mirror of
https://github.com/systemd/systemd
synced 2024-09-06 16:56:43 +00:00
Merge pull request #26023 from keszybz/man-page-updates
Man page updates
This commit is contained in:
commit
c24b0bd1df
|
@ -533,9 +533,10 @@ Subject: TPM PCR Extended
|
||||||
Defined-By: systemd
|
Defined-By: systemd
|
||||||
Support: %SUPPORT_URL%
|
Support: %SUPPORT_URL%
|
||||||
|
|
||||||
The string '@MEASURING@' has been extended into Trusted Platform Module's (TPM)
|
The Trusted Platform Module's (TPM) Platform Configuration Register (PCR)
|
||||||
Platform Configuration Register (PCR) @PCR@, on banks @BANKS@.
|
@PCR@, on banks @BANKS@, has been extended with the string '@MEASURING@'.
|
||||||
|
|
||||||
Whenever the system transitions to a new runtime phase, a different string is
|
Whenever the system transitions to a new runtime phase, the specified PCR is
|
||||||
extended into the specified PCR, to ensure that security policies for TPM-bound
|
extended with a different string, to ensure that security policies for
|
||||||
secrets and other resources are limited to specific phases of the runtime.
|
TPM-bound secrets and other resources are limited to specific phases of the
|
||||||
|
runtime.
|
||||||
|
|
|
@ -429,7 +429,7 @@
|
||||||
<programlisting>$ <command>bootctl status</command>
|
<programlisting>$ <command>bootctl status</command>
|
||||||
System:
|
System:
|
||||||
Firmware: UEFI 2.40 (<replaceable>firmware-version</replaceable>) ← firmware vendor and version
|
Firmware: UEFI 2.40 (<replaceable>firmware-version</replaceable>) ← firmware vendor and version
|
||||||
Secure Boot: disabled (setup) ← secure boot status
|
Secure Boot: disabled (setup) ← Secure Boot status
|
||||||
TPM2 Support: yes
|
TPM2 Support: yes
|
||||||
Boot into FW: supported ← does the firmware support booting into itself
|
Boot into FW: supported ← does the firmware support booting into itself
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,7 @@
|
||||||
|
|
||||||
<refnamediv>
|
<refnamediv>
|
||||||
<refname>journalctl</refname>
|
<refname>journalctl</refname>
|
||||||
<refpurpose>Print log entries from the the systemd journal</refpurpose>
|
<refpurpose>Print log entries from the systemd journal</refpurpose>
|
||||||
</refnamediv>
|
</refnamediv>
|
||||||
|
|
||||||
<refsynopsisdiv>
|
<refsynopsisdiv>
|
||||||
|
@ -664,7 +664,8 @@
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Forward Secure Sealing (FSS) Options</title>
|
<title>Forward Secure Sealing (FSS) Options</title>
|
||||||
|
|
||||||
<para>The following options make be used together with the <option>--setup-keys</option> command, see below.</para>
|
<para>The following options may be used together with the <option>--setup-keys</option> command described
|
||||||
|
below:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
|
|
@ -198,8 +198,8 @@
|
||||||
|
|
||||||
<para><varname>$KERNEL_INSTALL_MACHINE_ID</varname> is set for the plugins to the desired machine-id to
|
<para><varname>$KERNEL_INSTALL_MACHINE_ID</varname> is set for the plugins to the desired machine-id to
|
||||||
use. It's always a 128-bit ID. Normally it's read from <filename>/etc/machine-id</filename>, but it can
|
use. It's always a 128-bit ID. Normally it's read from <filename>/etc/machine-id</filename>, but it can
|
||||||
also be overridden via <varname>$MACHINE_ID</varname> (see below). If not specified via these methods a
|
also be overridden via <varname>$MACHINE_ID</varname> (see below). If not specified via these methods,
|
||||||
fallback value will generated by <command>kernel-install</command>, and used only for a single
|
a fallback value will generated by <command>kernel-install</command> and used only for a single
|
||||||
invocation.</para>
|
invocation.</para>
|
||||||
|
|
||||||
<para><varname>$KERNEL_INSTALL_ENTRY_TOKEN</varname> is set for the plugins to the desired entry
|
<para><varname>$KERNEL_INSTALL_ENTRY_TOKEN</varname> is set for the plugins to the desired entry
|
||||||
|
|
|
@ -228,19 +228,22 @@
|
||||||
<listitem><para>Danger: this feature might soft-brick your device if used improperly.</para>
|
<listitem><para>Danger: this feature might soft-brick your device if used improperly.</para>
|
||||||
|
|
||||||
<para>Takes one of <literal>off</literal>, <literal>manual</literal> or <literal>force</literal>.
|
<para>Takes one of <literal>off</literal>, <literal>manual</literal> or <literal>force</literal>.
|
||||||
Controls the enrollment of secure boot keys. If set to <literal>off</literal>, no action whatsoever
|
Controls the enrollment of Secure Boot keys. If set to <literal>off</literal>, no action whatsoever
|
||||||
is taken. If set to <literal>manual</literal> (the default) and the UEFI firmware is in setup-mode
|
is taken. If set to <literal>manual</literal> (the default) and the UEFI firmware is in setup-mode
|
||||||
then entries to manually enroll Secure Boot variables are created in the boot menu. If set to
|
then entries to manually enroll Secure Boot variables are created in the boot menu. If set to
|
||||||
<literal>force</literal>, in addition, if a directory named <filename>/loader/keys/auto/</filename>
|
<literal>force</literal>, in addition, if a directory named <filename>/loader/keys/auto/</filename>
|
||||||
exists on the ESP then the keys in that directory are enrolled automatically.</para>
|
exists on the ESP then the keys in that directory are enrolled automatically.</para>
|
||||||
|
|
||||||
<para>The different sets of variables can be set up under <filename>/loader/keys/<replaceable>NAME</replaceable></filename>
|
<para>The different sets of variables can be set up under
|
||||||
where <replaceable>NAME</replaceable> is the name that is going to be used as the name of the entry.
|
<filename>/loader/keys/<replaceable>NAME</replaceable></filename> where
|
||||||
This allows one to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime.</para>
|
<replaceable>NAME</replaceable> is the name that is going to be used as the name of the entry. This
|
||||||
|
allows one to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime.
|
||||||
|
</para>
|
||||||
|
|
||||||
<para>Supported secure boot variables are one database for authorized images, one key exchange key (KEK)
|
<para>Supported Secure Boot variables are one database for authorized images, one key exchange key
|
||||||
and one platform key (PK). For more information, refer to the <ulink url="https://uefi.org/specifications">UEFI specification</ulink>,
|
(KEK) and one platform key (PK). For more information, refer to the <ulink
|
||||||
under Secure Boot and Driver Signing. Another resource that describe the interplay of the different variables is the
|
url="https://uefi.org/specifications">UEFI specification</ulink>, under Secure Boot and Driver
|
||||||
|
Signing. Another resource that describe the interplay of the different variables is the
|
||||||
<ulink url="https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/secure_boot_chain_in_uefi/uefi_secure_boot">
|
<ulink url="https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/secure_boot_chain_in_uefi/uefi_secure_boot">
|
||||||
EDK2 documentation</ulink>.</para>
|
EDK2 documentation</ulink>.</para>
|
||||||
|
|
||||||
|
@ -294,17 +297,17 @@ sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
|
||||||
<para>Work around BitLocker requiring a recovery key when the boot loader was
|
<para>Work around BitLocker requiring a recovery key when the boot loader was
|
||||||
updated (disabled by default).</para>
|
updated (disabled by default).</para>
|
||||||
|
|
||||||
<para>Try to detect BitLocker encrypted drives along with an active TPM. If both are found
|
<para>Try to detect BitLocker encrypted drives along with an active TPM. If both are found and
|
||||||
and Windows Boot Manager is selected in the boot menu, set the <literal>BootNext</literal>
|
Windows Boot Manager is selected in the boot menu, set the <literal>BootNext</literal> EFI variable
|
||||||
EFI variable and restart the system. The firmware will then start Windows Boot Manager
|
and restart the system. The firmware will then start Windows Boot Manager directly, leaving the TPM
|
||||||
directly, leaving the TPM PCRs in expected states so that Windows can unseal the encryption
|
PCRs in expected states so that Windows can unseal the encryption key. This allows
|
||||||
key. This allows systemd-boot to be updated without having to provide the recovery key for
|
<citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> to
|
||||||
BitLocker drive unlocking.</para>
|
be updated without having to provide the recovery key for BitLocker drive unlocking.</para>
|
||||||
|
|
||||||
<para>Note that the PCRs that Windows uses can be configured with the
|
<para>Note that the PCRs that Windows uses can be configured with the
|
||||||
<literal>Configure TPM platform validation profile for native UEFI firmware configurations</literal>
|
<literal>Configure TPM platform validation profile for native UEFI firmware configurations</literal>
|
||||||
group policy under <literal>Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption</literal>.
