]>
Commit | Line | Data |
---|---|---|
ca1092dc LP |
1 | <?xml version="1.0"?> |
2 | <!--*-nxml-*--> | |
3 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | |
eea10b26 | 4 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> |
ca1092dc | 5 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> |
3cf1e7d6 | 6 | <refentry id="systemd-measure" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='HAVE_TPM2 HAVE_BLKID HAVE_OPENSSL'> |
ca1092dc LP |
7 | |
8 | <refentryinfo> | |
9 | <title>systemd-measure</title> | |
10 | <productname>systemd</productname> | |
11 | </refentryinfo> | |
12 | ||
13 | <refmeta> | |
14 | <refentrytitle>systemd-measure</refentrytitle> | |
15 | <manvolnum>1</manvolnum> | |
16 | </refmeta> | |
17 | ||
18 | <refnamediv> | |
19 | <refname>systemd-measure</refname> | |
cdaaa62c | 20 | <refpurpose>Pre-calculate and sign expected TPM2 PCR values for booted unified kernel images</refpurpose> |
ca1092dc LP |
21 | </refnamediv> |
22 | ||
23 | <refsynopsisdiv> | |
24 | <cmdsynopsis> | |
dfa6c32a | 25 | <command>/usr/lib/systemd/systemd-measure</command> <arg choice="opt" rep="repeat">OPTIONS</arg> |
ca1092dc LP |
26 | </cmdsynopsis> |
27 | </refsynopsisdiv> | |
28 | ||
29 | <refsect1> | |
30 | <title>Description</title> | |
31 | ||
32 | <para>Note: this command is experimental for now. While it is likely to become a regular component of | |
33 | systemd, it might still change in behaviour and interface.</para> | |
34 | ||
cdaaa62c | 35 | <para><command>systemd-measure</command> is a tool that may be used to pre-calculate and sign the |
048bcb9d ZJS |
36 | expected TPM2 PCR 11 values that should be seen when a Linux <ulink |
37 | url="https://uapi-group.org/specifications/specs/unified_kernel_image/">Unified Kernel Image | |
38 | (UKI)</ulink> based on | |
ca1092dc | 39 | <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> is |
55c041b4 LP |
40 | booted up. It accepts paths to the ELF kernel image file, initrd image file, devicetree file, kernel |
41 | command line file, | |
2deca517 LP |
42 | <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file, boot |
43 | splash file, and TPM2 PCR PEM public key file that make up the unified kernel image, and determines the | |
44 | PCR values expected to be in place after booting the image. Calculation starts with a zero-initialized | |
048bcb9d ZJS |
45 | PCR 11, and is executed in a fashion compatible with what <filename>systemd-stub</filename> does at boot. |
46 | The result may optionally be signed cryptographically, to allow TPM2 policies that can only be unlocked | |
47 | if a certain set of kernels is booted, for which such a PCR signature can be provided.</para> | |
48 | ||
49 | <para>It usually doesn't make sense to call this tool directly when constructing a UKI. Instead, | |
50 | <citerefentry><refentrytitle>ukify</refentrytitle><manvolnum>1</manvolnum></citerefentry> should be used; | |
51 | it will invoke <command>systemd-measure</command> and take care of embedding the resulting measurements | |
52 | into the UKI.</para> | |
ca1092dc LP |
53 | </refsect1> |
54 | ||
55 | <refsect1> | |
56 | <title>Commands</title> | |
57 | ||
58 | <para>The following commands are understood:</para> | |
59 | ||
60 | <variablelist> | |
61 | <varlistentry> | |
62 | <term><command>status</command></term> | |
63 | ||
64 | <listitem><para>This is the default command if none is specified. This queries the local system's | |
65 | TPM2 PCR 11+12+13 values and displays them. The data is written in a similar format as the | |
66 | <command>calculate</command> command below, and may be used to quickly compare expectation with | |
ec07c3c8 AK |
67 | reality.</para> |
68 | ||
69 | <xi:include href="version-info.xml" xpointer="v252"/></listitem> | |
ca1092dc LP |
70 | </varlistentry> |
71 | ||
72 | <varlistentry> | |
73 | <term><command>calculate</command></term> | |
74 | ||
cdaaa62c | 75 | <listitem><para>Pre-calculate the expected values seen in PCR register 11 after boot-up of a unified |
ca1092dc LP |
76 | kernel image consisting of the components specified with <option>--linux=</option>, |
