systemd-pcrlock.8: Some remarks and a patch with editorial changes for this man page
Bjarni Ingi Gislason
bjarniig at simnet.is
Sat Jul 4 00:31:25 BST 2026
Package: systemd-tpm
Version: 261.1-2
Severity: minor
Tags: patch upstream
Additional remarks.
Mails from me to "submit at bugs.debian.org" are no longer acknowledged. A
Debian maintainer told me, that he would contact the mail administrator
about me not wanting to send bugs upstream.
-.-
Dear Maintainer,
>From "/usr/share/doc/debian/bug-reporting.txt.gz":
Don't file bugs upstream
If you file a bug in Debian, don't send a copy to the upstream software
maintainers yourself, as it is possible that the bug exists only in
Debian. If necessary, the maintainer of the package will forward the
bug upstream.
-.-
For forwarding bug reports to upstream see:
https://www.debian.org/Bugs/Developer#forward
-.-
"Handling bug reports" in
http://people.debian.org/~enrico/dcg/ch03s02.html
-.-
I do not send reports upstream if I have to get an account there.
The Debian maintainers have one already.
If I get a negative (or no) response from upstream, I send henceforth
bugs to Debian.
-.-
* What led up to the situation?
Checking for defects with a new version
test-[g|n]roff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=0 -ww -z < "man page"
[Use
grep -n -e ' $' -e '\\~$' -e ' \\f.$' -e ' \\"' <file>
to find (most) trailing spaces.]
["test-groff" is a script in the repository for "groff"; is not shipped]
(local copy and "troff" slightly changed by me).
[The fate of "test-nroff" was decided in groff bug #55941.]
* What was the outcome of this action?
Output from "test-nroff -mandoc -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=0 -ww -z ":
troff:<stdin>:259: warning [page 1, line 211]: cannot break line in l adjust mode; overset by 1n [-w break]
troff:<stdin>:261: warning [page 1, line 213]: cannot break line in l adjust mode; overset by 1n [-w break]
troff:<stdin>:291: warning [page 1, line 240]: cannot break line in l adjust mode; overset by 1n [-w break]
* What outcome did you expect instead?
No output (no warnings).
-.-
General remarks and further material, if a diff-file exist, are in the
attachments.
-- System Information:
Debian Release: forky/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 7.0.13+deb14-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=is_IS.iso88591, LC_CTYPE=is_IS.iso88591 (charmap=ISO-8859-1), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages systemd-tpm depends on:
ii libc6 2.42-17
ii libssl3t64 3.6.3-1
ii libsystemd-shared 261.1-2
ii libtss2-esys-3.0.2-0t64 4.1.3-6
ii libtss2-mu-4.0.1-0t64 4.1.3-6
ii libtss2-rc0t64 4.1.3-6
ii libtss2-tcti-device0t64 4.1.3-6
systemd-tpm recommends no packages.
systemd-tpm suggests no packages.
-- no debconf information
-------------- next part --------------
Input file is systemd-pcrlock.8
Output from "mandoc -T lint systemd-pcrlock.8": (shortened list)
42 STYLE: input text line longer than 80 bytes
15 STYLE: input text line longer than 80 bytes:
1 WARNING: missing date, using ""
5 WARNING: skipping paragraph macro
-.-.
Output from
test-groff mandoc -t -Kutf8 -ww -z systemd-pcrlock.8: (shortened list)
1 .TH missing third argument; consider document modification date in ISO 8601 format (YYYY-MM-DD)
3 cannot break line in l adjust mode; overset by 1n [-w break]
-.-.
Change '-' (\-) to '\(en' (en-dash) for a (numeric) range.
GNU gnulib has recently (2023-06-18) updated its
"build_aux/update-copyright" to recognize "\(en" in man pages.
'-' is rendered as a hyphen (u2010) in UTF-8 encoding.
systemd-pcrlock.8:443:this will override which PCRs to include in the prediction and policy. If unspecified this defaults to PCRs 0\(en5, 7, 11, 13\(en15. Note that these commands will not include any PCRs in the prediction/policy (even if specified explicitly) if there are measurements in the event log that do not match the current PCR value, or there are unrecognized measurements in the event log, or components define measurements not seen in the event log.
-.-.
Strings longer than 3/4 of a standard line length (80).
Use "\:" to split the string at the end of an output line, for example a
long URL (web address).
This is a groff extension.