|
group policy under <literal>Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption</literal>.
|
||||||
When secure boot is enabled, changing this to PCRs <literal>0,2,7,11</literal> should be safe.
|
When Secure Boot is enabled, changing this to PCRs <literal>0,2,7,11</literal> should be safe.
|
||||||
The TPM key protector needs to be removed and then added back for the PCRs on an already
|
The TPM key protector needs to be removed and then added back for the PCRs on an already
|
||||||
encrypted drive to change. If PCR 4 is not measured, this setting can be disabled to speed
|
encrypted drive to change. If PCR 4 is not measured, this setting can be disabled to speed
|
||||||
up booting into Windows.</para></listitem>
|
up booting into Windows.</para></listitem>
|
||||||
|
|
|
@ -109,7 +109,9 @@ rpc: db files
|
||||||
|
|
||||||
netgroup: nis</programlisting>
|
netgroup: nis</programlisting>
|
||||||
|
|
||||||
<para>To test, use <command>glibc</command>'s <command>getent</command> tool:</para>
|
<para>To test, use <command>glibc</command>'s
|
||||||
|
<citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||||
|
tool:</para>
|
||||||
|
|
||||||
<programlisting>$ getent ahosts `hostname`
|
<programlisting>$ getent ahosts `hostname`
|
||||||
::1 STREAM omega
|
::1 STREAM omega
|
||||||
|
|
|
@ -451,12 +451,12 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>PORTABLE_PREFIXES=</varname></term>
|
<term><varname>PORTABLE_PREFIXES=</varname></term>
|
||||||
<listitem><para>Takes a space-separated list of one or more valid prefix match strings for the
|
<listitem><para>Takes a space-separated list of one or more valid prefix match strings for the
|
||||||
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink> logic. This field
|
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink> logic.
|
||||||
serves two purposes: it is informational, identifying portable service images as such (and thus
|
This field serves two purposes: it is informational, identifying portable service images as such
|
||||||
allowing them to be distinguished from other OS images, such as bootable system images). It is also
|
(and thus allowing them to be distinguished from other OS images, such as bootable system images).
|
||||||
used when a portable service image is attached: the specified or implied portable service prefix is
|
It is also used when a portable service image is attached: the specified or implied portable
|
||||||
checked against the list specified here, to enforce restrictions how images may be attached to a
|
service prefix is checked against the list specified here, to enforce restrictions how images may
|
||||||
system.</para></listitem>
|
be attached to a system.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect2>
|
</refsect2>
|
||||||
|
|
|
@ -97,13 +97,14 @@
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Module Types Provided</title>
|
<title>Module Types Provided</title>
|
||||||
|
|
||||||
<para>The module implements all four PAM operations: <option>auth</option> (reason: to allow
|
<para>The module implements all four PAM operations: <option>auth</option> (to allow authentication using
|
||||||
authentication using the encrypted data), <option>account</option> (reason: users with
|
the encrypted data), <option>account</option> (because users with
|
||||||
<filename>systemd-homed.service</filename> user accounts are described in a <ulink
|
<filename>systemd-homed.service</filename> user accounts are described in a <ulink
|
||||||
url="https://systemd.io/USER_RECORD/">JSON user record</ulink> and may be configured in more detail than
|
url="https://systemd.io/USER_RECORD/">JSON user record</ulink> and may be configured in more detail than
|
||||||
in the traditional Linux user database), <option>session</option> (user sessions must be tracked in order
|
in the traditional Linux user database), <option>session</option> (because user sessions must be tracked
|
||||||
to implement automatic release when the last session of the user is gone), <option>password</option> (to
|
in order to implement automatic release when the last session of the user is gone),
|
||||||
change the encryption password — also used for user authentication — through PAM).</para>
|
<option>password</option> (to change the encryption password — also used for user authentication —
|
||||||
|
through PAM).</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
|
|
@ -48,7 +48,7 @@
|
||||||
and transfer them as a whole between systems. When these images are attached the local system the contained units
|
and transfer them as a whole between systems. When these images are attached the local system the contained units
|
||||||
may run in most ways like regular system-provided units, either with full privileges or inside strict sandboxing,
|
may run in most ways like regular system-provided units, either with full privileges or inside strict sandboxing,
|
||||||
depending on the selected configuration. For more details, see
|
depending on the selected configuration. For more details, see
|
||||||
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.</para>
|
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>.</para>
|
||||||
|
|
||||||
<para>Specifically portable service images may be of the following kind:</para>
|
<para>Specifically portable service images may be of the following kind:</para>
|
||||||
|
|
||||||
|
@ -367,7 +367,7 @@
|
||||||
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||||
Images can be block images, btrfs subvolumes or directories. For more information on portable
|
Images can be block images, btrfs subvolumes or directories. For more information on portable
|
||||||
services with extensions, see the <literal>Extension Images</literal> paragraph on
|
services with extensions, see the <literal>Extension Images</literal> paragraph on
|
||||||
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.
|
<ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>Note that the same extensions have to be specified, in the same order, when attaching
|
<para>Note that the same extensions have to be specified, in the same order, when attaching
|
||||||
|
|
|
@ -427,9 +427,11 @@
|
||||||
|
|
||||||
<para>This option cannot be combined with <varname>CopyBlocks=</varname>.</para>
|
<para>This option cannot be combined with <varname>CopyBlocks=</varname>.</para>
|
||||||
|
|
||||||
<para>When <command>systemd-repart</command> is invoked with the <option>--image=</option> or
|
<para>When
|
||||||
<option>--root=</option> command line switches the source paths specified are taken relative to the
|
<citerefentry><refentrytitle>systemd-repart</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||||
specified root directory or disk image root.</para></listitem>
|
is invoked with the <option>--image=</option> or <option>--root=</option> command line switches the
|
||||||
|
source paths specified are taken relative to the specified root directory or disk image root.
