<?xml version="1.0"?>
<!--*-nxml-*-->
<!-- Source: git.ipfire.org, thirdparty/systemd.git, blame view of man/systemd-measure.xml
     at commit "Merge pull request #25389 from fbuihuu/update-test-for-opensuse" -->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="systemd-measure" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='HAVE_GNU_EFI'>

  <refentryinfo>
    <title>systemd-measure</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-measure</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-measure</refname>
    <refpurpose>Pre-calculate and sign expected TPM2 PCR values for booted unified kernel images</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/usr/lib/systemd/systemd-measure <arg choice="opt" rep="repeat">OPTIONS</arg></command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>Note: this command is experimental for now. While it is likely to become a regular component of
    systemd, it might still change in behaviour and interface.</para>

    <para><command>systemd-measure</command> is a tool that may be used to pre-calculate and sign the
    expected TPM2 PCR 11 values that should be seen when a unified Linux kernel image based on
    <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> is
    booted up. It accepts paths to the ELF kernel image file, initrd image file, devicetree file, kernel
    command line file,
    <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file, boot
    splash file, and TPM2 PCR PEM public key file that make up the unified kernel image, and determines the
    PCR values expected to be in place after booting the image. Calculation starts with a zero-initialized
    PCR 11, and is executed in a fashion compatible with what <filename>systemd-stub</filename> does at
    boot. The result may optionally be signed cryptographically, to allow TPM2 policies that can only be
    unlocked if a certain set of kernels is booted, for which such a PCR signature can be provided.</para>
  </refsect1>

  <refsect1>
    <title>Commands</title>

    <para>The following commands are understood:</para>

    <variablelist>
      <varlistentry>
        <term><command>status</command></term>

        <listitem><para>This is the default command if none is specified. This queries the local system's
        TPM2 PCR 11+12+13 values and displays them. The data is written in a similar format as the
        <command>calculate</command> command below, and may be used to quickly compare expectation with
        reality.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><command>calculate</command></term>

        <listitem><para>Pre-calculate the expected values seen in PCR register 11 after boot-up of a unified
        kernel image consisting of the components specified with <option>--linux=</option>,
        <option>--osrel=</option>, <option>--cmdline=</option>, <option>--initrd=</option>,
        <option>--splash=</option>, <option>--dtb=</option>, <option>--pcrpkey=</option>, see below. Only
        <option>--linux=</option> is mandatory. (Alternatively, specify <option>--current</option> to use the
        current values of PCR register 11 instead.)</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><command>sign</command></term>

        <listitem><para>As with the <command>calculate</command> command, pre-calculate the expected value
        seen in TPM2 PCR register 11 after boot-up of a unified kernel image. Then, cryptographically sign
        the resulting values with the private/public key pair (RSA) configured via
        <option>--private-key=</option> and <option>--public-key=</option>. This will write a JSON object to
        standard output that contains signatures for all specified PCR banks (see
        <option>--bank=</option> below), which may be used to unlock encrypted credentials (see
        <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>) or
        LUKS volumes (see
        <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>). This
        allows binding secrets to a set of kernels for which such PCR 11 signatures can be provided.</para>

        <para>Note that a TPM2 device must be available for this signing to take place, even though the
        result is not tied to any TPM2 device or its state.</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist>
      <varlistentry>
        <term><option>--linux=PATH</option></term>
        <term><option>--osrel=PATH</option></term>
        <term><option>--cmdline=PATH</option></term>
        <term><option>--initrd=PATH</option></term>
        <term><option>--splash=PATH</option></term>
        <term><option>--dtb=PATH</option></term>
        <term><option>--pcrpkey=PATH</option></term>

        <listitem><para>When used with the <command>calculate</command> or <command>sign</command> verb,
        configures the files to read the unified kernel image components from. Each option corresponds with
        the equally named section in the unified kernel PE file. The <option>--linux=</option> switch expects
        the path to the ELF kernel file that the unified PE kernel will wrap. All switches except
        <option>--linux=</option> are optional. Each option may be used at most once.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--current</option></term>
        <listitem><para>When used with the <command>calculate</command> or <command>sign</command> verb,
        takes the PCR 11 values currently in effect for the system (which should typically reflect the hashes
        of the currently booted kernel). This can be used in place of <option>--linux=</option> and the other
        switches listed above.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--bank=DIGEST</option></term>

        <listitem><para>Controls the PCR banks to pre-calculate the PCR values for – in case
        <command>calculate</command> or <command>sign</command> is invoked –, or the banks to show in the
        <command>status</command> output. May be used more than once to specify multiple banks. If not
        specified, defaults to the four banks <literal>sha1</literal>, <literal>sha256</literal>,
        <literal>sha384</literal>, <literal>sha512</literal>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--private-key=PATH</option></term>
        <term><option>--public-key=PATH</option></term>

        <listitem><para>These switches take paths to a pair of PEM encoded RSA key files, for use with
        the <command>sign</command> command.</para>

        <para>Note the difference between the <option>--pcrpkey=</option> and <option>--public-key=</option>
        switches. The former selects the data to include in the <literal>.pcrpkey</literal> PE section of the
        unified kernel image, the latter picks the public key of the key pair used to sign the resulting PCR
        11 values. The former is the key that the booted system will likely use to lock disk and credential
        encryption to, the latter is the key used for unlocking such resources again. Hence, typically the
        same PEM key should be supplied in both cases.</para>

        <para>If <option>--public-key=</option> is not specified but <option>--private-key=</option> is,
        the public key is automatically derived from the private key.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--tpm2-device=</option><replaceable>PATH</replaceable></term>

        <listitem><para>Controls which TPM2 device to use. Expects a device node path referring to the TPM2
        chip (e.g. <filename>/dev/tpmrm0</filename>). Alternatively the special value <literal>auto</literal>
        may be specified, in order to automatically determine the device node of a suitable TPM2 device (of
        which there must be exactly one). The special value <literal>list</literal> may be used to enumerate
        all suitable TPM2 devices currently discovered.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--phase=</option><replaceable>PHASE</replaceable></term>

        <listitem><para>Controls which boot phases to calculate expected PCR 11 values for. This takes a
        series of colon-separated strings that encode boot "paths" for entering a specific phase of the boot
        process. Each of the specified strings is measured by the
        <filename>systemd-pcrphase-initrd.service</filename> and
        <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        into PCR 11 during different milestones of the boot process. This switch may be specified multiple
        times to calculate PCR values for multiple boot phases at once. If not used, defaults to
        <literal>enter-initrd</literal>, <literal>enter-initrd:leave-initrd</literal>,
        <literal>enter-initrd:leave-initrd:sysinit</literal>,
        <literal>enter-initrd:leave-initrd:sysinit:ready</literal>, i.e. calculates expected PCR values for
        the boot phase in the initrd, during early boot, during later boot, and during system runtime, but
        excluding the phases before the initrd or when shutting down. This setting is honoured both by
        <command>calculate</command> and <command>sign</command>. When used with the latter it's particularly
        useful for generating PCR signatures that can only be used for unlocking resources during specific
        parts of the boot process.</para>

        <para>For further details about PCR boot phases, see
        <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para></listitem>
      </varlistentry>

      <xi:include href="standard-options.xml" xpointer="json" />
      <xi:include href="standard-options.xml" xpointer="no-pager" />
      <xi:include href="standard-options.xml" xpointer="help" />
      <xi:include href="standard-options.xml" xpointer="version" />
    </variablelist>
  </refsect1>
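As an added illustration of the calculation that the Description and the <option>--phase=</option> option above describe (example code written for this page, not systemd's own implementation), the Go program below models PCR 11 the way the text lays it out: the register starts zero-initialized, each supplied section is measured in turn, and then each colon-separated word of a boot phase path is measured, for each of the four default banks. It prints the result in the <literal>11:bank=hex</literal> form the calculate example uses and checks status-style output lines against the expectation. Which exact bytes systemd-stub and the pcrphase services feed to the TPM is an assumption here (the raw section contents, then the bare phase word), so its values will not match those of a real image; the section contents and the section order are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
	"strings"
)

// Hash constructors for the four banks that --bank= defaults to.
var banks = map[string]func() hash.Hash{
	"sha1":   sha1.New,
	"sha256": sha256.New,
	"sha384": sha512.New384,
	"sha512": sha512.New,
}

// Section order assumed here: the order in which the --linux=/--osrel=/... options are listed.
var sectionOrder = []string{".linux", ".osrel", ".cmdline", ".initrd", ".splash", ".dtb", ".pcrpkey"}

// extend models one TPM2 PCR extend operation: new = H(old || H(data)).
func extend(newHash func() hash.Hash, pcr, data []byte) []byte {
	h := newHash()
	h.Write(data)
	dataDigest := h.Sum(nil)
	h = newHash()
	h.Write(pcr)
	h.Write(dataDigest)
	return h.Sum(nil)
}

// expectedPCR11 models the calculate command for one bank: PCR 11 starts all zero,
// each present section's contents are measured in sectionOrder, then each word of the
// boot phase path is measured (an empty phase stops after the sections). Assumption:
// the measured bytes are the raw contents and the bare phase word.
func expectedPCR11(bank string, sections map[string][]byte, phase string) ([]byte, error) {
	newHash, ok := banks[bank]
	if !ok {
		return nil, fmt.Errorf("unknown PCR bank %q", bank)
	}
	pcr := make([]byte, newHash().Size()) // zero-initialized PCR 11
	for _, name := range sectionOrder {
		if data, present := sections[name]; present {
			pcr = extend(newHash, pcr, data)
		}
	}
	if phase != "" {
		for _, word := range strings.Split(phase, ":") {
			pcr = extend(newHash, pcr, []byte(word))
		}
	}
	return pcr, nil
}

// formatLine renders a value in the "11:<bank>=<hex>" form the calculate output uses.
func formatLine(bank string, pcr []byte) string {
	return fmt.Sprintf("11:%s=%s", bank, hex.EncodeToString(pcr))
}

// parseLine reads one such line (from calculate or status output) back into bank and value.
func parseLine(line string) (string, []byte, error) {
	line = strings.TrimSpace(line)
	parts := strings.SplitN(strings.TrimPrefix(line, "11:"), "=", 2)
	if !strings.HasPrefix(line, "11:") || len(parts) != 2 {
		return "", nil, fmt.Errorf("not a PCR 11 line: %q", line)
	}
	pcr, err := hex.DecodeString(parts[1])
	return parts[0], pcr, err
}

// mismatchedBanks compares expected values (keyed by bank) against status-style
// output and returns the banks whose live value differs from the expectation.
func mismatchedBanks(expected map[string][]byte, statusLines []string) ([]string, error) {
	var bad []string
	for _, line := range statusLines {
		bank, live, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		if want, ok := expected[bank]; ok && !bytes.Equal(want, live) {
			bad = append(bad, bank)
		}
	}
	return bad, nil
}

func main() {
	// Constructed stand-in section contents; not a real kernel, os-release or initrd.
	sections := map[string][]byte{
		".linux":   []byte("ELF kernel placeholder"),
		".osrel":   []byte("ID=example\nVERSION_ID=1\n"),
		".cmdline": []byte("root=/dev/mapper/root ro quiet"),
	}
	for _, phase := range []string{"enter-initrd", "enter-initrd:leave-initrd"} {
		fmt.Println("--phase=" + phase)
		for _, bank := range []string{"sha1", "sha256", "sha384", "sha512"} {
			pcr, _ := expectedPCR11(bank, sections, phase)
			fmt.Println("  " + formatLine(bank, pcr))
		}
	}
}
```

The model makes the two properties the option text relies on visible: a longer phase path is exactly one more extend per word on top of the shorter path's value, and any change to a section's contents or to the command line changes every downstream value, which is what lets the status output be compared against a pre-calculated expectation.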

  <refsect1>
    <title>Examples</title>

    <example>
      <title>Generate a unified kernel image, and calculate the expected TPM PCR 11 value</title>

      <programlisting># objcopy \
    --add-section .linux=vmlinux --change-section-vma .linux=0x2000000 \
    --add-section .osrel=os-release.txt --change-section-vma .osrel=0x20000 \
    --add-section .cmdline=cmdline.txt --change-section-vma .cmdline=0x30000 \
    --add-section .initrd=initrd.cpio --change-section-vma .initrd=0x3000000 \
    --add-section .splash=splash.bmp --change-section-vma .splash=0x100000 \
    --add-section .dtb=devicetree.dtb --change-section-vma .dtb=0x40000 \
    /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
    foo.efi
# systemd-measure calculate \
    --linux=vmlinux \
    --osrel=os-release.txt \
    --cmdline=cmdline.txt \
    --initrd=initrd.cpio \
    --splash=splash.bmp \
    --dtb=devicetree.dtb
11:sha1=d775a7b4482450ac77e03ee19bda90bd792d6ec7
11:sha256=bc6170f9ce28eb051ab465cd62be8cf63985276766cf9faf527ffefb66f45651
11:sha384=1cf67dff4757e61e5a73d2a21a6694d668629bbc3761747d493f7f49ad720be02fd07263e1f93061243aec599d1ee4b4
11:sha512=8e79acd3ddbbc8282e98091849c3530f996303c8ac8e87a3b2378b71c8b3a6e86d5c4f41ecea9e1517090c3e8ec0c714821032038f525f744960bcd082d937da
</programlisting>
    </example>

    <example>
      <title>Generate a private/public key pair, and a unified kernel image, and a TPM PCR 11 signature for
      it, and embed the signature and the public key in the image</title>

      <programlisting># openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private.pem
# openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
# systemd-measure sign \
    --linux=vmlinux \
    --osrel=os-release.txt \
    --cmdline=cmdline.txt \
    --initrd=initrd.cpio \
    --splash=splash.bmp \
    --dtb=devicetree.dtb \
    --pcrpkey=tpm2-pcr-public.pem \
    --bank=sha1 \
    --bank=sha256 \
    --private-key=tpm2-pcr-private.pem \
    --public-key=tpm2-pcr-public.pem > tpm2-pcr-signature.json
# objcopy \
    --add-section .linux=vmlinux --change-section-vma .linux=0x2000000 \
    --add-section .osrel=os-release.txt --change-section-vma .osrel=0x20000 \
    --add-section .cmdline=cmdline.txt --change-section-vma .cmdline=0x30000 \
    --add-section .initrd=initrd.cpio --change-section-vma .initrd=0x3000000 \
    --add-section .splash=splash.bmp --change-section-vma .splash=0x100000 \
    --add-section .dtb=devicetree.dtb --change-section-vma .dtb=0x40000 \
    --add-section .pcrsig=tpm2-pcr-signature.json --change-section-vma .pcrsig=0x80000 \
    --add-section .pcrpkey=tpm2-pcr-public.pem --change-section-vma .pcrpkey=0x90000 \
    /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
    foo.efi</programlisting>

      <para>Later on, enroll the signed PCR policy on a LUKS volume:</para>

      <programlisting># systemd-cryptenroll --tpm2-device=auto --tpm2-public-key=tpm2-pcr-public.pem --tpm2-signature=tpm2-pcr-signature.json /dev/sda5</programlisting>

      <para>And then unlock the device with the signature:</para>

      <programlisting># /usr/lib/systemd/systemd-cryptsetup attach myvolume /dev/sda5 - tpm2-device=auto,tpm2-signature=/path/to/tpm2-pcr-signature.json</programlisting>

      <para>Note that when the generated unified kernel image <filename>foo.efi</filename> is booted the
      signature and public key files will be placed at locations <command>systemd-cryptenroll</command> and
      <command>systemd-cryptsetup</command> will look for anyway, and thus these paths do not actually need to
      be specified.</para>
    </example>
  </refsect1>
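To show what the <command>sign</command> step in the second example buys, and why the <option>--phase=</option> option speaks of signatures usable only during specific parts of the boot, here is an added Go example (written for this page; not systemd's code). The JSON object the real tool emits and the TPM2 policy structure it actually signs are not described on this page and are not reproduced: this example signs a SHA-256 digest of the modelled PCR 11 value with RSA PKCS#1 v1.5, an assumed scheme, and uses constructed stand-ins for the key files and the image sections. The verifying side plays the role of the unlock step: a signature only fits the one (image, boot phase) combination it was issued for.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// extend256 models one PCR extend in the sha256 bank: new = H(old || H(data)).
func extend256(pcr, data []byte) []byte {
	d := sha256.Sum256(data)
	h := sha256.New()
	h.Write(pcr)
	h.Write(d[:])
	return h.Sum(nil)
}

// pcr11For models the expected PCR 11 of a unified kernel image: zero PCR, the
// section contents measured in order, then each word of the boot phase path.
// (Which exact bytes systemd-stub and systemd-pcrphase measure is assumed here.)
func pcr11For(sections [][]byte, phase string) []byte {
	pcr := make([]byte, sha256.Size)
	for _, s := range sections {
		pcr = extend256(pcr, s)
	}
	for _, word := range strings.Split(phase, ":") {
		pcr = extend256(pcr, []byte(word))
	}
	return pcr
}

// signPCR is the "sign" side: an RSA PKCS#1 v1.5 signature over SHA-256 of the
// expected PCR value. (Assumed scheme; the page does not say what systemd signs.)
func signPCR(priv *rsa.PrivateKey, pcr []byte) ([]byte, error) {
	digest := sha256.Sum256(pcr)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyPCR is the unlocking side: accept only if the presented signature covers
// the PCR 11 value the TPM currently reports.
func verifyPCR(pub *rsa.PublicKey, pcr, sig []byte) bool {
	digest := sha256.Sum256(pcr)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// signPhases produces one signature per boot phase path, as sign --phase=... does
// for each requested path.
func signPhases(priv *rsa.PrivateKey, sections [][]byte, phases []string) (map[string][]byte, error) {
	sigs := make(map[string][]byte, len(phases))
	for _, phase := range phases {
		sig, err := signPCR(priv, pcr11For(sections, phase))
		if err != nil {
			return nil, err
		}
		sigs[phase] = sig
	}
	return sigs, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for tpm2-pcr-private.pem
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey // stands in for tpm2-pcr-public.pem
	// Constructed stand-in section contents; not a real kernel, os-release, cmdline or initrd.
	sections := [][]byte{[]byte("kernel"), []byte("ID=example"), []byte("root=/dev/sda2 ro"), []byte("initrd")}
	sigs, err := signPhases(priv, sections, []string{"enter-initrd", "enter-initrd:leave-initrd"})
	if err != nil {
		panic(err)
	}
	// The signature issued for the initrd phase unlocks while the TPM still reports that phase...
	fmt.Println("in initrd, initrd signature:", verifyPCR(pub, pcr11For(sections, "enter-initrd"), sigs["enter-initrd"]))
	// ...but no longer once leave-initrd has been measured on top of it.
	fmt.Println("after initrd, initrd signature:", verifyPCR(pub, pcr11For(sections, "enter-initrd:leave-initrd"), sigs["enter-initrd"]))
	// An image built with a different command line measures to a different value, so no signature fits.
	other := [][]byte{[]byte("kernel"), []byte("ID=example"), []byte("root=/dev/sdb2 ro"), []byte("initrd")}
	fmt.Println("other cmdline, initrd signature:", verifyPCR(pub, pcr11For(other, "enter-initrd"), sigs["enter-initrd"]))
}
```

The point to take from the three checks in <function>main</function> is the one the man page states in prose: the signature, not the TPM state, is what travels with the image, and it is worthless for any PCR 11 value other than the one pre-calculated for that exact set of sections and that boot phase. Rebuilding the image with any changed component therefore means re-running <command>sign</command> and re-embedding the new <literal>.pcrsig</literal> section.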

  <refsect1>
    <title>Exit status</title>

    <para>On success, 0 is returned, a non-zero failure code otherwise.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>objcopy</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>