<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="ukify" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='ENABLE_UKIFY'>

  <refentryinfo>
    <title>ukify</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>ukify</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>ukify</refname>
    <refpurpose>Combine components into a signed Unified Kernel Image for UEFI systems</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/usr/lib/systemd/ukify</command>
      <arg choice="opt"><replaceable>LINUX</replaceable></arg>
      <arg choice="opt" rep="repeat"><replaceable>INITRD</replaceable></arg>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>Note: this command is experimental for now. While it is intended to become a regular component of
    systemd, it might still change in behaviour and interface.</para>

    <para><command>ukify</command> is a tool that combines components (e.g. a kernel and an initrd with
    a UEFI boot stub) to create a
    <ulink url="https://uapi-group.org/specifications/specs/unified_kernel_image/">Unified Kernel Image (UKI)</ulink>
    — a PE binary that can be executed by the firmware to start the embedded Linux kernel.
    See <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for details about the stub.</para>

    <para>Additional sections will be inserted into the UKI, either automatically or only if a specific
    option is provided. See the discussions of
    <varname>Cmdline=</varname>/<option>--cmdline=</option>,
    <varname>OSRelease=</varname>/<option>--os-release=</option>,
    <varname>DeviceTree=</varname>/<option>--devicetree=</option>,
    <varname>Splash=</varname>/<option>--splash=</option>,
    <varname>PCRPKey=</varname>/<option>--pcrpkey=</option>,
    <varname>Uname=</varname>/<option>--uname=</option>,
    and <option>--section=</option>
    below.</para>

    <para><command>ukify</command> can also be used to assemble a PE binary that is not executable but
    contains auxiliary data, for example additional kernel command line entries.</para>

    <para>If PCR signing keys are provided via the
    <varname>PCRPrivateKey=</varname>/<option>--pcr-private-key=</option> and
    <varname>PCRPublicKey=</varname>/<option>--pcr-public-key=</option> options, PCR values that will be seen
    after booting with the given kernel, initrd, and other sections, will be calculated, signed, and embedded
    in the UKI.
    <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry> is
    used to perform this calculation and signing.</para>

    <para>The calculation of PCR values is done for specific boot phase paths. Those can be specified with
    the <varname>Phases=</varname>/<option>--phases=</option> option. If not specified, the default provided
    by <command>systemd-measure</command> is used. It is also possible to specify the
    <varname>PCRPrivateKey=</varname>/<option>--pcr-private-key=</option>,
    <varname>PCRPublicKey=</varname>/<option>--pcr-public-key=</option>, and
    <varname>Phases=</varname>/<option>--phases=</option> arguments more than once. Signatures will then be
    performed with each of the specified keys. On the command line, when both <option>--phases=</option> and
    <option>--pcr-private-key=</option> are used, they must be specified the same number of times, and then
    the n-th boot phase path set will be signed by the n-th key. This can be used to build different trust
    policies for different phases of the boot. In the config file, <varname>PCRPrivateKey=</varname>,
    <varname>PCRPublicKey=</varname>, and <varname>Phases=</varname> are grouped into separate sections,
    describing separate boot phases.</para>

    <para>If a SecureBoot signing key is provided via the
    <varname>SecureBootPrivateKey=</varname>/<option>--secureboot-private-key=</option> option, the resulting
    PE binary will be signed as a whole, allowing the resulting UKI to be trusted by SecureBoot. Also see the
    discussion of automatic enrollment in
    <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
    </para>
  </refsect1>

  <refsect1>
    <title>Configuration settings</title>

    <para>Settings can appear in configuration files (the syntax with <varname
    index='false'>SomeSetting=<replaceable>value</replaceable></varname>) and on the command line (the syntax
    with <option index='false'>--some-setting=<replaceable>value</replaceable></option>). For some command
    line parameters, a single-letter shortcut is also allowed. In the configuration files, the setting must
    be in the appropriate section, so the descriptions are grouped by section below. When the same setting
    appears in the configuration file and on the command line, generally the command line setting has higher
    priority and overwrites the config file setting completely. If some setting behaves differently, this is
    described below.</para>

    <para>The <replaceable>LINUX</replaceable> and <replaceable>INITRD</replaceable> positional arguments, or
    the equivalent <varname>Linux=</varname> and <varname>Initrd=</varname> settings, are optional. If more
    than one initrd is specified, they will all be combined into a single PE section. This is useful to, for
    example, prepend microcode before the actual initrd.</para>

    <para>The following options and settings are understood:</para>

    <refsect2>
      <title>Commandline-only options</title>

      <variablelist>
        <varlistentry>
          <term><option>--config=<replaceable>PATH</replaceable></option></term>

          <listitem><para>Load configuration from the given config file. In general, settings specified in
          the config file have lower precedence than the settings specified via options. Cases where the
          command line option does not fully override the config file setting are explicitly mentioned in the
          descriptions of individual options.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><option>--measure</option></term>
          <term><option>--no-measure</option></term>

          <listitem><para>Enable or disable a call to
          <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>
          to print pre-calculated PCR values. Defaults to false.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><option>--section=<replaceable>NAME</replaceable>:<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term>

          <listitem><para>Specify an arbitrary additional section
          <literal><replaceable>NAME</replaceable></literal>. Note that the name is used as-is, and if the
          section name should start with a dot, it must be included in <replaceable>NAME</replaceable>. The
          argument may be a literal string, or <literal>@</literal> followed by a path name. This option may be
          specified more than once. Any sections specified in this fashion will be inserted (in order) before
          the <literal>.linux</literal> section which is always last.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><option>--tools=<replaceable>DIRS</replaceable></option></term>

          <listitem><para>Specify one or more directories with helper tools. <command>ukify</command> will
          look for helper tools in those directories first, and if not found, try to load them from
          <varname>$PATH</varname> in the usual fashion.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><option>--output=<replaceable>FILENAME</replaceable></option></term>

          <listitem><para>The output filename. If not specified, the name of the
          <replaceable>LINUX</replaceable> argument, with the suffix <literal>.unsigned.efi</literal> or
          <literal>.signed.efi</literal> will be used, depending on whether signing for SecureBoot was
          performed.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><option>--summary</option></term>

          <listitem><para>Print a summary of loaded config and exit. This is useful to check how the options
          from the configuration file and the command line are combined.</para></listitem>
        </varlistentry>

        <xi:include href="standard-options.xml" xpointer="help" />
        <xi:include href="standard-options.xml" xpointer="version" />
      </variablelist>
    </refsect2>
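    <para>As an added illustration (not part of ukify or of this manual page), the following Python script
    walks the section table of a PE file and reports which of the sections described above are present,
    what the <literal>.cmdline</literal> and <literal>.osrel</literal> sections carry, whether a
    <literal>.pcrsig</literal> section exists, and whether <literal>.linux</literal> is the last section, as
    the <option>--section=</option> description requires. The sample file it builds is a constructed PE
    container with no stub and no optional header (so it is not bootable); pass the path of a real UKI as
    the first argument to inspect what will actually be measured and booted. The list
    <varname>UKI_SECTIONS</varname> and all function names are this example's own.</para>

```python
"""Inspect the PE section table of a Unified Kernel Image (added example, not ukify's own code)."""
import struct
import sys

COFF_HDR = struct.Struct("<HHIIIHH")          # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                                              # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
E_LFANEW = 0x3C                               # DOS header field holding the offset of the "PE\0\0" signature
FILE_ALIGN = 512

# Section names ukify(1) documents; ukify always places .linux last.
UKI_SECTIONS = (".osrel", ".cmdline", ".dtb", ".splash", ".pcrpkey", ".uname", ".initrd", ".pcrsig", ".linux")


def pe_sections(blob):
    """Return [(name, data)] for every section of a PE file, in section-table order."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", blob, E_LFANEW)
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(blob, pe_off + 4)
    table = pe_off + 4 + COFF_HDR.size + opt_size      # the section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(blob, table + i * SECTION_HDR.size)
        size = vsize or rawsize                         # VirtualSize is the unpadded length when set
        sections.append((name.rstrip(b"\0").decode("ascii"), blob[rawptr:rawptr + size]))
    return sections


def describe_uki(blob):
    """What a reviewer checks before deploying a UKI: which sections it carries and what is in them."""
    sections = pe_sections(blob)
    names = [n for n, _ in sections]
    data = dict(sections)
    return {
        "sections": names,
        "has_linux": ".linux" in names,
        "linux_last": bool(names) and names[-1] == ".linux",
        "cmdline": data.get(".cmdline", b"").rstrip(b"\0").decode(errors="replace"),
        "osrel": data.get(".osrel", b"").decode(errors="replace"),
        "pcr_signed": ".pcrsig" in names,
        "undocumented": [n for n in names if n not in UKI_SECTIONS],
    }


def build_pe(sections):
    """Constructed test input: a minimal PE container (no stub, no optional header, not bootable)."""
    n = len(sections)
    pe_off = 64
    header_len = pe_off + 4 + COFF_HDR.size + n * SECTION_HDR.size
    data_start = -(-header_len // FILE_ALIGN) * FILE_ALIGN
    table, payload, va = b"", b"", 0x1000
    for name, data in sections:
        raw = data + b"\0" * (-len(data) % FILE_ALIGN)   # raw data is padded to the file alignment
        table += SECTION_HDR.pack(name.encode("ascii").ljust(8, b"\0"), len(data), va, len(raw),
                                  data_start + len(payload), 0, 0, 0, 0,
                                  0x40000040)            # INITIALIZED_DATA | MEM_READ
        payload += raw
        va += -(-len(raw) // 0x1000) * 0x1000
    dos = b"MZ" + b"\0" * (E_LFANEW - 2) + struct.pack("<I", pe_off)
    coff = COFF_HDR.pack(0x8664, n, 0, 0, 0, 0, 0x0022)  # x86-64; EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    header = dos + b"PE\0\0" + coff + table
    return header + b"\0" * (data_start - len(header)) + payload


def build_sample():
    """A UKI-shaped file with constructed section contents, in the order ukify emits them."""
    return build_pe([
        (".osrel", b"ID=example\nVERSION_ID=1\n"),
        (".cmdline", b"quiet rw"),
        (".uname", b"6.0.9-300.fc37.x86_64"),
        (".initrd", b"\x1f\x8b" + b"\0" * 30),            # placeholder bytes, not a real initrd
        (".linux", b"MZ" + b"\0" * 62),                    # placeholder bytes, not a real kernel
    ])


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in describe_uki(blob).items():
        print(f"{key:>12}: {value}")
```

    <para>Only the COFF header and section table are parsed, so the same walk works on a real UKI (which
    does carry an optional header and the stub's own <literal>.text</literal>-style sections; those show up
    under <literal>undocumented</literal> because this script only knows the sections listed in this
    page).</para>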

    <refsect2>
      <title>[UKI] section</title>

      <variablelist>
        <varlistentry>
          <term><varname>Linux=<replaceable>LINUX</replaceable></varname></term>
          <term>positional argument <replaceable>LINUX</replaceable></term>

          <listitem><para>A path to the kernel binary.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>Initrd=<replaceable>INITRD</replaceable>...</varname></term>
          <term>positional argument <replaceable>INITRD</replaceable></term>

          <listitem><para>Zero or more initrd paths. In the configuration file, items are separated by
          whitespace. The initrds are combined in the order of specification, with the initrds specified in
          the config file first.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>Cmdline=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></varname></term>
          <term><option>--cmdline=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term>

          <listitem><para>The kernel command line (the <literal>.cmdline</literal> section). The argument may
          be a literal string, or <literal>@</literal> followed by a path name. If not specified, no command
          line will be embedded.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>OSRelease=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></varname></term>
          <term><option>--os-release=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term>

          <listitem><para>The os-release description (the <literal>.osrel</literal> section). The argument
          may be a literal string, or <literal>@</literal> followed by a path name. If not specified, the
          <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file
          will be picked up from the host system.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>DeviceTree=<replaceable>PATH</replaceable></varname></term>
          <term><option>--devicetree=<replaceable>PATH</replaceable></option></term>

          <listitem><para>The devicetree description (the <literal>.dtb</literal> section). The argument is a
          path to a compiled binary DeviceTree file. If not specified, the section will not be present.
          </para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>Splash=<replaceable>PATH</replaceable></varname></term>
          <term><option>--splash=<replaceable>PATH</replaceable></option></term>

          <listitem><para>A picture to display during boot (the <literal>.splash</literal> section). The
          argument is a path to a BMP file. If not specified, the section will not be present.
          </para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>PCRPKey=<replaceable>PATH</replaceable></varname></term>
          <term><option>--pcrpkey=<replaceable>PATH</replaceable></option></term>

          <listitem><para>A path to a public key to embed in the <literal>.pcrpkey</literal> section. If not
          specified, and there's exactly one
          <varname>PCRPublicKey=</varname>/<option>--pcr-public-key=</option> argument, that key will be used.
          Otherwise, the section will not be present.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>Uname=<replaceable>VERSION</replaceable></varname></term>
          <term><option>--uname=<replaceable>VERSION</replaceable></option></term>

          <listitem><para>Specify the kernel version (as in <command>uname -r</command>, the
          <literal>.uname</literal> section). If not specified, an attempt will be made to extract the
          version string from the kernel image. It is recommended to pass this explicitly if known, because
          the extraction is based on heuristics and not very reliable. If not specified and extraction fails,
          the section will not be present.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>PCRBanks=<replaceable>LIST</replaceable></varname></term>
          <term><option>--pcr-banks=<replaceable>LIST</replaceable></option></term>

          <listitem><para>A comma or space-separated list of PCR banks to sign a policy for. If not present,
          all known banks will be used (<literal>sha1</literal>, <literal>sha256</literal>,
          <literal>sha384</literal>, <literal>sha512</literal>), which will fail if not supported by the
          system.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>SecureBootSigningTool=<replaceable>SIGNER</replaceable></varname></term>
          <term><option>--signtool=<replaceable>SIGNER</replaceable></option></term>

          <listitem><para>Whether to use <literal>sbsign</literal> or <literal>pesign</literal>.
          Depending on this choice, different parameters are required in order to sign an image.
          Defaults to <literal>sbsign</literal>.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>SecureBootPrivateKey=<replaceable>SB_KEY</replaceable></varname></term>
          <term><option>--secureboot-private-key=<replaceable>SB_KEY</replaceable></option></term>

          <listitem><para>A path to a private key to use for signing of the resulting binary. If the
          <varname>SigningEngine=</varname>/<option>--signing-engine=</option> option is used, this may also be
          an engine-specific designation. This option is required by
          <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option>.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>SecureBootCertificate=<replaceable>SB_CERT</replaceable></varname></term>
          <term><option>--secureboot-certificate=<replaceable>SB_CERT</replaceable></option></term>

          <listitem><para>A path to a certificate to use for signing of the resulting binary. If the
          <varname>SigningEngine=</varname>/<option>--signing-engine=</option> option is used, this may also
          be an engine-specific designation. This option is required by
          <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option>.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>SecureBootCertificateDir=<replaceable>SB_PATH</replaceable></varname></term>
          <term><option>--secureboot-certificate-dir=<replaceable>SB_PATH</replaceable></option></term>

          <listitem><para>A path to an NSS certificate database directory to use for signing of the resulting binary.
          Takes effect when <varname>SecureBootSigningTool=pesign</varname>/<option>--signtool=pesign</option> is used.
          Defaults to <filename>/etc/pki/pesign</filename>.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>SecureBootCertificateName=<replaceable>SB_CERTNAME</replaceable></varname></term>
          <term><option>--secureboot-certificate-name=<replaceable>SB_CERTNAME</replaceable></option></term>

          <listitem><para>The name of the NSS certificate database entry to use for signing of the resulting binary.
          This option is required by <varname>SecureBootSigningTool=pesign</varname>/<option>--signtool=pesign</option>.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>SigningEngine=<replaceable>ENGINE</replaceable></varname></term>
          <term><option>--signing-engine=<replaceable>ENGINE</replaceable></option></term>

          <listitem><para>An "engine" for signing of the resulting binary. This option is currently passed
          verbatim to the <option>--engine=</option> option of
          <citerefentry project='archlinux'><refentrytitle>sbsign</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
          </para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>SignKernel=<replaceable>BOOL</replaceable></varname></term>
          <term><option>--sign-kernel</option></term>
          <term><option>--no-sign-kernel</option></term>

          <listitem><para>Override the detection of whether to sign the Linux binary itself before it is
          embedded in the combined image. If not specified, it will be signed if a SecureBoot signing key is
          provided via the
          <varname>SecureBootPrivateKey=</varname>/<option>--secureboot-private-key=</option> option and the
          binary has not already been signed. If
          <varname>SignKernel=</varname>/<option>--sign-kernel</option> is true, and the binary has already
          been signed, the signature will be appended anyway.</para></listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2>
      <title>[PCRSignature:<replaceable>NAME</replaceable>] section</title>

      <para>In the config file, these options are grouped by section. On the command line, they
      must be specified in the same order. The sections specified in both sources are combined.
      </para>

      <variablelist>
        <varlistentry>
          <term><varname>PCRPrivateKey=<replaceable>PATH</replaceable></varname></term>
          <term><option>--pcr-private-key=<replaceable>PATH</replaceable></option></term>

          <listitem><para>A private key to use for signing PCR policies. On the command line, this option may
          be specified more than once, in which case multiple signatures will be made.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>PCRPublicKey=<replaceable>PATH</replaceable></varname></term>
          <term><option>--pcr-public-key=<replaceable>PATH</replaceable></option></term>

          <listitem><para>A public key to use for signing PCR policies.</para>

          <para>On the command line, this option may be specified more than once, similarly to the
          <option>--pcr-private-key=</option> option. If not present, the public keys will be extracted from
          the private keys. On the command line, if present, this option must be specified the same number
          of times as the <option>--pcr-private-key=</option> option.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>Phases=<replaceable>LIST</replaceable></varname></term>
          <term><option>--phases=<replaceable>LIST</replaceable></option></term>

          <listitem><para>A comma or space-separated list of colon-separated phase paths to sign a policy
          for. Each set of boot phase paths will be signed with the corresponding private key. If not
          present, the default of
          <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>
          will be used.</para>

          <para>On the command line, when this argument is present, it must appear the same number of times as
          the <option>--pcr-private-key=</option> option.</para></listitem>
        </varlistentry>
      </variablelist>
    </refsect2>
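    <para>As an added example (not ukify's own code), the following Python script models how the settings
    above combine: a config file with its <literal>[UKI]</literal> and
    <literal>[PCRSignature:<replaceable>NAME</replaceable>]</literal> sections is parsed, command-line
    values override it completely, except that <varname>Initrd=</varname> entries are combined (config-file
    initrds first, then the positional ones) and the PCR signature groups are combined (config-file groups
    plus one group per <option>--pcr-private-key=</option>, where <option>--pcr-public-key=</option> and
    <option>--phases=</option>, if given, must appear the same number of times, the n-th set going with the
    n-th key). It also shows the <literal>@</literal><replaceable>PATH</replaceable> convention and the
    default output name. The config text and the file reader are constructed; no key material is read or
    used, and the function and field names are this example's own.</para>

```python
"""Model ukify's config-file / command-line merge rules (added example, not ukify's own code)."""
from __future__ import annotations
import argparse
import configparser
from dataclasses import dataclass, field

# Constructed config text, modeled on the config-file example in ukify(1).
CONFIG_TEXT = """\
[UKI]
Initrd=early_cpio
Cmdline=quiet rw rhgb
SecureBootPrivateKey=sb.key
SignKernel=yes

[PCRSignature:initrd]
PCRPrivateKey=pcr-private-initrd-key.pem
PCRPublicKey=pcr-public-initrd-key.pem
Phases=enter-initrd

[PCRSignature:system]
PCRPrivateKey=pcr-private-system-key.pem
PCRPublicKey=pcr-public-system-key.pem
Phases=enter-initrd:leave-initrd
       enter-initrd:leave-initrd:sysinit
       enter-initrd:leave-initrd:sysinit:ready
"""

def split_list(value):
    """Comma- or whitespace-separated lists (Initrd=, PCRBanks=, Phases=)."""
    return value.replace(",", " ").split()

@dataclass
class PCRSignature:
    private_key: str
    public_key: str | None = None   # None: extracted from the private key at signing time
    phases: list | None = None      # None: systemd-measure's default phase paths

@dataclass
class UkiConfig:
    linux: str | None = None
    initrd: list = field(default_factory=list)
    cmdline: str | None = None
    secureboot_private_key: str | None = None
    sign_kernel: bool | None = None
    pcr_signatures: list = field(default_factory=list)

def parse_config(text):
    """Read the [UKI] section and every [PCRSignature:NAME] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                                   # keep CamelCase setting names
    cp.read_string(text)
    uki = cp["UKI"] if cp.has_section("UKI") else {}
    cfg = UkiConfig(linux=uki.get("Linux"), initrd=split_list(uki.get("Initrd", "")),
                    cmdline=uki.get("Cmdline"), secureboot_private_key=uki.get("SecureBootPrivateKey"))
    if "SignKernel" in uki:
        cfg.sign_kernel = uki["SignKernel"].lower() in ("1", "yes", "true", "on")
    for name in cp.sections():
        if name.startswith("PCRSignature:"):
            sec = cp[name]
            cfg.pcr_signatures.append(PCRSignature(sec["PCRPrivateKey"], sec.get("PCRPublicKey"),
                                                   split_list(sec["Phases"]) if "Phases" in sec else None))
    return cfg

def parse_cli(argv):
    """Subset of the ukify command line used by this example."""
    p = argparse.ArgumentParser(prog="ukify", add_help=False)
    p.add_argument("linux", nargs="?")
    p.add_argument("initrd", nargs="*")
    p.add_argument("--cmdline")
    p.add_argument("--secureboot-private-key", dest="sb_key")
    p.add_argument("--sign-kernel", dest="sign_kernel", action="store_true", default=None)
    p.add_argument("--no-sign-kernel", dest="sign_kernel", action="store_false", default=None)
    p.add_argument("--pcr-private-key", action="append", default=[])
    p.add_argument("--pcr-public-key", action="append", default=[])
    p.add_argument("--phases", action="append", default=[])
    return p.parse_args(argv)

def merge(cfg, args):
    """Command line wins, except that initrds and PCR signature groups from both sources are combined."""
    out = UkiConfig(**vars(cfg))
    out.linux = args.linux or cfg.linux
    out.initrd = cfg.initrd + args.initrd                   # config-file initrds come first
    for attr, val in (("cmdline", args.cmdline), ("secureboot_private_key", args.sb_key),
                      ("sign_kernel", args.sign_kernel)):
        if val is not None:
            setattr(out, attr, val)
    n = len(args.pcr_private_key)
    for opt, vals in (("--pcr-public-key=", args.pcr_public_key), ("--phases=", args.phases)):
        if vals and len(vals) != n:                         # the n-th phases set is signed by the n-th key
            raise ValueError(f"{opt} given {len(vals)} times, --pcr-private-key= {n} times")
    out.pcr_signatures = cfg.pcr_signatures + [
        PCRSignature(args.pcr_private_key[i],
                     args.pcr_public_key[i] if args.pcr_public_key else None,
                     split_list(args.phases[i]) if args.phases else None)
        for i in range(n)]
    return out

def resolve_value(value, read_file):
    """Cmdline=, OSRelease= and --section= take literal TEXT, or '@' plus a path whose contents are used."""
    return read_file(value[1:]) if value and value.startswith("@") else value

def default_output(cfg):
    """LINUX's basename plus .signed.efi or .unsigned.efi, depending on whether SecureBoot signing happens."""
    return cfg.linux.rsplit("/", 1)[-1] + (".signed.efi" if cfg.secureboot_private_key else ".unsigned.efi")
```

    <para>Running <function>merge(parse_config(CONFIG_TEXT), parse_cli([...]))</function> with the two
    positional paths from the config-file example below yields the initrd list
    <literal>['early_cpio', '/some/path/initramfs-6.0.9-300.fc37.x86_64.img']</literal> and two PCR
    signature groups; adding <option>--no-sign-kernel</option> on the command line turns the config file's
    <varname>SignKernel=yes</varname> off, and two <option>--pcr-private-key=</option> with a single
    <option>--phases=</option> is rejected.</para>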
  </refsect1>

  <refsect1>
    <title>Examples</title>

    <example>
      <title>Minimal invocation</title>

      <programlisting>$ ukify \
      /lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \
      /some/path/initramfs-6.0.9-300.fc37.x86_64.img \
      --cmdline='quiet rw'
</programlisting>

      <para>This creates an unsigned UKI <filename>./vmlinuz.unsigned.efi</filename>.</para>
    </example>

    <example>
      <title>All the bells and whistles</title>

      <programlisting># /usr/lib/systemd/ukify \
      /lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \
      early_cpio \
      /some/path/initramfs-6.0.9-300.fc37.x86_64.img \
      --pcr-private-key=pcr-private-initrd-key.pem \
      --pcr-public-key=pcr-public-initrd-key.pem \
      --phases='enter-initrd' \
      --pcr-private-key=pcr-private-system-key.pem \
      --pcr-public-key=pcr-public-system-key.pem \
      --phases="enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \
                enter-initrd:leave-initrd:sysinit:ready" \
      --pcr-banks=sha384,sha512 \
      --secureboot-private-key=sb.key \
      --secureboot-certificate=sb.cert \
      --sign-kernel \
      --cmdline='quiet rw rhgb'
</programlisting>

      <para>This creates a signed UKI <filename index='false'>./vmlinuz.signed.efi</filename>.
      The initrd section contains two concatenated parts, <filename index='false'>early_cpio</filename>
      and <filename index='false'>initramfs-6.0.9-300.fc37.x86_64.img</filename>.
      The policy embedded in the <literal>.pcrsig</literal> section will be signed for the initrd (the
      <constant>enter-initrd</constant> phase) with the key
      <filename index='false'>pcr-private-initrd-key.pem</filename>, and for the main system (phases
      <constant>leave-initrd</constant>, <constant>sysinit</constant>, <constant>ready</constant>) with the
      key <filename index='false'>pcr-private-system-key.pem</filename>. The Linux binary and the resulting
      combined image will be signed with the SecureBoot key <filename index='false'>sb.key</filename>.</para>
    </example>

    <example>
      <title>All the bells and whistles, via a config file</title>

      <para>This is the same as the previous example, but this time the configuration is stored in a
      file:</para>

      <programlisting>$ cat ukify.conf
[UKI]
Initrd=early_cpio
Cmdline=quiet rw rhgb

SecureBootPrivateKey=sb.key
SecureBootCertificate=sb.cert
SignKernel=yes
PCRBanks=sha384,sha512

[PCRSignature:initrd]
PCRPrivateKey=pcr-private-initrd-key.pem
PCRPublicKey=pcr-public-initrd-key.pem
Phases=enter-initrd

[PCRSignature:system]
PCRPrivateKey=pcr-private-system-key.pem
PCRPublicKey=pcr-public-system-key.pem
Phases=enter-initrd:leave-initrd
       enter-initrd:leave-initrd:sysinit
       enter-initrd:leave-initrd:sysinit:ready

# /usr/lib/systemd/ukify -c ukify.conf \
      /lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \
      /some/path/initramfs-6.0.9-300.fc37.x86_64.img
</programlisting>

      <para>One "initrd" (<filename index='false'>early_cpio</filename>) is specified in the config file, and
      the other initrd (<filename index='false'>initramfs-6.0.9-300.fc37.x86_64.img</filename>) is specified
      on the command line. This may be useful for example when the first initrd contains microcode for the CPU
      and does not need to be updated when the kernel version changes, unlike the actual initrd.</para>
    </example>

    <example>
      <title>Kernel command line auxiliary PE</title>

      <programlisting>ukify \
      --secureboot-private-key=sb.key \
      --secureboot-certificate=sb.cert \
      --cmdline='debug' \
      --output=debug.cmdline
</programlisting>

      <para>This creates a signed PE binary that contains the additional kernel command line parameter
      <literal>debug</literal>.</para>
    </example>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>