|
||||||
|
</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
@ -492,7 +494,7 @@
|
||||||
to <literal>off</literal> or <literal>data</literal>, the partition is populated with content as
|
to <literal>off</literal> or <literal>data</literal>, the partition is populated with content as
|
||||||
specified by <varname>CopyBlocks=</varname> or <varname>CopyFiles=</varname>. If set to
|
specified by <varname>CopyBlocks=</varname> or <varname>CopyFiles=</varname>. If set to
|
||||||
<literal>hash</literal>, the partition will be populated with verity hashes from the matching verity
|
<literal>hash</literal>, the partition will be populated with verity hashes from the matching verity
|
||||||
data partition. If set to <literal>signature</literal>, The partition will be populated with a JSON
|
data partition. If set to <literal>signature</literal>, the partition will be populated with a JSON
|
||||||
object containing a signature of the verity root hash of the matching verity hash partition.</para>
|
object containing a signature of the verity root hash of the matching verity hash partition.</para>
|
||||||
|
|
||||||
<para>A matching verity partition is a partition with the same verity match key (as configured with
|
<para>A matching verity partition is a partition with the same verity match key (as configured with
|
||||||
|
|
|
@ -56,7 +56,7 @@
|
||||||
|
|
||||||
<listitem><para>A reboot into the UEFI firmware setup option, if supported by the firmware.</para></listitem>
|
<listitem><para>A reboot into the UEFI firmware setup option, if supported by the firmware.</para></listitem>
|
||||||
|
|
||||||
<listitem><para>Secure boot variables enrollement if the UEFI firmware is in setup-mode and files are provided
|
<listitem><para>Secure Boot variables enrollment if the UEFI firmware is in setup-mode and files are provided
|
||||||
on the ESP.</para></listitem>
|
on the ESP.</para></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
|
@ -95,7 +95,7 @@
|
||||||
with a 'system token' stored in a persistent EFI variable and derives a random seed to use by the OS as
|
with a 'system token' stored in a persistent EFI variable and derives a random seed to use by the OS as
|
||||||
entropy pool initialization, providing a full entropy pool during early boot.</para></listitem>
|
entropy pool initialization, providing a full entropy pool during early boot.</para></listitem>
|
||||||
|
|
||||||
<listitem><para>The boot manager allows for secure boot variables to be enrolled if the UEFI firmware is
|
<listitem><para>The boot manager allows for Secure Boot variables to be enrolled if the UEFI firmware is
|
||||||
in setup-mode. Additionally, variables can be automatically enrolled if configured.</para></listitem>
|
in setup-mode. Additionally, variables can be automatically enrolled if configured.</para></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
|
|
|
@ -359,7 +359,7 @@
|
||||||
<listitem><para>Takes a path to a TPM2 PCR signature file as generated by the
|
<listitem><para>Takes a path to a TPM2 PCR signature file as generated by the
|
||||||
<citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||||
tool and that may be used to allow the <command>decrypt</command> command to decrypt credentials that
|
tool and that may be used to allow the <command>decrypt</command> command to decrypt credentials that
|
||||||
are bound to specific signed PCR values. If this this is not specified explicitly, and a credential
|
are bound to specific signed PCR values. If this is not specified explicitly, and a credential
|
||||||
with a signed PCR policy is attempted to be decrypted, a suitable signature file
|
with a signed PCR policy is attempted to be decrypted, a suitable signature file
|
||||||
<filename>tpm2-pcr-signature.json</filename> is searched for in <filename>/etc/systemd/</filename>,
|
<filename>tpm2-pcr-signature.json</filename> is searched for in <filename>/etc/systemd/</filename>,
|
||||||
<filename>/run/systemd/</filename>, <filename>/usr/lib/systemd/</filename> (in this order) and
|
<filename>/run/systemd/</filename>, <filename>/usr/lib/systemd/</filename> (in this order) and
|
||||||
|
|
|
@ -288,7 +288,7 @@
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>7</entry>
|
<entry>7</entry>
|
||||||
<entry>Secure boot state; changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) changes. The shim project will measure most of its (non-MOK) certificates and SBAT data into this PCR.</entry>
|
<entry>Secure Boot state; changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) changes. The shim project will measure most of its (non-MOK) certificates and SBAT data into this PCR.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<!-- Grub measures all its commands and the kernel command line into PCR 8… -->
|
<!-- Grub measures all its commands and the kernel command line into PCR 8… -->
|
||||||
|
@ -312,7 +312,7 @@
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>12</entry>
|
<entry>12</entry>
|
||||||
<entry><citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> measures any specified kernel command line into this PCR. <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> measures any manually specified kernel command line (i.e. a kernel command line that overrides the one embedded in the unified PE image) and loaded credentials into this PCR. (Note that if <command>systemd-boot</command> and <command>systemd-stub</command> are used in combination the command line might be measured twice!)</entry>
|
<entry><citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> measures the kernel command line into this PCR. <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> measures any manually specified kernel command line (i.e. a kernel command line that overrides the one embedded in the unified PE image) and loaded credentials into this PCR. (Note that if <command>systemd-boot</command> and <command>systemd-stub</command> are used in combination the command line might be measured twice!)</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
|
@ -382,7 +382,7 @@
|
||||||
<para>The <option>--tpm2-signature=</option> option takes a path to a TPM2 PCR signature file
|
<para>The <option>--tpm2-signature=</option> option takes a path to a TPM2 PCR signature file
|
||||||
as generated by the
|
as generated by the
|
||||||
<citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||||
tool. If this this is not specified explicitly a suitable signature file
|
tool. If this is not specified explicitly a suitable signature file
|
||||||
<filename>tpm2-pcr-signature.json</filename> is searched for in <filename>/etc/systemd/</filename>,
|
<filename>tpm2-pcr-signature.json</filename> is searched for in <filename>/etc/systemd/</filename>,
|
||||||
<filename>/run/systemd/</filename>, <filename>/usr/lib/systemd/</filename> (in this order) and
|
<filename>/run/systemd/</filename>, <filename>/usr/lib/systemd/</filename> (in this order) and
|
||||||
used. If a signature file is specified or found it is used to verify if the volume can be unlocked
|
used. If a signature file is specified or found it is used to verify if the volume can be unlocked
|
||||||
|
|
|
@ -63,7 +63,7 @@
|
||||||
<literal>no</literal>, causes the generator to ignore any devices configured in
|
<literal>no</literal>, causes the generator to ignore any devices configured in
|
||||||
<filename>/etc/crypttab</filename> (<varname>luks.uuid=</varname> will still work however).
|
<filename>/etc/crypttab</filename> (<varname>luks.uuid=</varname> will still work however).
|
||||||
<varname>rd.luks.crypttab=</varname> is honored only in initrd while
|
<varname>rd.luks.crypttab=</varname> is honored only in initrd while
|
||||||
<varname>luks.crypttab=</varname> is honored by both the main system and the initrd.
|
<varname>luks.crypttab=</varname> is honored by both the main system and in the initrd.
