projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 0fdf4e18 ZJS |
1 | <?xml version="1.0"?> |
| 2 | <!--*-nxml-*--> | |
| 3 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | |
| 4 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
| 5 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> | |
| 9c45bfb2 | 6 | <refentry id="ukify" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='ENABLE_UKIFY'> |
| 0fdf4e18 ZJS |
7 | |
| 8 | <refentryinfo> | |
| 9 | <title>ukify</title> | |
| 10 | <productname>systemd</productname> | |
| 11 | </refentryinfo> | |
| 12 | ||
| 13 | <refmeta> | |
| 14 | <refentrytitle>ukify</refentrytitle> | |
| 15 | <manvolnum>1</manvolnum> | |
| 16 | </refmeta> | |
| 17 | ||
| 18 | <refnamediv> | |
| 19 | <refname>ukify</refname> | |
| 00e5933f | 20 | <refpurpose>Combine components into a signed Unified Kernel Image for UEFI systems</refpurpose> |
| 0fdf4e18 ZJS |
21 | </refnamediv> |
| 22 | ||
| 23 | <refsynopsisdiv> | |
| 24 | <cmdsynopsis> | |
| 25 | <command>/usr/lib/systemd/ukify</command> | |
| 00e5933f LB |
26 | <arg choice="opt"><replaceable>LINUX</replaceable></arg> |
| 27 | <arg choice="opt" rep="repeat"><replaceable>INITRD</replaceable></arg> | |
| 0fdf4e18 ZJS |
28 | <arg choice="opt" rep="repeat">OPTIONS</arg> |
| 29 | </cmdsynopsis> | |
| 30 | </refsynopsisdiv> | |
| 31 | ||
| 32 | <refsect1> | |
| 33 | <title>Description</title> | |
| 34 | ||
| 35 | <para>Note: this command is experimental for now. While it is intended to become a regular component of | |
| 36 | systemd, it might still change in behaviour and interface.</para> | |
| 37 | ||
| 00e5933f LB |
38 | <para><command>ukify</command> is a tool that combines components (e.g.: a kernel and an initrd with |
| 39 | a UEFI boot stub) to create a | |
| 0fdf4e18 ZJS |
40 | <ulink url="https://uapi-group.org/specifications/specs/unified_kernel_image/">Unified Kernel Image (UKI)</ulink> |
| 41 | — a PE binary that can be executed by the firmware to start the embedded linux kernel. | |
| 42 | See <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
| 43 | for details about the stub.</para> | |
| 44 | ||
| 45 | <para>Additional sections will be inserted into the UKI, either automatically or only if a specific | |
| 46 | option is provided. See the discussions of | |
| 248be6ef ZJS |
47 | <varname>Cmdline=</varname>/<option>--cmdline=</option>, |
| 48 | <varname>OSRelease=</varname>/<option>--os-release=</option>, | |
| 49 | <varname>DeviceTree=</varname>/<option>--devicetree=</option>, | |
| 50 | <varname>Splash=</varname>/<option>--splash=</option>, | |
| 51 | <varname>PCRPKey=</varname>/<option>--pcrpkey=</option>, | |
| 52 | <varname>Uname=</varname>/<option>--uname=</option>, | |
| 0fdf4e18 ZJS |
53 | and <option>--section=</option> |
| 54 | below.</para> | |
| 55 | ||
| 00e5933f LB |
56 | <para><command>ukify</command> can also be used to assemble a PE binary that is not executable but |
| 57 | contains auxiliary data, for example additional kernel command line entries.</para> | |
| 58 | ||
| 248be6ef ZJS |
59 | <para>If PCR signing keys are provided via the |
| 60 | <varname>PCRPrivateKey=</varname>/<option>--pcr-private-key=</option> and | |
| 61 | <varname>PCRPublicKey=</varname>/<option>--pcr-public-key=</option> options, PCR values that will be seen | |
| 62 | after booting with the given kernel, initrd, and other sections, will be calculated, signed, and embedded | |
| 63 | in the UKI. | |
| 0fdf4e18 ZJS |
64 | <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry> is |
| 65 | used to perform this calculation and signing.</para> | |
| 66 | ||
| 67 | <para>The calculation of PCR values is done for specific boot phase paths. Those can be specified with | |
| 248be6ef ZJS |
68 | the <varname>Phases=</varname>/<option>--phases=</option> option. If not specified, the default provided |
| 69 | by <command>systemd-measure</command> is used. It is also possible to specify the | |
