mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

man: document the new crypttab measurement options

Lennart Poettering 2022-10-14 15:27:34 +02:00
parent 94c0c85e30
commit 572f78767f
2 changed files with 27 additions and 0 deletions


@ -700,6 +700,28 @@
order).</para></listitem>
</varlistentry>
<varlistentry>
<term><option>tpm2-measure-pcr=</option></term>
<listitem><para>Controls whether to measure the volume key of the encrypted volume to a TPM2 PCR. If
set to "no" (which is the default) no PCR extension is done. If set to "yes" the volume key is
measured into PCR 15. If set to a decimal integer in the range 0…23 the volume key is measured into
the specified PCR. The volume key is measured along with the activated volume name and its UUID. This
functionality is particularly useful for the encrypted volume backing the root file system, as it
then allows later TPM objects to be securely bound to the root file system and hence the specific
installation.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>tpm2-measure-bank=</option></term>
<listitem><para>Selects one or more TPM2 PCR banks to measure the volume key into, as configured with
<option>tpm2-measure-pcr=</option> above. Multiple banks may be specified, separated by a colon
character. If not specified automatically determines available and used banks. Expects a message
digest name (e.g. <literal>sha1</literal>, <literal>sha256</literal>, …) as argument, to identify the
bank.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>token-timeout=</option></term>
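Review bot: The tpm2-measure-pcr= paragraph says the volume key "is measured" into the PCR but never says what is actually extended. Since PCR contents are not secret, please state whether the measurement is a value derived from the key, together with the volume name and UUID, rather than the key itself, so readers can judge exposure. It would also help to note that enabling the option on more than one volume makes the final PCR value depend on every such volume being activated, which matters for the "bound to the root file system" use case the text describes. Two style points: "no" and "yes" are in plain quotes while the tpm2-measure-bank= entry uses <literal> for sha1 and sha256, so use <literal> here as well; and "If not specified automatically determines available and used banks" has no subject, so suggest "If not specified, the available and used banks are determined automatically."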


@ -324,6 +324,11 @@
<entry>14</entry>
<entry>The shim project measures its "MOK" certificates and hashes into this PCR.</entry>
</row>
<row>
<entry>15</entry>
<entry><citerefentry><refentrytitle>systemd-cryptsetup</refentrytitle><manvolnum>7</manvolnum></citerefentry> optionally measures the volume key of activated LUKS volumes into this PCR.</entry>
</row>
</tbody>
</tgroup>
</table>
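Review bot: The new PCR 15 row says systemd-cryptsetup "optionally measures" the volume key but does not name the switch that turns this on. Please mention tpm2-measure-pcr= and point to the crypttab page where it is documented, and note that 15 is only the default chosen by "yes", since the option also accepts any PCR in 0…23. Also check the manvolnum of 7 in the citerefentry: section 7 is normally used for overview pages, so confirm it matches the section the systemd-cryptsetup page is actually installed in, otherwise the cross-reference will not resolve.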