path: root/man/bootctl.xml
author: Daan De Meyer <daan.j.demeyer@gmail.com> 2024-11-06 18:08:26 +0100
committer: Daan De Meyer <daan.j.demeyer@gmail.com> 2024-11-07 20:30:47 +0100
commit: a1d46e3078a67b128a2eb93da7ae51d253b326f7
tree: 7b1a4994fae1b5367e84e3766f27cd4b034c0a3d /man/bootctl.xml
parent: openssl-util: Set expected object type to private keys
tree-wide: Introduce --certificate-source= option
This allows loading the X.509 certificate from an OpenSSL provider instead of a file system path. This allows loading certificates directly from hardware tokens instead of having to export them to a file on disk first.
Diffstat (limited to 'man/bootctl.xml')
-rw-r--r--  man/bootctl.xml  12
1 files changed, 8 insertions, 4 deletions
diff --git a/man/bootctl.xml b/man/bootctl.xml
index eab18f7575..3159f42347 100644
--- a/man/bootctl.xml
+++ b/man/bootctl.xml
@@ -529,8 +529,9 @@
<varlistentry>
<term><option>--secure-boot-auto-enroll=yes|no</option></term>
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
- <term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term>
+ <term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
+ <term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<listitem><para>Configure the ESP for secure boot auto-enrollment when invoking the
<command>install</command> command. Takes a boolean argument. Disabled by default. Enabling this
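Review bot: the `--certificate=` term in this hunk still reads `<option>--certificate=<replaceable>PATH</replaceable></option>`, but the new `--certificate-source=` term directly below it exists precisely so that `--certificate=` can take a provider URI; the synopsis should be updated to `--certificate=<replaceable>PATH/URI</replaceable>` to match the `--private-key=<replaceable>PATH/URI</replaceable>` term above it, otherwise the option list contradicts the description that follows.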
@@ -542,9 +543,12 @@
<para>When specifying this option, a certificate and private key have to be provided as well using
the <option>--certificate=</option> and <option>--private-key=</option> options. The
- <option>--certificate=</option> option takes a path to a PEM encoded X.509 certificate. The
- <option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL
- engine or provider, as specified by <option>--private-key-source=</option> as a
+ <option>--certificate=</option> option takes a path to a PEM encoded X.509 certificate or a URI
+ that's passed to the OpenSSL provider configured with <option>--certificate-source</option> which
+ takes one of <literal>file</literal> or <literal>provider</literal>, with the latter being followed
+ by a specific provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>.
+ The <option>--private-key=</option> option can take a path or a URI that will be passed to the
+ OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a
<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
signing engine or provider will be used to sign the EFI signature lists.</para>
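Review bot: `<option>--certificate-source</option>` in the new text is missing the trailing `=` that every other option reference in this paragraph carries (`--certificate=`, `--private-key=`, `--private-key-source=`); write `<option>--certificate-source=</option>`. The paragraph also never says what is assumed when `--certificate-source=` is omitted; if `file` is the default, say so explicitly ("defaults to `file`") so readers know that passing a plain path keeps working. Minor wording: "a URI that's passed" should be "a URI that is passed" to match the manual-page register of the surrounding text.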