|
||||||
</para></listitem>
|
</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -75,7 +75,7 @@
|
||||||
part of the boot process as if it was listed in <filename>/etc/crypttab</filename>. This option may
|
part of the boot process as if it was listed in <filename>/etc/crypttab</filename>. This option may
|
||||||
be specified more than once in order to set up multiple devices. <varname>rd.luks.uuid=</varname> is
|
be specified more than once in order to set up multiple devices. <varname>rd.luks.uuid=</varname> is
|
||||||
honored only in the initrd, while <varname>luks.uuid=</varname> is honored by both the main system
|
honored only in the initrd, while <varname>luks.uuid=</varname> is honored by both the main system
|
||||||
and the initrd.</para>
|
and in the initrd.</para>
|
||||||
|
|
||||||
<para>If <filename>/etc/crypttab</filename> contains entries with the same UUID, then the name,
|
<para>If <filename>/etc/crypttab</filename> contains entries with the same UUID, then the name,
|
||||||
keyfile and options specified there will be used. Otherwise, the device will have the name
|
keyfile and options specified there will be used. Otherwise, the device will have the name
|
||||||
|
@ -101,7 +101,7 @@
|
||||||
<manvolnum>5</manvolnum></citerefentry> field <replaceable>volume-name</replaceable>.</para>
|
<manvolnum>5</manvolnum></citerefentry> field <replaceable>volume-name</replaceable>.</para>
|
||||||
|
|
||||||
<para><varname>rd.luks.name=</varname> is honored only in the initrd, while
|
<para><varname>rd.luks.name=</varname> is honored only in the initrd, while
|
||||||
<varname>luks.name=</varname> is honored by both the main system and the initrd.</para>
|
<varname>luks.name=</varname> is honored by both the main system and in the initrd.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -203,7 +203,7 @@
|
||||||
|
|
||||||
<para><varname>rd.luks.options=</varname> is honored only by initial
|
<para><varname>rd.luks.options=</varname> is honored only by initial
|
||||||
RAM disk (initrd) while <varname>luks.options=</varname> is
|
RAM disk (initrd) while <varname>luks.options=</varname> is
|
||||||
honored by both the main system and the initrd.</para>
|
honored by both the main system and in the initrd.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
|
@ -27,8 +27,8 @@
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para><filename>systemd-integritysetup-generator</filename> is a generator that translates <filename>/etc/integritytab</filename> entries into
|
<para><command>systemd-integritysetup-generator</command> is a generator that translates
|
||||||
native systemd units early at boot. This will create
|
<filename>/etc/integritytab</filename> entries into native systemd units early at boot. This will create
|
||||||
<citerefentry><refentrytitle>systemd-integritysetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd-integritysetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||||
units as necessary.</para>
|
units as necessary.</para>
|
||||||
|
|
||||||
|
|
|
@ -78,12 +78,13 @@
|
||||||
seen in TPM2 PCR register 11 after boot-up of a unified kernel image. Then, cryptographically sign
|
seen in TPM2 PCR register 11 after boot-up of a unified kernel image. Then, cryptographically sign
|
||||||
the resulting values with the private/public key pair (RSA) configured via
|
the resulting values with the private/public key pair (RSA) configured via
|
||||||
<option>--private-key=</option> and <option>--public-key=</option>. This will write a JSON object to
|
<option>--private-key=</option> and <option>--public-key=</option>. This will write a JSON object to
|
||||||
standard output that contains signatures for all specified PCR banks (see
|
standard output that contains signatures for all specified PCR banks (see the
|
||||||
<option>--pcr-bank=</option>) below, which may be used to unlock encrypted credentials (see
|
<option>--pcr-bank=</option> option below), which may be used to unlock encrypted credentials (see
|
||||||
<citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>) or
|
<citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>) or
|
||||||
LUKS volumes (see
|
LUKS volumes (see
|
||||||
<citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>). This
|
<citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
|
||||||
allows binding secrets to a set of kernels for which such PCR 11 signatures can be provided.</para>
|
This allows binding secrets to a set of kernels for which such PCR 11 signatures can be
|
||||||
|
provided.</para>
|
||||||
|
|
||||||
<para>Note that a TPM2 device must be available for this signing to take place, even though the
|
<para>Note that a TPM2 device must be available for this signing to take place, even though the
|
||||||
result is not tied to any TPM2 device or its state.</para></listitem>
|
result is not tied to any TPM2 device or its state.</para></listitem>
|
||||||
|
@ -98,13 +99,13 @@
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--linux=PATH</option></term>
|
<term><option>--linux=<replaceable>PATH</replaceable></option></term>
|
||||||
<term><option>--osrel=PATH</option></term>
|
<term><option>--osrel=<replaceable>PATH</replaceable></option></term>
|
||||||
<term><option>--cmdline=PATH</option></term>
|
<term><option>--cmdline=<replaceable>PATH</replaceable></option></term>
|
||||||
<term><option>--initrd=PATH</option></term>
|
<term><option>--initrd=<replaceable>PATH</replaceable></option></term>
|
||||||
<term><option>--splash=PATH</option></term>
|
<term><option>--splash=<replaceable>PATH</replaceable></option></term>
|
||||||
<term><option>--dtb=PATH</option></term>
|
<term><option>--dtb=<replaceable>PATH</replaceable></option></term>
|
||||||
<term><option>--pcrpkey=PATH</option></term>
|
<term><option>--pcrpkey=<replaceable>PATH</replaceable></option></term>
|
||||||
|
|
||||||
<listitem><para>When used with the <command>calculate</command> or <command>sign</command> verb,
|
<listitem><para>When used with the <command>calculate</command> or <command>sign</command> verb,
|
||||||
configures the files to read the unified kernel image components from. Each option corresponds with
|
configures the files to read the unified kernel image components from. Each option corresponds with
|
||||||
|
@ -122,7 +123,7 @@
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--bank=DIGEST</option></term>
|
<term><option>--bank=<replaceable>DIGEST</replaceable></option></term>
|
||||||
|
|
||||||
<listitem><para>Controls the PCR banks to pre-calculate the PCR values for – in case
|
<listitem><para>Controls the PCR banks to pre-calculate the PCR values for – in case
|
||||||
<command>calculate</command> or <command>sign</command> is invoked –, or the banks to show in the
|
<command>calculate</command> or <command>sign</command> is invoked –, or the banks to show in the
|
||||||
|
@ -132,8 +133,8 @@
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--private-key=PATH</option></term>
|
<term><option>--private-key=<replaceable>PATH</replaceable></option></term>
|
||||||
<term><option>--public-key=PATH</option></term>
|
<term><option>--public-key=<replaceable>PATH</replaceable></option></term>
|
||||||
|
|
||||||
<listitem><para>These switches take paths to a pair of PEM encoded RSA key files, for use with
|
<listitem><para>These switches take paths to a pair of PEM encoded RSA key files, for use with
|
||||||
the <command>sign</command> command.</para>
|
the <command>sign</command> command.</para>
|
||||||
|
|
|
@ -1374,7 +1374,7 @@ After=sys-subsystem-net-devices-ens1.device</programlisting>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><para>If <option>noidmap</option> is used, any user <option>z</option> in the range
|
<listitem><para>If <option>noidmap</option> is used, any user <option>z</option> in the range
|
||||||
<option>0 … y</option> seen from inside of the container is mapped to <option>x + z</option> in the
|
<option>0 … y</option> seen from inside of the container is mapped to <option>x + z</option> in the
|
||||||
<option>x … x + y</option> range on the host. All host users outside of that range are mapped to
|
<option>x … x + y</option> range on the host. Other host users are mapped to
|
||||||
<option>nobody</option> inside the container.</para></listitem>
|
<option>nobody</option> inside the container.</para></listitem>
|
||||||
<listitem><para>If <option>idmap</option> is used, any user <option>z</option> in the UID range
|
<listitem><para>If <option>idmap</option> is used, any user <option>z</option> in the UID range
|
||||||
<option>0 … y</option> as seen from inside the container is mapped to the same <option>z</option>
|
<option>0 … y</option> as seen from inside the container is mapped to the same <option>z</option>
|
||||||
|
|
|
@ -36,7 +36,8 @@
|
||||||
<para>You can enable monitoring and actions on units by setting <varname>ManagedOOMSwap=</varname> and
|
<para>You can enable monitoring and actions on units by setting <varname>ManagedOOMSwap=</varname> and
|
||||||
<varname>ManagedOOMMemoryPressure=</varname> in the unit configuration, see
|
<varname>ManagedOOMMemoryPressure=</varname> in the unit configuration, see
|
||||||
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||||
<command>systemd-oomd</command> retrieves information about such units from <command>systemd</command>
|
<command>systemd-oomd</command> retrieves information about such units from
|
||||||
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||||
when it starts and watches for subsequent changes.</para>
|
when it starts and watches for subsequent changes.</para>
|
||||||
|
|
||||||
<para>Cgroups of units with <varname>ManagedOOMSwap=</varname> or
|
<para>Cgroups of units with <varname>ManagedOOMSwap=</varname> or
|
