git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd-tpm2-setup.service.xml
<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="systemd-tpm2-setup.service" conditional='ENABLE_BOOTLOADER'
          xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd-tpm2-setup.service</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-tpm2-setup.service</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-tpm2-setup.service</refname>
    <refname>systemd-tpm2-setup-early.service</refname>
    <refname>systemd-tpm2-setup</refname>
    <refpurpose>Set up the TPM2 Storage Root Key (SRK) at boot</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>systemd-tpm2-setup.service</filename></para>
    <para><filename>/usr/lib/systemd/systemd-tpm2-setup</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><filename>systemd-tpm2-setup.service</filename> and
    <filename>systemd-tpm2-setup-early.service</filename> are services that generate the Storage Root Key
    (SRK) if it hasn't been generated yet, and store it in the TPM.</para>

    <para>The services will store the public key of the SRK key pair in a PEM file in
    <filename>/run/systemd/tpm2-srk-public-key.pem</filename> and
    <filename>/var/lib/systemd/tpm2-srk-public-key.pem</filename>. They will also store it in TPM2B_PUBLIC
    format in <filename>/run/systemd/tpm2-srk-public-key.tpm2b_public</filename> and
    <filename>/var/lib/systemd/tpm2-srk-public-key.tpm2b_public</filename>.</para>

    <para><filename>systemd-tpm2-setup-early.service</filename> runs very early at boot (possibly in the
    initrd), and writes the SRK public key to <filename>/run/systemd/tpm2-srk-public-key.*</filename> (as
    <filename>/var/</filename> is generally not accessible this early yet), while
    <filename>systemd-tpm2-setup.service</filename> runs during a later boot phase and saves the public key
    to <filename>/var/lib/systemd/tpm2-srk-public-key.*</filename>.</para>
  </refsect1>
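
  <!-- Added example (not part of the systemd man page or systemd's own code): a Python decoder for the
  TPM2B_PUBLIC copy of the SRK public key named above, reporting whether the key carries the restricted
  and decrypt attributes of a TPM storage key. Assumption: the .tpm2b_public file holds the standard
  marshalled (big-endian) TPM2B_PUBLIC encoding. Reader, parse_tpm2b_public and sample_blob are names
  made up for this example, and the sample bytes are constructed.

```python
import struct

TPM2_ALG_RSA, TPM2_ALG_ECC, TPM2_ALG_NULL = 0x0001, 0x0023, 0x0010  # TPM 2.0 algorithm IDs
STORAGE = (1 << 16) | (1 << 17)  # TPMA_OBJECT bits: restricted | decrypt

class Reader:
    """Big-endian cursor that raises instead of reading past the end."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated TPM2B_PUBLIC")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def num(self, n):  # big-endian unsigned integer of n bytes
        return int.from_bytes(self.take(n), "big")
    def tpm2b(self):  # UINT16 length, then that many bytes
        return self.take(self.num(2))

def parse_tpm2b_public(blob):
    """Decode a marshalled TPM2B_PUBLIC holding an ECC or RSA storage key."""
    outer = Reader(blob)
    r = Reader(outer.tpm2b())  # inner TPMT_PUBLIC
    out = {"type": r.num(2), "name_alg": r.num(2), "attributes": r.num(4),
           "auth_policy": r.tpm2b()}
    if r.num(2) != TPM2_ALG_NULL:  # TPMT_SYM_DEF_OBJECT: algorithm, key bits, mode
        out["sym_bits"], out["sym_mode"] = r.num(2), r.num(2)
    if r.num(2) != TPM2_ALG_NULL:  # key scheme, NULL for restricted decrypt keys
        raise ValueError("non-NULL scheme is outside this example")
    if out["type"] == TPM2_ALG_ECC:
        out["curve"] = r.num(2)
        if r.num(2) != TPM2_ALG_NULL:
            raise ValueError("non-NULL KDF is outside this example")
        out["x"], out["y"] = r.tpm2b(), r.tpm2b()
    elif out["type"] == TPM2_ALG_RSA:
        out["key_bits"], out["exponent"], out["modulus"] = r.num(2), r.num(4), r.tpm2b()
    else:
        raise ValueError("unsupported key type 0x%04x" % out["type"])
    if outer.pos != len(blob) or r.pos != len(r.data):
        raise ValueError("size field does not match contents")
    out["storage_key"] = (out["attributes"] & STORAGE) == STORAGE
    return out

def sample_blob():
    """Constructed ECC P-256 public area with dummy coordinates, not a real SRK."""
    body = struct.pack(">HHIH", TPM2_ALG_ECC, 0x000B, 0x00030472, 0)  # SHA-256 name alg
    body += struct.pack(">6H", 0x0006, 128, 0x0043, 0x0010, 0x0003, 0x0010)  # AES-128-CFB, P-256
    body += struct.pack(">H", 32) + b"\x11" * 32 + struct.pack(">H", 32) + b"\x22" * 32
    return struct.pack(">H", len(body)) + body
```

  To inspect a real system, pass the bytes of /run/systemd/tpm2-srk-public-key.tpm2b_public to
  parse_tpm2b_public. -->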

  <refsect1>
    <title>Files</title>

    <variablelist>
      <varlistentry>
        <term><filename>/run/systemd/tpm2-srk-public-key.pem</filename></term>
        <term><filename>/run/systemd/tpm2-srk-public-key.tpm2b_public</filename></term>

        <listitem><para>The SRK public key in PEM and TPM2B_PUBLIC format, written during early boot.</para>

        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><filename>/var/lib/systemd/tpm2-srk-public-key.pem</filename></term>
        <term><filename>/var/lib/systemd/tpm2-srk-public-key.tpm2b_public</filename></term>

        <listitem><para>The SRK public key in PEM and TPM2B_PUBLIC format, written during later boot (once
        <filename>/var/</filename> is available).</para>

        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    </para>
  </refsect1>
</refentry>