diff options
Diffstat (limited to 'man/systemd-measure.xml')
-rw-r--r-- | man/systemd-measure.xml | 53 |
1 files changed, 36 insertions, 17 deletions
diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml index ff3abc4..8ea6674 100644 --- a/man/systemd-measure.xml +++ b/man/systemd-measure.xml @@ -1,9 +1,9 @@ <?xml version="1.0"?> <!--*-nxml-*--> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" - "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> + "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> -<refentry id="systemd-measure" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='ENABLE_BOOTLOADER'> +<refentry id="systemd-measure" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='HAVE_TPM2 HAVE_BLKID HAVE_OPENSSL'> <refentryinfo> <title>systemd-measure</title> @@ -22,7 +22,7 @@ <refsynopsisdiv> <cmdsynopsis> - <command>/usr/lib/systemd/systemd-measure <arg choice="opt" rep="repeat">OPTIONS</arg></command> + <command>/usr/lib/systemd/systemd-measure</command> <arg choice="opt" rep="repeat">OPTIONS</arg> </cmdsynopsis> </refsynopsisdiv> @@ -75,9 +75,9 @@ <listitem><para>Pre-calculate the expected values seen in PCR register 11 after boot-up of a unified kernel image consisting of the components specified with <option>--linux=</option>, <option>--osrel=</option>, <option>--cmdline=</option>, <option>--initrd=</option>, - <option>--splash=</option>, <option>--dtb=</option>, <option>--uname=</option>, - <option>--sbat=</option>, <option>--pcrpkey=</option> see below. Only <option>--linux=</option> is - mandatory. (Alternatively, specify <option>--current</option> to use the current values of PCR + <option>--ucode=</option>, <option>--splash=</option>, <option>--dtb=</option>, + <option>--uname=</option>, <option>--sbat=</option>, <option>--pcrpkey=</option> see below. + Only <option>--linux=</option> is mandatory. (Alternatively, specify <option>--current</option> to use the current values of PCR register 11 instead.)</para> <xi:include href="version-info.xml" xpointer="v252"/> @@ -118,6 +118,7 @@ <term><option>--osrel=<replaceable>PATH</replaceable></option></term> <term><option>--cmdline=<replaceable>PATH</replaceable></option></term> <term><option>--initrd=<replaceable>PATH</replaceable></option></term> + <term><option>--ucode=<replaceable>PATH</replaceable></option></term> <term><option>--splash=<replaceable>PATH</replaceable></option></term> <term><option>--dtb=<replaceable>PATH</replaceable></option></term> <term><option>--uname=<replaceable>PATH</replaceable></option></term> @@ -158,6 +159,7 @@ <varlistentry> <term><option>--private-key=<replaceable>PATH</replaceable></option></term> <term><option>--public-key=<replaceable>PATH</replaceable></option></term> + <term><option>--certificate=<replaceable>PATH</replaceable></option></term> <listitem><para>These switches take paths to a pair of PEM encoded RSA key files, for use with the <command>sign</command> command.</para> @@ -172,11 +174,28 @@ <para>If the <option>--public-key=</option> is not specified but <option>--private-key=</option> is specified the public key is automatically derived from the private key.</para> + <para><option>--certificate=</option> can be used to specify an X.509 certificate as an alternative + to <option>--public-key=</option> since v256.</para> + <xi:include href="version-info.xml" xpointer="v252"/></listitem> </varlistentry> <varlistentry> - <term><option>--tpm2-device=</option><replaceable>PATH</replaceable></term> + <term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term> + <term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term> + <term><option>--certificate=<replaceable>PATH</replaceable></option></term> + + <listitem><para>As an alternative to <option>--public-key=</option> for the + <command>sign</command> command, these switches can be used to sign with an hardware token. The + private key option can take a path or a URI that will be passed to the OpenSSL engine or + provider, as specified by <option>--private-key-source=</option> as a type:name tuple, such as + engine:pkcs11. The specified OpenSSL signing engine or provider will be used to sign.</para> + + <xi:include href="version-info.xml" xpointer="v256"/></listitem> + </varlistentry> + + <varlistentry> + <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term> <listitem><para>Controls which TPM2 device to use. Expects a device node path referring to the TPM2 chip (e.g. <filename>/dev/tpmrm0</filename>). Alternatively the special value <literal>auto</literal> @@ -188,7 +207,7 @@ </varlistentry> <varlistentry> - <term><option>--phase=</option><replaceable>PHASE</replaceable></term> + <term><option>--phase=<replaceable>PHASE</replaceable></option></term> <listitem><para>Controls which boot phases to calculate expected PCR 11 values for. This takes a series of colon-separated strings that encode boot "paths" for entering a specific phase of the boot @@ -214,7 +233,7 @@ </varlistentry> <varlistentry> - <term><option>--append=</option><replaceable>PATH</replaceable></term> + <term><option>--append=<replaceable>PATH</replaceable></option></term> <listitem><para>When generating a PCR JSON signature (via the <command>sign</command> command), combine it with a previously generated PCR JSON signature, and output it as one. The specified path @@ -375,14 +394,14 @@ Wrote unsigned vmlinux-1.2.3.efi <refsect1> <title>See Also</title> - <para> - <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>, - <citerefentry><refentrytitle>ukify</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> - </para> + <para><simplelist type="inline"> + <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> + <member><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry></member> + <member><citerefentry><refentrytitle>ukify</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> + <member><citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> + <member><citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member> + <member><citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member> + </simplelist></para> </refsect1> </refentry> |