<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd-pcrphase.service" conditional='ENABLE_BOOTLOADER HAVE_OPENSSL HAVE_TPM2'
xmlns:xi="http://www.w3.org/2001/XInclude">

<refentryinfo>
<title>systemd-pcrphase.service</title>
<productname>systemd</productname>
</refentryinfo>

<refmeta>
<refentrytitle>systemd-pcrphase.service</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>systemd-pcrphase.service</refname>
<refname>systemd-pcrphase-sysinit.service</refname>
<refname>systemd-pcrphase-initrd.service</refname>
<refname>systemd-pcrmachine.service</refname>
<refname>systemd-pcrfs-root.service</refname>
<refname>systemd-pcrfs@.service</refname>
<refname>systemd-pcrextend</refname>
<refpurpose>Measure boot phase into TPM2 PCR 11, machine ID and file system identity into PCR 15</refpurpose>
</refnamediv>

<refsynopsisdiv>
<para><filename>systemd-pcrphase.service</filename></para>
<para><filename>systemd-pcrphase-sysinit.service</filename></para>
<para><filename>systemd-pcrphase-initrd.service</filename></para>
<para><filename>systemd-pcrmachine.service</filename></para>
<para><filename>systemd-pcrfs-root.service</filename></para>
<para><filename>systemd-pcrfs@.service</filename></para>
<para><filename>/usr/lib/systemd/systemd-pcrextend</filename> <optional><replaceable>STRING</replaceable></optional></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>

<para><filename>systemd-pcrphase.service</filename>,
<filename>systemd-pcrphase-sysinit.service</filename>, and
<filename>systemd-pcrphase-initrd.service</filename> are system services that measure specific strings
into TPM2 PCR 11 during boot at various milestones of the boot process.</para>

<para><filename>systemd-pcrmachine.service</filename> is a system service that measures the machine ID
(see <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>) into
PCR 15.</para>

<para><filename>systemd-pcrfs-root.service</filename> and <filename>systemd-pcrfs@.service</filename> are
services that measure file system identity information (i.e. mount point, file system type, label and
UUID, partition label and UUID) into PCR 15. <filename>systemd-pcrfs-root.service</filename> does so for
the root file system, <filename>systemd-pcrfs@.service</filename> is a template unit that measures the
file system indicated by its instance identifier instead.</para>
<para>These services require
<citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> to be
used in a unified kernel image (UKI). They execute no operation when the stub has not been used to invoke
the kernel. The stub will measure the invoked kernel and associated vendor resources into PCR 11 before
handing control to it; once userspace is invoked these services then will extend TPM2 PCR 11 with certain
literal strings indicating phases of the boot process. During a regular boot process PCR 11 is extended
with the following strings:</para>
<orderedlist>
<listitem><para><literal>enter-initrd</literal> — early when the initrd initializes, before activating
system extension images for the initrd. It acts as a barrier between the time where the kernel
initializes and where the initrd starts operating and enables system extension images, i.e. code
shipped outside of the UKI. (This extension happens when the
<citerefentry><refentrytitle>systemd-pcrphase-initrd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
service is started.)</para></listitem>

<listitem><para><literal>leave-initrd</literal> — when the initrd is about to transition into the host
file system. It acts as a barrier between initrd code and host OS code. (This extension happens when the
<filename>systemd-pcrphase-initrd.service</filename> service is stopped.)</para></listitem>

<listitem><para><literal>sysinit</literal> — when basic system initialization is complete (which
includes local file systems having been mounted), and the system begins starting regular system
services. (This extension happens when the
<citerefentry><refentrytitle>systemd-pcrphase-sysinit.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
service is started.)</para></listitem>

<listitem><para><literal>ready</literal> — during later boot-up, after remote file systems have been
activated (i.e. after <filename>remote-fs.target</filename>), but before users are permitted to log in
(i.e. before <filename>systemd-user-sessions.service</filename>). It acts as a barrier between the time
where unprivileged regular users are still prohibited from logging in and where they are allowed to log in.
(This extension happens when the <filename>systemd-pcrphase.service</filename> service is started.)
</para></listitem>

<listitem><para><literal>shutdown</literal> — when the system shutdown begins. It acts as a barrier
between the time the system is fully up and running and where it is about to shut down. (This extension
happens when the <filename>systemd-pcrphase.service</filename> service is stopped.)</para></listitem>

<listitem><para><literal>final</literal> — at the end of system shutdown. It acts as a barrier between
the time the service manager still runs and when it transitions into the final shutdown phase where
service management is not available anymore. (This extension happens when the
<citerefentry><refentrytitle>systemd-pcrphase-sysinit.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
service is stopped.)</para></listitem>
</orderedlist>
<para>During a regular system lifecycle, PCR 11 is extended with the strings
<literal>enter-initrd</literal>, <literal>leave-initrd</literal>, <literal>sysinit</literal>,
<literal>ready</literal>, <literal>shutdown</literal>, and <literal>final</literal>.</para>

<para>Specific phases of the boot process may be referenced via the series of strings measured, separated
by colons (the "phase path"). For example, the phase path for the regular system runtime is
<literal>enter-initrd:leave-initrd:sysinit:ready</literal>, while the one for the initrd is just
<literal>enter-initrd</literal>. The phase path for the boot phase before the initrd is an empty string;
because that's hard to pass around, a single colon (<literal>:</literal>) may be used instead. Note that
the aforementioned six strings are just the default strings and individual systems might measure other
strings at other times, and thus implement different and more fine-grained boot phases to bind policy
to.</para>
<para>By binding policy of TPM2 objects to a specific phase path it is possible to restrict access to
them to specific phases of the boot process, for example making it impossible to access the root file
system's encryption key after the system transitioned from the initrd into the host root file system.
</para>

<para>Use
<citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry> to
pre-calculate expected PCR 11 values for specific boot phases (via the <option>--phase=</option> switch).
</para>
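<para>The following Python sketch is an added example, not part of systemd or of the original page. It replays the PCR extend operation for a phase path, to show why a policy bound to the initrd phase path stops matching once <literal>leave-initrd</literal> has been measured. It assumes each word is hashed as plain bytes; <literal>SAMPLE_START</literal> is a constructed stand-in for the value <filename>systemd-stub</filename> leaves in PCR 11, and the function names are illustrative.</para>

<programlisting><![CDATA[
```python
import hashlib

# Default phase words from the list above, in the order they are measured.
DEFAULT_PHASES = ["enter-initrd", "leave-initrd", "sysinit", "ready", "shutdown", "final"]


def extend(pcr, digest, bank="sha256"):
    """TPM2 PCR extend: new value = H(old value || digest)."""
    if len(pcr) != len(digest):
        raise ValueError("PCR value and digest must both be bank-sized")
    return hashlib.new(bank, pcr + digest).digest()


def parse_phase_path(path):
    """Split a phase path into words; '' and ':' both mean 'nothing measured yet'."""
    if path in ("", ":"):
        return []
    words = path.split(":")
    if "" in words:
        raise ValueError("empty word in phase path %r" % path)
    return words


def pcr_for_phase_path(start, path, bank="sha256"):
    """Expected PCR value once every word of `path` has been measured on top of `start`."""
    pcr = start
    for word in parse_phase_path(path):
        # Assumption: the word is hashed as its bytes, without a trailing NUL.
        pcr = extend(pcr, hashlib.new(bank, word.encode()).digest(), bank)
    return pcr


def phases_matching(current, start, candidate_paths, bank="sha256"):
    """Return the candidate phase paths whose expected value equals `current`."""
    return [p for p in candidate_paths if pcr_for_phase_path(start, p, bank) == current]


# Constructed stand-in for PCR 11 as left by the stub; a real value depends on the UKI.
SAMPLE_START = hashlib.sha256(b"constructed: PCR 11 after systemd-stub").digest()

if __name__ == "__main__":
    for i in range(len(DEFAULT_PHASES) + 1):
        path = ":".join(DEFAULT_PHASES[:i]) or ":"
        print("%-52s %s" % (path, pcr_for_phase_path(SAMPLE_START, path).hex()))
    # A key bound to the initrd phase no longer matches at regular runtime.
    runtime = pcr_for_phase_path(SAMPLE_START, "enter-initrd:leave-initrd:sysinit:ready")
    print("initrd policy matches at runtime:",
          bool(phases_matching(runtime, SAMPLE_START, ["enter-initrd"])))
```
]]></programlisting>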

<para><filename>systemd-pcrfs-root.service</filename> and <filename>systemd-pcrfs@.service</filename> are
automatically pulled into the initial transaction by
<citerefentry><refentrytitle>systemd-gpt-auto-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for the root and <filename>/var/</filename> file
systems. <citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
will do this for all mounts with the <option>x-systemd.pcrfs</option> mount option in
<filename>/etc/fstab</filename>.</para>
</refsect1>
<refsect1>
<title>Options</title>

<para>The <filename>/usr/lib/systemd/systemd-pcrextend</filename> executable may also be invoked from the
command line, where it expects the word to extend into PCR 11, as well as the following switches:</para>
<variablelist>
<varlistentry>
<term><option>--bank=</option></term>

<listitem><para>Takes the PCR banks to extend the specified word into. If not specified the tool
automatically determines all enabled PCR banks and measures the word into all of
them.</para>

<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>

<varlistentry>
<term><option>--pcr=</option></term>

<listitem><para>Takes the index of the PCR to extend. If <option>--machine-id</option> or
<option>--file-system=</option> are specified defaults to 15, otherwise defaults to 11.</para>

<xi:include href="version-info.xml" xpointer="v255"/></listitem>
</varlistentry>

<varlistentry>
<term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>

<listitem><para>Controls which TPM2 device to use. Expects a device node path referring to the TPM2
chip (e.g. <filename>/dev/tpmrm0</filename>). Alternatively the special value <literal>auto</literal>
may be specified, in order to automatically determine the device node of a suitable TPM2 device (of
which there must be exactly one). The special value <literal>list</literal> may be used to enumerate
all suitable TPM2 devices currently discovered.</para>

<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>

<varlistentry>
<term><option>--graceful</option></term>

<listitem><para>If no TPM2 firmware, kernel subsystem, kernel driver or device support is found, exit
with exit status 0 (i.e. indicate success). If this is not specified any attempt to measure without a
TPM2 device will cause the invocation to fail.</para>

<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>

<varlistentry>
<term><option>--machine-id</option></term>

<listitem><para>Instead of measuring a word specified on the command line into PCR 11, measure the
host's machine ID into PCR 15.</para>

<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>

<varlistentry>
<term><option>--file-system=</option></term>

<listitem><para>Instead of measuring a word specified on the command line into PCR 11, measure
identity information of the specified file system into PCR 15. The parameter must be the path to the
established mount point of the file system to measure.</para>

<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>

<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />

</variablelist>
</refsect1>
<refsect1>
<title>Files</title>

<variablelist>
<varlistentry>
<term><filename>/run/log/systemd/tpm2-measure.log</filename></term>

<listitem><para>Measurements are logged into an event log file maintained in
<filename>/run/log/systemd/tpm2-measure.log</filename>, which contains a <ulink
url="https://www.rfc-editor.org/rfc/rfc7464.html">JSON-SEQ</ulink> series of objects that follow the
general structure of the <ulink
url="https://trustedcomputinggroup.org/resource/canonical-event-log-format/">TCG Canonical Event Log
Format (CEL-JSON)</ulink> event objects (but lack the <literal>recnum</literal>
field).</para>

<para>A <constant>LOCK_EX</constant> BSD file lock (<citerefentry
project='man-pages'><refentrytitle>flock</refentrytitle><manvolnum>2</manvolnum></citerefentry>) on
the log file is acquired while the measurement is made and the file is updated. Thus, applications
that intend to acquire a consistent quote from the TPM with the associated snapshot of the event log
should acquire a <constant>LOCK_SH</constant> lock while doing so.</para>

<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
</variablelist>
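<para>The following Python sketch is an added example, not systemd code. It reads the event log under <constant>LOCK_SH</constant>, parses the RFC 7464 records and replays the logged digests for one PCR and bank. The field names <literal>pcr</literal>, <literal>digests</literal>, <literal>hashAlg</literal> and <literal>digest</literal> are assumed from the CEL-JSON layout, <literal>take_quote</literal> is a hypothetical callback for whatever obtains the TPM quote, and the sample records are constructed.</para>

<programlisting><![CDATA[
```python
import fcntl
import hashlib
import json

RS = b"\x1e"  # RFC 7464 record separator: each record is RS + JSON text + LF


def snapshot_log(path, take_quote=None):
    """Read the log under LOCK_SH; take_quote (hypothetical callback) runs inside the lock."""
    with open(path, "rb") as f:
        fcntl.flock(f, fcntl.LOCK_SH)  # waits while a measurement holds LOCK_EX
        try:
            raw = f.read()
            quote = take_quote() if take_quote else None
        finally:
            fcntl.flock(f, fcntl.LOCK_UN)
    return raw, quote


def parse_json_seq(raw):
    """Return (records, rejected); truncated or malformed records are counted, not repaired."""
    head, *chunks = raw.split(RS)
    rejected = 1 if head.strip() else 0  # bytes before the first RS are not a record
    records = []
    for chunk in chunks:
        try:
            if not chunk.endswith(b"\n"):  # no LF terminator: the record was cut short
                raise ValueError("truncated record")
            obj = json.loads(chunk)
            if not isinstance(obj, dict):
                raise ValueError("record is not a JSON object")
        except ValueError:
            rejected += 1
            continue
        records.append(obj)
    return records, rejected


def replay(records, pcr_index, bank="sha256", start=None):
    """Fold the logged digests of one PCR and bank, in log order, on top of `start`.

    `start` is the PCR value before the first logged event; all zeroes if omitted.
    Field names (pcr, digests, hashAlg, digest) are assumed from the CEL-JSON layout.
    """
    size = hashlib.new(bank).digest_size
    pcr = bytes(size) if start is None else start
    used = 0
    for rec in records:
        if rec.get("pcr") != pcr_index:
            continue
        found = [d.get("digest", "") for d in rec.get("digests", [])
                 if d.get("hashAlg") == bank]
        if len(found) != 1 or len(bytes.fromhex(found[0])) != size:
            raise ValueError("PCR %d record lacks one valid %s digest" % (pcr_index, bank))
        pcr = hashlib.new(bank, pcr + bytes.fromhex(found[0])).digest()
        used += 1
    return pcr, used


def build_sample_log():
    """Constructed sample data: two complete records followed by a truncated one."""
    def record(pcr, word):
        event = {"pcr": pcr,
                 "digests": [{"hashAlg": "sha256",
                              "digest": hashlib.sha256(word).hexdigest()}],
                 "content_type": "systemd",
                 "content": {"string": word.decode()}}
        return RS + json.dumps(event).encode() + b"\n"
    return (record(11, b"enter-initrd") + record(15, b"constructed-machine-id")
            + RS + b'{"pcr": 11, "dig')


if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile() as tmp:
        tmp.write(build_sample_log())
        tmp.flush()
        raw, _ = snapshot_log(tmp.name)
    records, rejected = parse_json_seq(raw)
    value, used = replay(records, 11)
    print("records=%d rejected=%d pcr11-events=%d" % (len(records), rejected, used))
    print("replayed PCR 11 (sha256, from zero):", value.hex())
```
]]></programlisting>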
</refsect1>

<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-gpt-auto-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><ulink url="https://systemd.io/TPM2_PCR_MEASUREMENTS">TPM2 PCR Measurements Made by systemd</ulink></member>
</simplelist></para>
</refsect1>

</refentry>