239 /var/lib/pcrlock\&.d/250\-firmware\-code\-early\&.pcrlock\&.d/generated\&.pcrlock
241 /var/lib/pcrlock\&.d/550\-firmware\-code\-late\&.pcrlock\&.d/generated\&.pcrlock\&.
261 /var/lib/pcrlock\&.d/250\-firmware\-config\-early\&.pcrlock\&.d/generated\&.pcrlock
263 /var/lib/pcrlock\&.d/550\-firmware\-config\-late\&.pcrlock\&.d/generated\&.pcrlock\&.
281 /var/lib/pcrlock\&.d/230\-secureboot\-policy\&.pcrlock\&.d/generated\&.pcrlock\&.
293 /var/lib/pcrlock\&.d/620\-secureboot\-authority\&.pcrlock\&.d/generated\&.pcrlock\&.
305 /var/lib/pcrlock\&.d/600\-gpt\&.pcrlock\&.d/generated\&.pcrlock\&.
373 /var/lib/pcrlock\&.d/840\-file\-system\-\fIpath\fR\&.pcrlock\&.
387 /var/lib/pcrlock\&.d/710\-kernel\-cmdline\&.pcrlock/generated\&.pcrlock\&.
401 /var/lib/pcrlock\&.d/720\-kernel\-initrd\&.pcrlock/generated\&.pcrlock\&.
599 \%https://trustedcomputinggroup.org/resource/canonical-event-log-format/
-.-.
Wrong distance (not two spaces, not a new line character (\n)) between
sentences in the input file.
Separate the sentences and subordinate clauses; each begins on a new
line. See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").
The best procedure is to always start a new sentence on a new line,
at least, if you are typing on a computer.
Remember coding: Only one command ("sentence") on each (logical) line.
E-mail: Easier to quote exactly the relevant lines.
Generally: Easier to edit the sentence.
Patches: Less unaffected text.
Search for two adjacent words is easier, when they belong to the same line,
and the same phrase.
The amount of space between sentences in the output can then be
controlled with the ".ss" request.
Mark a final abbreviation point as such by suffixing it with "\&".
Some sentences (etc.) do not begin on a new line.
Split (sometimes) lines after a punctuation mark; before a conjunction.
Lines with only one (or two) space(s) between sentences could be split,
so latter sentences begin on a new line.
Use
#!/usr/bin/sh
sed -e '/^\./n' \
-e 's/\([[:alpha:]]\)\. */\1.\n/g' $1
to split lines after a sentence period.
Check result with the difference between the formatted outputs.
See also the attachment "general.bugs"
[List of affected lines removed.]
-.-.
Split lines longer than 80 characters (fill completely
an A4 sized page line on a terminal)
into two or more lines.
Appropriate break points are the end of a sentence and a subordinate
clause; after punctuation marks.
[List of affected lines removed.]
Longest line is number 143 with 563 characters
Predicts the PCR state on future boots\&. This will analyze the TPM2 event log as described above, recognize components, and then generate all possible resulting PCR values for all combinations of component variants\&. Note that no prediction is made for PCRs whose value does not match the event log records, for which unrecognized measurements are discovered or for which components are defined that cannot be found in the event log\&. This is a safety measure to ensure that any generated access policy can be fulfilled correctly on current and future boots\&.
-.-.
Remove unnecessary double font change (e.g., \fR\fI) in a row or (better)
use a two-fonts macro.
[List with affected lines removed.]
564:\fB\-\-json=\fR\fB\fIMODE\fR\fR
-.-.
Put a parenthetical sentence, phrase on a separate line,
if not part of a code.
See man-pages(7), item "semantic newline".
systemd-pcrlock.8:32:is a tool that may be used to analyze and predict TPM2 PCR measurements, and generate TPM2 access policies from the prediction which it stores in a TPM2 NV index (i\&.e\&. in the TPM2 non\-volatile memory)\&. This may then be used to restrict access to TPM2 objects (such as disk encryption keys) to system boot\-ups in which only specific, trusted components are used\&.
systemd-pcrlock.8:83:\fBsystemd.pcrlock\fR(5)) that each define expected measurements for one component of the boot process, permitting alternative variants for each\&. (Variants may be used to bless multiple kernel versions or boot loader versions at the same time\&.)
