From 00e5933f57c6e336ebed18601299acc6855bb3c2 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Tue, 18 Apr 2023 00:40:43 +0100 Subject: ukify: allow building PE addon Make the kernel optional too, so that we can easily build and sign a PE addon, that can be used to carry extra command line options. --- man/ukify.xml | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) (limited to 'man') diff --git a/man/ukify.xml b/man/ukify.xml index c3c0d3f2df..97c3f899c7 100644 --- a/man/ukify.xml +++ b/man/ukify.xml @@ -17,14 +17,14 @@ ukify - Combine kernel and initrd into a signed Unified Kernel Image + Combine components into a signed Unified Kernel Image for UEFI systems /usr/lib/systemd/ukify - LINUX - INITRD + LINUX + INITRD OPTIONS @@ -35,8 +35,8 @@ Note: this command is experimental for now. While it is intended to become a regular component of systemd, it might still change in behaviour and interface. - ukify is a tool that combines a kernel and an initrd with - a UEFI boot stub to create a + ukify is a tool that combines components (e.g.: a kernel and an initrd with + a UEFI boot stub) to create a Unified Kernel Image (UKI) — a PE binary that can be executed by the firmware to start the embedded linux kernel. See systemd-stub7 @@ -53,6 +53,9 @@ and below. + ukify can also be used to assemble a PE binary that is not executable but + contains auxiliary data, for example additional kernel command line entries. + If PCR signing keys are provided via the and options, PCR values that will be seen after booting with the given kernel, initrd, and other sections, will be calculated, signed, and embedded in the UKI. 
@@ -78,10 +81,9 @@ Options - Note that the LINUX positional argument is mandatory. The - INITRD positional arguments are optional. If more than one is specified, they - will all be combined into a single PE section. This is useful to for example prepend microcode before the - actual initrd. + The LINUX and INITRD positional arguments are + optional. If more than one INITRD are specified, they will all be combined into + a single PE section. This is useful to for example prepend microcode before the actual initrd. The following options are understood: @@ -296,6 +298,19 @@ key pcr-private-system-key.pem. The Linux binary and the resulting combined image will be signed with the SecureBoot key sb.key. + + + Kernel command line auxiliary PE + + ukify \ + --secureboot-private-key=sb.key \ + --secureboot-certificate=sb.cert \ + --cmdline='debug' \ + --output=debug.cmdline.efi + + + This creates a signed PE binary that contains an additional kernel command line parameter. + -- cgit v1.2.1
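Review bot: in the first hunk (@@ -17,14) the new purpose line, "Combine components into a signed Unified Kernel Image for UEFI systems", still names only the UKI, while a later hunk documents a second output, a PE binary "that is not executable but contains auxiliary data". Suggest mentioning the addon in the purpose line as well, so the summary matches both uses.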
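Review bot: in the description hunk (@@ -35,8) the surrounding sentence still ends with "to start the embedded linux kernel", which no longer holds for every output now that the kernel is optional, and "e.g.:" carries a stray colon. Suggest writing "e.g." and qualifying that a kernel is started only when LINUX is supplied.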
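Review bot: the paragraph added in the @@ -53,6 hunk does not say what consumes the auxiliary PE binary or which options remain meaningful when no kernel is given. The PCR paragraph that follows it speaks of values "seen after booting with the given kernel, initrd, and other sections", so it is unclear what the PCR signing options do for an addon. Suggest one sentence stating how the addon is loaded and whether PCR signing applies to it.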
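Review bot: in the Options hunk (@@ -78,10), "If more than one INITRD are specified" should read "is specified", and "useful to for example prepend" reads better as "useful, for example, to prepend". The new text also leaves open whether INITRD may be given without LINUX now that both are optional; suggest stating which combinations are accepted.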
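Review bot: the example added in the @@ -296,6 hunk does not point out that omitting LINUX and INITRD is what makes the output an addon, and its closing sentence stops at "a signed PE binary that contains an additional kernel command line parameter" without saying where the file goes or what picks it up at boot. Since the result is signed with the SecureBoot key and changes the kernel command line, suggest adding a sentence on how it is verified and applied, with a reference to the man page that documents the consumer.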