| 70 | <varname>PCRPrivateKey=</varname>/<option>--pcr-private-key=</option>, | |
| 71 | <varname>PCRPublicKey=</varname>/<option>--pcr-public-key=</option>, and | |
| 72 | <varname>Phases=</varname>/<option>--phases=</option> arguments more than once. Signatures will then be | |
| 73 | performed with each of the specified keys. On the command line, when both <option>--phases=</option> and | |
| 74 | <option>--pcr-private-key=</option> are used, they must be specified the same number of times, and then | |
| 75 | the n-th boot phase path set will be signed by the n-th key. This can be used to build different trust | |
| 76 | policies for different phases of the boot. In the config file, <varname>PCRPrivateKey=</varname>, | |
| 77 | <varname>PCRPublicKey=</varname>, and <varname>Phases=</varname> are grouped into separate sections, | |
| 78 | describing separate boot phases.</para> | |
| 79 | ||
| 80 | <para>If a SecureBoot signing key is provided via the | |
| 81 | <varname>SecureBootPrivateKey=</varname>/<option>--secureboot-private-key=</option> option, the resulting | |
| 82 | PE binary will be signed as a whole, allowing the resulting UKI to be trusted by SecureBoot. Also see the | |
| 83 | discussion of automatic enrollment in | |
| 0fdf4e18 ZJS |
84 | <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>. |
| 85 | </para> | |
| 86 | </refsect1> | |
| 87 | ||
| 88 | <refsect1> | |
| 248be6ef ZJS |
89 | <title>Configuration settings</title> |
| 90 | ||
| 91 | <para>Settings can appear in configuration files (the syntax with <varname | |
| 92 | index='false'>SomeSetting=<replaceable>value</replaceable></varname>) and on the command line (the syntax | |
| 93 | with <option index='false'>--some-setting=<replaceable>value</replaceable></option>). For some command | |
| 94 | line parameters, a single-letter shortcut is also allowed. In the configuration files, the setting must | |
| 95 | be in the appropriate section, so the descriptions are grouped by section below. When the same setting | |
| 96 | appears in the configuration file and on the command line, generally the command line setting has higher | |
| 97 | priority and overwrites the config file setting completely. If some setting behaves differently, this is | |
| 98 | described below.</para> | |
| 99 | ||
| 100 | <para>The <replaceable>LINUX</replaceable> and <replaceable>INITRD</replaceable> positional arguments, or | |
| 101 | the equivalent <varname>Linux=</varname> and <varname>Initrd=</varname> settings, are optional. If more | |
| 102 | than one initrd is specified, they will all be combined into a single PE section. This is useful to, for | |
| 103 | example, prepend microcode before the actual initrd.</para> | |
| 104 | ||
| 105 | <para>The following options and settings are understood:</para> | |
| 106 | ||
| 107 | <refsect2> | |
| 108 | <title>Commandline-only options</title> | |
| 109 | ||
| 110 | <variablelist> | |
| 111 | <varlistentry> | |
| 112 | <term><option>--config=<replaceable>PATH</replaceable></option></term> | |
| 113 | ||
| 114 | <listitem><para>Load configuration from the given config file. In general, settings specified in | |
| 115 | the config file have lower precedence than the settings specified via options. In cases where the | |
| 116 | commandline option does not fully override the config file setting are explicitly mentioned in the | |
| 117 | descriptions of individual options.</para></listitem> | |
| 118 | </varlistentry> | |
| 119 | ||
| 120 | <varlistentry> | |
| 121 | <term><option>--measure</option></term> | |
| 122 | <term><option>--no-measure</option></term> | |
| 123 | ||
| 8fb35004 ZJS |
124 | <listitem><para>Enable or disable a call to |
| 125 | <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 126 | to print pre-calculated PCR values. Defaults to false.</para></listitem> | |
| 248be6ef ZJS |
127 | </varlistentry> |
| 128 | ||
| 129 | <varlistentry> | |
