1 files changed, 36 insertions, 17 deletions

diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index ff3abc4..8ea6674 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -1,9 +1,9 @@
 <?xml version="1.0"?>
 <!--*-nxml-*-->
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
-<refentry id="systemd-measure" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='ENABLE_BOOTLOADER'>
+<refentry id="systemd-measure" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='HAVE_TPM2 HAVE_BLKID HAVE_OPENSSL'>
 
   <refentryinfo>
     <title>systemd-measure</title>
@@ -22,7 +22,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/usr/lib/systemd/systemd-measure <arg choice="opt" rep="repeat">OPTIONS</arg></command>
+      <command>/usr/lib/systemd/systemd-measure</command> <arg choice="opt" rep="repeat">OPTIONS</arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -75,9 +75,9 @@
         <listitem><para>Pre-calculate the expected values seen in PCR register 11 after boot-up of a unified
         kernel image consisting of the components specified with <option>--linux=</option>,
         <option>--osrel=</option>, <option>--cmdline=</option>, <option>--initrd=</option>,
-        <option>--splash=</option>, <option>--dtb=</option>, <option>--uname=</option>,
-        <option>--sbat=</option>, <option>--pcrpkey=</option> see below. Only <option>--linux=</option> is
-        mandatory. (Alternatively, specify <option>--current</option> to use the current values of PCR
+        <option>--ucode=</option>, <option>--splash=</option>, <option>--dtb=</option>,
+        <option>--uname=</option>, <option>--sbat=</option>, <option>--pcrpkey=</option> see below.
+        Only <option>--linux=</option> is mandatory. (Alternatively, specify <option>--current</option> to use the current values of PCR
         register 11 instead.)</para>
 
         <xi:include href="version-info.xml" xpointer="v252"/>
@@ -118,6 +118,7 @@
         <term><option>--osrel=<replaceable>PATH</replaceable></option></term>
         <term><option>--cmdline=<replaceable>PATH</replaceable></option></term>
         <term><option>--initrd=<replaceable>PATH</replaceable></option></term>
+        <term><option>--ucode=<replaceable>PATH</replaceable></option></term>
         <term><option>--splash=<replaceable>PATH</replaceable></option></term>
         <term><option>--dtb=<replaceable>PATH</replaceable></option></term>
         <term><option>--uname=<replaceable>PATH</replaceable></option></term>
@@ -158,6 +159,7 @@
       <varlistentry>
         <term><option>--private-key=<replaceable>PATH</replaceable></option></term>
         <term><option>--public-key=<replaceable>PATH</replaceable></option></term>
+        <term><option>--certificate=<replaceable>PATH</replaceable></option></term>
 
         <listitem><para>These switches take paths to a pair of PEM encoded RSA key files, for use with
         the <command>sign</command> command.</para>
@@ -172,11 +174,28 @@
         <para>If the <option>--public-key=</option> is not specified but <option>--private-key=</option> is
         specified the public key is automatically derived from the private key.</para>
 
+        <para><option>--certificate=</option> can be used to specify an X.509 certificate as an alternative
+        to <option>--public-key=</option> since v256.</para>
+
         <xi:include href="version-info.xml" xpointer="v252"/></listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><option>--tpm2-device=</option><replaceable>PATH</replaceable></term>
+        <term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
+        <term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term>
+        <term><option>--certificate=<replaceable>PATH</replaceable></option></term>
+
+        <listitem><para>As an alternative to <option>--public-key=</option> for the
+        <command>sign</command> command, these switches can be used to sign with an hardware token. The
+        private key option can take a path or a URI that will be passed to the OpenSSL engine or
+        provider, as specified by <option>--private-key-source=</option> as a type:name tuple, such as
+        engine:pkcs11. The specified OpenSSL signing engine or provider will be used to sign.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
 
         <listitem><para>Controls which TPM2 device to use. Expects a device node path referring to the TPM2
         chip (e.g. <filename>/dev/tpmrm0</filename>). Alternatively the special value <literal>auto</literal>
@@ -188,7 +207,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>--phase=</option><replaceable>PHASE</replaceable></term>
+        <term><option>--phase=<replaceable>PHASE</replaceable></option></term>
 
         <listitem><para>Controls which boot phases to calculate expected PCR 11 values for. This takes a
         series of colon-separated strings that encode boot "paths" for entering a specific phase of the boot
@@ -214,7 +233,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>--append=</option><replaceable>PATH</replaceable></term>
+        <term><option>--append=<replaceable>PATH</replaceable></option></term>
 
         <listitem><para>When generating a PCR JSON signature (via the <command>sign</command> command),
         combine it with a previously generated PCR JSON signature, and output it as one. The specified path
@@ -375,14 +394,14 @@ Wrote unsigned vmlinux-1.2.3.efi
 
   <refsect1>
     <title>See Also</title>
-    <para>
-      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>ukify</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-     </para>
+    <para><simplelist type="inline">
+      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>ukify</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+     </simplelist></para>
   </refsect1>
 
 </refentry>