field | value | date
---|---|---
author | Luca Boccassi <bluca@debian.org> | 2023-05-21 15:32:39 +0200
committer | Luca Boccassi <bluca@debian.org> | 2023-05-24 12:09:03 +0200
commit | c67d5a027d7a34ab19a12f7585dd7c143d82481d (patch) |
tree | dac07d8ede1463f30f57d809449f90a342df70e7 /man |
parent | ukify: use empty stub for addons (diff) |
ukify: add default .sbat section for addons
In order to ensure addons can always be revoked via SBAT, and it is not
left out by mistake, have a default metadata entry if none is specified
by the caller.
https://github.com/rhboot/shim/blob/main/SBAT.md
Diffstat (limited to 'man')
-rw-r--r-- | man/ukify.xml | 26
1 files changed, 25 insertions, 1 deletions
diff --git a/man/ukify.xml b/man/ukify.xml index 2e22b1f42e..4531ac89b2 100644 --- a/man/ukify.xml +++ b/man/ukify.xml @@ -50,6 +50,7 @@ <varname>Splash=</varname>/<option>--splash=</option>, <varname>PCRPKey=</varname>/<option>--pcrpkey=</option>, <varname>Uname=</varname>/<option>--uname=</option>, + <varname>SBAT=</varname>/<option>--sbat=</option>, and <option>--section=</option> below.</para> @@ -369,6 +370,27 @@ </varlistentry> </variablelist> </refsect2> + + <refsect2> + <title>[Addon:<replaceable>NAME</replaceable>] section</title> + + <para>Currently, these options only apply when building PE addons.</para> + + <variablelist> + <varlistentry> + <term><varname>SBAT=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></varname></term> + <term><option>--sbat=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term> + + <listitem><para>SBAT metadata associated with the addon. SBAT policies are useful to revoke whole + groups of addons with a single, static policy update that does not take space in DBX/MOKX. If not + specified manually, a default metadata entry consisting of + <literal>uki.addon.systemd,1,UKI Addon,uki.addon.systemd,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html</literal> + will be used, to ensure it is always possible to revoke addons. For more information on SBAT see + <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim's documentation.</ulink></para> + </listitem> + </varlistentry> + </variablelist> + </refsect2> </refsect1> <refsect1> 
@@ -464,11 +486,13 @@ Phases=enter-initrd:leave-initrd --secureboot-private-key=sb.key \ --secureboot-certificate=sb.cert \ --cmdline='debug' \ + --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md + uki.addon.author,1,UKI Addon for System,uki.addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html' --output=debug.cmdline </programlisting> <para>This creates a signed PE binary that contains the additional kernel command line parameter - <literal>debug</literal>.</para> + <literal>debug</literal> with SBAT metadata referring to the owner of the addon.</para> </example> </refsect1> |
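Review bot: in the @@ -50,6 +50,7 @@ hunk, `SBAT=`/`--sbat=` is appended to the option list next to `Splash=`, `PCRPKey=` and `Uname=` with no qualifier, while the new [Addon:NAME] section says the option currently applies only when building PE addons; a reader scanning this list will assume it also places a `.sbat` section into a UKI. Either mark it in the list (for example `<varname>SBAT=</varname>/<option>--sbat=</option> (addons only)`) or point the list entry at the [Addon:NAME] section so the restriction is visible where the option is first mentioned.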
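Review bot: in the @@ -369,6 +370,27 @@ hunk, the documented default is a single component record, `uki.addon.systemd,1,UKI Addon,uki.addon.systemd,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html`, but the example added further down opens the value with the `sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md` version record that a `.sbat` section has to start with. The text should state whether ukify prepends that record to the default (and to a caller-supplied TEXT/@PATH value) or whether the caller must include it, otherwise someone copying the documented default into `--sbat=` ends up with a section that lacks the version record. Two smaller points: the default gives every addon built without an explicit value the same component name, so revoking `uki.addon.systemd` revokes all of them at once; that is the reason a builder should set its own value and is worth saying outright rather than only "to ensure it is always possible to revoke addons". And `<replaceable>@PATH</replaceable>` puts the literal `@` inside the replaceable; it should read `@<replaceable>PATH</replaceable>`, with a sentence saying the `@PATH` form reads the metadata from a file, since the paragraph never explains it. Minor: "these options" refers to a single option, and the full stop belongs outside the `<ulink>` element.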
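Review bot: in the @@ -464,11 +486,13 @@ hunk, the `--sbat='...'` argument is the only one in the programlisting whose line does not end in a `\` continuation, because its two SBAT records are separated by a real newline inside the single quotes. That is correct shell, but it reads like a missing backslash, and a reader who "fixes" it by adding `\` gets a literal backslash appended to the first record (single quotes do not process it). Add a short sentence to the prose saying that each record goes on its own line, or show the `@PATH` form reading the records from a file so the listing keeps one argument per line. The vendor fields `uki.addon.author` / `UKI Addon for System` are placeholders in the same way `sb.key` and `sb.cert` are, but the closing sentence only says the metadata refers "to the owner of the addon"; say explicitly that the builder must substitute its own component name, vendor name and URL. The closing sentence also reads better as "...the additional kernel command line parameter <literal>debug</literal>, plus SBAT metadata identifying the owner of the addon."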