| 130 | <term><option>--section=<replaceable>NAME</replaceable>:<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term> | |
| 131 | ||
| 132 | <listitem><para>Specify an arbitrary additional section | |
| 133 | <literal><replaceable>NAME</replaceable></literal>. Note that the name is used as-is, and if the | |
| 134 | section name should start with a dot, it must be included in <replaceable>NAME</replaceable>. The | |
| 135 | argument may be a literal string, or <literal>@</literal> followed by a path name. This option may be | |
| 136 | specified more than once. Any sections specified in this fashion will be inserted (in order) before | |
| 137 | the <literal>.linux</literal> section which is always last.</para></listitem> | |
| 138 | </varlistentry> | |
| 139 | ||
| 140 | <varlistentry> | |
| 141 | <term><option>--tools=<replaceable>DIRS</replaceable></option></term> | |
| 142 | ||
| 143 | <listitem><para>Specify one or more directories with helper tools. <command>ukify</command> will | |
| 144 | look for helper tools in those directories first, and if not found, try to load them from | |
| 145 | <varname>$PATH</varname> in the usual fashion.</para></listitem> | |
| 146 | </varlistentry> | |
| 147 | ||
| 148 | <varlistentry> | |
| 149 | <term><option>--output=<replaceable>FILENAME</replaceable></option></term> | |
| 150 | ||
| 151 | <listitem><para>The output filename. If not specified, the name of the | |
| 152 | <replaceable>LINUX</replaceable> argument, with the suffix <literal>.unsigned.efi</literal> or | |
| 153 | <literal>.signed.efi</literal> will be used, depending on whether signing for SecureBoot was | |
| 154 | performed.</para></listitem> | |
| 155 | </varlistentry> | |
| 156 | ||
| 157 | <varlistentry> | |
| 158 | <term><option>--summary</option></term> | |
| 159 | ||
| 160 | <listitem><para>Print a summary of loaded config and exit. This is useful to check how the options | |
| 161 | form the configuration file and the commandline are combined.</para></listitem> | |
| 162 | </varlistentry> | |
| 163 | ||
| 164 | <xi:include href="standard-options.xml" xpointer="help" /> | |
| 165 | <xi:include href="standard-options.xml" xpointer="version" /> | |
| 166 | </variablelist> | |
| 167 | </refsect2> | |
| 168 | ||
| 169 | <refsect2> | |
| 170 | <title>[UKI] section</title> | |
| 171 | ||
| 172 | <variablelist> | |
| 173 | <varlistentry> | |
| 174 | <term><varname>Linux=<replaceable>LINUX</replaceable></varname></term> | |
| 175 | <term>positional argument <replaceable>LINUX</replaceable></term> | |
| 176 | ||
| 177 | <listitem><para>A path to the kernel binary.</para></listitem> | |
| 178 | </varlistentry> | |
| 179 | ||
| 180 | <varlistentry> | |
| 181 | <term><varname>Initrd=<replaceable>INITRD</replaceable>...</varname></term> | |
| 182 | <term>positional argument <replaceable>INITRD</replaceable></term> | |
| 183 | ||
| 184 | <listitem><para>Zero or more initrd paths. In the configuration file, items are separated by | |
| 185 | whitespace. The initrds are combined in the order of specification, with the initrds specified in | |
| 186 | the config file first.</para></listitem> | |
| 187 | </varlistentry> | |
| 188 | ||
| 189 | <varlistentry> | |
| 190 | <term><varname>Cmdline=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></varname></term> | |
| 191 | <term><option>--cmdline=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term> | |
| 192 | ||
| 193 | <listitem><para>The kernel command line (the <literal>.cmdline</literal> section). The argument may | |
| 194 | be a literal string, or <literal>@</literal> followed by a path name. If not specified, no command | |
| 195 | line will be embedded.</para></listitem> | |
| 196 | </varlistentry> | |
| 197 | ||
| 198 | <varlistentry> | |
| 199 | <term><varname>OSRelease=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></varname></term> | |
| 200 | <term><option>--os-release=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term> | |
