man: document new machine-id/fs measurement options

2025-05-27 21:05:55 +03:00 · 2022-10-17 15:20:53 +02:00 · 2022-10-17 15:20:53 +02:00 · 2bd33c909c
commit 2bd33c909c
parent 6c51b49ce0
3 changed files with 64 additions and 6 deletions
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@ -966,7 +966,10 @@ manpages = [
 ['systemd-path', '1', [], ''],
 ['systemd-pcrphase.service',
  '8',
-  ['systemd-pcrphase',
+  ['systemd-pcrfs-root.service',
+   'systemd-pcrfs@.service',
+   'systemd-pcrmachine.service',
+   'systemd-pcrphase',
   'systemd-pcrphase-initrd.service',
   'systemd-pcrphase-sysinit.service'],
  'HAVE_GNU_EFI'],
--- a/man/systemd-pcrphase.service.xml
+++ b/man/systemd-pcrphase.service.xml
@ -20,15 +20,21 @@
    <refname>systemd-pcrphase.service</refname>
    <refname>systemd-pcrphase-sysinit.service</refname>
    <refname>systemd-pcrphase-initrd.service</refname>
+    <refname>systemd-pcrmachine.service</refname>
+    <refname>systemd-pcrfs-root.service</refname>
+    <refname>systemd-pcrfs@.service</refname>
    <refname>systemd-pcrphase</refname>
-    <refpurpose>Measure boot phase into TPM2 PCR 11</refpurpose>
+    <refpurpose>Measure boot phase into TPM2 PCR 11, machine ID and file system identity into PCR 15</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>systemd-pcrphase.service</filename></para>
    <para><filename>systemd-pcrphase-sysinit.service</filename></para>
    <para><filename>systemd-pcrphase-initrd.service</filename></para>
-    <para><filename>/usr/lib/systemd/system-pcrphase</filename> <replaceable>STRING</replaceable></para>
+    <para><filename>systemd-pcrmachine.service</filename></para>
+    <para><filename>systemd-pcrfs-root.service</filename></para>
+    <para><filename>systemd-pcrfs@.service</filename></para>
+    <para><filename>/usr/lib/systemd/system-pcrphase</filename> <optional><replaceable>STRING</replaceable></optional></para>
  </refsynopsisdiv>

  <refsect1>
@ -39,13 +45,23 @@
    <filename>systemd-pcrphase-initrd.service</filename> are system services that measure specific strings
    into TPM2 PCR 11 during boot at various milestones of the boot process.</para>

+    <para><filename>systemd-pcrmachine.service</filename> is a system service that measures the machine ID
+    (see <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>) into
+    PCR 15.</para>
+
+    <para><filename>systemd-pcrfs-root.service</filename> and <filename>systemd-pcrfs@.service</filename> are
+    services that measure file system identity information (i.e. mount point, file system type, label and
+    UUID, partition label and UUID) into PCR 15. <filename>systemd-pcrfs-root.service</filename> does so for
+    the root file system, <filename>systemd-pcrfs@.service</filename> is a template unit that measures the
+    file system indicated by its instance identifier instead.</para>
+
    <para>These services require
    <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> to be
    used in a unified kernel image (UKI). They execute no operation when the stub has not been used to invoke
    the kernel. The stub will measure the invoked kernel and associated vendor resources into PCR 11 before
    handing control to it; once userspace is invoked these services then will extend TPM2 PCR 11 with certain
-    literal strings indicating phases of the boot process. During a regular boot process the following
-    strings are used:</para>
+    literal strings indicating phases of the boot process. During a regular boot process PCR 11 is extended
+    with the following strings:</para>

    <orderedlist>
      <listitem><para><literal>enter-initrd</literal> — early when the initrd initializes, before activating
@ -102,6 +118,14 @@
    <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry> to
    pre-calculate expected PCR 11 values for specific boot phases (via the <option>--phase=</option> switch).
    </para>
+
+    <para><filename>systemd-pcrfs-root.service</filename> and <filename>systemd-pcrfs@.service</filename> are
+    automatically pulled into the initial transaction by
+    <citerefentry><refentrytitle>systemd-gpt-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    for the root and <filename>/var/</filename> file
+    systems. <citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    will do this for all mounts with the <option>x-systemd.pcrfs</option> mount option in
+    <filename>/etc/fstab</filename>.</para>
  </refsect1>

  <refsect1>
@ -137,6 +161,21 @@
        TPM2 device will cause the invocation to fail.</para></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><option>--machine-id</option></term>
+
+        <listitem><para>Instead of measuring a word specified on the command line into PCR 11, measure the
+        host's machine ID into PCR 15.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--file-system=</option></term>
+
+        <listitem><para>Instead of measuring a word specified on the command line into PCR 11, measure
+        identity information of the specified file system into PCR 15. The parameter must be the path to the
+        established mount point of the file system to measure.</para></listitem>
+      </varlistentry>
+
      <xi:include href="standard-options.xml" xpointer="help" />
      <xi:include href="standard-options.xml" xpointer="version" />

@ -148,7 +187,9 @@
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+      <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>systemd-gpt-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

--- a/man/systemd.mount.xml
+++ b/man/systemd.mount.xml
@ -366,6 +366,20 @@
        <varname>Options=</varname> setting in a unit file.</para></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><option>x-systemd.pcrfs</option></term>
+
+        <listitem><para>Measures file system identity information (mount point, type, label, UUID, partition
+        label, partition UUID) into PCR 15 after the file system has been mounted. This ensures the
+        <citerefentry><refentrytitle>systemd-pcrfs@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        or <filename>systemd-pcrfs-root.service</filename> services are pulled in by the mount unit.</para>
+
+        <para>Note that this option can only be used in <filename>/etc/fstab</filename>, and will be ignored
+        when part of the <varname>Options=</varname> setting in a unit file. It is also implied for the root
+        and <filename>/usr/</filename> partitions dicovered by
+        <citerefentry><refentrytitle>systemd-gpt-auto-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para></listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><option>x-systemd.rw-only</option></term>