| field | value | date |
|---|---|---|
| author | Lennart Poettering <lennart@poettering.net> | 2022-08-18 11:10:30 +0200 |
| committer | Lennart Poettering <lennart@poettering.net> | 2022-09-08 16:34:27 +0200 |
| commit | dc63b2c90940c683a58195f43e59e1c08178629d (patch) | |
| tree | b6e502efcda23777a72fab37a8983aeec66ef2ba /man/crypttab.xml | |
| parent | 02ef97cde01ef8e64799befb9583d971f1fe33e6 (diff) | |
| download | systemd-dc63b2c90940c683a58195f43e59e1c08178629d.tar.gz | |
cryptsetup: hook up signed PCR policies
Diffstat (limited to 'man/crypttab.xml')
-rw-r--r-- | man/crypttab.xml | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/man/crypttab.xml b/man/crypttab.xml index 0469d365ef..2a54c81595 100644 --- a/man/crypttab.xml +++ b/man/crypttab.xml @@ -686,6 +686,21 @@ </varlistentry> <varlistentry> + <term><option>tpm2-signature=</option></term> + + <listitem><para>Takes an absolute path to a TPM2 PCR JSON signature file, as produced by the + <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry> + tool. This permits locking LUKS2 volumes to any PCR values for which a valid signature matching a + public key specified at key enrollment time can be provided. See + <citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry> + for details on enrolling TPM2 PCR public keys. If this option is not specified but it is attempted to + unlock a LUKS2 volume with a signed TPM2 PCR enrollment a suitable signature file + <filename>tpm2-pcr-signature.json</filename> is searched for in <filename>/etc/systemd/</filename>, + <filename>/run/systemd/</filename>, <filename>/usr/lib/systemd/</filename> (in this + order).</para></listitem> + </varlistentry> + + <varlistentry> <term><option>token-timeout=</option></term> <listitem><para>Specifies how long to wait at most for configured security devices (i.e. FIDO2, |
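Review bot: the fallback sentence of the new `tpm2-signature=` entry ("If this option is not specified but it is attempted to unlock a LUKS2 volume with a signed TPM2 PCR enrollment a suitable signature file ... is searched for in ...") documents the search order but not the outcome when no `tpm2-pcr-signature.json` is found in any of `/etc/systemd/`, `/run/systemd/` or `/usr/lib/systemd/`; since this is the path an administrator hits when the signature was not installed, the paragraph should state whether the TPM2 unlock attempt fails, whether the other configured unlock methods (e.g. passphrase) are still tried, and whether the failure is logged. The same sentence is also hard to parse and would read better as "If this option is not specified and a LUKS2 volume with a signed TPM2 PCR enrollment is being unlocked, a signature file named <filename>tpm2-pcr-signature.json</filename> is searched for in ... (in this order)." Finally, the entry says the signature must match "a public key specified at key enrollment time" but does not say what happens when the supplied file carries a signature for a different key or for PCR values that do not match the current ones; a one-line statement that such a file is rejected and the volume is not unlocked via TPM2 would make the security contract explicit to readers of crypttab(5) who do not consult systemd-cryptenroll(1).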