From 3ae48d071cc7d039e1bd58d073bf4cba8724849b Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 22 Nov 2024 10:10:11 +0100 Subject: [PATCH 1/2] man: add enrollment type sections to cryptenroll man page We have the same sections in the --help text, hence we even more so should have them in the man page. --- man/systemd-cryptenroll.xml | 87 +++++++++++++++++++++++++++---------- 1 file changed, 64 insertions(+), 23 deletions(-) diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index 63d378fbc62..8ac98a6cf7f 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml @@ -265,32 +265,11 @@ - Options + Unlocking - The following options are understood: + The following options are understood that may be used to unlock the device in preparation of the enrollment operations: - - - - Enroll a regular password/passphrase. This command is mostly equivalent to - cryptsetup luksAddKey, however may be combined with - in one call, see below. - - - - - - - - Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are - computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The - key uses a character set that is easy to type in, and may be scanned off screen via a QR code. - - - - - 
@@ -328,7 +307,45 @@ + + + + Simple Enrollment + + The following options are understood that may be used to enroll simple user input based + unlocking: + + + + + + Enroll a regular password/passphrase. This command is mostly equivalent to + cryptsetup luksAddKey, however may be combined with + in one call, see below. + + + + + + + + Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are + computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The + key uses a character set that is easy to type in, and may be scanned off screen via a QR code. + + + + + + + + + PKCS#11 Enrollment + + The following option is understood that may be used to enroll PKCS#11 tokens: + + @@ -361,7 +378,15 @@ + + + + FIDO2 Enrollment + + The following options are understood that may be used to enroll PKCS#11 tokens: + + Specify COSE algorithm used in credential generation. The default value is @@ -461,7 +486,15 @@ + + + + TPM2 Enrollment + + The following options are understood that may be used to enroll TPM2 devices: + + @@ -636,7 +669,15 @@ + + + + Other Options + + The following additional options are understood: + + From cc6baba7200bd8171b6beff446b4009dad5c4230 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 22 Nov 2024 10:11:04 +0100 Subject: [PATCH 2/2] cryptenroll: it's called PKCS#11, not PKCS11 In the --help text we really should use the official spelling, just like in the man page. --- src/cryptenroll/cryptenroll.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c index e1f72a35298..dccb320c5dc 100644 --- a/src/cryptenroll/cryptenroll.c +++ b/src/cryptenroll/cryptenroll.c 
@@ -193,7 +193,7 @@ static int help(void) { "\n%3$sSimple Enrollment:%4$s\n" " --password Enroll a user-supplied password\n" " --recovery-key Enroll a recovery key\n" - "\n%3$sPKCS11 Enrollment:%4$s\n" + "\n%3$sPKCS#11 Enrollment:%4$s\n" " --pkcs11-token-uri=URI\n" " Specify PKCS#11 security token URI\n" "\n%3$sFIDO2 Enrollment:%4$s\n"
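Review bot: The intro sentence of the new "FIDO2 Enrollment" section (hunk @@ -361,7 +378,15 @@ in man/systemd-cryptenroll.xml) reads "The following options are understood that may be used to enroll PKCS#11 tokens:", which looks like a copy-paste from the PKCS#11 section just above it. It should say "FIDO2 tokens" to match the section title and the options that follow, the first of which in the hunk context is the COSE algorithm setting used in credential generation.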
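Review bot: The new section intros in man/systemd-cryptenroll.xml have wording nits, starting with the "Unlocking" section in hunk @@ -265,32 +265,11 @@: "in preparation of the enrollment operations" should be "in preparation for the enrollment operations". The pattern "The following options are understood that may be used to ..." recurs in the Simple, PKCS#11, FIDO2 and TPM2 sections and reads awkwardly. Something like "The following options may be used to ..." would be clearer and could be applied uniformly. In the "Simple Enrollment" intro, "simple user input based unlocking" would also read better hyphenated or rephrased, for example "unlocking based on simple user input".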