systemd-pcrlock.8:86:It uses these inputs to generate a combined event log, validating it against the PCR states\&. It then attempts to recognize event log records and matches them against the defined components\&. For each PCR where this can be done comprehensively (i\&.e\&. where all listed records and all defined components have been matched) this may then be used to predict future PCR measurements, taking the alternative variants defined for each component into account\&. This prediction may then be converted into a TPM2 access policy (consisting of TPM2
systemd-pcrlock.8:90:items), which is then stored in an NV index in the TPM2\&. This may be used to then lock secrets (such as disk encryption keys) to these policies (via a TPM2
systemd-pcrlock.8:157:The NV index contents may be changed (and thus the policy stored in it updated) by providing an access PIN\&. This PIN is normally generated automatically and stored in encrypted form (with an access policy binding it to the NV index itself) in the aforementioned JSON policy file\&. This PIN may be chosen by the user, via the
systemd-pcrlock.8:252:This functionality should be used with care as in most scenarios a minor firmware configuration change should not invalidate access policies to TPM2 objects\&. Also note that some systems measure unstable and unpredictable information (e\&.g\&. current CPU voltages, temperatures, as part of SMBIOS data) to these PCRs, which means this form of lockdown cannot be used reliably on such systems\&. Use this functionality only if the system and hardware is well known and does not suffer by these limitations, for example in virtualized environments\&.
systemd-pcrlock.8:410:file based on raw binary data\&. The data is either read from the specified file or from STDIN (if none is specified)\&. This requires that
systemd-pcrlock.8:414:or to STDOUT (if none is specified)\&.
systemd-pcrlock.8:443:this will override which PCRs to include in the prediction and policy\&. If unspecified this defaults to PCRs 0\-5, 7, 11, 13\-15\&. Note that these commands will not include any PCRs in the prediction/policy (even if specified explicitly) if there are measurements in the event log that do not match the current PCR value, or there are unrecognized measurements in the event log, or components define measurements not seen in the event log\&.
systemd-pcrlock.8:476:tool is invoked from a fully booted system after boot\-up and before shutdown\&. This means various components that are defined for shutdown have not been measured yet, and should not be searched for\&. This option allows one to restrict which components are considered for analysis (taking only components before some point into account, ignoring components after them)\&. The expected string is ordered against the filenames of the components defined\&. Any components with a lexicographically later name are ignored\&. This logic applies to the
systemd-pcrlock.8:490:750\-enter\-initrd\&.pcrlock) until (and including) the main runtime of the system (as
-.-.
Only one space character is after a possible end of sentence
(after a punctuation, that can end a sentence).
Start a new sentence on a new line.
[List of affected lines removed.]
-.-.
Remove quotes when there is a printable
but no space character between them
and the quotes are not for emphasis (markup),
for example as an argument to a macro.
systemd-pcrlock.8:2:.TH "SYSTEMD\-PCRLOCK" "8" "" "systemd 261.1" "systemd-pcrlock"
systemd-pcrlock.8:22:.SH "NAME"
systemd-pcrlock.8:24:.SH "SYNOPSIS"
systemd-pcrlock.8:27:.SH "DESCRIPTION"
systemd-pcrlock.8:107:.SH "COMMANDS"
systemd-pcrlock.8:418:.SH "OPTIONS"
systemd-pcrlock.8:595:.SH "NOTES"
-.-.
Remove excessive "\&" when it has no functional purpose.
123:\m[blue]\fBTCG Canonical Event Log Format (CEL\-JSON)\fR\m[]\&\s-2\u[1]\d\s+2\&.
-.-.
Use "\-" instead of "-" (rendered as a hyphen (u2010) in UTF-8 encoding)
in web addresses.
599:\%https://trustedcomputinggroup.org/resource/canonical-event-log-format/
-.-.
Change comment lines of type '.\" ====', '.\" ---', and an empty
'.\"' line) to a single period, as they contain no information and waste
work each time they are processed.
3:.\" -----------------------------------------------------------------
5:.\" -----------------------------------------------------------------
6:.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
9:.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
12:.\" -----------------------------------------------------------------
14:.\" -----------------------------------------------------------------
19:.\" -----------------------------------------------------------------
21:.\" -----------------------------------------------------------------
-.-.
Output from "test-nroff -mandoc -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=0 -ww -z ":
troff:<stdin>:261: warning [page 1, line 211]: cannot break line in l adjust mode; overset by 1n [-w break]
troff:<stdin>:263: warning [page 1, line 213]: cannot break line in l adjust mode; overset by 1n [-w break]
troff:<stdin>:293: warning [page 1, line 240]: cannot break line in l adjust mode; overset by 1n [-w break]
-.-
Generally:
Split (sometimes) lines after a punctuation mark; before a conjunction.
