Provided by: systemd_255.4-1ubuntu8_amd64 
NAME
systemd.pcrlock, systemd.pcrlock.d - PCR measurement prediction files
SYNOPSIS
/etc/pcrlock.d/*.pcrlock
/etc/pcrlock.d/*.pcrlock.d/*.pcrlock
/run/pcrlock.d/*.pcrlock
/run/pcrlock.d/*.pcrlock.d/*.pcrlock
/var/lib/pcrlock.d/*.pcrlock
/var/lib/pcrlock.d/*.pcrlock.d/*.pcrlock
/usr/local/pcrlock.d/*.pcrlock
/usr/local/pcrlock.d/*.pcrlock.d/*.pcrlock
/usr/lib/pcrlock.d/*.pcrlock
/usr/lib/pcrlock.d/*.pcrlock.d/*.pcrlock
DESCRIPTION
*.pcrlock files define expected TPM2 PCR measurements of components involved in the boot
process. systemd-pcrlock(1) uses such pcrlock files to analyze and predict TPM2 PCR
measurements. The pcrlock files are JSON arrays that follow a subset of the TCG Common
Event Log Format (CEL-JSON)[1] specification. Specifically the "recnum", "content", and
"content_type" record fields are not used and ignored if present. Each pcrlock file
defines one set of expected, ordered PCR measurements of a specific component of the boot.
*.pcrlock files may be placed in various .d/ drop-in directories (see above for a full
list). All matching files discovered in these directories are sorted alphabetically by
their file name (without taking the actual directory they were found in into account):
pcrlock files with alphabetically earlier names are expected to cover measurements done
before those with alphabetically later names. In order to make positioning pcrlock files
in the boot process convenient the files are expected (by convention, this is not
enforced) to be named "NNN-component.pcrlock" (where NNN is a three-digit decimal number),
for example 750-enter-initrd.pcrlock.
For various components of the boot process more than one alternative pcrlock file shall be
supported (i.e. "variants"). For example to cover multiple kernels installed in parallel
in the access policy, or multiple versions of the boot loader. This can be done by placing
*.pcrlock.d/*.pcrlock in the drop-in dirs, i.e. a common directory for a specific
component, that contains one or more pcrlock files each covering one variant of the
component. Example: 650-kernel.pcrlock.d/6.5.5-200.fc38.x86_64.pcrlock and
650-kernel.pcrlock.d/6.5.7-100.fc38.x86_64.pcrlock
Use systemd-pcrlock list-components to list all pcrlock files currently installed.
Use the various lock-* commands of systemd-pcrlock to automatically generate suitable
pcrlock files for various types of resources.
WELL-KNOWN COMPONENTS
Components of the boot process may be defined freely by the administrator or OS vendor.
The following components are well-known however, and are defined by systemd. The list
below is useful for ordering local pcrlock files properly against these components of the
boot.
240-secureboot-policy.pcrlock
The SecureBoot policy, as recorded to PCR 7. May be generated via systemd-pcrlock
lock-secureboot-policy.
Added in version 255.
250-firmware-code-early.pcrlock
Firmware code measurements, as recorded to PCR 0 and 2, up to the separator
measurement (see 400-secureboot-separator.pcrlock. below). May be generated via
systemd-pcrlock lock-firmware-code.
Added in version 255.
250-firmware-config-early.pcrlock
Firmware configuration measurements, as recorded to PCR 1 and 3, up to the separator
measurement (see 400-secureboot-separator.pcrlock. below). May be generated via
systemd-pcrlock lock-firmware-config.
Added in version 255.
350-action-efi-application.pcrlock
The EFI "Application" measurement done once by the firmware. Statically defined.
Added in version 255.
400-secureboot-separator.pcrlock
The EFI "separator" measurement on PCR 7 done once by the firmware to indicate where
firmware control transitions into boot loader/OS control. Statically defined.
Added in version 255.
500-separator.pcrlock
The EFI "separator" measurements on PCRs 0-6 done once by the firmware to indicate
where firmware control transitions into boot loader/OS control. Statically defined.
Added in version 255.
550-firmware-code-late.pcrlock
Firmware code measurements, as recorded to PCR 0 and 2, after the separator
measurement (see 400-secureboot-separator.pcrlock. above). May be generated via
systemd-pcrlock lock-firmware-code.
Added in version 255.
550-firmware-config-late.pcrlock
Firmware configuration measurements, as recorded to PCR 1 and 3, after the separator
measurement (see 400-secureboot-separator.pcrlock. above). May be generated via
systemd-pcrlock lock-firmware-config.
Added in version 255.
600-gpt.pcrlock
The GPT partition table of the booted medium, as recorded to PCR 5 by the firmware.
May be generated via systemd-pcrlock lock-gpt.
Added in version 255.
620-secureboot-authority.pcrlock
The SecureBoot authority, as recorded to PCR 7. May be generated via systemd-pcrlock
lock-secureboot-authority.
Added in version 255.
700-action-efi-exit-boot-services.pcrlock
The EFI action generated when ExitBootServices() is generated, i.e. the UEFI
environment is left and the OS takes over. Covers the PCR 5 measurement. Statically
defined.
Added in version 255.
710-kernel-cmdline.pcrlock
The kernel command line, as measured by the Linux kernel to PCR 9. May be generated
via systemd-pcrlock lock-kernel-cmdline.
Added in version 255.
720-kernel-initrd.pcrlock
The kernel initrd, as measured by the Linux kernel to PCR 9. May be generated via
systemd-pcrlock lock-kernel-initrd.
Added in version 255.
750-enter-initrd.pcrlock
The measurement to PCR 11 systemd-pcrphase-initrd.service(8) makes when the initrd
initializes. Statically defined.
Added in version 255.
800-leave-initrd.pcrlock
The measurement to PCR 11 systemd-pcrphase-initrd.service(8) makes when the initrd
finishes. Statically defined.
Added in version 255.
820-machine-id.pcrlock
The measurement to PCR 15 systemd-pcrmachine.service(8) makes at boot, covering
/etc/machine-id contents. May be generated via systemd-pcrlock lock-machine-id.
Added in version 255.
830-root-file-system.pcrlock
The measurement to PCR 15 systemd-pcrfs-root.service(8) makes at boot, covering the
root file system identity. May be generated via systemd-pcrlock lock-file-system.
Added in version 255.
850-sysinit.pcrlock
The measurement to PCR 11 systemd-pcrphase-sysinit.service(8) makes when the main
userspace did basic initialization and will now proceed to start regular system
services. Statically defined.
Added in version 255.
900-ready.pcrlock
The measurement to PCR 11 systemd-pcrphase.service(8) makes when the system fully
booted up. Statically defined.
Added in version 255.
950-shutdown.pcrlock
The measurement to PCR 11 systemd-pcrphase.service(8) makes when the system begins
shutdown. Statically defined.
Added in version 255.
990-final.pcrlock
The measurement to PCR 11 systemd-pcrphase-sysinit.service(8) makes when the system is
close to finishing shutdown. Statically defined.
Added in version 255.
SEE ALSO
systemd(1), systemd-pcrlock(1)
NOTES
1. TCG Common Event Log Format (CEL-JSON)
https://trustedcomputinggroup.org/resource/canonical-event-log-format/