From b7c36073f9a645967feba035e21468976b567adb Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 17 Oct 2022 15:20:53 +0200 Subject: [PATCH] man: document new machine-id/fs measurement options (cherry picked from commit 2bd33c909c0cf02a2a794ac83d66e8b32879c25d) Related: RHEL-16182 --- man/rules/meson.build | 5 ++- man/systemd-pcrphase.service.xml | 57 +++++++++++++++++++++++++++----- man/systemd.mount.xml | 14 ++++++++ 3 files changed, 67 insertions(+), 9 deletions(-) diff --git a/man/rules/meson.build b/man/rules/meson.build index c7045840f2..65a16b1e2a 100644 --- a/man/rules/meson.build +++ b/man/rules/meson.build @@ -971,7 +971,10 @@ manpages = [ ['systemd-path', '1', [], ''], ['systemd-pcrphase.service', '8', - ['systemd-pcrphase', + ['systemd-pcrfs-root.service', + 'systemd-pcrfs@.service', + 'systemd-pcrmachine.service', + 'systemd-pcrphase', 'systemd-pcrphase-initrd.service', 'systemd-pcrphase-sysinit.service'], 'HAVE_GNU_EFI'], diff --git a/man/systemd-pcrphase.service.xml b/man/systemd-pcrphase.service.xml index 9b7cc80b3a..95b0e05269 100644 --- a/man/systemd-pcrphase.service.xml +++ b/man/systemd-pcrphase.service.xml @@ -20,15 +20,21 @@ systemd-pcrphase.service systemd-pcrphase-sysinit.service systemd-pcrphase-initrd.service + systemd-pcrmachine.service + systemd-pcrfs-root.service + systemd-pcrfs@.service systemd-pcrphase - Measure boot phase into TPM2 PCR 11 + Measure boot phase into TPM2 PCR 11, machine ID and file system identity into PCR 15 systemd-pcrphase.service systemd-pcrphase-sysinit.service systemd-pcrphase-initrd.service - /usr/lib/systemd/system-pcrphase STRING + systemd-pcrmachine.service + systemd-pcrfs-root.service + systemd-pcrfs@.service + /usr/lib/systemd/system-pcrphase STRING @@ -39,13 +45,23 @@ systemd-pcrphase-initrd.service are system services that measure specific strings into TPM2 PCR 11 during boot at various milestones of the boot process. + systemd-pcrmachine.service is a system service that measures the machine ID + (see machine-id5) into + PCR 15. + + systemd-pcrfs-root.service and systemd-pcrfs@.service are + services that measure file system identity information (i.e. mount point, file system type, label and + UUID, partition label and UUID) into PCR 15. systemd-pcrfs-root.service does so for + the root file system, systemd-pcrfs@.service is a template unit that measures the + file system indicated by its instance identifier instead. + These services require systemd-stub7 to be - used in a unified kernel image (UKI) setup. They execute no operation when invoked when the stub has not - been used to invoke the kernel. The stub will measure the invoked kernel and associated vendor resources - into PCR 11 before handing control to it; once userspace is invoked these services then will extend - certain literal strings indicating various phases of the boot process into TPM2 PCR 11. During a regular - boot process the following strings are extended into PCR 11. + used in a unified kernel image (UKI). They execute no operation when the stub has not been used to invoke + the kernel. The stub will measure the invoked kernel and associated vendor resources into PCR 11 before + handing control to it; once userspace is invoked these services then will extend TPM2 PCR 11 with certain + literal strings indicating phases of the boot process. During a regular boot process PCR 11 is extended + with the following strings: enter-initrd is extended into PCR 11 early when the initrd @@ -104,6 +120,14 @@ Use systemd-measure1 to pre-calculate expected PCR 11 values for specific boot phases (via the switch). + + systemd-pcrfs-root.service and systemd-pcrfs@.service are + automatically pulled into the initial transaction by + systemd-gpt-generator8 + for the root and /var/ file + systems. systemd-fstab-generator8 + will do this for all mounts with the mount option in + /etc/fstab. @@ -139,6 +163,21 @@ TPM2 device will cause the invocation to fail. + + + + Instead of measuring a word specified on the command line into PCR 11, measure the + host's machine ID into PCR 15. + + + + + + Instead of measuring a word specified on the command line into PCR 11, measure + identity information of the specified file system into PCR 15. The parameter must be the path to the + established mount point of the file system to measure. + + @@ -150,7 +189,9 @@ systemd1, systemd-stub7, - systemd-measure1 + systemd-measure1, + systemd-gpt-generator8, + systemd-fstab-generator8 diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml index 773ca04cd6..3dbc623f44 100644 --- a/man/systemd.mount.xml +++ b/man/systemd.mount.xml @@ -366,6 +366,20 @@ Options= setting in a unit file. + + + + Measures file system identity information (mount point, type, label, UUID, partition + label, partition UUID) into PCR 15 after the file system has been mounted. This ensures the + systemd-pcrfs@.service8 + or systemd-pcrfs-root.service services are pulled in by the mount unit. + + Note that this option can only be used in /etc/fstab, and will be ignored + when part of the Options= setting in a unit file. It is also implied for the root + and /usr/ partitions dicovered by + systemd-gpt-auto-generator8. + +