mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
man: document the new crypttab measurement options
parent
94c0c85e30
commit
572f78767f
@ -700,6 +700,28 @@
|
||||
order).</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>tpm2-measure-pcr=</option></term>
|
||||
|
||||
<listitem><para>Controls whether to measure the volume key of the encrypted volume to a TPM2 PCR. If
|
||||
set to "no" (which is the default) no PCR extension is done. If set to "yes" the volume key is
|
||||
measured into PCR 15. If set to a decimal integer in the range 0…23 the volume key is measured into
|
||||
the specified PCR. The volume key is measured along with the activated volume name and its UUID. This
|
||||
functionality is particularly useful for the encrypted volume backing the root file system, as it
|
||||
then allows later TPM objects to be securely bound to the root file system and hence the specific
|
||||
installation.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>tpm2-measure-bank=</option></term>
|
||||
|
||||
<listitem><para>Selects one or more TPM2 PCR banks to measure the volume key into, as configured with
|
||||
<option>tpm2-measure-pcr=</option> above. Multiple banks may be specified, separated by a colon
|
||||
character. If not specified automatically determines available and used banks. Expects a message
|
||||
digest name (e.g. <literal>sha1</literal>, <literal>sha256</literal>, …) as argument, to identify the
|
||||
bank.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>token-timeout=</option></term>
|
||||
|
||||
|
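Review bot: The tpm2-measure-pcr= paragraph says the volume key is measured "along with the activated volume name and its UUID" but does not say in what form the three are combined before the PCR is extended. A sentence on that would let readers judge whether raw key material is ever recorded anywhere. In the same paragraph the values "no" and "yes" are in plain quotes, while the tpm2-measure-bank= paragraph below marks up sha1 and sha256 with <literal>; use <literal>no</literal> and <literal>yes</literal> for consistency. In the tpm2-measure-bank= paragraph, "If not specified automatically determines available and used banks" lacks a subject and a comma; suggest "If not specified, the available and used banks are determined automatically."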
@ -324,6 +324,11 @@
|
||||
<entry>14</entry>
|
||||
<entry>The shim project measures its "MOK" certificates and hashes into this PCR.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>15</entry>
|
||||
<entry><citerefentry><refentrytitle>systemd-cryptsetup</refentrytitle><manvolnum>7</manvolnum></citerefentry> optionally measures the volume key of activated LUKS volumes into this PCR.</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
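Review bot: The new PCR 15 row says the volume key is "optionally" measured "into this PCR" without naming the option that enables it, and per the crypttab hunk PCR 15 is only what tpm2-measure-pcr=yes selects, since any index in 0…23 may be configured instead. Suggest naming tpm2-measure-pcr= in the entry and citing crypttab(5), so readers of the PCR table can find the switch and know that 15 is the default target rather than a fixed one. Also please double-check the <manvolnum>7</manvolnum> on the systemd-cryptsetup citerefentry against the section that page is actually installed in.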