Adjustment and hyphenation are unnecessary (and just waste resources) in
nroff mode for man pages, add
.if n \{\
. nh
. nr HY 0
. ad l
. ds AD l
.\}
-.-
Tables:
Use the preprocessor 'tbl' to make tables.
Put data, that are wider than the header in the (centered) last column,
in a "T{...\nT}" block(, when the table gets wider than the output line).
Table headings, that are wider than any data in the corresponding
column, do not need to be centered, so left adjustment (l, L) is
sufficient.
-------------- next part --------------
--- systemd-pcrlock.8 2026-07-03 22:25:01.421319455 +0000
+++ systemd-pcrlock.8.new 2026-07-03 23:26:10.770363768 +0000
@@ -1,31 +1,30 @@
'\" t
-.TH "SYSTEMD\-PCRLOCK" "8" "" "systemd 261.1" "systemd-pcrlock"
-.\" -----------------------------------------------------------------
+.TH SYSTEMD\-PCRLOCK 8 "" "systemd 261.1" systemd-pcrlock
+.
.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.
+.
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
-.\" -----------------------------------------------------------------
+.
.\" * set default formatting
-.\" -----------------------------------------------------------------
+.
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
-.\" -----------------------------------------------------------------
+.
.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
+.
+.SH NAME
systemd-pcrlock, systemd-pcrlock-file-system.service, systemd-pcrlock-firmware-code.service, systemd-pcrlock-firmware-config.service, systemd-pcrlock-machine-id.service, systemd-pcrlock-make-policy.service, systemd-pcrlock-secureboot-authority.service, systemd-pcrlock-secureboot-policy.service \- Analyze and predict TPM2 PCR states and generate an access policy from the prediction
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.HP \w'\fB/usr/lib/systemd/systemd\-pcrlock\fR\ 'u
\fB/usr/lib/systemd/systemd\-pcrlock\fR [OPTIONS...]
-.SH "DESCRIPTION"
-.PP
+.SH DESCRIPTION
Note: this command is experimental for now\&. While it is likely to become a regular component of systemd, it might still change in behaviour and interface\&.
.PP
\fBsystemd\-pcrlock\fR
@@ -104,8 +103,7 @@ switches of these tools\&.
The access policy logic requires a TPM2 device that implements the
"PolicyAuthorizeNV"
command, i\&.e\&. implements TPM 2\&.0 version 1\&.38 or newer\&.
-.SH "COMMANDS"
-.PP
+.SH COMMANDS
The following commands are understood:
.PP
\fBlog\fR
@@ -120,7 +118,7 @@ Added in version 255\&.
\fBcel\fR
.RS 4
This reads the combined TPM2 event log and writes it to STDOUT in
-\m[blue]\fBTCG Canonical Event Log Format (CEL\-JSON)\fR\m[]\&\s-2\u[1]\d\s+2\&.
+\m[blue]\fBTCG Canonical Event Log Format (CEL\-JSON)\fR\m[]\s-2\u[1]\d\s+2.
.sp
Added in version 255\&.
.RE
@@ -258,9 +256,15 @@ systemd\-pcrlock\-firmware\-config\&.ser
unit is enabled it will automatically generate a pcrlock file from the new measurements\&.
.sp
This writes/removes the files
-/var/lib/pcrlock\&.d/250\-firmware\-config\-early\&.pcrlock\&.d/generated\&.pcrlock
+.ie \n(.g \{\
+/var/lib/pcrlock.d/\:250\-firmware\-config\-early.pcrlock.d/\:generated.pcrlock
+and
+/var/lib/pcrlock.d/\:550\-firmware\-config\-late.pcrlock.d/\:generated.pcrlock.
+.el \{\
+/var/lib/pcrlock.d/250\-firmware\-config\-early.pcrlock.d/generated.pcrlock
and
-/var/lib/pcrlock\&.d/550\-firmware\-config\-late\&.pcrlock\&.d/generated\&.pcrlock\&.
+/var/lib/pcrlock.d/550\-firmware\-config\-late.pcrlock.d/generated.pcrlock.
+.\}
.sp
Added in version 255\&.
.RE
@@ -290,7 +294,12 @@ Generates/removes a
file based on the SecureBoot authorities used to validate the boot path\&. SecureBoot authorities are the specific SecureBoot database entries that where used to validate the UEFI PE binaries executed at boot\&. This looks at the event log of the current boot, and uses relevant measurements on PCR 7 ("secure\-boot\-policy")\&.
.sp
This writes/removes the file
-/var/lib/pcrlock\&.d/620\-secureboot\-authority\&.pcrlock\&.d/generated\&.pcrlock\&.
