From e673c5c2d904d821719b2d21746ef91482acf8b4 Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Fri, 5 May 2023 06:22:57 -0400 Subject: ukify: typo in doc and print when package is missing If a package is missing, a subprocess is started with None as command argument. Error raised by subprocess is therefore not helpful at all to understand what needs to be done to fix that error. Also fix doc since systemd-stub will look for .cmdline files, and not .cmdline.efi files. Signed-off-by: Emanuele Giuseppe Esposito --- man/ukify.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'man') diff --git a/man/ukify.xml b/man/ukify.xml index 6aa136298d..cc711190fa 100644 --- a/man/ukify.xml +++ b/man/ukify.xml @@ -435,7 +435,7 @@ Phases=enter-initrd:leave-initrd --secureboot-private-key=sb.key \ --secureboot-certificate=sb.cert \ --cmdline='debug' \ - --output=debug.cmdline.efi + --output=debug.cmdline This creates a signed PE binary that contains the additional kernel command line parameter -- cgit v1.2.1 From c1e8d1727b64cc38821140312c7c3348300d81a0 Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Thu, 4 May 2023 11:48:47 -0400 Subject: ukify: support pesign as alternative to sbsign sbsign is not available everywhere, for example RHEL does not have it. Add pesign as alternative to it. pesign will use options "--secureboot-certificate-name" (mandatory) and "--secureboot-certificate-dir" (optional), while sbsign will use "--secureboot-private-key" and "--secureboot-certificate". By default, use sbsign. If no key/cert is provided or sbsign is not found, try pesign. Signed-off-by: Emanuele Giuseppe Esposito --- man/ukify.xml | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) (limited to 'man') diff --git a/man/ukify.xml b/man/ukify.xml index cc711190fa..f5a2fcc3e8 100644 --- a/man/ukify.xml +++ b/man/ukify.xml 
@@ -253,13 +253,23 @@ system. + + SecureBootSigningTool=SIGNER + + + Whether to use sbsign or pesign. + Depending on this choice, different parameters are required in order to sign an image. + Defaults to sbsign. + + SecureBootPrivateKey=SB_KEY A path to a private key to use for signing of the resulting binary. If the SigningEngine=/ option is used, this may also be - an engine-specific designation. + an engine-specific designation. This option is required by + SecureBootSigningTool=sbsign/. @@ -268,7 +278,25 @@ A path to a certificate to use for signing of the resulting binary. If the SigningEngine=/ option is used, this may also - be an engine-specific designation. + be an engine-specific designation. This option is required by + SecureBootSigningTool=sbsign/. + + + + SecureBootCertificateDir=SB_PATH + + + A path to a nss certificate database directory to use for signing of the resulting binary. + Takes effect when SecureBootSigningTool=pesign/ is used. + Defaults to /etc/pki/pesign. + + + + SecureBootCertificateName=SB_CERTNAME + + + The name of the nss certificate database entry to use for signing of the resulting binary. + This option is required by SecureBootSigningTool=pesign/. -- cgit v1.2.1
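Review bot: In the man/ukify.xml hunk at -435,7 of the first patch, the example now writes --output=debug.cmdline while the unchanged sentence right after it still says "This creates a signed PE binary", so the reader is not told why a PE binary is named without .efi. Suggest extending that sentence with the reason given in the commit message, that systemd-stub looks for .cmdline files. Separately, the subject covers two changes (the doc fix and the message printed when a package is missing); splitting them into two commits would make each one easier to review and revert.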
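Review bot: In the -253,13 hunk of the second patch, the new SecureBootSigningTool= entry documents only "Defaults to sbsign", but the commit message describes a fallback ("If no key/cert is provided or sbsign is not found, try pesign") that the man page text never mentions. Because that fallback changes which tool and which key material sign the image, it should be documented in this entry, or the tool should stop with an error instead of switching signers silently. The sentence added to SecureBootPrivateKey= ("This option is required by SecureBootSigningTool=sbsign") also conflicts with the fallback: state whether a missing key is an error or the trigger for pesign. Listing the accepted values of SIGNER explicitly would help as well.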
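Review bot: In the -268,7 hunk of the second patch, the new SecureBootCertificateDir= and SecureBootCertificateName= entries do not say what happens when they are set together with SecureBootPrivateKey=/SecureBootCertificate=, or while sbsign is the selected tool; say whether the unused options are ignored or rejected. The text also never states where the private key comes from when pesign is used, which is the first thing a reader coming from the sbsign options will look for. Minor: "nss" should be written "NSS" in both entries, and "This option is required by" would read better as "required when ... is used", matching the "Takes effect when" wording in the SecureBootCertificateDir= entry.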