||||||
|
|
|
@ -35,75 +35,73 @@
|
||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para><filename>systemd-pcrphase.service</filename>,
|
<para><filename>systemd-pcrphase.service</filename>,
|
||||||
<filename>systemd-pcrphase-sysinit.service</filename> and
|
<filename>systemd-pcrphase-sysinit.service</filename>, and
|
||||||
<filename>systemd-pcrphase-initrd.service</filename> are system services that measure specific strings
|
<filename>systemd-pcrphase-initrd.service</filename> are system services that measure specific strings
|
||||||
into TPM2 PCR 11 during boot at various milestones of the boot process.</para>
|
into TPM2 PCR 11 during boot at various milestones of the boot process.</para>
|
||||||
|
|
||||||
<para>These services require
|
<para>These services require
|
||||||
<citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> to be
|
<citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> to be
|
||||||
used in a unified kernel image (UKI) setup. They execute no operation when invoked when the stub has not
|
used in a unified kernel image (UKI). They execute no operation when the stub has not been used to invoke
|
||||||
been used to invoke the kernel. The stub will measure the invoked kernel and associated vendor resources
|
the kernel. The stub will measure the invoked kernel and associated vendor resources into PCR 11 before
|
||||||
into PCR 11 before handing control to it; once userspace is invoked these services then will extend
|
handing control to it; once userspace is invoked these services then will extend TPM2 PCR 11 with certain
|
||||||
certain literal strings indicating various phases of the boot process into TPM2 PCR 11. During a regular
|
literal strings indicating phases of the boot process. During a regular boot process the following
|
||||||
boot process the following strings are extended into PCR 11.</para>
|
strings are used:</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem><para><literal>enter-initrd</literal> is extended into PCR 11 early when the initrd
|
<listitem><para><literal>enter-initrd</literal> — early when the initrd initializes, before activating
|
||||||
initializes, before activating system extension images for the initrd. It is supposed to act as barrier
|
system extension images for the initrd. It acts as a barrier between the time where the kernel
|
||||||
between the time where the kernel initializes, and where the initrd starts operating and enables
|
initializes and where the initrd starts operating and enables system extension images, i.e. code
|
||||||
system extension images, i.e. code shipped outside of the UKI. (This string is extended at start of
|
shipped outside of the UKI. (This extension happens when
|
||||||
<filename>systemd-pcrphase-initrd.service</filename>.)</para></listitem>
|
<filename>systemd-pcrphase-initrd.service</filename> is started.)</para></listitem>
|
||||||
|
|
||||||
<listitem><para><literal>leave-initrd</literal> is extended into PCR 11 when the initrd is about to
|
<listitem><para><literal>leave-initrd</literal> — when the initrd is about to transition into the host
|
||||||
transition into the host file system, i.e. when it achieved its purpose. It is supposed to act as
|
file system. It acts as barrier between initrd code and host OS code. (This extension happens when
|
||||||
barrier between kernel/initrd code and host OS code. (This string is extended at stop of
|
<filename>systemd-pcrphase-initrd.service</filename> is stopped.)</para></listitem>
|
||||||
<filename>systemd-pcrphase-initrd.service</filename>.)</para></listitem>
|
|
||||||
|
|
||||||
<listitem><para><literal>sysinit</literal> is extended into PCR 11 when basic system initialization is
|
<listitem><para><literal>sysinit</literal> — when basic system initialization is complete (which
|
||||||
complete (which includes local file systems have been mounted), and the system begins starting regular
|
includes local file systems having been mounted), and the system begins starting regular system
|
||||||
system services. (This string is extended at start of
|
services. (This extension happens when <filename>systemd-pcrphase-sysinit.service</filename> is
|
||||||
<filename>systemd-pcrphase-sysinit.service</filename>.)</para></listitem>
|
started.)</para></listitem>
|
||||||
|
|
||||||
<listitem><para><literal>ready</literal> is extended into PCR 11 during later boot-up, after remote
|
<listitem><para><literal>ready</literal> — during later boot-up, after remote file systems have been
|
||||||
file systems have been activated (i.e. after <filename>remote-fs.target</filename>), but before users
|
activated (i.e. after <filename>remote-fs.target</filename>), but before users are permitted to log in
|
||||||
are permitted to log in (i.e. before <filename>systemd-user-sessions.service</filename>). It is
|
(i.e. before <filename>systemd-user-sessions.service</filename>). It acts as barrier between the time
|
||||||
supposed to act as barrier between the time where unprivileged regular users are still prohibited to
|
where unprivileged regular users are still prohibited to log in and where they are allowed to log in.
|
||||||
log in and where they are allowed to log in. (This string is extended at start of
|
(This extension happens when <filename>systemd-pcrphase.service</filename> is started.)
|
||||||
<filename>systemd-pcrphase.service</filename>.)</para></listitem>
|
</para></listitem>
|
||||||
|
|
||||||
<listitem><para><literal>shutdown</literal> is extended into PCR 11 when system shutdown begins. It is
|
<listitem><para><literal>shutdown</literal> — when the system shutdown begins. It acts as barrier
|
||||||
supposed to act as barrier between the time the system is fully up and running and where it is about to
|
between the time the system is fully up and running and where it is about to shut down. (This extension
|
||||||
shut down. (This string is extended at stop of
|
happens when <filename>systemd-pcrphase.service</filename> is stopped.)</para></listitem>
|
||||||
<filename>systemd-pcrphase.service</filename>.)</para></listitem>
|
|
||||||
|
|
||||||
<listitem><para><literal>final</literal> is extended into PCR 11 at the end of system shutdown. It is
|
|
||||||
supposed to act as barrier between the time the service manager still runs and when it transitions into
|
|
||||||
the final boot phase where service management is not available anymore. (This string is extended at
|
|
||||||
stop of <filename>systemd-pcrphase-sysinit.service</filename>.)</para></listitem>
|
|
||||||
|
|
||||||
|
<listitem><para><literal>final</literal> — at the end of system shutdown. It acts as barrier between
|
||||||
|
the time the service manager still runs and when it transitions into the final shutdown phase where
|
||||||
|
service management is not available anymore. (This extension happens when
|
||||||
|
<filename>systemd-pcrphase-sysinit.service</filename> is stopped.)</para></listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>During a regular system lifecycle, the strings <literal>enter-initrd</literal> →
|
<para>During a regular system lifecycle, PCR 11 is extended with the strings
|
||||||
<literal>leave-initrd</literal> → <literal>sysinit</literal> → <literal>ready</literal> →
|
<literal>enter-initrd</literal>, <literal>leave-initrd</literal>, <literal>sysinit</literal>,
|
||||||
<literal>shutdown</literal> → <literal>final</literal> are extended into PCR 11, one after the
|
<literal>ready</literal>, <literal>shutdown</literal>, and <literal>final</literal>.</para>
|
||||||
other.</para>
|
|
||||||
|
|
||||||
<para>Specific phases of the boot process may be referenced via the series of strings measured, separated
|
<para>Specific phases of the boot process may be referenced via the series of strings measured, separated
|
||||||
by colons (the "boot path"). For example, the boot path for the regular system runtime is
|
by colons (the "phase path"). For example, the phase path for the regular system runtime is
|
||||||
<literal>enter-initrd:leave-initrd:sysinit:ready</literal>, while the one for the initrd is just
|
<literal>enter-initrd:leave-initrd:sysinit:ready</literal>, while the one for the initrd is just
|
||||||
<literal>enter-initrd</literal>. The boot path for the the boot phase before the initrd, is an empty
|
<literal>enter-initrd</literal>. The phase path for the boot phase before the initrd is an empty string;
|
||||||
string; because that's hard to pass around a single colon (<literal>:</literal>) may be used
|
because that's hard to pass around a single colon (<literal>:</literal>) may be used instead. Note that
|
||||||
instead. Note that the aforementioned six strings are just the default strings and individual systems
|
the aforementioned six strings are just the default strings and individual systems might measure other
|
||||||
might measure other strings at other times, and thus implement different and more fine-grained boot
|
strings at other times, and thus implement different and more fine-grained boot phases to bind policy
|
||||||
phases to bind policy to.</para>
|
to.</para>
|
||||||
|
|
||||||
<para>By binding policy of TPM2 objects to a specific boot path it is possible to restrict access to them
|
<para>By binding policy of TPM2 objects to a specific phase path it is possible to restrict access to
|
||||||
to specific phases of the boot process, for example making it impossible to access the root file system's
|
them to specific phases of the boot process, for example making it impossible to access the root file
|
||||||
encryption key after the system transitioned from the initrd into the host root file system.</para>
|
system's encryption key after the system transitioned from the initrd into the host root file system.
