former is the " "key that the booted system will likely use to lock disk and credential " "encryption to, the latter is the key used for unlocking such resources " "again\\&. Hence, typically the same PEM key should be supplied in both " "cases\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "If the B<--public-key=> is not specified but B<--private-key=> is specified " "the public key is automatically derived from the private key\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--tpm2-device=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Controls which TPM2 device to use\\&. Expects a device node path referring " "to the TPM2 chip (e\\&.g\\&. /dev/tpmrm0)\\&. Alternatively the special " "value \"auto\" may be specified, in order to automatically determine the " "device node of a suitable TPM2 device (of which there must be exactly " "one)\\&. The special value \"list\" may be used to enumerate all suitable " "TPM2 devices currently discovered\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--phase=>I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "" "Controls which boot phases to calculate expected PCR 11 values for\\&. This " "takes a series of colon-separated strings that encode boot \"paths\" for " "entering a specific phase of the boot process\\&. Each of the specified " "strings is measured by the systemd-pcrphase-initrd\\&.service, systemd-" "pcrphase-sysinit\\&.service, and B(8) into PCR 11 " "during different milestones of the boot process\\&. This switch may be " "specified multiple times to calculate PCR values for multiple boot phases at " "once\\&. If not used defaults to \"enter-initrd\", \"enter-initrd:leave-" "initrd\", \"enter-initrd:leave-initrd:sysinit\", \"enter-initrd:leave-initrd:" "sysinit:ready\", i\\&.e\\&. calculates expected PCR values for the boot " "phase in the initrd, during early boot, during later boot, and during system " "runtime, but excluding the phases before the initrd or when shutting " "down\\&. This setting is honoured both by B and B\\&. When " "used with the latter it\\*(Aqs particularly useful for generating PCR " "signatures that can only be used for unlocking resources during specific " "parts of the boot process\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "For further details about PCR boot phases, see B(8)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--append=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "When generating a PCR JSON signature (via the B command), combine it " "with a previously generated PCR JSON signature, and output it as one\\&. The " "specified path must refer to a regular file that contains a valid JSON PCR " "signature object\\&. The specified file is not modified\\&. It will be read " "first, then the newly generated signature appended to it, and the resulting " "object is written to standard output\\&. Use this to generate a single JSON " "object consisting from signatures made with a number of signing keys (for " "example, to have one key per boot phase)\\&. The command will suppress " "duplicates: if a specific signature is already included in a JSON signature " "object it is not added a second time\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "Added in version 253\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--json=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Shows output formatted as JSON\\&. Expects one of \"short\" (for the " "shortest possible output without any redundant whitespace or line breaks), " "\"pretty\" (for a pretty version of the same, with indentation and line " "breaks) or \"off\" (to turn off JSON output, the default)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--no-pager>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "Do not pipe output into a pager\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<-h>, B<--help>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "Print a short help