[thirdparty/systemd.git] / man / systemd-stub.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd-stub" conditional='HAVE_GNU_EFI'
    xmlns:xi="http://www.w3.org/2001/XInclude">
  <refentryinfo>
    <title>systemd-stub</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-stub</refentrytitle>
    <manvolnum>7</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-stub</refname>
    <refname>sd-stub</refname>
    <refname>linuxx64.efi.stub</refname>
    <refname>linuxia32.efi.stub</refname>
    <refname>linuxaa64.efi.stub</refname>
    <refpurpose>A simple UEFI kernel boot stub</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/usr/lib/systemd/boot/efi/linuxx64.efi.stub</filename></para>
    <para><filename>/usr/lib/systemd/boot/efi/linuxia32.efi.stub</filename></para>
    <para><filename>/usr/lib/systemd/boot/efi/linuxaa64.efi.stub</filename></para>
    <para><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.cred</filename></para>
    <para><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.raw</filename></para>
    <para><filename><replaceable>ESP</replaceable>/loader/credentials/*.cred</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-stub</command> (stored in per-architecture files
    <filename>linuxx64.efi.stub</filename>, <filename>linuxia32.efi.stub</filename>,
    <filename>linuxaa64.efi.stub</filename> on disk) is a simple UEFI boot stub. An UEFI boot stub is
    attached to a Linux kernel binary image, and is a piece of code that runs in the UEFI firmware
    environment before transitioning into the Linux kernel environment. The UEFI boot stub ensures a Linux
    kernel is executable as regular UEFI binary, and is able to do various preparations before switching the
    system into the Linux world.</para>

    <para>The UEFI boot stub looks for various resources for the kernel invocation inside the UEFI PE binary
    itself. This allows combining various resources inside a single PE binary image, which may then be signed
    via UEFI SecureBoot as a whole, covering all individual resources at once. Specifically it may
    include:</para>

    <itemizedlist>
      <listitem><para>The ELF Linux kernel images will be looked for in the <literal>.linux</literal> PE
      section of the executed image.</para></listitem>

      <listitem><para>The initial RAM disk (initrd) will be looked for in the <literal>.initrd</literal> PE
      section.</para></listitem>

      <listitem><para>A compiled binary DeviceTree will be looked for in the <literal>.dtb</literal> PE
      section.</para></listitem>

      <listitem><para>The kernel command line to pass to the invoked kernel will be looked for in the
      <literal>.cmdline</literal> PE section.</para></listitem>

      <listitem><para>A boot splash (in Windows <filename>.BMP</filename> format) to show on screen before
      invoking the kernel will be looked for in the <literal>.splash</literal> PE section.</para></listitem>
    </itemizedlist>

    <para>If UEFI SecureBoot is enabled and the <literal>.cmdline</literal> section is present in the executed
    image, any attempts to override the kernel command line by passing one as invocation parameters to the
    EFI binary are ignored. Thus, in order to allow overriding the kernel command line, either disable UEFI
    SecureBoot, or don't include a kernel command line PE section in the kernel image file. If a command line
    is accepted via EFI invocation parameters to the EFI binary it is measured into TPM PCR 8 (if a TPM is
    present).</para>

    <para>If a DeviceTree is embedded in the <literal>.dtb</literal> section, it replaces an existing
    DeviceTree in the corresponding EFI configuration table. systemd-stub will ask the firmware via the
    <literal>EFI_DT_FIXUP_PROTOCOL</literal> for hardware specific fixups to the DeviceTree.</para>
  </refsect1>

  <refsect1>
    <title>Companion Files</title>

    <para>The <command>systemd-stub</command> UEFI boot stub automatically collects two types of auxiliary
    companion files optionally placed in drop-in directories on the same partition as the EFI binary,
    dynamically generates <command>cpio</command> initrd archives from them, and passes them to the kernel.
    Specifically:</para>

    <itemizedlist>
      <listitem><para>For a kernel binary called <filename><replaceable>foo</replaceable>.efi</filename>, it
      will look for files with the <filename>.cred</filename> suffix in a directory named
      <filename><replaceable>foo</replaceable>.efi.extra.d/</filename> next to it. A <command>cpio</command>
      archive is generated from all files found that way, placing them in the
      <filename>/.extra/credentials/</filename> directory of the initrd file hierarchy. The main initrd may
      then access them in this directory. This is supposed to be used to store auxiliary, encrypted,
      authenticated credentials for use with <varname>LoadCredentialEncrypted=</varname> in the UEFI System
      Partition. See
      <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
      and
      <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>
      for
      details on encrypted credentials. The generated <command>cpio</command> archive is measured into TPM
      PCR 4 (if a TPM is present).</para></listitem>