77 | <option>--osrel=</option>, <option>--cmdline=</option>, <option>--initrd=</option>, | |
590ac4bd TF |
78 | <option>--ucode=</option>, <option>--splash=</option>, <option>--dtb=</option>, |
79 | <option>--uname=</option>, <option>--sbat=</option>, <option>--pcrpkey=</option> see below. | |
80 | Only <option>--linux=</option> is mandatory. (Alternatively, specify <option>--current</option> to use the current values of PCR | |
4e72e156 | 81 | register 11 instead.)</para> |
ec07c3c8 AK |
82 | |
83 | <xi:include href="version-info.xml" xpointer="v252"/> | |
d5f91cf7 | 84 | </listitem> |
cdaaa62c LP |
85 | </varlistentry> |
86 | ||
87 | <varlistentry> | |
88 | <term><command>sign</command></term> | |
89 | ||
90 | <listitem><para>As with the <command>calculate</command> command, pre-calculate the expected value | |
91 | seen in TPM2 PCR register 11 after boot-up of a unified kernel image. Then, cryptographically sign | |
92 | the resulting values with the private/public key pair (RSA) configured via | |
93 | <option>--private-key=</option> and <option>--public-key=</option>. This will write a JSON object to | |
8b9f0921 | 94 | standard output that contains signatures for all specified PCR banks (see the |
916db27f | 95 | <option>--bank=</option> option below), which may be used to unlock encrypted credentials (see |
cdaaa62c LP |
96 | <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>) or |
97 | LUKS volumes (see | |
8b9f0921 ZJS |
98 | <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>). |
99 | This allows binding secrets to a set of kernels for which such PCR 11 signatures can be | |
100 | provided.</para> | |
cdaaa62c LP |
101 | |
102 | <para>Note that a TPM2 device must be available for this signing to take place, even though the | |
ec07c3c8 AK |
103 | result is not tied to any TPM2 device or its state.</para> |
104 | ||
105 | <xi:include href="version-info.xml" xpointer="v252"/></listitem> | |
ca1092dc LP |
106 | </varlistentry> |
107 | </variablelist> | |
108 | </refsect1> | |
109 | ||
110 | <refsect1> | |
111 | <title>Options</title> | |
112 | ||
113 | <para>The following options are understood:</para> | |
114 | ||
115 | <variablelist> | |
116 | <varlistentry> | |
8b9f0921 ZJS |
117 | <term><option>--linux=<replaceable>PATH</replaceable></option></term> |
118 | <term><option>--osrel=<replaceable>PATH</replaceable></option></term> | |
119 | <term><option>--cmdline=<replaceable>PATH</replaceable></option></term> | |
120 | <term><option>--initrd=<replaceable>PATH</replaceable></option></term> | |
590ac4bd | 121 | <term><option>--ucode=<replaceable>PATH</replaceable></option></term> |
8b9f0921 ZJS |
122 | <term><option>--splash=<replaceable>PATH</replaceable></option></term> |
123 | <term><option>--dtb=<replaceable>PATH</replaceable></option></term> | |
4e72e156 | 124 | <term><option>--uname=<replaceable>PATH</replaceable></option></term> |
d5f91cf7 | 125 | <term><option>--sbat=<replaceable>PATH</replaceable></option></term> |
8b9f0921 | 126 | <term><option>--pcrpkey=<replaceable>PATH</replaceable></option></term> |
ca1092dc | 127 | |
cdaaa62c LP |
128 | <listitem><para>When used with the <command>calculate</command> or <command>sign</command> verb, |
129 | configures the files to read the unified kernel image components from. Each option corresponds with | |
130 | the equally named section in the unified kernel PE file. The <option>--linux=</option> switch expects | |
131 | the path to the ELF kernel file that the unified PE kernel will wrap. All switches except | |
aefdc112 AK |
132 | <option>--linux=</option> are optional. Each option may be used at most once.</para> |
133 | ||
134 | <xi:include href="version-info.xml" xpointer="v252"/></listitem> | |
ca1092dc LP |
135 | </varlistentry> |
136 | ||
127b72da LP |
137 | <varlistentry> |
138 | <term><option>--current</option></term> | |
cdaaa62c LP |
139 | <listitem><para>When used with the <command>calculate</command> or <command>sign</command> verb, |
