man: document where PID 1 imports credentials from
authorLennart Poettering <lennart@poettering.net>
Fri, 30 Jun 2023 09:46:16 +0000 (11:46 +0200)
committerLennart Poettering <lennart@poettering.net>
Tue, 4 Jul 2023 21:18:59 +0000 (23:18 +0200)
man/systemd.xml

index 2cffe01aff10515d12e630eba196d0ace961a8c5..754aadbb6aac386ba64c5d4c4841bc7d7f59a39c 100644 (file)
   <refsect1>
     <title>System credentials</title>
 
-    <para>The service manager when run as PID 1 reads the following system credentials:</para>
+    <para>During initialization the service manager will import credentials from various sources into the
+    system's set of credentials, which can then be propagated into services and consumed by
+    generators:</para>
+
+    <itemizedlist>
+      <listitem><para>When the service manager first initializes it will read system credentials from SMBIOS
+      Type 11 vendor strings
+      <varname>io.systemd.credential:<replaceable>name</replaceable>=<replaceable>value</replaceable></varname>,
+      and
+      <varname>io.systemd.credential.binary:<replaceable>name</replaceable>=<replaceable>value</replaceable></varname>.</para></listitem>
+
+      <listitem><para>At the same time it will import credentials from QEMU <literal>fw_cfg</literal>. (Note
+      that the SMBIOS mechanism is generally preferred, because it is faster and generic.)</para></listitem>
+
+      <listitem><para>Credentials may be passed via the kernel command line, using the
+      <varname>systemd.set-credential=</varname> parameter, see above.</para></listitem>
+
+      <listitem><para>Credentials may be passed from the UEFI environment via
+      <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
+
+      <listitem><para>When the service manager is invoked during the initrd → host transition it will import
+      all files in <filename>/run/credentials/@initrd/</filename> as system credentials.</para></listitem>
+    </itemizedlist>
+
+    <para>Invoke
+    <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry> as
+    follows to see the list of credentials passed into the system:</para>
+
+    <programlisting># systemd-creds --system list</programlisting>
+
+    <para>For further information see <ulink url="https://systemd.io/CREDENTIALS">System and Service
+    Credentials</ulink> documentation.</para>
+
+    <para>The service manager when run as PID 1 consumes the following system credentials:</para>
 
     <variablelist class='system-credentials'>
       <varlistentry>