From 4b28fbe37b02e0df2bd746303108a5e3ed089209 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 14 Oct 2022 15:27:34 +0200 Subject: [PATCH] man: document the new crypttab measurement options (cherry picked from commit 572f78767f9958559aa4a3060fc5c9a006766240) Related: RHEL-16182 --- man/crypttab.xml | 22 ++++++++++++++++++++++ man/systemd-cryptenroll.xml | 5 +++++ 2 files changed, 27 insertions(+) diff --git a/man/crypttab.xml b/man/crypttab.xml index cbbb8ab2a9..1dd9bb1bb6 100644 --- a/man/crypttab.xml +++ b/man/crypttab.xml @@ -700,6 +700,28 @@ order). + + + + Controls whether to measure the volume key of the encrypted volume to a TPM2 PCR. If + set to "no" (which is the default) no PCR extension is done. If set to "yes" the volume key is + measured into PCR 15. If set to a decimal integer in the range 0…23 the volume key is measured into + the specified PCR. The volume key is measured along with the activated volume name and its UUID. This + functionality is particularly useful for the encrypted volume backing the root file system, as it + then allows later TPM objects to be securely bound to the root file system and hence the specific + installation. + + + + + + Selects one or more TPM2 PCR banks to measure the volume key into, as configured with + above. Multiple banks may be specified, separated by a colon + character. If not specified automatically determines available and used banks. Expects a message + digest name (e.g. sha1, sha256, …) as argument, to identify the + bank. + + diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index ad338cdcc5..f08d95c6fb 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml @@ -324,6 +324,11 @@ 14 The shim project measures its "MOK" certificates and hashes into this PCR. + + + 15 + systemd-cryptsetup7 optionally measures the volume key of activated LUKS volumes into this PCR. +