man: document new rootfs support for pcrlock policies

2025-03-11 20:58:27 +03:00 · 2023-11-21 22:07:59 +01:00 · 2023-11-21 22:07:59 +01:00 · 452486cdf6
commit 452486cdf6
parent c048d1d28d
1 changed files with 28 additions and 0 deletions
--- a/man/systemd-pcrlock.xml
+++ b/man/systemd-pcrlock.xml
@ -155,6 +155,19 @@
        <para>If the new prediction matches the old this command terminates quickly and executes no further
        operation. (Unless <option>--force</option> is specified, see below.)</para>

+        <para>Starting with v256, a copy of the <filename>/var/lib/systemd/pcrlock.json</filename> policy
+        file is encoded in a credential (see
+        <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
+        details) and written to the EFI System Partition or XBOOTLDR partition, in the
+        <filename>/loader/credentials/</filename> subdirectory. There it is picked up at boot by
+        <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> and
+        passed to the invoked initrd, where it can be used to unlock the root file system (which typically
+        contains <filename>/var/</filename>, which is where the primary copy of the policy is located, which
+        hence cannot be used to unlock the root file system). The credential file is named after the boot
+        entry token of the installation (see
+        <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>), which
+        is configurable via the <option>--entry-token=</option> switch, see below.</para>
+
        <xi:include href="version-info.xml" xpointer="v255"/>
        </listitem>
      </varlistentry>
@ -531,6 +544,18 @@
        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><option>--entry-token=</option></term>
+
+        <listitem><para>Sets the boot entry token to use for the file name for the pcrlock policy credential
+        in the EFI System Partition or XBOOTLDR partition. See the
+        <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> option of
+        the same regarding expected values. This switch has an effect on the
+        <command>make-policy</command> command only.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
      <xi:include href="standard-options.xml" xpointer="json" />
      <xi:include href="standard-options.xml" xpointer="no-pager" />
      <xi:include href="standard-options.xml" xpointer="help" />
@ -553,6 +578,9 @@
      <member><citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-repart</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-pcrmachine.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
     </simplelist></para>
  </refsect1>