| author | Luca Boccassi <bluca@debian.org> | 2023-07-03 19:33:07 +0200 |
|---|---|---|
| committer | Luca Boccassi <bluca@debian.org> | 2023-07-05 22:31:08 +0200 |
| commit | a8b645dec8e6abf4c9ba0c93a6a0088953a2155e (patch) | |
| tree | 32d1c4334486050debd9ed2b2bf9606a5aaaf18d /man/ukify.xml | |
| parent | hwdb update for v246-rc1 (diff) | |
| download | systemd-a8b645dec8e6abf4c9ba0c93a6a0088953a2155e.tar.xz, systemd-a8b645dec8e6abf4c9ba0c93a6a0088953a2155e.zip | |
ukify: enable --sbat for UKIs too
For confidential computing they want to be able to revoke initrds too, so allow
passing a specific --sbat section when building a UKI too, not just an addon.
Merge it with the stub and kernel sections.
Diffstat (limited to 'man/ukify.xml')
-rw-r--r-- | man/ukify.xml | 36 |
1 files changed, 15 insertions, 21 deletions
diff --git a/man/ukify.xml b/man/ukify.xml index 31e54c473a..28103ea2d4 100644 --- a/man/ukify.xml +++ b/man/ukify.xml @@ -366,6 +366,19 @@ <varname>SignKernel=</varname>/<option>--sign-kernel</option> is true, and the binary has already been signed, the signature will be appended anyway.</para></listitem> </varlistentry> + + <varlistentry> + <term><varname>SBAT=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></varname></term> + <term><option>--sbat=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term> + + <listitem><para>SBAT metadata associated with the UKI or addon. SBAT policies are useful to revoke + whole groups of UKIs or addons with a single, static policy update that does not take space in + DBX/MOKX. If not specified manually, a default metadata entry consisting of + <literal>uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html</literal> + will be used, to ensure it is always possible to revoke UKIs and addons. For more information on + SBAT see <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim's documentation.</ulink> + </para></listitem> + </varlistentry> </variablelist> </refsect2> 
@@ -412,27 +425,6 @@ </varlistentry> </variablelist> </refsect2> - - <refsect2> - <title>[Addon:<replaceable>NAME</replaceable>] section</title> - - <para>Currently, these options only apply when building PE addons.</para> - - <variablelist> - <varlistentry> - <term><varname>SBAT=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></varname></term> - <term><option>--sbat=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term> - - <listitem><para>SBAT metadata associated with the addon. SBAT policies are useful to revoke whole - groups of addons with a single, static policy update that does not take space in DBX/MOKX. If not - specified manually, a default metadata entry consisting of - <literal>uki.addon.systemd,1,UKI Addon,uki.addon.systemd,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html</literal> - will be used, to ensure it is always possible to revoke addons. For more information on SBAT see - <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim's documentation.</ulink></para> - </listitem> - </varlistentry> - </variablelist> - </refsect2> </refsect1> <refsect1> @@ -457,6 +449,8 @@ --linux=/lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \ --initrd=early_cpio \ --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \ + --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md + uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html' \ --pcr-private-key=pcr-private-initrd-key.pem \ --pcr-public-key=pcr-public-initrd-key.pem \ --phases='enter-initrd' \ |
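Review bot: In the @@ -366 hunk, the new SBAT= paragraph states one default entry, `uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html`, for both UKIs and addons, while the [Addon:NAME] text removed in the following hunk documented a distinct addon default (`uki.addon.systemd,1,UKI Addon,uki.addon.systemd,1,...`). If addons keep the `uki.addon.systemd` default, the merged paragraph is now wrong for them; either list both defaults ("`uki,1,...` for UKIs and `uki.addon.systemd,1,...` for addons") or say explicitly that the addon default changed. A revocation policy keyed on the wrong component name is exactly the kind of mismatch this text should prevent. Minor: the closing `</ulink>` comes after the sentence's full stop, so the period renders as part of the link; move it outside the element.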
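Review bot: In the @@ -412 hunk, deleting the whole `[Addon:<replaceable>NAME</replaceable>]` refsect2 also deletes the only mention of that config-file section and of its "only apply when building PE addons" scoping. If ukify still accepts an `[Addon:NAME]` section in config files, the remaining documentation should say so and state where SBAT= for an addon is now read from; if the section is gone entirely, one sentence in the surviving SBAT= entry noting that addon SBAT= moved there would spare readers of older configs a search through the page for a section that no longer exists.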
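Review bot: In the @@ -457 hunk, the added `--sbat=` example spans two lines inside one single-quoted argument. That is valid shell, but if the continuation line is indented to align with the first (the rendering here collapses whitespace, so it is hard to tell), the leading spaces become part of the second SBAT CSV record, which shim would then parse as an entry whose component name starts with whitespace; start the continuation at column 0 or pass the text via the documented `@PATH` form instead. Separately, the example supplies the `sbat,1,SBAT Version,sbat,1,...` header line by hand, while the new SBAT= paragraph describes the default as a single `uki,1,...` entry with no header; a sentence saying whether ukify prepends that header when the option is given, or whether the caller must always include it as the example does, would keep the option description and the example consistent.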