text and exit\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--version>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "Print a short version string and exit\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "EXAMPLES" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "$ ukify --output=vmlinux\\&.efi \\e\n" " --os-release=@os-release\\&.txt \\e\n" " --cmdline=@cmdline\\&.txt \\e\n" " --splash=splash\\&.bmp \\e\n" " --devicetree=devicetree\\&.dtb \\e\n" " --measure \\e\n" " vmlinux initrd\\&.cpio\n" "11:sha1=d775a7b4482450ac77e03ee19bda90bd792d6ec7\n" "11:sha256=bc6170f9ce28eb051ab465cd62be8cf63985276766cf9faf527ffefb66f45651\n" "11:sha384=1cf67dff4757e61e5\\&.\\&.\\&.7f49ad720be02fd07263e1f93061243aec599d1ee4b4\n" "11:sha512=8e79acd3ddbbc8282\\&.\\&.\\&.0c3e8ec0c714821032038f525f744960bcd082d937da\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "B(1) internally calls B\\&. The output with hashes " "is from B\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private\\&.pem\n" "\\&.\\&.+\\&.+++++++++\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.+\\&.+\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\n" "$ openssl rsa -pubout -in tpm2-pcr-private\\&.pem -out tpm2-pcr-public\\&.pem\n" "# systemd-measure sign \\e\n" " --linux=vmlinux \\e\n" " --osrel=os-release\\&.txt \\e\n" " --cmdline=cmdline\\&.txt \\e\n" " --initrd=initrd\\&.cpio \\e\n" " --splash=splash\\&.bmp \\e\n" " --dtb=devicetree\\&.dtb \\e\n" " --pcrpkey=tpm2-pcr-public\\&.pem \\e\n" " --bank=sha1 \\e\n" " --bank=sha256 \\e\n" " --private-key=tpm2-pcr-private\\&.pem \\e\n" " --public-key=tpm2-pcr-public\\&.pem Etpm2-pcr-signature\\&.json\n" "# ukify --output=vmlinuz\\&.efi \\e\n" " --os-release=@os-release\\&.txt \\e\n" " --cmdline=@cmdline\\&.txt \\e\n" " --splash=splash\\&.bmp \\e\n" " --devicetree=devicetree\\&.dtb \\e\n" " --pcr-private-key=tpm2-pcr-private\\&.pem \\e\n" " --pcr-public-key=tpm2-pcr-public\\&.pem \\e\n" " --pcr-banks=sha1,sha256 \\e\n" " vmlinux initrd\\&.cpio\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "Later on, enroll the signed PCR policy on a LUKS volume:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "# systemd-cryptenroll --tpm2-device=auto \\e\n" " --tpm2-public-key=tpm2-pcr-public\\&.pem \\e\n" " --tpm2-signature=tpm2-pcr-signature\\&.json \\e\n" " /dev/sda5\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "And then unlock the device with the signature:" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #, no-wrap msgid "" "# systemd-cryptsetup attach \\e\n" " volume5 /dev/sda5 - \\e\n" " tpm2-device=auto,tpm2-signature=/path/to/tpm2-pcr-signature\\&.json\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Note that when the generated unified kernel image vmlinux\\&.efi is booted, " "the signature and public key files will be placed at locations B and B will look for anyway, and thus these " "paths do not actually need to be specified\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "This example extends the previous one, but we now introduce a second signing " "key that is only used to sign PCR policies restricted to the initrd boot " "phase\\&. This can be used to lock down root volumes in a way that they can " "only be unlocked before the transition to the host system\\&. Thus we have " "two classes of secrets or credentials: one that can be unlocked during the " "entire runtime, and the other that can only be used in the initrd\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed #, no-wrap msgid "" "$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private\\&.pem\n" "\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.+\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\n" "$ openssl rsa -pubout -in tpm2-pcr-private\\&.pem -out tpm2-pcr-public\\&.pem\n" "$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-initrd-private\\&.pem\n" "\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.