diff --git a/man/systemd-pcrlock.xml b/man/systemd-pcrlock.xml
index 6204e0b353e..48a23dbf641 100644
--- a/man/systemd-pcrlock.xml
+++ b/man/systemd-pcrlock.xml
@@ -155,6 +155,19 @@
If the new prediction matches the old this command terminates quickly and executes no further
operation. (Unless is specified, see below.)
+ Starting with v256, a copy of the /var/lib/systemd/pcrlock.json policy
+ file is encoded in a credential (see
+ systemd-creds1 for
+ details) and written to the EFI System Partition or XBOOTLDR partition, in the
+ /loader/credentials/ subdirectory. There it is picked up at boot by
+ systemd-stub7 and
+ passed to the invoked initrd, where it can be used to unlock the root file system (which typically
+ contains /var/, which is where the primary copy of the policy is located, which
+ hence cannot be used to unlock the root file system). The credential file is named after the boot
+ entry token of the installation (see
+ bootctl1), which
+ is configurable via the switch, see below.
+
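Review bot: The added paragraph says the policy copy is "encoded in a credential" and written to /loader/credentials/ on the EFI System Partition or XBOOTLDR partition, but it does not say what protects that copy there (whether the credential is encrypted or authenticated, and against what). Because the copy lives outside the root file system it is meant to help unlock, a sentence stating the protection, or pointing to the relevant part of systemd-creds(1), would answer the first question a reader will have. Separately, the parenthetical "(which typically contains /var/, which is where the primary copy of the policy is located, which hence cannot be used ...)" chains three "which" clauses and is hard to parse; consider splitting it into its own sentence explaining why the primary copy in /var/ is not available in the initrd.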
@@ -531,6 +544,18 @@
+
+
+
+ Sets the boot entry token to use for the file name for the pcrlock policy credential
+ in the EFI System Partition or XBOOTLDR partition. See the
+ bootctl1 option of
+ the same regarding expected values. This switch has an effect on the
+ make-policy command only.
+
+
+
+
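Review bot: In the new option description, "option of the same regarding expected values" appears to be missing a word (probably "option of the same name"). The description also does not say which token is used when the switch is omitted, although the first hunk states that the credential file is named after the boot entry token of the installation; documenting the default here, or stating that it follows bootctl(1)'s, would make it clear when the switch actually needs to be given.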
@@ -553,6 +578,9 @@
systemd-cryptsetup@.service8systemd-repart8systemd-pcrmachine.service8
+ systemd-creds1
+ systemd-stub7
+ bootctl1