You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
63 lines
2.8 KiB
63 lines
2.8 KiB
From 4b28fbe37b02e0df2bd746303108a5e3ed089209 Mon Sep 17 00:00:00 2001
|
|
From: Lennart Poettering <lennart@poettering.net>
|
|
Date: Fri, 14 Oct 2022 15:27:34 +0200
|
|
Subject: [PATCH] man: document the new crypttab measurement options
|
|
|
|
(cherry picked from commit 572f78767f9958559aa4a3060fc5c9a006766240)
|
|
|
|
Related: RHEL-16182
|
|
---
|
|
man/crypttab.xml | 22 ++++++++++++++++++++++
|
|
man/systemd-cryptenroll.xml | 5 +++++
|
|
2 files changed, 27 insertions(+)
|
|
|
|
diff --git a/man/crypttab.xml b/man/crypttab.xml
|
|
index cbbb8ab2a9..1dd9bb1bb6 100644
|
|
--- a/man/crypttab.xml
|
|
+++ b/man/crypttab.xml
|
|
@@ -700,6 +700,28 @@
|
|
order).</para></listitem>
|
|
</varlistentry>
|
|
|
|
+ <varlistentry>
|
|
+ <term><option>tpm2-measure-pcr=</option></term>
|
|
+
|
|
+ <listitem><para>Controls whether to measure the volume key of the encrypted volume to a TPM2 PCR. If
|
|
+ set to "no" (which is the default) no PCR extension is done. If set to "yes" the volume key is
|
|
+ measured into PCR 15. If set to a decimal integer in the range 0…23 the volume key is measured into
|
|
+ the specified PCR. The volume key is measured along with the activated volume name and its UUID. This
|
|
+ functionality is particularly useful for the encrypted volume backing the root file system, as it
|
|
+ then allows later TPM objects to be securely bound to the root file system and hence the specific
|
|
+ installation.</para></listitem>
|
|
+ </varlistentry>
|
|
+
|
|
+ <varlistentry>
|
|
+ <term><option>tpm2-measure-bank=</option></term>
|
|
+
|
|
+ <listitem><para>Selects one or more TPM2 PCR banks to measure the volume key into, as configured with
|
|
+ <option>tpm2-measure-pcr=</option> above. Multiple banks may be specified, separated by a colon
|
|
+ character. If not specified automatically determines available and used banks. Expects a message
|
|
+ digest name (e.g. <literal>sha1</literal>, <literal>sha256</literal>, …) as argument, to identify the
|
|
+ bank.</para></listitem>
|
|
+ </varlistentry>
|
|
+
|
|
<varlistentry>
|
|
<term><option>token-timeout=</option></term>
|
|
|
|
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
|
|
index ad338cdcc5..f08d95c6fb 100644
|
|
--- a/man/systemd-cryptenroll.xml
|
|
+++ b/man/systemd-cryptenroll.xml
|
|
@@ -324,6 +324,11 @@
|
|
<entry>14</entry>
|
|
<entry>The shim project measures its "MOK" certificates and hashes into this PCR.</entry>
|
|
</row>
|
|
+
|
|
+ <row>
|
|
+ <entry>15</entry>
|
|
+ <entry><citerefentry><refentrytitle>systemd-cryptsetup</refentrytitle><manvolnum>7</manvolnum></citerefentry> optionally measures the volume key of activated LUKS volumes into this PCR.</entry>
|
|
+ </row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|