author | Dan Streetman <ddstreet@ieee.org> | 2023-07-21 21:49:16 +0200 |
---|---|---|
committer | Dan Streetman <ddstreet@ieee.org> | 2023-11-07 18:20:54 +0100 |
commit | c3a2a681bed77ce4f9218cd28405994ab5263077 (patch) | |
tree | 03469a90fb1083b40e68d6f01d22d3063fd84742 /man/systemd-cryptenroll.xml | |
parent | tpm2: update test-tpm2 for tpm2_calculate_seal() (diff) | |
download | systemd-c3a2a681bed77ce4f9218cd28405994ab5263077.tar.xz systemd-c3a2a681bed77ce4f9218cd28405994ab5263077.zip |
cryptenroll: add support for calculated TPM2 enrollment
Instead of enrolling the local TPM to a luks volume, use the public key from a
TPM to enroll it into the luks volume. This is useful when enrolling a TPM that
is not currently accessible, for example if the TPM is located on a different
system.
Diffstat (limited to 'man/systemd-cryptenroll.xml')
-rw-r--r-- | man/systemd-cryptenroll.xml | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index 3d0efc9bf7..ad32bf68f2 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml @@ -412,6 +412,28 @@ </varlistentry> <varlistentry> + <term><option>--tpm2-device-key=</option><replaceable>PATH</replaceable></term> + + <listitem><para>Enroll a TPM2 security chip using its public key. Expects a path referring to the + TPM2 public key in TPM2B_PUBLIC format. This cannot be used with <option>--tpm2-device=</option>, as + it performs the same operation, but without connecting to the TPM2 security chip; instead the + enrollment is calculated using the provided TPM2 key. This is useful in situations where the TPM2 + security chip is not available at the time of enrollment.</para> + + <para>The key, in most cases, should be the Storage Root Key (SRK) from the TPM2 security chip. If a + key from a different handle (not the SRK) is used, you must specify its handle index using + <option>--tpm2-seal-key-handle=</option>.</para> + + <para>You may use tpm2-tss tools to get the SRK from the TPM2 security chip with <citerefentry + project='mankier'><refentrytitle>tpm2_readpublic</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + for example:</para> + + <programlisting>tpm2_readpublic -c 0x81000001 -o srk.pub</programlisting> + + <xi:include href="version-info.xml" xpointer="v255"/></listitem> + </varlistentry> + + <varlistentry> <term><option>--tpm2-seal-key-handle=</option><replaceable>HANDLE</replaceable></term> <listitem><para>Configures which parent key to use for sealing, using the TPM handle (index) of the |
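Review bot: The first paragraph of the new `--tpm2-device-key=` entry says the enrollment is "calculated using the provided TPM2 key" without connecting to the chip, but it does not say what happens when the file at PATH is not the public key of the intended TPM. Because nothing in the described flow contacts the TPM, the text should state that the key file is trusted as given, so a wrong or substituted file seals the volume to whichever key it contains, and that the file should be obtained from the target TPM over a trusted path. A smaller point on the `<programlisting>`: `tpm2_readpublic -c 0x81000001 -o srk.pub` uses a fixed handle with no explanation. Add a sentence saying this is the handle where the SRK is expected, and tie it to the second paragraph's rule that any other handle requires `--tpm2-seal-key-handle=`.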