path: root/man/systemd-nspawn.xml
authorLennart Poettering <lennart@poettering.net>2020-09-17 18:57:27 +0200
committerLennart Poettering <lennart@poettering.net>2020-09-19 21:20:16 +0200
commit329cde79c4f802f9318855cef5b6aa823e437216 (patch)
tree206c6b4dd8793cdd763f28b319b99baee940d395 /man/systemd-nspawn.xml
parent461836a4e9db75453045a96f2bafb9ce19b34e68 (diff)
downloadsystemd-329cde79c4f802f9318855cef5b6aa823e437216.tar.gz
doc: document the new GPT partition type UUIDs
Diffstat (limited to 'man/systemd-nspawn.xml')
-rw-r--r--man/systemd-nspawn.xml17
1 files changed, 15 insertions, 2 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index c8fbb01d00..7c89bc4423 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -396,7 +396,15 @@
is not supported by the underlying file system), but a file with the <filename>.roothash</filename> suffix is
found next to the image file, bearing otherwise the same name (except if the image has the
<filename>.raw</filename> suffix, in which case the root hash file must not have it in its name), the root hash
- is read from it and automatically used, also as formatted hexadecimal characters.</para></listitem>
+ is read from it and automatically used, also as formatted hexadecimal characters.</para>
+
+ <para>Note that this configures the root hash for the root file system. Disk images may also contain
+ separate file systems for the <filename>/usr/</filename> hierarchy, which may be Verity protected as
+ well. The root hash for this protection may be configured via the
+ <literal>user.verity.usrhash</literal> extended file attribute or via a <filename>.usrhash</filename>
+ file adjacent to the disk image, following the same format and logic as for the root hash for the
+ root file system described here. Note that there's currently no switch to configure the root hash for
+ the <filename>/usr/</filename> from the command line.</para></listitem>
</varlistentry>
<varlistentry>
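Review bot: the closing sentence of the added paragraph drops its noun. "no switch to configure the root hash for the <filename>/usr/</filename> from the command line" should read "for the <filename>/usr/</filename> file system from the command line", matching the sentence before it. Since the paragraph relies on "the same format and logic as for the root hash" to cover the naming rule, it would also help to say outright that the <filename>.raw</filename> suffix-stripping rule from the preceding sentence applies to the <filename>.usrhash</filename> file as well, rather than leaving the reader to infer it.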
@@ -408,7 +416,12 @@
string is valid and done by a public key present in the kernel keyring. If this option is not specified, but a
file with the <filename>.roothash.p7s</filename> suffix is found next to the image file, bearing otherwise the
same name (except if the image has the <filename>.raw</filename> suffix, in which case the signature file must
- not have it in its name), the signature is read from it and automatically used.</para></listitem>
+ not have it in its name), the signature is read from it and automatically used.</para>
+
+ <para>The root hash for the <filename>/usr/</filename> file system included in a disk image may be
+ configured via a <filename>.usrhash.p7s</filename> file adjacent to the disk image. There's currently
+ no switch to configure the signature of the root hash of the <filename>/usr/</filename> file system
+ from the command line.</para></listitem>
</varlistentry>
<varlistentry>
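Review bot: the added paragraph misdescribes what the <filename>.usrhash.p7s</filename> file carries. By analogy with the <filename>.roothash.p7s</filename> file described just above, which holds the signature of the root hash rather than the hash itself, the first sentence should say that the signature of the root hash for the <filename>/usr/</filename> file system is configured via a <filename>.usrhash.p7s</filename> file adjacent to the disk image, and should state that the same naming rule (no <filename>.raw</filename> suffix in the file name) and automatic use apply, as the preceding sentence does for <filename>.roothash.p7s</filename>. As written it says the root hash itself comes from the signature file, which contradicts the <literal>user.verity.usrhash</literal> / <filename>.usrhash</filename> paragraph in the previous hunk.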