Diffstat (limited to 'man/systemd-measure.xml')
-rw-r--r--man/systemd-measure.xml53
1 files changed, 36 insertions, 17 deletions
diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index ff3abc4..8ea6674 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -1,9 +1,9 @@
<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
-<refentry id="systemd-measure" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='ENABLE_BOOTLOADER'>
+<refentry id="systemd-measure" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='HAVE_TPM2 HAVE_BLKID HAVE_OPENSSL'>
<refentryinfo>
<title>systemd-measure</title>
@@ -22,7 +22,7 @@
<refsynopsisdiv>
<cmdsynopsis>
- <command>/usr/lib/systemd/systemd-measure <arg choice="opt" rep="repeat">OPTIONS</arg></command>
+ <command>/usr/lib/systemd/systemd-measure</command> <arg choice="opt" rep="repeat">OPTIONS</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -75,9 +75,9 @@
<listitem><para>Pre-calculate the expected values seen in PCR register 11 after boot-up of a unified
kernel image consisting of the components specified with <option>--linux=</option>,
<option>--osrel=</option>, <option>--cmdline=</option>, <option>--initrd=</option>,
- <option>--splash=</option>, <option>--dtb=</option>, <option>--uname=</option>,
- <option>--sbat=</option>, <option>--pcrpkey=</option> see below. Only <option>--linux=</option> is
- mandatory. (Alternatively, specify <option>--current</option> to use the current values of PCR
+ <option>--ucode=</option>, <option>--splash=</option>, <option>--dtb=</option>,
+ <option>--uname=</option>, <option>--sbat=</option>, <option>--pcrpkey=</option> see below.
+ Only <option>--linux=</option> is mandatory. (Alternatively, specify <option>--current</option> to use the current values of PCR
register 11 instead.)</para>
<xi:include href="version-info.xml" xpointer="v252"/>
@@ -118,6 +118,7 @@
<term><option>--osrel=<replaceable>PATH</replaceable></option></term>
<term><option>--cmdline=<replaceable>PATH</replaceable></option></term>
<term><option>--initrd=<replaceable>PATH</replaceable></option></term>
+ <term><option>--ucode=<replaceable>PATH</replaceable></option></term>
<term><option>--splash=<replaceable>PATH</replaceable></option></term>
<term><option>--dtb=<replaceable>PATH</replaceable></option></term>
<term><option>--uname=<replaceable>PATH</replaceable></option></term>
@@ -158,6 +159,7 @@
<varlistentry>
<term><option>--private-key=<replaceable>PATH</replaceable></option></term>
<term><option>--public-key=<replaceable>PATH</replaceable></option></term>
+ <term><option>--certificate=<replaceable>PATH</replaceable></option></term>
<listitem><para>These switches take paths to a pair of PEM encoded RSA key files, for use with
the <command>sign</command> command.</para>
@@ -172,11 +174,28 @@
<para>If the <option>--public-key=</option> is not specified but <option>--private-key=</option> is
specified the public key is automatically derived from the private key.</para>
+ <para><option>--certificate=</option> can be used to specify an X.509 certificate as an alternative
+ to <option>--public-key=</option> since v256.</para>
+
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
<varlistentry>
- <term><option>--tpm2-device=</option><replaceable>PATH</replaceable></term>
+ <term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
+ <term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term>
+ <term><option>--certificate=<replaceable>PATH</replaceable></option></term>
+
+ <listitem><para>As an alternative to <option>--public-key=</option> for the
+ <command>sign</command> command, these switches can be used to sign with an hardware token. The
+ private key option can take a path or a URI that will be passed to the OpenSSL engine or
+ provider, as specified by <option>--private-key-source=</option> as a type:name tuple, such as
+ engine:pkcs11. The specified OpenSSL signing engine or provider will be used to sign.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
<listitem><para>Controls which TPM2 device to use. Expects a device node path referring to the TPM2
chip (e.g. <filename>/dev/tpmrm0</filename>). Alternatively the special value <literal>auto</literal>
@@ -188,7 +207,7 @@
</varlistentry>
<varlistentry>
- <term><option>--phase=</option><replaceable>PHASE</replaceable></term>
+ <term><option>--phase=<replaceable>PHASE</replaceable></option></term>
<listitem><para>Controls which boot phases to calculate expected PCR 11 values for. This takes a
series of colon-separated strings that encode boot "paths" for entering a specific phase of the boot
@@ -214,7 +233,7 @@
</varlistentry>
<varlistentry>
- <term><option>--append=</option><replaceable>PATH</replaceable></term>
+ <term><option>--append=<replaceable>PATH</replaceable></option></term>
<listitem><para>When generating a PCR JSON signature (via the <command>sign</command> command),
combine it with a previously generated PCR JSON signature, and output it as one. The specified path
@@ -375,14 +394,14 @@ Wrote unsigned vmlinux-1.2.3.efi
<refsect1>
<title>See Also</title>
- <para>
- <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>ukify</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- </para>
+ <para><simplelist type="inline">
+ <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>ukify</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+ </simplelist></para>
</refsect1>
</refentry>