+.ie \n(.g \{\
+/var/lib/pcrlock.d/\:620\-secureboot\-authority.pcrlock.d/\:generated.pcrlock.
+.\}
+.el \{\
+/var/lib/pcrlock.d/620\-secureboot\-authority.pcrlock.d/generated.pcrlock.
+.\}
.sp
Added in version 255\&.
.RE
@@ -415,8 +424,7 @@ or to STDOUT (if none is specified)\&.
.sp
Added in version 255\&.
.RE
-.SH "OPTIONS"
-.PP
+.SH OPTIONS
The following options are understood:
.PP
\fB\-\-raw\-description\fR
@@ -561,7 +569,7 @@ If specified suppresses output when invo
Added in version 258\&.
.RE
.PP
-\fB\-\-json=\fR\fB\fIMODE\fR\fR
+\fB\-\-json=\fIMODE\fR
.RS 4
Shows output formatted as JSON\&. Expects one of
"short"
@@ -587,14 +595,12 @@ Print a short help text and exit\&.
Print a short version string and exit\&.
.RE
.SH "EXIT STATUS"
-.PP
On success, 0 is returned, a non\-zero failure code otherwise\&.
.SH "SEE ALSO"
-.PP
\fBsystemd\fR(1), \fBsystemd.pcrlock\fR(5), \fBsystemd-cryptenroll\fR(1), \fBsystemd-cryptsetup at .service\fR(8), \fBsystemd-repart\fR(8), \fBsystemd-pcrmachine.service\fR(8), \fBsystemd-creds\fR(1), \fBsystemd-stub\fR(7), \fBbootctl\fR(1)
-.SH "NOTES"
+.SH NOTES
.IP " 1." 4
TCG Canonical Event Log Format (CEL-JSON)
.RS 4
-\%https://trustedcomputinggroup.org/resource/canonical-event-log-format/
+\%https://trustedcomputinggroup.org/resource/canonical\-event\-log\-format/
.RE
-------------- next part --------------
Check the output from "lintian" in the Debian distribution.
Any program (person), that produces man pages, should check the output
for defects by using (both groff and nroff)
[gn]roff -mandoc -t -ww -b -z -K utf8 <man page>
To find most trailing spaces use
grep -n -e ' $' -e ' \\f.$' -e ' \\"' -e ' "$' <man page>
The same goes for man pages that are used as an input.
-.-
For a style guide use
mandoc -T lint
-.-
For general input conventions consult the man page "nroff(7)" (item
"Input conventions") or the Texinfo manual about the same item.
-.-
Any "autogenerator" should check its products with the above mentioned
'groff', 'mandoc', and additionally with 'nroff ...'.
It should also check its input files for too long (> 80) lines.
This is just a simple quality control measure.
The "autogenerator" may have to be corrected to get a better man page,
the source file may, and any additional file may.
-.-
Common defects:
Not removing trailing spaces (in in- and output).
The reason for these trailing spaces should be found and eliminated.
"git" has a "tool" to point out whitespace,
see for example "git-apply(1)" and git-config(1)")
-.-
Not beginning each input sentence on a new line.
Line length and patch size should thus be reduced when that has been fixed.
The script "reportbug" uses 'quoted-printable' encoding when a line is
longer than 1024 characters in an 'ascii' file.
See man-pages(7), item "semantic newline".
-.-
The difference between the formatted output of the original
and patched file can be seen with:
nroff -mandoc <file1> > <out1>
nroff -mandoc <file2> > <out2>
diff -d -u <out1> <out2>
and for groff, using
\"printf '%s\n%s\n' '.kern 0' '.ss 12 0' | groff -mandoc -Z - \"
instead of 'nroff -mandoc'
Add the option '-t', if the file contains a table.
Read the output from 'diff -d -u ...' with 'less -R' or similar.
-.-.
If 'man' (man-db) is used to check the manual for warnings,
the following must be set:
The option "-warnings=w"
The environmental variable:
export MAN_KEEP_STDERR=yes (or any non-empty value)
or
(produce only warnings):
export MANROFFOPT="-ww -b -z"
export MAN_KEEP_STDERR=yes (or any non-empty value)
-.-
-------------- next part --------------
An embedded message was scrubbed...
From: unknown sender
Subject: clean files of trailing whitespace
Date: no date
Size: 498
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20260703/2982f0c4/attachment-0001.eml>
More information about the Pkg-systemd-maintainers
mailing list