From 572f78767f9958559aa4a3060fc5c9a006766240 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 14 Oct 2022 15:27:34 +0200 Subject: [PATCH] man: document the new crypttab measurement options --- man/crypttab.xml | 22 ++++++++++++++++++++++ man/systemd-cryptenroll.xml | 5 +++++ 2 files changed, 27 insertions(+) diff --git a/man/crypttab.xml b/man/crypttab.xml index 896a62358d0..d587f85289f 100644 --- a/man/crypttab.xml +++ b/man/crypttab.xml @@ -700,6 +700,28 @@ order). + + + + Controls whether to measure the volume key of the encrypted volume to a TPM2 PCR. If + set to "no" (which is the default) no PCR extension is done. If set to "yes" the volume key is + measured into PCR 15. If set to a decimal integer in the range 0…23 the volume key is measured into + the specified PCR. The volume key is measured along with the activated volume name and its UUID. This + functionality is particularly useful for the encrypted volume backing the root file system, as it + then allows later TPM objects to be securely bound to the root file system and hence the specific + installation. + + + + + + Selects one or more TPM2 PCR banks to measure the volume key into, as configured with + above. Multiple banks may be specified, separated by a colon + character. If not specified automatically determines available and used banks. Expects a message + digest name (e.g. sha1, sha256, …) as argument, to identify the + bank. + + diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index e4b03936a60..a654d492a11 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml @@ -324,6 +324,11 @@ 14 The shim project measures its "MOK" certificates and hashes into this PCR. + + + 15 + systemd-cryptsetup7 optionally measures the volume key of activated LUKS volumes into this PCR. + -- 2.47.3
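Review bot: in the crypttab.xml hunk the new measurement paragraph does not say what happens when no TPM2 device is available while the option is set to "yes" or to a PCR index: whether activation of the volume fails or proceeds without the measurement. That distinction matters for anyone binding later TPM objects to PCR 15 as the text suggests, so one sentence stating the failure behaviour would complete the description. Two smaller wording points in the same hunk: "If set to "no" (which is the default) no PCR extension is done." reads better with a comma after the parenthesis, and "If not specified automatically determines available and used banks." lacks a subject; suggest "If not specified, the available and used banks are determined automatically."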
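Review bot: the PCR 15 row added to the systemd-cryptenroll.xml table says the measurement is optional but does not tell the reader where it is switched on. Since the same patch documents the enabling option in crypttab.xml, the row should cross-reference crypttab(5) alongside the systemd-cryptsetup reference so that someone building a PCR 15 policy can find the option that controls whether the volume key is measured at all.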