|
||||||
|
</para>
|
||||||
|
|
||||||
<para>Use
|
<para>Use
|
||||||
<citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry> to
|
<citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry> to
|
||||||
pre-calculate expected PCR 11 values for specific boot phases (via the <option>--phase=</option> switch).</para>
|
pre-calculate expected PCR 11 values for specific boot phases (via the <option>--phase=</option> switch).
|
||||||
|
</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
|
|
@ -35,8 +35,8 @@
|
||||||
<para>Most of <command>systemd-portabled</command>'s functionality is accessible through the
|
<para>Most of <command>systemd-portabled</command>'s functionality is accessible through the
|
||||||
<citerefentry><refentrytitle>portablectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> command.</para>
|
<citerefentry><refentrytitle>portablectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> command.</para>
|
||||||
|
|
||||||
<para>See <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink> for details about
|
<para>See the <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>
|
||||||
the concepts this service implements.</para>
|
for details about the concepts this service implements.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
|
|
@ -98,16 +98,16 @@
|
||||||
suitable for shipping resources that are processed by subsystems running in earliest boot. Specifically,
|
suitable for shipping resources that are processed by subsystems running in earliest boot. Specifically,
|
||||||
OS extension images are not suitable for shipping system services or
|
OS extension images are not suitable for shipping system services or
|
||||||
<citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||||
definitions. See <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink> for a simple
|
definitions. See the <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>
|
||||||
mechanism for shipping system services in disk images, in a similar fashion to OS extensions. Note the
|
for a simple mechanism for shipping system services in disk images, in a similar fashion to OS
|
||||||
different isolation on these two mechanisms: while system extension directly extend the underlying OS
|
extensions. Note the different isolation on these two mechanisms: while system extension directly extend
|
||||||
image with additional files that appear in a way very similar to as if they were shipped in the OS image
|
the underlying OS image with additional files that appear in a way very similar to as if they were
|
||||||
itself and thus imply no security isolation, portable services imply service level sandboxing in one way
|
shipped in the OS image itself and thus imply no security isolation, portable services imply service
|
||||||
or another. The <filename>systemd-sysext.service</filename> service is guaranteed to finish start-up
|
level sandboxing in one way or another. The <filename>systemd-sysext.service</filename> service is
|
||||||
before <filename>basic.target</filename> is reached; i.e. at the time regular services initialize (those
|
guaranteed to finish start-up before <filename>basic.target</filename> is reached; i.e. at the time
|
||||||
which do not use <varname>DefaultDependencies=no</varname>), the files and directories system extensions
|
regular services initialize (those which do not use <varname>DefaultDependencies=no</varname>), the files
|
||||||
provide are available in <filename>/usr/</filename> and <filename>/opt/</filename> and may be
|
and directories system extensions provide are available in <filename>/usr/</filename> and
|
||||||
accessed.</para>
|
<filename>/opt/</filename> and may be accessed.</para>
|
||||||
|
|
||||||
<para>Note that there is no concept of enabling/disabling installed system extension images: all
|
<para>Note that there is no concept of enabling/disabling installed system extension images: all
|
||||||
installed extension images are automatically activated at boot. However, you can place an empty directory
|
installed extension images are automatically activated at boot. However, you can place an empty directory
|
||||||
|
|
|
@ -27,8 +27,8 @@
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para><filename>systemd-veritysetup-generator</filename> is a generator that translates kernel command line options
|
<para><command>systemd-veritysetup-generator</command> is a generator that translates kernel command line
|
||||||
configuring verity protected block devices into native systemd units early at boot and when
|
options configuring verity protected block devices into native systemd units early at boot and when
|
||||||
configuration of the system manager is reloaded. This will create
|
configuration of the system manager is reloaded. This will create
|
||||||
<citerefentry><refentrytitle>systemd-veritysetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd-veritysetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||||
units as necessary.</para>
|
units as necessary.</para>
|
||||||
|
@ -36,14 +36,14 @@
|
||||||
<para>Currently, only two verity devices may be set up with this generator, backing the root and <filename>/usr</filename> file systems of the
|
<para>Currently, only two verity devices may be set up with this generator, backing the root and <filename>/usr</filename> file systems of the
|
||||||
OS.</para>
|
OS.</para>
|
||||||
|
|
||||||
<para><filename>systemd-veritysetup-generator</filename> implements
|
<para><command>systemd-veritysetup-generator</command> implements
|
||||||
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Kernel Command Line</title>
|
<title>Kernel Command Line</title>
|
||||||
|
|
||||||
<para><filename>systemd-veritysetup-generator</filename>
|
<para><command>systemd-veritysetup-generator</command>
|
||||||
understands the following kernel command line parameters:</para>
|
understands the following kernel command line parameters:</para>
|
||||||
|
|
||||||
<variablelist class='kernel-commandline-options'>
|
<variablelist class='kernel-commandline-options'>
|
||||||
|
@ -98,7 +98,8 @@
|
||||||
<term><varname>systemd.verity_usr_hash=</varname></term>
|
<term><varname>systemd.verity_usr_hash=</varname></term>
|
||||||
<term><varname>systemd.verity_usr_options=</varname></term>
|
<term><varname>systemd.verity_usr_options=</varname></term>
|
||||||
|
|
||||||
<listitem><para>Equivalent to their counterparts for the root file system as described above, but apply to the <filename>/usr/</filename> file system instead.</para></listitem>
|
<listitem><para>Equivalent to their counterparts for the root file system as described above, but
|
||||||
|
apply to the <filename>/usr/</filename> file system instead.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
|
@ -37,10 +37,10 @@
|
||||||
stateless systems.</para>
|
stateless systems.</para>
|
||||||
|
|
||||||
<para>This service is only enabled if full volatile mode is selected, for example by specifying
|
<para>This service is only enabled if full volatile mode is selected, for example by specifying
|
||||||
<literal>systemd.volatile=yes</literal> on the kernel command line. This service runs only in the initrdyes,
|
<literal>systemd.volatile=yes</literal> on the kernel command line. This service runs only in the initrd,
|
||||||
before the system transitions to the host's root directory. Note that this service is not used if
|
before the system transitions to the host's root directory. Note that this service is not used if
|
||||||
<literal>systemd.volatile=state</literal> is used, as in that mode the root directory is
|
<literal>systemd.volatile=state</literal> is used, as in that mode the root directory is non-volatile.
