cryptenroll/repart/creds: no longer default to binding against literal PCR 7 (#36200)
1 <?xml version="1.0"?>
2 <!--*-nxml-*-->
3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
4   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
5 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
6 <refentry id="systemd-tpm2-setup.service" conditional='ENABLE_BOOTLOADER'
7           xmlns:xi="http://www.w3.org/2001/XInclude">
9   <refentryinfo>
10     <title>systemd-tpm2-setup.service</title>
11     <productname>systemd</productname>
12   </refentryinfo>
14   <refmeta>
15     <refentrytitle>systemd-tpm2-setup.service</refentrytitle>
16     <manvolnum>8</manvolnum>
17   </refmeta>
19   <refnamediv>
20     <refname>systemd-tpm2-setup.service</refname>
21     <refname>systemd-tpm2-setup-early.service</refname>
22     <refname>systemd-tpm2-setup</refname>
23     <refpurpose>Set up the TPM2 Storage Root Key (SRK) at boot</refpurpose>
24   </refnamediv>
26   <refsynopsisdiv>
27     <para><filename>systemd-tpm2-setup.service</filename></para>
28     <para><filename>/usr/lib/systemd/systemd-tpm2-setup</filename></para>
29   </refsynopsisdiv>
31   <refsect1>
32     <title>Description</title>
34     <para><filename>systemd-tpm2-setup.service</filename> and
35     <filename>systemd-tpm2-setup-early.service</filename> are services that generate the Storage Root Key
36     (SRK) if it has not been generated yet, and store it in the TPM.</para>
38     <para>The services will store the public key of the SRK key pair in a PEM file in
39     <filename>/run/systemd/tpm2-srk-public-key.pem</filename> and
40     <filename>/var/lib/systemd/tpm2-srk-public-key.pem</filename>. They will also store it in TPM2B_PUBLIC
41     format in <filename>/run/systemd/tpm2-srk-public-key.tpm2b_public</filename> and
42     <filename>/var/lib/systemd/tpm2-srk-public-key.tpm2b_public</filename>.</para>
44     <para><filename>systemd-tpm2-setup-early.service</filename> runs very early at boot (possibly in the
45     initrd), and writes the SRK public key to <filename>/run/systemd/tpm2-srk-public-key.*</filename> (as
46     <filename>/var/</filename> is generally not accessible this early yet), while
47     <filename>systemd-tpm2-setup.service</filename> runs during a later boot phase and saves the public key
48     to <filename>/var/lib/systemd/tpm2-srk-public-key.*</filename>.</para>
49   </refsect1>
51   <refsect1>
52     <title>Files</title>
54     <variablelist>
55       <varlistentry>
56         <term><filename>/run/systemd/tpm2-srk-public-key.pem</filename></term>
57         <term><filename>/run/systemd/tpm2-srk-public-key.tpm2b_public</filename></term>
59         <listitem><para>The SRK public key in PEM and TPM2B_PUBLIC format, written during early boot.</para>
61         <xi:include href="version-info.xml" xpointer="v255"/></listitem>
62       </varlistentry>
64       <varlistentry>
65         <term><filename>/var/lib/systemd/tpm2-srk-public-key.pem</filename></term>
66         <term><filename>/var/lib/systemd/tpm2-srk-public-key.tpm2b_public</filename></term>
68         <listitem><para>The SRK public key in PEM and TPM2B_PUBLIC format, written during later boot (once
69         <filename>/var/</filename> is available).</para>
71         <xi:include href="version-info.xml" xpointer="v255"/></listitem>
72       </varlistentry>
73     </variablelist>
74   </refsect1>
76   <refsect1>
77     <title>See Also</title>
78     <para><simplelist type="inline">
79       <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
80     </simplelist></para>
81   </refsect1>
82 </refentry>