      <listitem><para>Similarly, files <filename><replaceable>foo</replaceable>.efi.extra.d/*.raw</filename>
      are packed up in a <command>cpio</command> archive and placed in the <filename>/.extra/sysext/</filename>
      directory in the initrd file hierarchy. This is supposed to be used to pass additional system extension
      images to the initrd. See
      <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
      details on system extension images. The generated <command>cpio</command> archive containing these
      system extension images is measured into TPM PCR 8 (if a TPM is present).</para></listitem>

      <listitem><para>Files <filename>/loader/credentials/*.cred</filename> are packed up in a
      <command>cpio</command> archive and placed in the <filename>/.extra/global_credentials/</filename>
      directory of the initrd file hierarchy. This is supposed to be used to pass additional credentials to
      the initrd, regardless of the kernel being booted. The generated <command>cpio</command> archive is
      measured into TPM PCR 4 (if a TPM is present)</para></listitem>
    </itemizedlist>

    <para>These mechanisms may be used to parameterize and extend trusted (i.e. signed), immutable initrd
    images in a reasonably safe way: all data they contain is measured into TPM PCRs. On access they should be
    further validated: in case of the credentials case by encrypting/authenticating them via TPM, as exposed
    by <command>systemd-creds encrypt -T</command> (see
    <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
    details); in case of the system extension images by using signed Verity images.</para>
  </refsect1>

  <refsect1>
    <title>EFI Variables</title>

    <para>The following EFI variables are defined, set and read by <command>systemd-stub</command>, under the
    vendor UUID <literal>4a67b082-0a4c-41cf-b6c7-440b29bb8c4f</literal>, for communication between the boot
    stub and the OS:</para>

    <variablelist class='efi-variables'>
      <varlistentry>
        <term><varname>LoaderDevicePartUUID</varname></term>

        <listitem><para>Contains the partition UUID of the EFI System Partition the EFI image was run
        from. <citerefentry><refentrytitle>systemd-gpt-auto-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        uses this information to automatically find the disk booted from, in order to discover various other
        partitions on the same disk automatically.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>LoaderFirmwareInfo</varname></term>
        <term><varname>LoaderFirmwareType</varname></term>

        <listitem><para>Brief firmware information. Use
        <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view this
        data.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>LoaderImageIdentifier</varname></term>

        <listitem><para>The path of EFI executable, relative to the EFI System Partition's root
        directory. Use
        <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view
        this data.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>StubInfo</varname></term>

        <listitem><para>Brief stub information. Use
        <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view
        this data.</para></listitem>
      </varlistentry>
    </variablelist>

    <para>Note that some of the variables above may also be set by the boot loader. The stub will only set
    them if they aren't set already. Some of these variables are defined by the <ulink
    url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>.</para>
  </refsect1>

  <refsect1>
    <title>Assembling Kernel Images</title>

    <para>In order to assemble an UEFI PE kernel image from various components as described above, use an
    <citerefentry project='man-pages'><refentrytitle>objcopy</refentrytitle><manvolnum>1</manvolnum></citerefentry> command line
    like this:</para>

    <programlisting>objcopy \
    --add-section .osrel=os-release --change-section-vma .osrel=0x20000 \
    --add-section .cmdline=cmdline.txt --change-section-vma .cmdline=0x30000 \
    --add-section .dtb=devicetree.dtb --change-section-vma .dtb=0x40000 \
    --add-section .splash=splash.bmp --change-section-vma .splash=0x100000 \
    --add-section .linux=vmlinux --change-section-vma .linux=0x2000000 \
    --add-section .initrd=initrd.cpio --change-section-vma .initrd=0x3000000 \
    /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
    foo-unsigned.efi</programlisting>

    <para>This generates one PE executable file <filename>foo-unsigned.efi</filename> from the six individual
    files for OS release information, kernel command line, boot splash image, kernel image, main initrd and
    UEFI boot stub.</para>

    <para>To then sign the resulting image for UEFI SecureBoot use an
    <citerefentry project='archlinux'><refentrytitle>sbsign</refentrytitle><manvolnum>1</manvolnum></citerefentry> command like
    the following:</para>