| 201 | ||
| 202 | <listitem><para>The os-release description (the <literal>.osrel</literal> section). The argument | |
| 203 | may be a literal string, or <literal>@</literal> followed by a path name. If not specified, the | |
| 204 | <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file | |
| 205 | will be picked up from the host system.</para></listitem> | |
| 206 | </varlistentry> | |
| 207 | ||
| 208 | <varlistentry> | |
| 209 | <term><varname>DeviceTree=<replaceable>PATH</replaceable></varname></term> | |
| 210 | <term><option>--devicetree=<replaceable>PATH</replaceable></option></term> | |
| 211 | ||
| 212 | <listitem><para>The devicetree description (the <literal>.dtb</literal> section). The argument is a | |
| 213 | path to a compiled binary DeviceTree file. If not specified, the section will not be present. | |
| 214 | </para></listitem> | |
| 215 | </varlistentry> | |
| 216 | ||
| 217 | <varlistentry> | |
| 218 | <term><varname>Splash=<replaceable>PATH</replaceable></varname></term> | |
| 219 | <term><option>--splash=<replaceable>PATH</replaceable></option></term> | |
| 220 | ||
| 221 | <listitem><para>A picture to display during boot (the <literal>.splash</literal> section). The | |
| 222 | argument is a path to a BMP file. If not specified, the section will not be present. | |
| 223 | </para></listitem> | |
| 224 | </varlistentry> | |
| 225 | ||
| 226 | <varlistentry> | |
| 227 | <term><varname>PCRPKey=<replaceable>PATH</replaceable></varname></term> | |
| 228 | <term><option>--pcrpkey=<replaceable>PATH</replaceable></option></term> | |
| 229 | ||
| 230 | <listitem><para>A path to a public key to embed in the <literal>.pcrpkey</literal> section. If not | |
| 231 | specified, and there's exactly one | |
| 232 | <varname>PCRPublicKey=</varname>/<option>--pcr-public-key=</option> argument, that key will be used. | |
| 233 | Otherwise, the section will not be present.</para></listitem> | |
| 234 | </varlistentry> | |
| 235 | ||
| 236 | <varlistentry> | |
| 237 | <term><varname>Uname=<replaceable>VERSION</replaceable></varname></term> | |
| 238 | <term><option>--uname=<replaceable>VERSION</replaceable></option></term> | |
| 239 | ||
| 240 | <listitem><para>Specify the kernel version (as in <command>uname -r</command>, the | |
| 241 | <literal>.uname</literal> section). If not specified, an attempt will be made to extract the | |
| 242 | version string from the kernel image. It is recommended to pass this explicitly if known, because | |
| 243 | the extraction is based on heuristics and not very reliable. If not specified and extraction fails, | |
| 244 | the section will not be present.</para></listitem> | |
| 245 | </varlistentry> | |
| 246 | ||
| 247 | <varlistentry> | |
| 248 | <term><varname>PCRBanks=<replaceable>PATH</replaceable></varname></term> | |
| 249 | <term><option>--pcr-banks=<replaceable>PATH</replaceable></option></term> | |
| 250 | ||
| 251 | <listitem><para>A comma or space-separated list of PCR banks to sign a policy for. If not present, | |
| 252 | all known banks will be used (<literal>sha1</literal>, <literal>sha256</literal>, | |
| 253 | <literal>sha384</literal>, <literal>sha512</literal>), which will fail if not supported by the | |
| 254 | system.</para></listitem> | |
| 255 | </varlistentry> | |
| 256 | ||
| c1e8d172 EGE |
257 | <varlistentry> |
| 258 | <term><varname>SecureBootSigningTool=<replaceable>SIGNER</replaceable></varname></term> | |
| 259 | <term><option>--signtool=<replaceable>SIGNER</replaceable></option></term> | |
| 260 | ||
| 261 | <listitem><para>Whether to use <literal>sbsign</literal> or <literal>pesign</literal>. | |
| 262 | Depending on this choice, different parameters are required in order to sign an image. | |
| 263 | Defaults to <literal>sbsign</literal>.</para></listitem> | |
| 264 | </varlistentry> | |
| 265 | ||
| 248be6ef ZJS |
266 | <varlistentry> |
| 267 | <term><varname>SecureBootPrivateKey=<replaceable>SB_KEY</replaceable></varname></term> | |
