Diffstat (limited to 'man')
-rw-r--r--man/bootctl.xml12
-rw-r--r--man/systemd-measure.xml20
-rw-r--r--man/systemd-repart.xml25
-rw-r--r--man/systemd-sbsign.xml9
-rw-r--r--man/ukify.xml11
5 files changed, 62 insertions, 15 deletions
diff --git a/man/bootctl.xml b/man/bootctl.xml
index eab18f7575..3159f42347 100644
--- a/man/bootctl.xml
+++ b/man/bootctl.xml
@@ -529,8 +529,9 @@
<varlistentry>
<term><option>--secure-boot-auto-enroll=yes|no</option></term>
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
- <term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term>
+ <term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
+ <term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<listitem><para>Configure the ESP for secure boot auto-enrollment when invoking the
<command>install</command> command. Takes a boolean argument. Disabled by default. Enabling this
@@ -542,9 +543,12 @@
<para>When specifying this option, a certificate and private key have to be provided as well using
the <option>--certificate=</option> and <option>--private-key=</option> options. The
- <option>--certificate=</option> option takes a path to a PEM encoded X.509 certificate. The
- <option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL
- engine or provider, as specified by <option>--private-key-source=</option> as a
+ <option>--certificate=</option> option takes a path to a PEM encoded X.509 certificate or a URI
+ that's passed to the OpenSSL provider configured with <option>--certificate-source</option> which
+ takes one of <literal>file</literal> or <literal>provider</literal>, with the latter being followed
+ by a specific provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>.
+ The <option>--private-key=</option> option can take a path or a URI that will be passed to the
+ OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a
<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
signing engine or provider will be used to sign the EFI signature lists.</para>
diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index 83dc64f0ce..1caca9cab0 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -104,6 +104,16 @@
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><command>pcrpkey</command></term>
+
+ <listitem><para>This commands prints the public key either given with <option>--public-key=</option>,
+ or extracted from the certificate given with <option>--certificate=</option> or the private key given
+ with <option>--private-key=</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -188,8 +198,9 @@
<varlistentry>
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
- <term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term>
- <term><option>--certificate=<replaceable>PATH</replaceable></option></term>
+ <term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
+ <term><option>--certificate=<replaceable>PATH/URI</replaceable></option></term>
+ <term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<listitem><para>As an alternative to <option>--public-key=</option> for the
<command>sign</command> command, these switches can be used to sign with an hardware token. The
@@ -197,6 +208,11 @@
provider, as specified by <option>--private-key-source=</option> as a type:name tuple, such as
engine:pkcs11. The specified OpenSSL signing engine or provider will be used to sign.</para>
+ <para>The <option>--certificate=</option> option also takes a path or a URI that will be passed to
+ the OpenSSL provider, as specified by <option>--certificate-source=</option> as a
+ <literal>type:name</literal> tuple, such as <literal>provider:pkcs11</literal>. Note that unlike
+ <option>--private-key-source=</option> this option only supports providers and not engines.</para>
+
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
diff --git a/man/systemd-repart.xml b/man/systemd-repart.xml
index 1e6ffaa70f..575be14912 100644
--- a/man/systemd-repart.xml
+++ b/man/systemd-repart.xml
@@ -348,9 +348,9 @@
<varlistentry>
<term><option>--private-key=</option></term>
- <listitem><para>Takes a file system path. Configures the signing key to use when creating verity
- signature partitions with the <varname>Verity=signature</varname> setting in partition files.
- </para>
+ <listitem><para>Takes a file system path or an engine or provider specific designation. Configures
+ the signing key to use when creating verity signature partitions with the
+ <varname>Verity=signature</varname> setting in partition files.</para>
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
@@ -361,7 +361,7 @@
<listitem><para>Takes one of <literal>file</literal>, <literal>engine</literal> or
<literal>provider</literal>. In the latter two cases, it is followed by the name of a provider or
engine, separated by colon, that will be passed to OpenSSL's "engine" or "provider" logic.
- Configures the signing mechanism to use when creating verity signature partitions with the
+ Configures how to load the private key to use when creating verity signature partitions with the
<varname>Verity=signature</varname> setting in partition files.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
@@ -370,14 +370,25 @@
<varlistentry>
<term><option>--certificate=</option></term>
- <listitem><para>Takes a file system path. Configures the PEM encoded X.509 certificate to use when
- creating verity signature partitions with the <varname>Verity=signature</varname> setting in
- partition files.</para>
+ <listitem><para>Takes a file system path or a provider specific designation. Configures the PEM
+ encoded X.509 certificate to use when creating verity signature partitions with the
+ <varname>Verity=signature</varname> setting in partition files.</para>
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
<varlistentry>
+ <term><option>--certificate-source=</option></term>
+
+ <listitem><para>Takes one of <literal>file</literal>, or <literal>provider</literal>. In the latter
+ case, it is followed by the name of a provider, separated by colon, that will be passed to OpenSSL's
+ "provider" logic. Configures how to load the X.509 certificate to use when creating verity signature
+ partitions with the <varname>Verity=signature</varname> setting in partition files.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>--tpm2-device=</option></term>
<term><option>--tpm2-pcrs=</option></term>
diff --git a/man/systemd-sbsign.xml b/man/systemd-sbsign.xml
index 1e42d601d6..1248377845 100644
--- a/man/systemd-sbsign.xml
+++ b/man/systemd-sbsign.xml
@@ -85,11 +85,16 @@
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
+ <term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<listitem><para>Set the Secure Boot private key and certificate for use with the
<command>sign</command>. The <option>--certificate=</option> option takes a path to a PEM encoded
- X.509 certificate. The <option>--private-key=</option> option can take a path or a URI that will be
- passed to the OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a
+ X.509 certificate or a URI that's passed to the OpenSSL provider configured with
+ <option>--certificate-source</option>. The <option>--certificate-source</option> takes one of
+ <literal>file</literal> or <literal>provider</literal>, with the latter being followed by a specific
+ provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>. The
+ <option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL
+ engine or provider, as specified by <option>--private-key-source=</option> as a
<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
signing engine or provider will be used to sign the PE binary.</para>
diff --git a/man/ukify.xml b/man/ukify.xml
index c57644e640..14dbb2a954 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -528,6 +528,17 @@
</varlistentry>
<varlistentry>
+ <term><varname>CertificateProvider=<replaceable>PROVIDER</replaceable></varname></term>
+ <term><option>--certificate-provider=<replaceable>PROVIDER</replaceable></option></term>
+
+ <listitem><para>An OpenSSL provider to be used for loading the certificate used to sign the
+ resulting binary and PCR measurements. This option can only be used when using
+ <command>systemd-sbsign</command> as the signing tool.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>SignKernel=<replaceable>BOOL</replaceable></varname></term>
<term><option>--sign-kernel</option></term>
<term><option>--no-sign-kernel</option></term>