@@ -131,29 +131,35 @@ CHANGES WITH 255 in spe:
131131 replace the old mount (if any), instead of overmounting it.
132132
133133 * Units now have MemoryPeak, MemorySwapPeak, MemorySwapCurrent and
134- MemoryZSwapCurrent properties, which respectively contain the values of
135- the cgroup v2's memory.peak, memory.swap.peak, memory.swap.current and
136- memory.zswap.current properties.
134+ MemoryZSwapCurrent properties, which respectively contain the values
135+ of the cgroup v2's memory.peak, memory.swap.peak, memory.swap.current
136+ and memory.zswap.current properties. This information is also show in
137+ "systemctl status" output, if available.
137138
138139 TPM2 Support + Disk Encryption & Authentication:
139140
140141 * systemd-cryptenroll now allows specifying a PCR bank and explicit hash
141142 value in the --tpm2-pcrs= option.
142143
143- * systemd-cryptenroll now allows specifying a TPM2 key handle to be used
144- instead of the default SRK via the new --tpm2-seal-key-handle= option.
144+ * systemd-cryptenroll now allows specifying a TPM2 key handle (nv
145+ index) to be used instead of the default SRK via the new
146+ --tpm2-seal-key-handle= option.
145147
146- * systemd-cryptenroll now allows enrolling using only a TPM2 public key,
147- without access to the TPM2 itself, which enables remote sealing.
148+ * systemd-cryptenroll now allows TPM2 enrollment using only a TPM2
149+ public key (in TPM2B_PUBLIC format) – without access to the TPM2
150+ device itself – which enables offline sealing of LUKS images for a
151+ specific TPM2 chip, as long as the SRK public key is known. Pass the
152+ public to the tool via the new --tpm2-device-key= switch.
148153
149154 * systemd-cryptsetup is now installed in /usr/bin/ and is no longer an
150155 internal-only executable.
151156
152157 * The TPM2 Storage Root Key will now be set up, if not already present,
153- by a new systemd-tpm2-setup.service early boot service. The SRK will be
154- stored in PEM format and TPM2_PUBLIC format for easier access. A new
155- srk verb has been added to systemd-analyze to allow extracting it on
156- demand if it is already set up.
158+ by a new systemd-tpm2-setup.service early boot service. The SRK will
159+ be stored in PEM format and TPM2_PUBLIC format (the latter is useful
160+ for systemd-cryptenroll --tpm2-device-key=, as mentioned above) for
161+ easier access. A new "srk" verb has been added to systemd-analyze to
162+ allow extracting it on demand if it is already set up.
157163
158164 * The internal systemd-pcrphase executable has been renamed to
159165 systemd-pcrextend.
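Review bot: The two new bullets in this hunk disagree on the name of the SRK public-key format: the systemd-cryptenroll entry says the key is passed "in TPM2B_PUBLIC format", while the systemd-tpm2-setup.service entry a few lines later says the SRK is stored "in PEM format and TPM2_PUBLIC format" and then points back to --tpm2-device-key=. Since the second entry explicitly refers to the first, both should use the same name (TPM2B_PUBLIC is the marshalled TPM structure name used in the cryptenroll bullet). Two smaller wording problems in the added lines: "This information is also show in" should read "is also shown in", and "Pass the public to the tool via the new --tpm2-device-key= switch" is missing the noun, i.e. "Pass the public key to the tool". Finally, the parenthetical "(nv index)" added to the --tpm2-seal-key-handle= bullet is worth a second look: the option is described as selecting a key to use instead of the SRK, which is a TPM2 object handle rather than an NV index, so either drop the parenthetical or state precisely which kind of handle the option accepts.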
@@ -244,11 +250,13 @@ CHANGES WITH 255 in spe:
244250 * The 90-loaderentry kernel-install hook now supports installing device
245251 trees.
246252
247- * kernel-install now supports --json, --root, --image and --image-policy
248- options for the inspect verb.
253+ * kernel-install now supports the --json= , --root= , --image= and
254+ --image-policy= options for the inspect verb.
249255
250- * kernel-install now supports new list and add-all verbs. The latter will
251- install all the kernels it can find to the ESP.
256+ * kernel-install now supports new list and add-all verbs. The former
257+ lists all installed kernel images (if those are available in
258+ /usr/lib/modules/). The latter will install all the kernels it can
259+ find to the ESP.
252260
253261 systemd-repart:
254262
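Review bot: The rewritten option list "--json= , --root= , --image= and --image-policy=" has stray spaces before the commas; it should read "--json=, --root=, --image= and --image-policy=" to match how options are listed elsewhere in this file. In the add-all/list bullet, the parenthetical "(if those are available in /usr/lib/modules/)" is ambiguous about what "those" refers to; consider "lists all kernel images installed under /usr/lib/modules/" so the reader knows where the verb looks.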
@@ -273,8 +281,9 @@ CHANGES WITH 255 in spe:
273281 files, to indicate which directories in the target partition should be
274282 btrfs subvolumes.
275283
276- * A new --tpm2-device-key= option can be used to encrypt a disk against
277- a remote TPM2 using its public key.
284+ * A new --tpm2-device-key= option can be used to lock a disk against a
285+ specific TPM2 public key. This matches the same switch the
286+ systemd-cryptenroll tool now supports (see above).
278287
279288 Journal:
280289
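Review bot: "This matches the same switch the systemd-cryptenroll tool now supports" is redundant ("matches the same"); suggest "This mirrors the switch of the same name that systemd-cryptenroll now supports (see above)." Since this bullet defers to the cryptenroll entry, it would also help to state here that the option takes the same input, i.e. the TPM2 public key in the format described in that entry, rather than leaving the reader to infer it from the cross-reference.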