| 268 | <term><option>--secureboot-private-key=<replaceable>SB_KEY</replaceable></option></term> | |
| 269 | ||
| 270 | <listitem><para>A path to a private key to use for signing of the resulting binary. If the | |
| 271 | <varname>SigningEngine=</varname>/<option>--signing-engine=</option> option is used, this may also be | |
| c1e8d172 EGE |
272 | an engine-specific designation. This option is required by |
| 273 | <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option>. </para></listitem> | |
| 248be6ef ZJS |
274 | </varlistentry> |
| 275 | ||
| 276 | <varlistentry> | |
| 277 | <term><varname>SecureBootCertificate=<replaceable>SB_CERT</replaceable></varname></term> | |
| 278 | <term><option>--secureboot-certificate=<replaceable>SB_CERT</replaceable></option></term> | |
| 279 | ||
| 280 | <listitem><para>A path to a certificate to use for signing of the resulting binary. If the | |
| 281 | <varname>SigningEngine=</varname>/<option>--signing-engine=</option> option is used, this may also | |
| c1e8d172 EGE |
282 | be an engine-specific designation. This option is required by |
| 283 | <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option>. </para></listitem> | |
| 284 | </varlistentry> | |
| 285 | ||
| 286 | <varlistentry> | |
| 287 | <term><varname>SecureBootCertificateDir=<replaceable>SB_PATH</replaceable></varname></term> | |
| 288 | <term><option>--secureboot-certificate-dir=<replaceable>SB_PATH</replaceable></option></term> | |
| 289 | ||
| 290 | <listitem><para>A path to a nss certificate database directory to use for signing of the resulting binary. | |
| 291 | Takes effect when <varname>SecureBootSigningTool=pesign</varname>/<option>--signtool=pesign</option> is used. | |
| 292 | Defaults to <filename>/etc/pki/pesign</filename>.</para></listitem> | |
| 293 | </varlistentry> | |
| 294 | ||
| 295 | <varlistentry> | |
| 296 | <term><varname>SecureBootCertificateName=<replaceable>SB_CERTNAME</replaceable></varname></term> | |
| 297 | <term><option>--secureboot-certificate-name=<replaceable>SB_CERTNAME</replaceable></option></term> | |
| 298 | ||
| 299 | <listitem><para>The name of the nss certificate database entry to use for signing of the resulting binary. | |
| 300 | This option is required by <varname>SecureBootSigningTool=pesign</varname>/<option>--signtool=pesign</option>.</para></listitem> | |
| 248be6ef ZJS |
301 | </varlistentry> |
| 302 | ||
| 303 | <varlistentry> | |
| 304 | <term><varname>SigningEngine=<replaceable>ENGINE</replaceable></varname></term> | |
| 305 | <term><option>--signing-engine=<replaceable>ENGINE</replaceable></option></term> | |
| 306 | ||
| 8fb35004 | 307 | <listitem><para>An "engine" for signing of the resulting binary. This option is currently passed |
| 248be6ef ZJS |
308 | verbatim to the <option>--engine=</option> option of |
| 309 | <citerefentry project='archlinux'><refentrytitle>sbsign</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
| 310 | </para></listitem> | |
| 311 | </varlistentry> | |
| 312 | ||
| 313 | <varlistentry> | |
| 314 | <term><varname>SignKernel=<replaceable>BOOL</replaceable></varname></term> | |
| 315 | <term><option>--sign-kernel</option></term> | |
| 316 | <term><option>--no-sign-kernel</option></term> | |
| 317 | ||
| 318 | <listitem><para>Override the detection of whether to sign the Linux binary itself before it is | |
| 319 | embedded in the combined image. If not specified, it will be signed if a SecureBoot signing key is | |
| 320 | provided via the | |
| 321 | <varname>SecureBootPrivateKey=</varname>/<option>--secureboot-private-key=</option> option and the | |
| 322 | binary has not already been signed. If | |
| 323 | <varname>SignKernel=</varname>/<option>--sign-kernel</option> is true, and the binary has already | |
| 324 | been signed, the signature will be appended anyway.</para></listitem> | |
| 325 | </varlistentry> | |
| 326 | </variablelist> | |