|
||||||
non-volatile.</para>
|
</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
|
|
@ -727,9 +727,9 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
||||||
<para>Note that this setting only has an effect on the unit's processes themselves (or any processes
|
<para>Note that this setting only has an effect on the unit's processes themselves (or any processes
|
||||||
directly or indirectly forked off them). It has no effect on processes potentially invoked on request
|
directly or indirectly forked off them). It has no effect on processes potentially invoked on request
|
||||||
of them through tools such as <citerefentry
|
of them through tools such as <citerefentry
|
||||||
project='man-pages'><refentrytitle>at</refentrytitle><manvolnum>1p</manvolnum></citerefentry>,
|
project='man-pages'><refentrytitle>at</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||||
<citerefentry
|
<citerefentry
|
||||||
project='man-pages'><refentrytitle>crontab</refentrytitle><manvolnum>1p</manvolnum></citerefentry>,
|
project='man-pages'><refentrytitle>crontab</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>, or
|
<citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>, or
|
||||||
arbitrary IPC services.</para></listitem>
|
arbitrary IPC services.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -934,7 +934,7 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
||||||
<entry>LimitNOFILE=</entry>
|
<entry>LimitNOFILE=</entry>
|
||||||
<entry>ulimit -n</entry>
|
<entry>ulimit -n</entry>
|
||||||
<entry>Number of File Descriptors</entry>
|
<entry>Number of File Descriptors</entry>
|
||||||
<entry>Don't use. Be careful when raising the soft limit above 1024, since <function>select()</function> cannot function with file descriptors above 1023 on Linux. Nowadays, the hard limit defaults to 524288, a very high value compared to historical defaults. Typically applications should increase their soft limit to the hard limit on their own, if they are OK with working with file descriptors above 1023, i.e. do not use <function>select()</function>. Note that file descriptors are nowadays accounted like any other form of memory, thus there should not be any need to lower the hard limit. Use <varname>MemoryMax=</varname> to control overall service memory use, including file descriptor memory.</entry>
|
<entry>Don't use. Be careful when raising the soft limit above 1024, since <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry> cannot function with file descriptors above 1023 on Linux. Nowadays, the hard limit defaults to 524288, a very high value compared to historical defaults. Typically applications should increase their soft limit to the hard limit on their own, if they are OK with working with file descriptors above 1023, i.e. do not use <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>. Note that file descriptors are nowadays accounted like any other form of memory, thus there should not be any need to lower the hard limit. Use <varname>MemoryMax=</varname> to control overall service memory use, including file descriptor memory.</entry>
|
||||||
</row>
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<entry>LimitAS=</entry>
|
<entry>LimitAS=</entry>
|
||||||
|
@ -3173,11 +3173,13 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
|
||||||
11) with a prefix of <literal>io.systemd.credential:</literal> or
|
11) with a prefix of <literal>io.systemd.credential:</literal> or
|
||||||
<literal>io.systemd.credential.binary:</literal>. In both cases a key/value pair separated by
|
<literal>io.systemd.credential.binary:</literal>. In both cases a key/value pair separated by
|
||||||
<literal>=</literal> is expected, in the latter case the right-hand side is Base64 decoded when
|
<literal>=</literal> is expected, in the latter case the right-hand side is Base64 decoded when
|
||||||
parsed (thus permitting binary data to be passed in). Example qemu switch: <literal>-smbios
|
parsed (thus permitting binary data to be passed in). Example
|
||||||
|
<ulink url="https://www.qemu.org/docs/master/system/index.html">qemu</ulink>
|
||||||
|
switch: <literal>-smbios
|
||||||
type=11,value=io.systemd.credential:xx=yy</literal>, or <literal>-smbios
|
type=11,value=io.systemd.credential:xx=yy</literal>, or <literal>-smbios
|
||||||
type=11,value=io.systemd.credential.binary:rick=TmV2ZXIgR29ubmEgR2l2ZSBZb3UgVXA=</literal>. Alternatively,
|
type=11,value=io.systemd.credential.binary:rick=TmV2ZXIgR29ubmEgR2l2ZSBZb3UgVXA=</literal>. Alternatively,
|
||||||
use the <command>qemu</command> <literal>fw_cfg</literal> node
|
use the <command>qemu</command> <literal>fw_cfg</literal> node
|
||||||
<literal>opt/io.systemd.credentials/</literal>. Example qemu switch: <literal>-fw_cfg
|
<literal>opt/io.systemd.credentials/</literal>. Example <command>qemu</command> switch: <literal>-fw_cfg
|
||||||
name=opt/io.systemd.credentials/mycred,string=supersecret</literal>. They may also be specified on
|
name=opt/io.systemd.credentials/mycred,string=supersecret</literal>. They may also be specified on
|
||||||
the kernel command line using the <literal>systemd.set_credential=</literal> switch (see
|
the kernel command line using the <literal>systemd.set_credential=</literal> switch (see
|
||||||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>) and from
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>) and from
|
||||||
|
|
|
@ -1116,7 +1116,7 @@
|
||||||
links.</para>
|
links.</para>
|
||||||
|
|
||||||
<programlisting>[Link]
|
<programlisting>[Link]
|
||||||
NamePolicy=kernel database onboard slot path
|
NamePolicy=kernel database on-board slot path
|
||||||
MACAddressPolicy=persistent</programlisting>
|
MACAddressPolicy=persistent</programlisting>
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
|
|
|
@ -2297,7 +2297,7 @@ allow my_server_t localnet_peer_t:peer recv;</programlisting>
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>[DHCPPrefixDelegation] Section Options</title>
|
<title>[DHCPPrefixDelegation] Section Options</title>
|
||||||
<para>The [DHCPPrefixDelegation] section configures subnet prefixes of the delegated prefixes
|
<para>The [DHCPPrefixDelegation] section configures subnet prefixes of the delegated prefixes
|
||||||
acquired by a DHCPv6 client, or by a DHCPv4 client through the 6RD option on another interface.
|
acquired by a DHCPv6 client or by a DHCPv4 client through the 6RD option on another interface.
|
||||||
The settings in this section are used only when the <varname>DHCPPrefixDelegation=</varname>
|
The settings in this section are used only when the <varname>DHCPPrefixDelegation=</varname>
|
||||||
setting in the [Network] section is enabled.</para>
|
setting in the [Network] section is enabled.</para>
|
||||||
|
|
||||||
|
|
|
@ -210,7 +210,7 @@
|
||||||
<title>See Also</title>
|
<title>See Also</title>
|
||||||
<para>Environment variables with details on the trigger will be set for triggered units. See the
|
<para>Environment variables with details on the trigger will be set for triggered units. See the
|
||||||
<literal>Environment Variables Set on Triggered Units</literal> section in
|
<literal>Environment Variables Set on Triggered Units</literal> section in
|
||||||
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||||
for more details.</para>
|
for more details.</para>
|
||||||
<para>
|
<para>
|
||||||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||||
|
|
|
@ -1139,8 +1139,9 @@ DeviceAllow=/dev/loop-control
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>systemd 252</term>
|
<term>systemd 252</term>
|
||||||
<listitem><para> Options for controlling the Legacy Control Group Hierarchy (<ulink
|
<listitem><para> Options for controlling the Legacy Control Group Hierarchy (<ulink
|
||||||
url="https://docs.kernel.org/admin-guide/cgroup-v1/index.html">Control Groups version 1</ulink> are
|
url="https://docs.kernel.org/admin-guide/cgroup-v1/index.html">Control Groups version 1</ulink>)
|
||||||
now fully deprecated: <varname>CPUShares=<replaceable>weight</replaceable></varname>,
|
are now fully deprecated:
|
||||||
|
<varname>CPUShares=<replaceable>weight</replaceable></varname>,
|
||||||
<varname>StartupCPUShares=<replaceable>weight</replaceable></varname>,
|
<varname>StartupCPUShares=<replaceable>weight</replaceable></varname>,
|
||||||
<varname>MemoryLimit=<replaceable>bytes</replaceable></varname>,
|
<varname>MemoryLimit=<replaceable>bytes</replaceable></varname>,
|
||||||
<varname>BlockIOAccounting=</varname>,
|
<varname>BlockIOAccounting=</varname>,
|
||||||
|
@ -1150,8 +1151,7 @@ DeviceAllow=/dev/loop-control
|
||||||
<replaceable>weight</replaceable></varname>,
|
<replaceable>weight</replaceable></varname>,
|
||||||
<varname>BlockIOReadBandwidth=<replaceable>device</replaceable>
|
<varname>BlockIOReadBandwidth=<replaceable>device</replaceable>
|
||||||
<replaceable>bytes</replaceable></varname>,
|
<replaceable>bytes</replaceable></varname>,
|
||||||
<varname>BlockIOWriteBandwidth=<replaceable>device</replaceable>
|
<varname>BlockIOWriteBandwidth=<replaceable>device</replaceable> <replaceable>bytes</replaceable></varname>.
