Provided by: systemd_256.5-2ubuntu3_amd64 bug

NAME

       systemd.pcrlock, systemd.pcrlock.d - PCR measurement prediction files

SYNOPSIS

           /etc/pcrlock.d/*.pcrlock
           /etc/pcrlock.d/*.pcrlock.d/*.pcrlock
           /run/pcrlock.d/*.pcrlock
           /run/pcrlock.d/*.pcrlock.d/*.pcrlock
           /var/lib/pcrlock.d/*.pcrlock
           /var/lib/pcrlock.d/*.pcrlock.d/*.pcrlock
           /usr/local/pcrlock.d/*.pcrlock
           /usr/local/pcrlock.d/*.pcrlock.d/*.pcrlock
           /usr/lib/pcrlock.d/*.pcrlock
           /usr/lib/pcrlock.d/*.pcrlock.d/*.pcrlock

DESCRIPTION

       *.pcrlock files define expected TPM2 PCR measurements of components involved in the boot
       process.  systemd-pcrlock(1) uses such pcrlock files to analyze and predict TPM2 PCR
       measurements. The pcrlock files are JSON arrays that follow a subset of the TCG Canonical
       Event Log Format (CEL-JSON)[1] specification. Specifically the "recnum", "content", and
       "content_type" record fields are not used and ignored if present. Each pcrlock file
       defines one set of expected, ordered PCR measurements of a specific component of the boot.

       *.pcrlock files may be placed in various .d/ drop-in directories (see above for a full
       list). All matching files discovered in these directories are sorted alphabetically by
       their file name (without taking the actual directory they were found in into account):
       pcrlock files with alphabetically earlier names are expected to cover measurements done
       before those with alphabetically later names. In order to make positioning pcrlock files
       in the boot process convenient the files are expected (by convention, this is not
       enforced) to be named "NNN-component.pcrlock" (where NNN is a three-digit decimal number),
       for example 750-enter-initrd.pcrlock.

       For various components of the boot process more than one alternative pcrlock file shall be
       supported (i.e. "variants"). For example to cover multiple kernels installed in parallel
       in the access policy, or multiple versions of the boot loader. This can be done by placing
       *.pcrlock.d/*.pcrlock in the drop-in dirs, i.e. a common directory for a specific
       component, that contains one or more pcrlock files each covering one variant of the
       component. Example: 650-kernel.pcrlock.d/6.5.5-200.fc38.x86_64.pcrlock and
       650-kernel.pcrlock.d/6.5.7-100.fc38.x86_64.pcrlock

       Use systemd-pcrlock list-components to list all pcrlock files currently installed.

       Use the various lock-* commands of systemd-pcrlock to automatically generate suitable
       pcrlock files for various types of resources.

WELL-KNOWN COMPONENTS

       Components of the boot process may be defined freely by the administrator or OS vendor.
       The following components are well-known however, and are defined by systemd. The list
       below is useful for ordering local pcrlock files properly against these components of the
       boot.

       240-secureboot-policy.pcrlock
           The SecureBoot policy, as recorded to PCR 7. May be generated via systemd-pcrlock
           lock-secureboot-policy.

           Added in version 255.

       250-firmware-code-early.pcrlock
           Firmware code measurements, as recorded to PCR 0 and 2, up to the separator
           measurement (see 400-secureboot-separator.pcrlock below). May be generated via
           systemd-pcrlock lock-firmware-code.

           Added in version 255.

       250-firmware-config-early.pcrlock
           Firmware configuration measurements, as recorded to PCR 1 and 3, up to the separator
           measurement (see 400-secureboot-separator.pcrlock below). May be generated via
           systemd-pcrlock lock-firmware-config.

           Added in version 255.

       350-action-efi-application.pcrlock
           The EFI "Application" measurement done once by the firmware. Statically defined.

           Added in version 255.

       400-secureboot-separator.pcrlock
           The EFI "separator" measurement on PCR 7 done once by the firmware to indicate where
           firmware control transitions into boot loader/OS control. Statically defined.

           Added in version 255.

       500-separator.pcrlock
           The EFI "separator" measurements on PCRs 0-6 done once by the firmware to indicate
           where firmware control transitions into boot loader/OS control. Statically defined.

           Added in version 255.

       550-firmware-code-late.pcrlock
           Firmware code measurements, as recorded to PCR 0 and 2, after the separator
           measurement (see 400-secureboot-separator.pcrlock above). May be generated via
           systemd-pcrlock lock-firmware-code.

           Added in version 255.

       550-firmware-config-late.pcrlock
           Firmware configuration measurements, as recorded to PCR 1 and 3, after the separator
           measurement (see 400-secureboot-separator.pcrlock above). May be generated via
           systemd-pcrlock lock-firmware-config.

           Added in version 255.

       600-gpt.pcrlock
           The GPT partition table of the booted medium, as recorded to PCR 5 by the firmware.
           May be generated via systemd-pcrlock lock-gpt.

           Added in version 255.

       620-secureboot-authority.pcrlock
           The SecureBoot authority, as recorded to PCR 7. May be generated via systemd-pcrlock
           lock-secureboot-authority.

           Added in version 255.

       700-action-efi-exit-boot-services.pcrlock
           The EFI action generated when ExitBootServices() is generated, i.e. when the UEFI
           environment is left and the OS takes over. Covers the PCR 5 measurement. Statically
           defined.

           Added in version 255.

       710-kernel-cmdline.pcrlock
           The kernel command line, as measured by the Linux kernel to PCR 9. May be generated
           via systemd-pcrlock lock-kernel-cmdline.

           Added in version 255.

       720-kernel-initrd.pcrlock
           The kernel initrd, as measured by the Linux kernel to PCR 9. May be generated via
           systemd-pcrlock lock-kernel-initrd.

           Added in version 255.

       750-enter-initrd.pcrlock
           The measurement to PCR 11 systemd-pcrphase-initrd.service(8) makes when the initrd
           initializes. Statically defined.

           Added in version 255.

       800-leave-initrd.pcrlock
           The measurement to PCR 11 systemd-pcrphase-initrd.service(8) makes when the initrd
           finishes. Statically defined.

           Added in version 255.

       820-machine-id.pcrlock
           The measurement to PCR 15 systemd-pcrmachine.service(8) makes at boot, covering
           /etc/machine-id contents. May be generated via systemd-pcrlock lock-machine-id.

           Added in version 255.

       830-root-file-system.pcrlock
           The measurement to PCR 15 systemd-pcrfs-root.service(8) makes at boot, covering the
           root file system identity. May be generated via systemd-pcrlock lock-file-system.

           Added in version 255.

       850-sysinit.pcrlock
           The measurement to PCR 11 systemd-pcrphase-sysinit.service(8) makes when the main
           userspace did basic initialization and will now proceed to start regular system
           services. Statically defined.

           Added in version 255.

       900-ready.pcrlock
           The measurement to PCR 11 systemd-pcrphase.service(8) makes when the system fully
           booted up. Statically defined.

           Added in version 255.

       950-shutdown.pcrlock
           The measurement to PCR 11 systemd-pcrphase.service(8) makes when the system begins
           shutdown. Statically defined.

           Added in version 255.

       990-final.pcrlock
           The measurement to PCR 11 systemd-pcrphase-sysinit.service(8) makes when the system is
           close to finishing shutdown. Statically defined.

           Added in version 255.

SEE ALSO

       systemd(1), systemd-pcrlock(1)

NOTES

        1. TCG Canonical Event Log Format (CEL-JSON)
           https://trustedcomputinggroup.org/resource/canonical-event-log-format/