140 | takes the PCR 11 values currently in effect for the system (which should typically reflect the hashes | |
141 | of the currently booted kernel). This can be used in place of <option>--linux=</option> and the other | |
ec07c3c8 AK |
142 | switches listed above.</para> |
143 | ||
144 | <xi:include href="version-info.xml" xpointer="v252"/></listitem> | |
127b72da LP |
145 | </varlistentry> |
146 | ||
ca1092dc | 147 | <varlistentry> |
8b9f0921 | 148 | <term><option>--bank=<replaceable>DIGEST</replaceable></option></term> |
ca1092dc LP |
149 | |
150 | <listitem><para>Controls the PCR banks to pre-calculate the PCR values for – in case | |
cdaaa62c LP |
151 | <command>calculate</command> or <command>sign</command> is invoked –, or the banks to show in the |
152 | <command>status</command> output. May be used more then once to specify multiple banks. If not | |
153 | specified, defaults to the four banks <literal>sha1</literal>, <literal>sha256</literal>, | |
ec07c3c8 AK |
154 | <literal>sha384</literal>, <literal>sha512</literal>.</para> |
155 | ||
156 | <xi:include href="version-info.xml" xpointer="v252"/></listitem> | |
cdaaa62c LP |
157 | </varlistentry> |
158 | ||
159 | <varlistentry> | |
8b9f0921 ZJS |
160 | <term><option>--private-key=<replaceable>PATH</replaceable></option></term> |
161 | <term><option>--public-key=<replaceable>PATH</replaceable></option></term> | |
ed896a5b | 162 | <term><option>--certificate=<replaceable>PATH</replaceable></option></term> |
cdaaa62c LP |
163 | |
164 | <listitem><para>These switches take paths to a pair of PEM encoded RSA key files, for use with | |
2deca517 LP |
165 | the <command>sign</command> command.</para> |
166 | ||
167 | <para>Note the difference between the <option>--pcrpkey=</option> and <option>--public-key=</option> | |
168 | switches. The former selects the data to include in the <literal>.pcrpkey</literal> PE section of the | |
169 | unified kernel image, the latter picks the public key of the key pair used to sign the resulting PCR | |
170 | 11 values. The former is the key that the booted system will likely use to lock disk and credential | |
171 | encryption to, the latter is the key used for unlocking such resources again. Hence, typically the | |
a434e25f LP |
172 | same PEM key should be supplied in both cases.</para> |
173 | ||
174 | <para>If the <option>--public-key=</option> is not specified but <option>--private-key=</option> is | |
ec07c3c8 AK |
175 | specified the public key is automatically derived from the private key.</para> |
176 | ||
ed896a5b LB |
177 | <para><option>--certificate=</option> can be used to specify an X.509 certificate as an alternative |
178 | to <option>--public-key=</option> since v256.</para> | |
179 | ||
ec07c3c8 | 180 | <xi:include href="version-info.xml" xpointer="v252"/></listitem> |
cdaaa62c LP |
181 | </varlistentry> |
182 | ||
ed896a5b LB |
183 | <varlistentry> |
184 | <term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term> | |
185 | <term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term> | |
186 | <term><option>--certificate=<replaceable>PATH</replaceable></option></term> | |
187 | ||
188 | <listitem><para>As an alternative to <option>--public-key=</option> for the | |
189 | <command>sign</command> command, these switches can be used to sign with an hardware token. The | |
190 | private key option can take a path or a URI that will be passed to the OpenSSL engine or | |
191 | provider, as specified by <option>--private-key-source=</option> as a type:name tuple, such as | |
192 | engine:pkcs11. The specified OpenSSL signing engine or provider will be used to sign.</para> | |
193 | ||
194 | <xi:include href="version-info.xml" xpointer="v256"/></listitem> | |
195 | </varlistentry> | |
196 | ||
cdaaa62c | 197 | <varlistentry> |
9bfabe14 | 198 | <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term> |
cdaaa62c LP |
199 | |
200 | <listitem><para>Controls which TPM2 device to use. Expects a device node path referring to the TPM2 | |
201 | chip (e.g. <filename>/dev/tpmrm0</filename>). Alternatively the special value <literal>auto</literal> | |
