if sign_kernel:
linux_signed = tempfile.NamedTemporaryFile(prefix='linux-signed')
- linux = linux_signed.name
+ linux = pathlib.Path(linux_signed.name)
sign(sign_tool, opts.linux, linux, opts=opts)
else:
linux = opts.linux
('.osrel', opts.os_release, True ),
('.cmdline', opts.cmdline, True ),
('.dtb', opts.devicetree, True ),
+ ('.uname', opts.uname, True ),
('.splash', opts.splash, True ),
('.pcrpkey', pcrpkey, True ),
('.initrd', initrd, True ),
- ('.uname', opts.uname, False),
# linux shall be last to leave breathing room for decompression.
# We'll add it later.
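Review bot: Flipping `.uname` to measured (third tuple field `True`) changes the set of sections handed to `call_systemd_measure`, but nothing at this table records why each flag has the value it has. A short comment above the list, e.g. `# third field: include the section in the PCR measurement; must agree with what the stub measures at boot`, would capture the reason; that the stub measures `.uname` is inferred from this change, not visible here. For the same inputs, output built before and after this change presumably yields different expected PCR values when a uname is set, so PCR signatures or policies derived from older output would need regenerating, which deserves a line in the commit message. The list itself starts and ends outside the hunk.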
call_systemd_measure(uki, linux, opts=opts)
- # UKI creation
+ # UKI or addon creation - addons don't use the stub so we add SBAT manually
if linux is not None:
uki.add_section(Section.create('.linux', linux, measure=True))
+ elif opts.sbat:
+ uki.add_section(Section.create('.sbat', opts.sbat, measure=False))
if sign_args_present:
unsigned = tempfile.NamedTemporaryFile(prefix='uki')
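Review bot: The new `elif opts.sbat:` branch is silent in both of its skip cases. When a kernel is given, a user-supplied `--sbat` is dropped without a message (the non-empty default means an explicit value cannot be told apart from the default), and when no kernel is given and `--sbat` is set to an empty string the addon is written with no `.sbat` section at all. Since SBAT is the revocation metadata the addon is expected to carry, I would fail rather than skip in the second case with a trailing `else: raise ValueError('addon requires a non-empty --sbat')`, and say in the `--sbat` help that it is ignored when a kernel is given. The section is also added after `call_systemd_measure` with `measure=False`; if leaving it out of the measurement is deliberate, a one-line comment saying so would help. The enclosing function starts and ends outside the hunk.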
config_key = 'UKI/Stub',
),
+ ConfigItem(
+ '--sbat',
+ metavar = 'TEXT|@PATH',
+ help = 'SBAT policy [.sbat section] for addons',
+ default = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+ uki.addon,1,UKI Addon,uki.addon,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html
+ """,
+ config_key = 'Addon/SBAT',
+ ),
+
ConfigItem(
'--section',
dest = 'sections',
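Review bot: The `--sbat` value is taken as-is: a user-supplied string replaces the two default lines wholesale, so a custom value that omits the leading `sbat,1,...` entry or the `uki.addon` entry ends up in the section unchecked, at least as far as this diff shows. Either validate where the option is consumed (first line begins with `sbat,`, every line has the six comma-separated fields the default uses) or state it in the help text, e.g. `help = 'SBAT policy [.sbat section] for addons; replaces the built-in default'`. As a style point, the triple-quoted default would read better as a named module-level constant with a comment on what the columns mean, since the generation number in the second column is what a revocation bumps and should not be edited casually.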
opts.efi_arch = guess_efi_arch()
if opts.stub is None:
- opts.stub = pathlib.Path(f'/usr/lib/systemd/boot/efi/linux{opts.efi_arch}.efi.stub')
+ if opts.linux is not None:
+ opts.stub = pathlib.Path(f'/usr/lib/systemd/boot/efi/linux{opts.efi_arch}.efi.stub')
+ else:
+ opts.stub = pathlib.Path(f'/usr/lib/systemd/boot/efi/addon{opts.efi_arch}.efi.stub')
if opts.signing_engine is None:
if opts.sb_key:
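Review bot: The stub choice is keyed only on `opts.linux`, and the two branches repeat the same path with one word changed; `kind = 'linux' if opts.linux is not None else 'addon'` followed by a single `pathlib.Path(f'/usr/lib/systemd/boot/efi/{kind}{opts.efi_arch}.efi.stub')` keeps the directory in one place. The comment added at the creation step says addons "don't use the stub", yet this branch selects an addon stub for them, so one of the two needs rewording (presumably it means the addon stub carries no `.sbat` of its own). An explicitly passed `--stub` is not checked against the build kind here, so a kernel stub given for an addon build would be accepted as far as this hunk shows. The enclosing function continues past the hunk.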