    <programlisting>sbsign \
    --key mykey.pem \
    --cert mykey.crt \
    --output foo.efi \
    foo-unsigned.efi</programlisting>

    <para>This expects a pair of X.509 private key and certificate as parameters and then signs the UEFI PE
    executable we generated above for UEFI SecureBoot and generates a signed UEFI PE executable as
    result.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <ulink url="https://systemd.io/BOOT_LOADER_SPECIFICATION">Boot Loader Specification</ulink>,
      <ulink url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>,
      <citerefentry project='man-pages'><refentrytitle>objcopy</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='archlinux'><refentrytitle>sbsign</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    </para>
  </refsect1>
</refentry>
Commit	Line	Data
3f9a615d LP	1	<?xml version='1.0'?> <!---nxml--->
	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
	4	<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
	5
ba38a24d	6	<refentry id="systemd-stub" conditional='HAVE_GNU_EFI'
3f9a615d LP	7	xmlns:xi="http://www.w3.org/2001/XInclude">
	8	<refentryinfo>
	9	<title>systemd-stub</title>
	10	<productname>systemd</productname>
	11	</refentryinfo>
	12
	13	<refmeta>
	14	<refentrytitle>systemd-stub</refentrytitle>
	15	<manvolnum>7</manvolnum>
	16	</refmeta>
	17
	18	<refnamediv>
	19	<refname>systemd-stub</refname>
838f094c	20	<refname>sd-stub</refname>
3f9a615d LP	21	<refname>linuxx64.efi.stub</refname>
	22	<refname>linuxia32.efi.stub</refname>
	23	<refname>linuxaa64.efi.stub</refname>
	24	<refpurpose>A simple UEFI kernel boot stub</refpurpose>
	25	</refnamediv>
	26
	27	<refsynopsisdiv>
	28	<para><filename>/usr/lib/systemd/boot/efi/linuxx64.efi.stub</filename></para>
	29	<para><filename>/usr/lib/systemd/boot/efi/linuxia32.efi.stub</filename></para>
	30	<para><filename>/usr/lib/systemd/boot/efi/linuxaa64.efi.stub</filename></para>
f3b6f333 AV	31	<para><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.cred</filename></para>
	32	<para><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.raw</filename></para>
	33	<para><filename><replaceable>ESP</replaceable>/loader/credentials/*.cred</filename></para>
3f9a615d LP	34	</refsynopsisdiv>
	35
	36	<refsect1>
	37	<title>Description</title>
	38
	39	<para><command>systemd-stub</command> (stored in per-architecture files
	40	<filename>linuxx64.efi.stub</filename>, <filename>linuxia32.efi.stub</filename>,
	41	<filename>linuxaa64.efi.stub</filename> on disk) is a simple UEFI boot stub. An UEFI boot stub is
	42	attached to a Linux kernel binary image, and is a piece of code that runs in the UEFI firmware
	43	environment before transitioning into the Linux kernel environment. The UEFI boot stub ensures a Linux
	44	kernel is executable as regular UEFI binary, and is able to do various preparations before switching the
	45	system into the Linux world.</para>
	46
	47	<para>The UEFI boot stub looks for various resources for the kernel invocation inside the UEFI PE binary
	48	itself. This allows combining various resources inside a single PE binary image, which may then be signed
	49	via UEFI SecureBoot as a whole, covering all individual resources at once. Specifically it may
	50	include:</para>
	51
	52	<itemizedlist>
	53	<listitem><para>The ELF Linux kernel images will be looked for in the <literal>.linux</literal> PE
	54	section of the executed image.</para></listitem>
	55
	56	<listitem><para>The initial RAM disk (initrd) will be looked for in the <literal>.initrd</literal> PE
	57	section.</para></listitem>
	58
111c9ba6 MR	59	<listitem><para>A compiled binary DeviceTree will be looked for in the <literal>.dtb</literal> PE
	60	section.</para></listitem>
	61
3f9a615d LP	62	<listitem><para>The kernel command line to pass to the invoked kernel will be looked for in the
	63	<literal>.cmdline</literal> PE section.</para></listitem>
	64
	65	<listitem><para>A boot splash (in Windows <filename>.BMP</filename> format) to show on screen before
	66	invoking the kernel will be looked for in the <literal>.splash</literal> PE section.</para></listitem>
	67	</itemizedlist>
	68
	69	<para>If UEFI SecureBoot is enabled and the <literal>.cmdline</literal> section is present in the executed
	70	image, any attempts to override the kernel command line by passing one as invocation parameters to the