++\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.+\\&.+\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\n" "$ openssl rsa -pubout -in tpm2-pcr-initrd-private\\&.pem -out tpm2-pcr-initrd-public\\&.pem\n" "# ukify --output vmlinux-1\\&.2\\&.3\\&.efi \\e\n" " --os-release=@os-release\\&.txt \\e\n" " --cmdline=@cmdline\\&.txt \\e\n" " --splash=splash\\&.bmp \\e\n" " --devicetree=devicetree\\&.dtb \\e\n" " --pcr-private-key=tpm2-pcr-private\\&.pem \\e\n" " --pcr-public-key=tpm2-pcr-public\\&.pem \\e\n" " --phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \\e\n" " --pcr-banks=sha1,sha256 \\e\n" " --pcr-private-key=tpm2-pcr-initrd-private\\&.pem \\e\n" " --pcr-public-key=tpm2-pcr-initrd-public\\&.pem \\e\n" " --phases=enter-initrd \\e\n" " vmlinux-1\\&.2\\&.3 initrd\\&.cpio \\e\n" " --uname=1\\&.2\\&.3\n" "+ /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1\\&.2\\&.3 \\e\n" "--osrel=os-release\\&.txt --cmdline=cmdline\\&.txt --dtb=devicetree\\&.dtb \\e\n" "--splash=splash\\&.bmp --initrd=initrd\\&.cpio --bank=sha1 --bank=sha256 \\e\n" "--private-key=tpm2-pcr-private\\&.pem --public-key=tpm2-pcr-public\\&.pem \\e\n" "--phase=enter-initrd --phase=enter-initrd:leave-initrd \\e\n" "--phase=enter-initrd:leave-initrd:sysinit \\e\n" "--phase=enter-initrd:leave-initrd:sysinit:ready\n" "+ /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1\\&.2\\&.3 \\e\n" "--osrel=os-release\\&.txt --cmdline=cmdline\\&.txt --dtb=devicetree\\&.dtb \\e\n" "--splash=splash\\&.bmp --initrd=initrd\\&.cpio --bank=sha1 --bank=sha256 \\e\n" "--private-key=tpm2-pcr-initrd-private\\&.pem \\e\n" "--public-key=tpm2-pcr-initrd-public\\&.pem \\e\n" "--phase=enter-initrd\n" "Wrote unsigned vmlinux-1\\&.2\\&.3\\&.efi\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "B prints out both invocations of B as informative " "output (the lines starting with \"+\"); this allows us to see how B is called\\&. It then merges the output of both invocations into " "the \"\\&.pcrsig\" section\\&. B may also do this merge " "itself using the B<--append=> option\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Note that in this example the \"\\&.pcrpkey\" PE section contains the key " "specified by the first B<--pcr-private-key=> option, covering all boot " "phases\\&. The \"\\&.pcrpkey\" section is used in the default policies of " "B and B\\&. To use the stricter policy " "bound to tpm-pcr-initrd-public\\&.pem, specify B<--tpm2-public-key=> on the " "command line of those tools\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "EXIT STATUS" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "On success, 0 is returned, a non-zero failure code otherwise\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "SEE ALSO" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "B(1), B(7), B(1), B(1), " "B(8), B(8)" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "NOTES" msgstr "" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid " 1." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "Unified Kernel Image (UKI)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "\\%https://uapi-group.org/specifications/specs/unified_kernel_image/" msgstr "" #. type: TH #: debian-bookworm opensuse-tumbleweed #, no-wrap msgid "systemd 254" msgstr "" #. type: Plain text #: debian-bookworm msgid "BB<[OPTIONS...]>" msgstr "" #. type: Plain text #: debian-bookworm opensuse-tumbleweed msgid "" "Pre-calculate the expected values seen in PCR register 11 after boot-up of a " "unified kernel image consisting of the components specified with B<--" "linux=>, B<--osrel=>, B<--cmdline=>, B<--initrd=>, B<--splash=>, B<--dtb=>, " "B<--sbat=>, B<--pcrpkey=> see below\\&. Only B<--linux=> is mandatory\\&. " "(Alternatively, specify B<--current> to use the current values of PCR " "register 11 instead\\&.)" msgstr "" #. type: Plain text #: debian-bookworm opensuse-tumbleweed msgid "" "B<--linux=>I, B<--osrel=>I, B<--cmdline=>I, B<--" "initrd=>I, B<--splash=>I, B<--dtb=>I, B<--sbat=>I, " "B<--pcrpkey=>I" msgstr "" #. type: Plain text #: debian-bookworm opensuse-tumbleweed msgid "" "Controls which boot phases to calculate expected PCR 11 values for\\&. This " "takes a series of colon-separated strings that encode boot \"paths\" for " "entering a specific phase of the boot process\\&. Each of the specified " "strings is measured by the systemd-pcrphase-initrd\\&.service and B(8) into PCR 11 during different milestones of the boot " "process\\&. This switch may be specified multiple times to calculate PCR " "values for multiple boot phases at once\\&. If not used defaults to \"enter-" "initrd\", \"enter-initrd:leave-initrd\", \"enter-initrd:leave-initrd:" "sysinit\", \"enter-initrd:leave-initrd:sysinit:ready\", i\\&.e\\&. " "calculates expected PCR values for the boot phase in the initrd, during " "early boot, during later boot, and during system runtime, but excluding the " "phases before the initrd or when shutting down\\&. This setting is honoured " "both by B and B\\&. When used with the latter it\\*(Aqs " "particularly useful for generating PCR signatures that can only be used for " "unlocking resources during specific parts of the boot process\\&." msgstr "" #. type: Plain text #: debian-bookworm #, no-wrap msgid "" "# /lib/systemd/systemd-cryptsetup attach \\e\n" " volume5 /dev/sda5 - \\e\n" " tpm2-device=auto,tpm2-signature=/path/to/tpm2-pcr-signature\\&.json\n" msgstr "" #. type: Plain text #: debian-bookworm #, no-wrap msgid "" "$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private\\&.pem\n" "\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.+\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\n" "$ openssl rsa -pubout -in tpm2-pcr-private\\&.pem -out tpm2-pcr-public\\&.pem\n" "$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-initrd-private\\&.pem\n" "\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.++\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.+\\&.\\&.\\&.\\&.\\&.+\\&.+\\&.\\&.+\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\\&.\n" "$ openssl rsa -pubout -in tpm2-pcr-initrd-private\\&.pem -out tpm2-pcr-initrd-public\\&.pem\n" "# ukify --output vmlinux-1\\&.2\\&.3\\&.efi \\e\n" " --os-release=@os-release\\&.txt \\e\n" " --cmdline=@cmdline\\&.txt \\e\n" " --splash=splash\\&.bmp \\e\n" " --devicetree=devicetree\\&.dtb \\e\n" " --pcr-private-key=tpm2-pcr-private\\&.pem \\e\n" " --pcr-public-key=tpm2-pcr-public\\&.pem \\e\n" " --phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \\e\n" " --pcr-banks=sha1,sha256 \\e\n" " --pcr-private-key=tpm2-pcr-initrd-private\\&.pem \\e\n" " --pcr-public-key=tpm2-pcr-initrd-public\\&.pem \\e\n" " --phases=enter-initrd \\e\n" " vmlinux-1\\&.2\\&.3 initrd\\&.cpio \\e\n" " --uname=1\\&.2\\&.3\n" "+ /lib/systemd/systemd-measure sign --linux=vmlinux-1\\&.2\\&.3 \\e\n" "--osrel=os-release\\&.txt --cmdline=cmdline\\&.txt --dtb=devicetree\\&.dtb \\e\n" "--splash=splash\\&.bmp --initrd=initrd\\&.cpio --bank=sha1 --bank=sha256 \\e\n" "--private-key=tpm2-pcr-private\\&.pem --public-key=tpm2-pcr-public\\&.pem \\e\n" "--phase=enter-initrd --phase=enter-initrd:leave-initrd \\e\n" "--phase=enter-initrd:leave-initrd:sysinit \\e\n" "--phase=enter-initrd:leave-initrd:sysinit:ready\n" "+ /lib/systemd/systemd-measure sign --linux=vmlinux-1\\&.2\\&.3 \\e\n" "--osrel=os-release\\&.txt --cmdline=cmdline\\&.txt --dtb=devicetree\\&.dtb \\e\n" "--splash=splash\\&.bmp --initrd=initrd\\&.cpio --bank=sha1 --bank=sha256 \\e\n" "--private-key=tpm2-pcr-initrd-private\\&.pem \\e\n" "--public-key=tpm2-pcr-initrd-public\\&.pem \\e\n" "--phase=enter-initrd\n" "Wrote unsigned vmlinux-1\\&.2\\&.3\\&.efi\n" msgstr "" #. type: Plain text #: opensuse-tumbleweed #, no-wrap msgid "" "# /usr/lib/systemd/systemd-cryptsetup attach \\e\n" " volume5 /dev/sda5 - \\e\n" " tpm2-device=auto,tpm2-signature=/path/to/tpm2-pcr-signature\\&.json\n" msgstr ""