202 | may be specified, in order to automatically determine the device node of a suitable TPM2 device (of | |
203 | which there must be exactly one). The special value <literal>list</literal> may be used to enumerate | |
ec07c3c8 AK |
204 | all suitable TPM2 devices currently discovered.</para> |
205 | ||
206 | <xi:include href="version-info.xml" xpointer="v252"/></listitem> | |
ca1092dc LP |
207 | </varlistentry> |
208 | ||
6ca00163 | 209 | <varlistentry> |
9bfabe14 | 210 | <term><option>--phase=<replaceable>PHASE</replaceable></option></term> |
6ca00163 | 211 | |
0923b425 | 212 | <listitem><para>Controls which boot phases to calculate expected PCR 11 values for. This takes a |
6ca00163 LP |
213 | series of colon-separated strings that encode boot "paths" for entering a specific phase of the boot |
214 | process. Each of the specified strings is measured by the | |
32295fa0 LP |
215 | <filename>systemd-pcrphase-initrd.service</filename>, |
216 | <filename>systemd-pcrphase-sysinit.service</filename>, and | |
6ca00163 LP |
217 | <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
218 | into PCR 11 during different milestones of the boot process. This switch may be specified multiple | |
219 | times to calculate PCR values for multiple boot phases at once. If not used defaults to | |
220 | <literal>enter-initrd</literal>, <literal>enter-initrd:leave-initrd</literal>, | |
047273e6 LP |
221 | <literal>enter-initrd:leave-initrd:sysinit</literal>, |
222 | <literal>enter-initrd:leave-initrd:sysinit:ready</literal>, i.e. calculates expected PCR values for | |
223 | the boot phase in the initrd, during early boot, during later boot, and during system runtime, but | |
224 | excluding the phases before the initrd or when shutting down. This setting is honoured both by | |
225 | <command>calculate</command> and <command>sign</command>. When used with the latter it's particularly | |
226 | useful for generating PCR signatures that can only be used for unlocking resources during specific | |
227 | parts of the boot process.</para> | |
6ca00163 LP |
228 | |
229 | <para>For further details about PCR boot phases, see | |
ec07c3c8 AK |
230 | <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> |
231 | ||
232 | <xi:include href="version-info.xml" xpointer="v252"/></listitem> | |
6ca00163 LP |
233 | </varlistentry> |
234 | ||
a5c690a8 | 235 | <varlistentry> |
9bfabe14 | 236 | <term><option>--append=<replaceable>PATH</replaceable></option></term> |
a5c690a8 LP |
237 | |
238 | <listitem><para>When generating a PCR JSON signature (via the <command>sign</command> command), | |
239 | combine it with a previously generated PCR JSON signature, and output it as one. The specified path | |
240 | must refer to a regular file that contains a valid JSON PCR signature object. The specified file is | |
241 | not modified. It will be read first, then the newly generated signature appended to it, and the | |
242 | resulting object is written to standard output. Use this to generate a single JSON object consisting | |
243 | from signatures made with a number of signing keys (for example, to have one key per boot phase). The | |
244 | command will suppress duplicates: if a specific signature is already included in a JSON signature | |
ec07c3c8 AK |
245 | object it is not added a second time.</para> |
246 | ||
247 | <xi:include href="version-info.xml" xpointer="v253"/></listitem> | |
a5c690a8 LP |
248 | </varlistentry> |
249 | ||
c06b6d46 LP |
250 | <xi:include href="standard-options.xml" xpointer="json" /> |
251 | <xi:include href="standard-options.xml" xpointer="no-pager" /> | |
ca1092dc LP |
252 | <xi:include href="standard-options.xml" xpointer="help" /> |
253 | <xi:include href="standard-options.xml" xpointer="version" /> | |
254 | </variablelist> | |
255 | </refsect1> | |
256 | ||
257 | <refsect1> | |
258 | <title>Examples</title> | |
259 | ||
260 | <example> | |
261 | <title>Generate a unified kernel image, and calculate the expected TPM PCR 11 value</title> | |
262 | ||
048bcb9d ZJS |
263 | <programlisting>$ ukify --output=vmlinux.efi \ |