	71	EFI binary are ignored. Thus, in order to allow overriding the kernel command line, either disable UEFI
	72	SecureBoot, or don't include a kernel command line PE section in the kernel image file. If a command line
	73	is accepted via EFI invocation parameters to the EFI binary it is measured into TPM PCR 8 (if a TPM is
	74	present).</para>
111c9ba6 MR	75
	76	<para>If a DeviceTree is embedded in the <literal>.dtb</literal> section, it replaces an existing
	77	DeviceTree in the corresponding EFI configuration table. systemd-stub will ask the firmware via the
	78	<literal>EFI_DT_FIXUP_PROTOCOL</literal> for hardware specific fixups to the DeviceTree.</para>
3f9a615d LP	79	</refsect1>
	80
	81	<refsect1>
	82	<title>Companion Files</title>
	83
	84	<para>The <command>systemd-stub</command> UEFI boot stub automatically collects two types of auxiliary
f3b6f333 AV	85	companion files optionally placed in drop-in directories on the same partition as the EFI binary,
	86	dynamically generates <command>cpio</command> initrd archives from them, and passes them to the kernel.
	87	Specifically:</para>
3f9a615d LP	88
3f9a615d LP	89	<itemizedlist>
f3b6f333	90	<listitem><para>For a kernel binary called <filename><replaceable>foo</replaceable>.efi</filename>, it
3f9a615d	91	will look for files with the <filename>.cred</filename> suffix in a directory named
f3b6f333	92	<filename><replaceable>foo</replaceable>.efi.extra.d/</filename> next to it. A <command>cpio</command>
3f9a615d LP	93	archive is generated from all files found that way, placing them in the
	94	<filename>/.extra/credentials/</filename> directory of the initrd file hierarchy. The main initrd may
	95	then access them in this directory. This is supposed to be used to store auxiliary, encrypted,
	96	authenticated credentials for use with <varname>LoadCredentialEncrypted=</varname> in the UEFI System
	97	Partition. See
fe003f02 ZJS	98	<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
	99	and
	100	<citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	101	for
3f9a615d	102	details on encrypted credentials. The generated <command>cpio</command> archive is measured into TPM
fe003f02	103	PCR 4 (if a TPM is present).</para></listitem>
3f9a615d	104
f3b6f333 AV	105	<listitem><para>Similarly, files <filename><replaceable>foo</replaceable>.efi.extra.d/*.raw</filename>
f3b6f333 AV	106	are packed up in a <command>cpio</command> archive and placed in the <filename>/.extra/sysext/</filename>
3f9a615d LP	107	directory in the initrd file hierarchy. This is supposed to be used to pass additional system extension
	108	images to the initrd. See
	109	<citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
	110	details on system extension images. The generated <command>cpio</command> archive containing these
	111	system extension images is measured into TPM PCR 8 (if a TPM is present).</para></listitem>
f3b6f333 AV	112
	113	<listitem><para>Files <filename>/loader/credentials/*.cred</filename> are packed up in a
	114	<command>cpio</command> archive and placed in the <filename>/.extra/global_credentials/</filename>
	115	directory of the initrd file hierarchy. This is supposed to be used to pass additional credentials to
	116	the initrd, regardless of the kernel being booted. The generated <command>cpio</command> archive is
	117	measured into TPM PCR 4 (if a TPM is present)</para></listitem>
3f9a615d LP	118	</itemizedlist>
3f9a615d LP	119
f3b6f333	120	<para>These mechanisms may be used to parameterize and extend trusted (i.e. signed), immutable initrd
3f9a615d LP	121	images in a reasonably safe way: all data they contain is measured into TPM PCRs. On access they should be
	122	further validated: in case of the credentials case by encrypting/authenticating them via TPM, as exposed
	123	by <command>systemd-creds encrypt -T</command> (see
	124	<citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
	125	details); in case of the system extension images by using signed Verity images.</para>
	126	</refsect1>
	127
	128	<refsect1>
	129	<title>EFI Variables</title>
	130
	131	<para>The following EFI variables are defined, set and read by <command>systemd-stub</command>, under the
	132	vendor UUID <literal>4a67b082-0a4c-41cf-b6c7-440b29bb8c4f</literal>, for communication between the boot
	133	stub and the OS:</para>
	134
	135	<variablelist class='efi-variables'>
