From 12caf7271655e16030e34279b1fb0b29a592f6ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=94=D0=B0=D0=BC=D1=98=D0=B0=D0=BD=20=D0=93=D0=B5=D0=BE?=
 =?UTF-8?q?=D1=80=D0=B3=D0=B8=D0=B5=D0=B2=D1=81=D0=BA=D0=B8?=
 <gdamjan@gmail.com>
Date: Mon, 29 Nov 2021 22:44:01 +0100
Subject: bootctl: optionally install .signed efi file

if /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed exists
install that instead of /usr/lib/systemd/boot/efi/systemd-bootx64.efi

the idea is that SecureBoot tooling can create the efi.signed file
whenever /usr/lib/systemd/boot/efi/systemd-bootx64.efi from the package
is updated.
---
 man/bootctl.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'man/bootctl.xml')

diff --git a/man/bootctl.xml b/man/bootctl.xml
index a0be688321..c50f458bbc 100644
--- a/man/bootctl.xml
+++ b/man/bootctl.xml
@@ -286,6 +286,14 @@
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>Signed .efi files</title>
+    <para><command>bootctl</command> <option>install</option> and <option>update</option> will look for a
+    <command>systemd-boot</command> file ending with the <literal>.efi.signed</literal> suffix first, and copy
+    that instead of the normal <literal>.efi</literal> file. This allows distributions or end-users to provide
+    signed images for UEFI SecureBoot.</para>
+  </refsect1>
+
   <refsect1>
     <title>Exit status</title>
     <para>On success, 0 is returned, a non-zero failure code otherwise.</para>
-- 
cgit v1.2.1