49 lines
2.7 KiB
Diff
49 lines
2.7 KiB
Diff
From 9a7d568845164a5d9621a2028c4a8333928e2e2a Mon Sep 17 00:00:00 2001
|
|
From: Dan Streetman <ddstreet@ieee.org>
|
|
Date: Fri, 14 Jul 2023 18:36:20 -0400
|
|
Subject: [PATCH] man: update systemd-cryptenroll man page with details on
|
|
--tpm2-pcrs format change
|
|
|
|
The previous commit extended the accepted format of --tpm2-pcrs to allow
|
|
specifying the hash algorithm (i.e. PCR bank) and hash digest value, this
|
|
updates the man page with those changes.
|
|
|
|
(cherry picked from commit 1782b0b88ce531a674102445cdf95f86e6b54cae)
|
|
|
|
Related: RHEL-16182
|
|
---
|
|
man/systemd-cryptenroll.xml | 17 +++++++++++++----
|
|
1 file changed, 13 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
|
|
index 5ddaab40bc..3f36f320b6 100644
|
|
--- a/man/systemd-cryptenroll.xml
|
|
+++ b/man/systemd-cryptenroll.xml
|
|
@@ -379,13 +379,22 @@
|
|
<term><option>--tpm2-pcrs=</option><arg rep="repeat">PCR</arg></term>
|
|
|
|
<listitem><para>Configures the TPM2 PCRs (Platform Configuration Registers) to bind to when
|
|
- enrollment is requested via <option>--tpm2-device=</option>. Takes a list of PCR names or numeric
|
|
- indices in the range 0…23. Multiple PCR indexes are separated by <literal>+</literal>. If not
|
|
- specified, the default is to use PCR 7 only. If an empty string is specified, binds the enrollment to
|
|
- no PCRs at all. See the table above for a list of available PCRs.</para>
|
|
+ enrollment is requested via <option>--tpm2-device=</option>. Takes a list of PCR entries, where each
|
|
+ entry starts with a name or numeric index in the range 0…23, optionally followed by
|
|
+ <literal>:</literal> and a hash algorithm name (specifying the PCR bank), optionally followed by
|
|
+ <literal>=</literal> and a hash digest value. Multiple PCR entries are separated by
|
|
+ <literal>+</literal>. If not specified, the default is to use PCR 7 only. If an empty string is
|
|
+ specified, binds the enrollment to no PCRs at all. See the table above for a list of available
|
|
+ PCRs.</para>
|
|
|
|
<para>Example: <option>--tpm2-pcrs=boot-loader-code+platform-config+boot-loader-config</option>
|
|
specifies that PCR registers 4, 1, and 5 should be used.</para>
|
|
+ <para>Example: <option>--tpm2-pcrs=7:sha256</option> specifies that PCR register 7 from the SHA256
|
|
+ bank should be used.</para>
|
|
+ <para>Example: <option>--tpm2-pcrs=4:sha1=0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275</option>
|
|
+ specifies that PCR register 4 from the SHA1 bank should be used, and a hash digest value of
|
|
+ 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275 will be used instead of reading the current PCR
|
|
+ value.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|