|
||||||
<replaceable>bytes</replaceable></varname>.
|
|
||||||
Please switch to the unified cgroup hierarchy.</para></listitem>
|
Please switch to the unified cgroup hierarchy.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
|
@ -368,7 +368,7 @@
|
||||||
<title>See Also</title>
|
<title>See Also</title>
|
||||||
<para>Environment variables with details on the trigger will be set for triggered units. See the
|
<para>Environment variables with details on the trigger will be set for triggered units. See the
|
||||||
<literal>Environment Variables Set on Triggered Units</literal> section in
|
<literal>Environment Variables Set on Triggered Units</literal> section in
|
||||||
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||||
for more details.</para>
|
for more details.</para>
|
||||||
<para>
|
<para>
|
||||||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||||
|
|
|
@ -432,7 +432,7 @@
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>[Transfer] Section Options</title>
|
<title>[Transfer] Section Options</title>
|
||||||
|
|
||||||
<para>This section defines general properties of this transfer:</para>
|
<para>This section defines general properties of this transfer.</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
@ -485,7 +485,7 @@
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>[Source] Section Options</title>
|
<title>[Source] Section Options</title>
|
||||||
|
|
||||||
<para>This section defines properties of the transfer source:</para>
|
<para>This section defines properties of the transfer source.</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
@ -535,7 +535,7 @@
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>[Target] Section Options</title>
|
<title>[Target] Section Options</title>
|
||||||
|
|
||||||
<para>This section defines properties of the transfer target:</para>
|
<para>This section defines properties of the transfer target.</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
@ -546,7 +546,8 @@
|
||||||
<constant>subvolume</constant>. For details about the resource types, see above. This option is
|
<constant>subvolume</constant>. For details about the resource types, see above. This option is
|
||||||
mandatory.</para>
|
mandatory.</para>
|
||||||
|
|
||||||
<para>Note that only some combinations of source and target resource types are supported, see above.</para></listitem>
|
<para>Note that only certain combinations of source and target resource types are supported, see
|
||||||
|
above.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
@ -625,7 +626,7 @@
|
||||||
<ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
|
<ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
|
||||||
Specification</ulink>, similar to the <varname>PartitionNoAuto=</varname> and
|
Specification</ulink>, similar to the <varname>PartitionNoAuto=</varname> and
|
||||||
<varname>PartitionGrowFileSystem=</varname> flags described above. If the target type is
|
<varname>PartitionGrowFileSystem=</varname> flags described above. If the target type is
|
||||||
<constant>regular-file</constant>, the writable bit is removed from the access mode. If the the
|
<constant>regular-file</constant>, the writable bit is removed from the access mode. If the
|
||||||
target type is <constant>subvolume</constant>, the subvolume will be marked read-only as a
|
target type is <constant>subvolume</constant>, the subvolume will be marked read-only as a
|
||||||
whole. Finally, if the target <varname>Type=</varname> is selected as <constant>directory</constant>,
|
whole. Finally, if the target <varname>Type=</varname> is selected as <constant>directory</constant>,
|
||||||
the "immutable" file attribute is set, see <citerefentry
|
the "immutable" file attribute is set, see <citerefentry
|
||||||
|
@ -675,7 +676,7 @@
|
||||||
|
|
||||||
<para>If the target <varname>Type=</varname> is selected as <constant>partition</constant>, the number
|
<para>If the target <varname>Type=</varname> is selected as <constant>partition</constant>, the number
|
||||||
of concurrent versions to keep is additionally restricted by the number of partition slots of the
|
of concurrent versions to keep is additionally restricted by the number of partition slots of the
|
||||||
right type in the partition table. i.e. if there are only 2 partition slots for the selected
|
right type in the partition table. I.e. if there are only 2 partition slots for the selected
|
||||||
partition type, setting this value larger than 2 is without effect, since no more than 2 concurrent
|
partition type, setting this value larger than 2 is without effect, since no more than 2 concurrent
|
||||||
versions could be stored in the image anyway.</para></listitem>
|
versions could be stored in the image anyway.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
|
@ -88,8 +88,9 @@ A+ /path-or-glob/to/append/acls/recursively - - - - POSIX
|
||||||
<filename>/sys/</filename> or <filename>/proc/</filename>, as well as some other directories below
|
<filename>/sys/</filename> or <filename>/proc/</filename>, as well as some other directories below
|
||||||
<filename>/var/</filename>).</para>
|
<filename>/var/</filename>).</para>
|
||||||
|
|
||||||
<para><command>systemd-tmpfiles</command> uses this configuration to create volatile files and
|
<para><citerefentry><refentrytitle>systemd-tmpfiles</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||||
directories during boot and to do periodic cleanup afterwards. See
|
uses this configuration to create volatile files and directories during boot and to do periodic cleanup
|
||||||
|
afterwards. See
|
||||||
<citerefentry><refentrytitle>systemd-tmpfiles</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
|
<citerefentry><refentrytitle>systemd-tmpfiles</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
|
||||||
the description of <filename>systemd-tmpfiles-setup.service</filename>,
|
the description of <filename>systemd-tmpfiles-setup.service</filename>,
|
||||||
<filename>systemd-tmpfiles-clean.service</filename>, and associated units.</para>
|
<filename>systemd-tmpfiles-clean.service</filename>, and associated units.</para>
|
||||||
|
|
|
@ -866,7 +866,7 @@
|
||||||
the "whole" block device in case a partition block device is specified. The devices will be sorted
|
the "whole" block device in case a partition block device is specified. The devices will be sorted
|
||||||
by their device node major number as primary ordering key and the minor number as secondary
|
by their device node major number as primary ordering key and the minor number as secondary
|
||||||
ordering key (i.e. they are shown in the order they'd be locked). Note that the number of lines
|
ordering key (i.e. they are shown in the order they'd be locked). Note that the number of lines
|
||||||
printed here can be less than the the number of <option>--device=</option> and
|
printed here can be less than the number of <option>--device=</option> and
|
||||||
<option>--backing=</option> switches specified in case these resolve to the same "whole"
|
<option>--backing=</option> switches specified in case these resolve to the same "whole"
|
||||||
devices.</para></listitem>
|
devices.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
Loading…
Reference in a new issue