From fc53809803cd2bc2434e312b19a18fa36776da12 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 12 Jun 2024 05:50:40 +0200 Subject: Adding upstream version 256. Signed-off-by: Daniel Baumann --- man/systemd-pcrlock.xml | 86 +++++++++++++++++++++++++++++++++---------------- 1 file changed, 59 insertions(+), 27 deletions(-) (limited to 'man/systemd-pcrlock.xml') diff --git a/man/systemd-pcrlock.xml b/man/systemd-pcrlock.xml index a364dd3..19ba4c4 100644 --- a/man/systemd-pcrlock.xml +++ b/man/systemd-pcrlock.xml @@ -1,9 +1,10 @@ + "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> - + systemd-pcrlock @@ -29,7 +30,7 @@ - /usr/lib/systemd/systemd-pcrlock OPTIONS + /usr/lib/systemd/systemd-pcrlock OPTIONS @@ -61,7 +62,7 @@ *.pcrlock.d/*.pcrlock, see systemd.pcrlock5) that each define expected measurements for one component of the boot process, permitting alternative - variants for each. (Variants may be used used to bless multiple kernel versions or boot loader versions + variants for each. (Variants may be used to bless multiple kernel versions or boot loader versions at the same time.) @@ -104,7 +105,7 @@ cel This reads the combined TPM2 event log and writes it to STDOUT in TCG Common Event Log + url="https://trustedcomputinggroup.org/resource/canonical-event-log-format/">TCG Canonical Event Log Format (CEL-JSON) format. 
@@ -155,6 +156,19 @@ If the new prediction matches the old this command terminates quickly and executes no further operation. (Unless is specified, see below.) + Starting with v256, a copy of the /var/lib/systemd/pcrlock.json policy + file is encoded in a credential (see + systemd-creds1 for + details) and written to the EFI System Partition or XBOOTLDR partition, in the + /loader/credentials/ subdirectory. There it is picked up at boot by + systemd-stub7 and + passed to the invoked initrd, where it can be used to unlock the root file system (which typically + contains /var/, which is where the primary copy of the policy is located, which + hence cannot be used to unlock the root file system). The credential file is named after the boot + entry token of the installation (see + bootctl1), which + is configurable via the switch, see below. + @@ -266,7 +280,7 @@ - lock-gpt DEVICE + lock-gpt DEVICE unlock-gpt Generates/removes a .pcrlock file based on the GPT partition @@ -282,7 +296,7 @@ - lock-pe BINARY + lock-pe BINARY unlock-pe Generates/removes a .pcrlock file based on the specified PE @@ -301,7 +315,7 @@ - lock-uki UKI + lock-uki UKI unlock-uki Generates/removes a .pcrlock file based on the specified UKI PE @@ -336,8 +350,8 @@ - lock-file-system PATH - unlock-file-system PATH + lock-file-system PATH + unlock-file-system PATH Generates/removes a .pcrlock file based on file system identity. This is useful for predicting measurements @@ -353,7 +367,7 @@ - lock-kernel-cmdline FILE + lock-kernel-cmdline FILE unlock-kernel-cmdline Generates/removes a .pcrlock file based on @@ -384,7 +398,7 @@ - lock-raw FILE + lock-raw FILE unlock-raw Generates/removes a .pcrlock file based on raw binary data. The 
@@ -490,13 +504,16 @@ - Takes a boolean. Defaults to false. Honoured by make-policy. If - true, will query the user for a PIN to unlock the TPM2 NV index with. If no policy was created before - this PIN is used to protect the newly allocated NV index. If a policy has been created before the PIN - is used to unlock write access to the NV index. If this option is not used a PIN is automatically - generated. Regardless if user supplied or automatically generated, it is stored in encrypted form in - the policy metadata file. The recovery PIN may be used to regain write access to an NV index in case - the access policy became out of date. + Takes one of hide, show or + query. Defaults to hide. Honoured by + make-policy. If query, will query the user for a PIN to unlock + the TPM2 NV index with. If no policy was created before, this PIN is used to protect the newly + allocated NV index. If a policy has been created before, the PIN is used to unlock write access to + the NV index. If either hide or show is used, a PIN is + automatically generated, and — only in case of show — displayed on + screen. Regardless if user supplied or automatically generated, it is stored in encrypted form in the + policy metadata file. The recovery PIN may be used to regain write access to an NV index in case the + access policy became out of date. @@ -531,6 +548,18 @@ + + + + Sets the boot entry token to use for the file name for the pcrlock policy credential + in the EFI System Partition or XBOOTLDR partition. See the + bootctl1 option of + the same regarding expected values. This switch has an effect on the + make-policy command only. + + + + 
@@ -546,14 +575,17 @@ See Also - - systemd1, - systemd.pcrlock5, - systemd-cryptenroll1, - systemd-cryptsetup@.service8, - systemd-repart8, - systemd-pcrmachine.service8 - + + systemd1 + systemd.pcrlock5 + systemd-cryptenroll1 + systemd-cryptsetup@.service8 + systemd-repart8 + systemd-pcrmachine.service8 + systemd-creds1 + systemd-stub7 + bootctl1 + -- cgit v1.2.3
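Review bot: the new paragraph in the hunk at @@ -155,6 +156,19 @@ says a copy of /var/lib/systemd/pcrlock.json is "encoded in a credential" and written to /loader/credentials/ on the EFI System Partition or XBOOTLDR partition, but it does not say whether that credential is encrypted or authenticated, nor what systemd-stub and the initrd do if the file has been altered or removed. Since the ESP is an unencrypted partition readable without the TPM policy, the paragraph should state explicitly how the copy is protected and whether a tampered copy can only make the root file system unlock fail or is trusted for anything more. Also, "which is configurable via the switch, see below" has no switch name as rendered here; check that the <option> cross-reference to the boot-entry-token switch documented later in this patch actually resolves in the built man page.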
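Review bot: the option in the hunk at @@ -490,13 +504,16 @@ changes from "Takes a boolean. Defaults to false." to "Takes one of hide, show or query. Defaults to hide.", which is a syntax change for existing callers; the text should say whether the old boolean values are still accepted (and, if so, which of the three modes true and false map to) or note the incompatibility explicitly. For the show mode, which prints the automatically generated recovery PIN on screen, one sentence reminding that the PIN grants write access to the NV index and should be recorded as carefully as the encrypted copy in the policy metadata file would fit the rest of the paragraph. Minor: "Regardless if user supplied" should read "Regardless of whether user-supplied".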
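Review bot: "See the bootctl option of the same regarding expected values" in the hunk at @@ -531,6 +548,18 @@ is missing a word, presumably "of the same name". The description should also state the default used when the switch is not given, since the earlier hunk only says the credential file is named after the installation's boot entry token, and mention what happens to a previously written credential if make-policy is rerun with a different token (whether the old file is replaced or left behind in /loader/credentials/).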