| 327 | </refsect2> | |
| 328 | ||
| 329 | <refsect2> | |
| 330 | <title>[PCRSignature:<replaceable>NAME</replaceable>] section</title> | |
| 331 | ||
| 332 | <para>In the config file, those options are grouped by section. On the commandline, they | |
| 333 | must be specified in the same order. The sections specified in both sources are combined. | |
| 334 | </para> | |
| 335 | ||
| 336 | <variablelist> | |
| 337 | <varlistentry> | |
| 338 | <term><varname>PCRPrivateKey=<replaceable>PATH</replaceable></varname></term> | |
| 339 | <term><option>--pcr-private-key=<replaceable>PATH</replaceable></option></term> | |
| 340 | ||
| 341 | <listitem><para>A private key to use for signing PCR policies. On the commandline, this option may | |
| 342 | be specified more than once, in which case multiple signatures will be made.</para></listitem> | |
| 343 | </varlistentry> | |
| 344 | ||
| 345 | <varlistentry> | |
| 346 | <term><varname>PCRPublicKey=<replaceable>PATH</replaceable></varname></term> | |
| 347 | <term><option>--pcr-public-key=<replaceable>PATH</replaceable></option></term> | |
| 348 | ||
| 349 | <listitem><para>A public key to use for signing PCR policies.</para> | |
| 350 | ||
| 351 | <para>On the commandline, this option may be specified more than once, similarly to the | |
| 352 | <option>--pcr-private-key=</option> option. If not present, the public keys will be extracted from | |
| 353 | the private keys. On the commandline, if present, the this option must be specified the same number | |
| 354 | of times as the <option>--pcr-private-key=</option> option.</para></listitem> | |
| 355 | </varlistentry> | |
| 356 | ||
| 357 | <varlistentry> | |
| 358 | <term><varname>Phases=<replaceable>LIST</replaceable></varname></term> | |
| 359 | <term><option>--phases=<replaceable>LIST</replaceable></option></term> | |
| 360 | ||
| 361 | <listitem><para>A comma or space-separated list of colon-separated phase paths to sign a policy | |
| 362 | for. Each set of boot phase paths will be signed with the corresponding private key. If not | |
| 363 | present, the default of | |
| 364 | <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 365 | will be used.</para> | |
| 366 | ||
| 367 | <para>On the commandline, when this argument is present, it must appear the same number of times as | |
| 368 | the <option>--pcr-private-key=</option> option. </para></listitem> | |
| 369 | </varlistentry> | |
| 370 | </variablelist> | |
| 371 | </refsect2> | |
| 0fdf4e18 ZJS |
372 | </refsect1> |
| 373 | ||
| 374 | <refsect1> | |
| 375 | <title>Examples</title> | |
| 376 | ||
| 377 | <example> | |
| 378 | <title>Minimal invocation</title> | |
| 379 | ||
| 248be6ef | 380 | <programlisting>$ ukify \ |
| 0fdf4e18 ZJS |
381 | /lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \ |
| 382 | /some/path/initramfs-6.0.9-300.fc37.x86_64.img \ | |
| 383 | --cmdline='quiet rw' | |
| 384 | </programlisting> | |
| 385 | ||
| 386 | <para>This creates an unsigned UKI <filename>./vmlinuz.unsigned.efi</filename>.</para> | |
| 387 | </example> | |
| 388 | ||
| 389 | <example> | |
| 390 | <title>All the bells and whistles</title> | |
| 391 | ||
| 248be6ef | 392 | <programlisting># /usr/lib/systemd/ukify \ |
| 0fdf4e18 | 393 | /lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \ |
| 54c84c8a | 394 | early_cpio \ |
| 0fdf4e18 ZJS |
395 | /some/path/initramfs-6.0.9-300.fc37.x86_64.img \ |
| 396 | --pcr-private-key=pcr-private-initrd-key.pem \ | |
| 397 | --pcr-public-key=pcr-public-initrd-key.pem \ | |
| 398 | --phases='enter-initrd' \ | |
| 399 | --pcr-private-key=pcr-private-system-key.pem \ | |
| 400 | --pcr-public-key=pcr-public-system-key.pem \ | |
| 401 | --phases='enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \ | |
| 402 | enter-initrd:leave-initrd:sysinit:ready' \ | |
| 403 | --pcr-banks=sha384,sha512 \ | |
| 404 | --secureboot-private-key=sb.key \ | |
| 405 | --secureboot-certificate=sb.cert \ | |
