From: Lennart Poettering Date: Mon, 2 Mar 2026 21:57:56 +0000 (+0100) Subject: docs: document the "verity" NvPCR measurements X-Git-Tag: v260-rc2~31 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=66a43b02e6e6d0e5c6ef0834ea757eb7e331bbd9;p=thirdparty%2Fsystemd.git docs: document the "verity" NvPCR measurements I forgot this when I posted 32f405074a3aa221982ad92a7f61560b9f6a2b03, let's add it now. --- diff --git a/docs/TPM2_PCR_MEASUREMENTS.md b/docs/TPM2_PCR_MEASUREMENTS.md index 53317b73274..571a4c10772 100644 --- a/docs/TPM2_PCR_MEASUREMENTS.md +++ b/docs/TPM2_PCR_MEASUREMENTS.md @@ -293,3 +293,18 @@ volume name, a ":" separator, the UUID of the LUKS superblock, a ":" separator, a brief string identifying the unlock mechanism, a ":" separator, and finally the LUKS slot number used. Example string: `cryptsetup-keyslot:root:1e023a55-60f9-4b6b-9b80-67438dc5f065:tpm2:1` + +## PCR/NvPCR Measurements Made by `systemd-veritysetup` + image dissection logic (Userspace) + +### NvPCR `verity` (base+2), Verity root hash + signature info of activated Verity images + +The `systemd-veritysetup@.service` service as well as any component using the +image dissection logic (i.e. `RootImage=` in unit files, or `systemd-nspawn +--image=`, `systemd-tmpfiles --image=` and similar) will measure information +about activated Verity images before they are activated. + +→ **Measured hash** covers the string `verity:`, followed by the Verity device +name, followed by `:`, followed by a hexadecimal formatted string indicating +the root hash of the Verity image, followed by `:`, followed by a comma +separatec list of PKCS#7 signature key's serial (formatted in hexadecimal), `/`, and +key issuer (formatted in Base64).