	136	<varlistentry>
	137	<term><varname>LoaderDevicePartUUID</varname></term>
	138
	139	<listitem><para>Contains the partition UUID of the EFI System Partition the EFI image was run
	140	from. <citerefentry><refentrytitle>systemd-gpt-auto-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	141	uses this information to automatically find the disk booted from, in order to discover various other
	142	partitions on the same disk automatically.</para></listitem>
	143	</varlistentry>
	144
	145	<varlistentry>
	146	<term><varname>LoaderFirmwareInfo</varname></term>
	147	<term><varname>LoaderFirmwareType</varname></term>
	148
	149	<listitem><para>Brief firmware information. Use
	150	<citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view this
	151	data.</para></listitem>
	152	</varlistentry>
	153
	154	<varlistentry>
	155	<term><varname>LoaderImageIdentifier</varname></term>
	156
	157	<listitem><para>The path of EFI executable, relative to the EFI System Partition's root
	158	directory. Use
	159	<citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view
	160	this data.</para></listitem>
	161	</varlistentry>
	162
	163	<varlistentry>
	164	<term><varname>StubInfo</varname></term>
	165
	166	<listitem><para>Brief stub information. Use
	167	<citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view
	168	this data.</para></listitem>
	169	</varlistentry>
	170	</variablelist>
	171
	172	<para>Note that some of the variables above may also be set by the boot loader. The stub will only set
	173	them if they aren't set already. Some of these variables are defined by the <ulink
	174	url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>.</para>
	175	</refsect1>
	176
	177	<refsect1>
	178	<title>Assembling Kernel Images</title>
	179
	180	<para>In order to assemble an UEFI PE kernel image from various components as described above, use an
ff9412c1	181	<citerefentry project='man-pages'><refentrytitle>objcopy</refentrytitle><manvolnum>1</manvolnum></citerefentry> command line
3f9a615d LP	182	like this:</para>
	183
	184	<programlisting>objcopy \
	185	--add-section .osrel=os-release --change-section-vma .osrel=0x20000 \
	186	--add-section .cmdline=cmdline.txt --change-section-vma .cmdline=0x30000 \
111c9ba6 MR	187	--add-section .dtb=devicetree.dtb --change-section-vma .dtb=0x40000 \
111c9ba6 MR	188	--add-section .splash=splash.bmp --change-section-vma .splash=0x100000 \
3f9a615d LP	189	--add-section .linux=vmlinux --change-section-vma .linux=0x2000000 \
	190	--add-section .initrd=initrd.cpio --change-section-vma .initrd=0x3000000 \
	191	/usr/lib/systemd/boot/efi/linuxx64.efi.stub \
	192	foo-unsigned.efi</programlisting>
	193
	194	<para>This generates one PE executable file <filename>foo-unsigned.efi</filename> from the six individual
	195	files for OS release information, kernel command line, boot splash image, kernel image, main initrd and
	196	UEFI boot stub.</para>
	197
	198	<para>To then sign the resulting image for UEFI SecureBoot use an
ff9412c1	199	<citerefentry project='archlinux'><refentrytitle>sbsign</refentrytitle><manvolnum>1</manvolnum></citerefentry> command like
3f9a615d LP	200	the following:</para>
	201
	202	<programlisting>sbsign \
	203	--key mykey.pem \
	204	--cert mykey.crt \
	205	--output foo.efi \
	206	foo-unsigned.efi</programlisting>
	207
	208	<para>This expects a pair of X.509 private key and certificate as parameters and then signs the UEFI PE
	209	executable we generated above for UEFI SecureBoot and generates a signed UEFI PE executable as
	210	result.</para>
	211	</refsect1>
	212
	213	<refsect1>
	214	<title>See Also</title>
	215	<para>
	216	<citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
	217	<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
	218	<citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	219	<citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	220	<ulink url="https://systemd.io/BOOT_LOADER_SPECIFICATION">Boot Loader Specification</ulink>,
	221	<ulink url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>,
ff9412c1 ZJS	222	<citerefentry project='man-pages'><refentrytitle>objcopy</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
ff9412c1 ZJS	223	<citerefentry project='archlinux'><refentrytitle>sbsign</refentrytitle><manvolnum>1</manvolnum></citerefentry>
3f9a615d LP	224	</para>
	225	</refsect1>
	226	</refentry>