| 406 | --sign-kernel \ | |
| 407 | --cmdline='quiet rw rhgb' | |
| 408 | </programlisting> | |
| 409 | ||
| 410 | <para>This creates a signed UKI <filename index='false'>./vmlinuz.signed.efi</filename>. | |
| 54c84c8a ZJS |
411 | The initrd section contains two concatenated parts, <filename index='false'>early_cpio</filename> |
| 412 | and <filename index='false'>initramfs-6.0.9-300.fc37.x86_64.img</filename>. | |
| 0fdf4e18 ZJS |
413 | The policy embedded in the <literal>.pcrsig</literal> section will be signed for the initrd (the |
| 414 | <constant>enter-initrd</constant> phase) with the key | |
| 415 | <filename index='false'>pcr-private-initrd-key.pem</filename>, and for the main system (phases | |
| 416 | <constant>leave-initrd</constant>, <constant>sysinit</constant>, <constant>ready</constant>) with the | |
| 417 | key <filename index='false'>pcr-private-system-key.pem</filename>. The Linux binary and the resulting | |
| 418 | combined image will be signed with the SecureBoot key <filename index='false'>sb.key</filename>.</para> | |
| 419 | </example> | |
| 00e5933f | 420 | |
| 248be6ef ZJS |
421 | <example> |
| 422 | <title>All the bells and whistles, via a config file</title> | |
| 423 | ||
| 424 | <para>This is the same as the previous example, but this time the configuration is stored in a | |
| 425 | file:</para> | |
| 426 | ||
| 427 | <programlisting>$ cat ukify.conf | |
| 428 | [UKI] | |
| 429 | Initrd=early_cpio | |
| 430 | Cmdline=quiet rw rhgb | |
| 431 | ||
| 432 | SecureBootPrivateKey=sb.key | |
| 433 | SecureBootCerificate=sb.cert | |
| 434 | SignKernel=yes | |
| 435 | PCRBanks=sha384,sha512 | |
| 436 | ||
| 437 | [PCRSignature:initrd] | |
| 438 | PCRPrivateKey=pcr-private-initrd-key.pem | |
| 439 | PCRPublicKey=pcr-public-initrd-key.pem | |
| 440 | Phases=enter-initrd | |
| 441 | ||
| 442 | [PCRSignature:system] | |
| 443 | PCRPrivateKey=pcr-private-system-key.pem | |
| 444 | PCRPublicKey=pcr-public-system-key.pem | |
| 445 | Phases=enter-initrd:leave-initrd | |
| 446 | enter-initrd:leave-initrd:sysinit | |
| 447 | enter-initrd:leave-initrd:sysinit:ready | |
| 448 | ||
| 449 | # /usr/lib/systemd/ukify -c ukify.conf \ | |
| 450 | /lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \ | |
| 451 | /some/path/initramfs-6.0.9-300.fc37.x86_64.img | |
| 452 | </programlisting> | |
| 453 | ||
| 454 | <para>One "initrd" (<filename index='false'>early_cpio</filename>) is specified in the config file, and | |
| 455 | the other initrd (<filename index='false'>initramfs-6.0.9-300.fc37.x86_64.img</filename>) is specified | |
| 456 | on the commandline. This may be useful for example when the first initrd contains microcode for the CPU | |
| 457 | and does not need to be updated when the kernel version changes, unlike the actual initrd.</para> | |
| 458 | </example> | |
| 459 | ||
| 00e5933f LB |
460 | <example> |
| 461 | <title>Kernel command line auxiliary PE</title> | |
| 462 | ||
| 463 | <programlisting>ukify \ | |
| 464 | --secureboot-private-key=sb.key \ | |
| 465 | --secureboot-certificate=sb.cert \ | |
| 466 | --cmdline='debug' \ | |
| e673c5c2 | 467 | --output=debug.cmdline |
| 00e5933f LB |
468 | </programlisting> |
| 469 | ||
| 248be6ef ZJS |
470 | <para>This creates a signed PE binary that contains the additional kernel command line parameter |
| 471 | <literal>debug</literal>.</para> | |
| 00e5933f | 472 | </example> |
| 0fdf4e18 ZJS |
473 | </refsect1> |
| 474 | ||
| 475 | <refsect1> | |
| 476 | <title>See Also</title> | |
| 477 | <para> | |
| 478 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 479 | <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>, | |
| 480 | <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>, | |
| 248be6ef | 481 | <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| 9e60dc0d | 482 | <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| 0fdf4e18 ZJS |
483 | </para> |
| 484 | </refsect1> | |
| 485 | ||
| 486 | </refentry> |