264 | --os-release=@os-release.txt \ | |
265 | --cmdline=@cmdline.txt \ | |
266 | --splash=splash.bmp \ | |
267 | --devicetree=devicetree.dtb \ | |
e069c57f JJ |
268 | --measure \ |
269 | vmlinux initrd.cpio | |
ca1092dc LP |
270 | 11:sha1=d775a7b4482450ac77e03ee19bda90bd792d6ec7 |
271 | 11:sha256=bc6170f9ce28eb051ab465cd62be8cf63985276766cf9faf527ffefb66f45651 | |
048bcb9d ZJS |
272 | 11:sha384=1cf67dff4757e61e5...7f49ad720be02fd07263e1f93061243aec599d1ee4b4 |
273 | 11:sha512=8e79acd3ddbbc8282...0c3e8ec0c714821032038f525f744960bcd082d937da | |
ca1092dc | 274 | </programlisting> |
048bcb9d ZJS |
275 | |
276 | <para><citerefentry><refentrytitle>ukify</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
277 | internally calls <command>systemd-measure</command>. The output with hashes is from | |
278 | <command>systemd-measure</command>.</para> | |
ca1092dc | 279 | </example> |
cdaaa62c LP |
280 | |
281 | <example> | |
048bcb9d | 282 | <title>Generate a private/public key pair, a unified kernel image, and a TPM PCR 11 signature for |
2deca517 | 283 | it, and embed the signature and the public key in the image</title> |
cdaaa62c | 284 | |
048bcb9d ZJS |
285 | <programlisting>$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private.pem |
286 | ..+.+++++++++......+.........+......+.......+....+.....+.+...+.......... | |
287 | $ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem | |
cdaaa62c LP |
288 | # systemd-measure sign \ |
289 | --linux=vmlinux \ | |
290 | --osrel=os-release.txt \ | |
291 | --cmdline=cmdline.txt \ | |
292 | --initrd=initrd.cpio \ | |
293 | --splash=splash.bmp \ | |
294 | --dtb=devicetree.dtb \ | |
2deca517 | 295 | --pcrpkey=tpm2-pcr-public.pem \ |
cdaaa62c LP |
296 | --bank=sha1 \ |
297 | --bank=sha256 \ | |
298 | --private-key=tpm2-pcr-private.pem \ | |
7a17e41d | 299 | --public-key=tpm2-pcr-public.pem >tpm2-pcr-signature.json |
048bcb9d ZJS |
300 | # ukify --output=vmlinuz.efi \ |
301 | --os-release=@os-release.txt \ | |
302 | --cmdline=@cmdline.txt \ | |
303 | --splash=splash.bmp \ | |
304 | --devicetree=devicetree.dtb \ | |
305 | --pcr-private-key=tpm2-pcr-private.pem \ | |
306 | --pcr-public-key=tpm2-pcr-public.pem \ | |
307 | --pcr-banks=sha1,sha256 \ | |
e069c57f | 308 | vmlinux initrd.cpio</programlisting> |
cdaaa62c LP |
309 | |
310 | <para>Later on, enroll the signed PCR policy on a LUKS volume:</para> | |
311 | ||
048bcb9d ZJS |
312 | <programlisting># systemd-cryptenroll --tpm2-device=auto \ |
313 | --tpm2-public-key=tpm2-pcr-public.pem \ | |
314 | --tpm2-signature=tpm2-pcr-signature.json \ | |
315 | /dev/sda5</programlisting> | |
cdaaa62c LP |
316 | |
317 | <para>And then unlock the device with the signature:</para> | |
318 | ||
fb8d67cd | 319 | <programlisting># systemd-cryptsetup attach \ |
048bcb9d ZJS |
320 | volume5 /dev/sda5 - \ |
321 | tpm2-device=auto,tpm2-signature=/path/to/tpm2-pcr-signature.json</programlisting> | |
2deca517 | 322 | |
048bcb9d | 323 | <para>Note that when the generated unified kernel image <filename>vmlinux.efi</filename> is booted, the |
2deca517 LP |
324 | signature and public key files will be placed at locations <command>systemd-cryptenroll</command> and |
325 | <command>systemd-cryptsetup</command> will look for anyway, and thus these paths do not actually need to | |
326 | be specified.</para> | |
cdaaa62c | 327 | </example> |
7eb51b8e LP |
328 | |
329 | <example> | |
330 | <title>Introduce a second public key, signing the same kernel PCR measurements, but only for the initrd boot phase</title> | |
331 | ||
332 | <para>This example extends the previous one, but we now introduce a second signing key that is only | |
333 | used to sign PCR policies restricted to the initrd boot phase. This can be used to lock down root | |
334 | volumes in a way that they can only be unlocked before the transition to the host system. Thus we have | |
335 | two classes of secrets or credentials: one that can be unlocked during the entire runtime, and the | |
336 | other that can only be used in the initrd.</para> | |
337 | ||
