From 9a7d568845164a5d9621a2028c4a8333928e2e2a Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Fri, 14 Jul 2023 18:36:20 -0400 Subject: [PATCH] man: update systemd-cryptenroll man page with details on --tpm2-pcrs format change The previous commit extended the accepted format of --tpm2-pcrs to allow specifying the hash algorithm (i.e. PCR bank) and hash digest value, this updates the man page with those changes. (cherry picked from commit 1782b0b88ce531a674102445cdf95f86e6b54cae) Related: RHEL-16182 --- man/systemd-cryptenroll.xml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index 5ddaab40bc..3f36f320b6 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml 
@@ -379,13 +379,22 @@ PCR Configures the TPM2 PCRs (Platform Configuration Registers) to bind to when - enrollment is requested via . Takes a list of PCR names or numeric - indices in the range 0…23. Multiple PCR indexes are separated by +. If not - specified, the default is to use PCR 7 only. If an empty string is specified, binds the enrollment to - no PCRs at all. See the table above for a list of available PCRs. + enrollment is requested via . Takes a list of PCR entries, where each + entry starts with a name or numeric index in the range 0…23, optionally followed by + : and a hash algorithm name (specifying the PCR bank), optionally followed by + = and a hash digest value. Multiple PCR entries are separated by + +. If not specified, the default is to use PCR 7 only. If an empty string is + specified, binds the enrollment to no PCRs at all. See the table above for a list of available + PCRs. Example: specifies that PCR registers 4, 1, and 5 should be used. + Example: specifies that PCR register 7 from the SHA256 + bank should be used. + Example: + specifies that PCR register 4 from the SHA1 bank should be used, and a hash digest value of + 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275 will be used instead of reading the current PCR + value.
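Review bot: The new entry grammar in the added sentence "optionally followed by : and a hash algorithm name (specifying the PCR bank), optionally followed by = and a hash digest value" leaves three things unspecified that a reader needs before relying on it for enrollment. First, it does not say which bank is used when the algorithm is omitted, nor whether "=" and a digest may follow the index directly without a ":" algorithm part; the nesting of the two "optionally" clauses reads either way. Second, it does not list the accepted algorithm names or the digest format: the examples mention SHA256 and SHA1, and the last example writes the value as 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275, so the text should state whether the 0x prefix is required or only tolerated, and that the digest length has to match the chosen bank. Third, the last example says the supplied value "will be used instead of reading the current PCR value", and it would help to add one sentence on what the reader should expect when that value differs from what the PCR holds at unlock time, since this is the case where a typo in the digest matters. As a smaller style point, the only digest example uses the SHA1 bank; consider showing it with SHA256 so the example that readers copy matches the bank used in the preceding example.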