docs: Document available crypto disks checks

Document the --cryptodisk-only argument. Also, document the
"cryptocheck" command invoked when that argument is processed.

Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/docs/grub.texi b/docs/grub.texi
index 2b3d536d326ab754760bc7d466b781cb02d5347b..48438c2b6fac5ca551b97c5432c398186a7629e1 100644 (file)
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4475,6 +4475,8 @@ This module provides library support for writing to a storage disk.
 @node diskfilter_module
 @section diskfilter
 This module provides library support for reading a disk RAID array.
+It also provides support for the command @command{cryptocheck}.
+@xref{cryptocheck} for more information.
 
 @node div_module
 @section div
@@ -6427,6 +6429,7 @@ you forget a command, you can run the command @command{help}
 * configfile::                  Load a configuration file
 * cpuid::                       Check for CPU features
 * crc::                         Compute or check CRC32 checksums
+* cryptocheck::                 Check if a device is encrypted
 * cryptomount::                 Mount a crypto device
 * cutmem::                      Remove memory regions
 * date::                        Display or set current date and time
@@ -6737,6 +6740,16 @@ Alias for @code{hashsum --hash crc32 arg @dots{}}. See command @command{hashsum}
 (@pxref{hashsum}) for full description.
 @end deffn
 
+@node cryptocheck
+@subsection cryptocheck
+
+@deffn Command cryptocheck device
+Check if a given diskfilter device is backed by encrypted devices
+(@pxref{cryptomount} for additional information).
+
+The command examines all backing devices, physical volumes, of a specified
+logical volume, like LVM2, and fails when at least one of them is unencrypted.
+@end deffn
 
 @node cryptomount
 @subsection cryptomount
@@ -7666,7 +7679,8 @@ unbootable. @xref{Using digital signatures}, for more information.
 
 @deffn Command search @
  [@option{--file}|@option{--label}|@option{--fs-uuid}] @
- [@option{--set} [var]] [@option{--no-floppy}|@option{--efidisk-only}] name
+ [@option{--set} [var]] [@option{--no-floppy}|@option{--efidisk-only}|@option{--cryptodisk-only}] @
+ name
 Search devices by file (@option{-f}, @option{--file}), filesystem label
 (@option{-l}, @option{--label}), or filesystem UUID (@option{-u},
 @option{--fs-uuid}).
@@ -7681,6 +7695,14 @@ devices, which can be slow.
 The (@option{--efidisk-only}) option prevents searching any other devices then
 EFI disks. This is typically used when chainloading to local EFI partition.
 
+The (@option{--cryptodisk-only}) option prevents searching any devices other
+than encrypted disks. This is typically used when booting from an encrypted
+file system to ensure that no code gets executed from an unencrypted device
+having the same filesystem UUID or label.
+
+This option implicitly invokes the command @command{cryptocheck}, if it is
+available (@pxref{cryptocheck} for additional information).
+
 The @samp{search.file}, @samp{search.fs_label}, and @samp{search.fs_uuid}
 commands are aliases for @samp{search --file}, @samp{search --label}, and
 @samp{search --fs-uuid} respectively.