048bcb9d ZJS |
338 | <programlisting>$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private.pem |
339 | .+........+.+........+.......+...+...+........+....+......+..+.......... | |
340 | $ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem | |
341 | $ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-initrd-private.pem | |
342 | ..+.......++........+........+......+........+....+.....+.+..+.......... | |
343 | $ openssl rsa -pubout -in tpm2-pcr-initrd-private.pem -out tpm2-pcr-initrd-public.pem | |
344 | # ukify --output vmlinux-1.2.3.efi \ | |
345 | --os-release=@os-release.txt \ | |
346 | --cmdline=@cmdline.txt \ | |
7eb51b8e | 347 | --splash=splash.bmp \ |
048bcb9d ZJS |
348 | --devicetree=devicetree.dtb \ |
349 | --pcr-private-key=tpm2-pcr-private.pem \ | |
350 | --pcr-public-key=tpm2-pcr-public.pem \ | |
351 | --phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \ | |
352 | --pcr-banks=sha1,sha256 \ | |
353 | --pcr-private-key=tpm2-pcr-initrd-private.pem \ | |
354 | --pcr-public-key=tpm2-pcr-initrd-public.pem \ | |
355 | --phases=enter-initrd \ | |
356 | vmlinux-1.2.3 initrd.cpio \ | |
357 | --uname=1.2.3 | |
358 | + /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \ | |
359 | --osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \ | |
360 | --splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \ | |
361 | --private-key=tpm2-pcr-private.pem --public-key=tpm2-pcr-public.pem \ | |
362 | --phase=enter-initrd --phase=enter-initrd:leave-initrd \ | |
363 | --phase=enter-initrd:leave-initrd:sysinit \ | |
364 | --phase=enter-initrd:leave-initrd:sysinit:ready | |
365 | + /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \ | |
366 | --osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \ | |
367 | --splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \ | |
368 | --private-key=tpm2-pcr-initrd-private.pem \ | |
369 | --public-key=tpm2-pcr-initrd-public.pem \ | |
370 | --phase=enter-initrd | |
371 | Wrote unsigned vmlinux-1.2.3.efi | |
372 | </programlisting> | |
373 | ||
374 | <para><command>ukify</command> prints out both invocations of <command>systemd-measure</command> as | |
375 | informative output (the lines starting with <literal>+</literal>); this allows us to see how | |
376 | <command>systemd-measure</command> is called. It then merges the output of both invocations into the | |
377 | <literal>.pcrsig</literal> section. <command>systemd-measure</command> may also do this merge itself | |
378 | using the <option>--append=</option> option.</para> | |
379 | ||
380 | <para>Note that in this example the <literal>.pcrpkey</literal> PE section contains the key specified | |
381 | by the first <option>--pcr-private-key=</option> option, covering all boot phases. The | |
382 | <literal>.pcrpkey</literal> section is used in the default policies of | |
383 | <command>systemd-cryptenroll</command> and <command>systemd-creds</command>. To use the stricter policy | |
384 | bound to <filename>tpm-pcr-initrd-public.pem</filename>, specify <option>--tpm2-public-key=</option> on | |
385 | the command line of those tools.</para> | |
7eb51b8e | 386 | </example> |
ca1092dc LP |
387 | </refsect1> |
388 | ||
389 | <refsect1> | |
390 | <title>Exit status</title> | |
391 | ||
392 | <para>On success, 0 is returned, a non-zero failure code otherwise.</para> | |
393 | </refsect1> | |
394 | ||
395 | <refsect1> | |
396 | <title>See Also</title> | |
13a69c12 DT |
397 | <para><simplelist type="inline"> |
398 | <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> | |
399 | <member><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry></member> | |
400 | <member><citerefentry><refentrytitle>ukify</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> | |
401 | <member><citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> | |
402 | <member><citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member> | |
403 | <member><citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member> | |
404 | </simplelist></para> | |
ca1092dc LP |
405 | </refsect1> |
406 | ||
407 | </refentry> |