]>
Commit | Line | Data |
---|---|---|
3f9a615d LP |
1 | <?xml version='1.0'?> <!--*-nxml-*--> |
2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | |
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
4 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> | |
5 | ||
ba38a24d | 6 | <refentry id="systemd-stub" conditional='HAVE_GNU_EFI' |
3f9a615d LP |
7 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
8 | <refentryinfo> | |
9 | <title>systemd-stub</title> | |
10 | <productname>systemd</productname> | |
11 | </refentryinfo> | |
12 | ||
13 | <refmeta> | |
14 | <refentrytitle>systemd-stub</refentrytitle> | |
15 | <manvolnum>7</manvolnum> | |
16 | </refmeta> | |
17 | ||
18 | <refnamediv> | |
19 | <refname>systemd-stub</refname> | |
838f094c | 20 | <refname>sd-stub</refname> |
3f9a615d LP |
21 | <refname>linuxx64.efi.stub</refname> |
22 | <refname>linuxia32.efi.stub</refname> | |
23 | <refname>linuxaa64.efi.stub</refname> | |
24 | <refpurpose>A simple UEFI kernel boot stub</refpurpose> | |
25 | </refnamediv> | |
26 | ||
27 | <refsynopsisdiv> | |
28 | <para><filename>/usr/lib/systemd/boot/efi/linuxx64.efi.stub</filename></para> | |
29 | <para><filename>/usr/lib/systemd/boot/efi/linuxia32.efi.stub</filename></para> | |
30 | <para><filename>/usr/lib/systemd/boot/efi/linuxaa64.efi.stub</filename></para> | |
f3b6f333 AV |
31 | <para><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.cred</filename></para> |
32 | <para><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.raw</filename></para> | |
33 | <para><filename><replaceable>ESP</replaceable>/loader/credentials/*.cred</filename></para> | |
3f9a615d LP |
34 | </refsynopsisdiv> |
35 | ||
36 | <refsect1> | |
37 | <title>Description</title> | |
38 | ||
39 | <para><command>systemd-stub</command> (stored in per-architecture files | |
40 | <filename>linuxx64.efi.stub</filename>, <filename>linuxia32.efi.stub</filename>, | |
41 | <filename>linuxaa64.efi.stub</filename> on disk) is a simple UEFI boot stub. An UEFI boot stub is | |
42 | attached to a Linux kernel binary image, and is a piece of code that runs in the UEFI firmware | |
43 | environment before transitioning into the Linux kernel environment. The UEFI boot stub ensures a Linux | |
44 | kernel is executable as regular UEFI binary, and is able to do various preparations before switching the | |
45 | system into the Linux world.</para> | |
46 | ||
47 | <para>The UEFI boot stub looks for various resources for the kernel invocation inside the UEFI PE binary | |
48 | itself. This allows combining various resources inside a single PE binary image, which may then be signed | |
49 | via UEFI SecureBoot as a whole, covering all individual resources at once. Specifically it may | |
50 | include:</para> | |
51 | ||
52 | <itemizedlist> | |
53 | <listitem><para>The ELF Linux kernel images will be looked for in the <literal>.linux</literal> PE | |
54 | section of the executed image.</para></listitem> | |
55 | ||
56 | <listitem><para>The initial RAM disk (initrd) will be looked for in the <literal>.initrd</literal> PE | |
57 | section.</para></listitem> | |
58 | ||
111c9ba6 MR |
59 | <listitem><para>A compiled binary DeviceTree will be looked for in the <literal>.dtb</literal> PE |
60 | section.</para></listitem> | |
61 | ||
3f9a615d LP |
62 | <listitem><para>The kernel command line to pass to the invoked kernel will be looked for in the |
63 | <literal>.cmdline</literal> PE section.</para></listitem> | |
64 | ||
65 | <listitem><para>A boot splash (in Windows <filename>.BMP</filename> format) to show on screen before | |
66 | invoking the kernel will be looked for in the <literal>.splash</literal> PE section.</para></listitem> | |
67 | </itemizedlist> | |
68 | ||
69 | <para>If UEFI SecureBoot is enabled and the <literal>.cmdline</literal> section is present in the executed | |
70 | image, any attempts to override the kernel command line by passing one as invocation parameters to the | |
71 | EFI binary are ignored. Thus, in order to allow overriding the kernel command line, either disable UEFI | |
72 | SecureBoot, or don't include a kernel command line PE section in the kernel image file. If a command line | |
73 | is accepted via EFI invocation parameters to the EFI binary it is measured into TPM PCR 8 (if a TPM is | |
74 | present).</para> | |
111c9ba6 MR |
75 | |
76 | <para>If a DeviceTree is embedded in the <literal>.dtb</literal> section, it replaces an existing | |
77 | DeviceTree in the corresponding EFI configuration table. systemd-stub will ask the firmware via the | |
78 | <literal>EFI_DT_FIXUP_PROTOCOL</literal> for hardware specific fixups to the DeviceTree.</para> | |
3f9a615d LP |
79 | </refsect1> |
80 | ||
81 | <refsect1> | |
82 | <title>Companion Files</title> | |
83 | ||
84 | <para>The <command>systemd-stub</command> UEFI boot stub automatically collects two types of auxiliary | |
f3b6f333 AV |
85 | companion files optionally placed in drop-in directories on the same partition as the EFI binary, |
86 | dynamically generates <command>cpio</command> initrd archives from them, and passes them to the kernel. | |
87 | Specifically:</para> | |
3f9a615d LP |
88 | |
89 | <itemizedlist> | |
f3b6f333 | 90 | <listitem><para>For a kernel binary called <filename><replaceable>foo</replaceable>.efi</filename>, it |
3f9a615d | 91 | will look for files with the <filename>.cred</filename> suffix in a directory named |
f3b6f333 | 92 | <filename><replaceable>foo</replaceable>.efi.extra.d/</filename> next to it. A <command>cpio</command> |
3f9a615d LP |
93 | archive is generated from all files found that way, placing them in the |
94 | <filename>/.extra/credentials/</filename> directory of the initrd file hierarchy. The main initrd may | |
95 | then access them in this directory. This is supposed to be used to store auxiliary, encrypted, | |
96 | authenticated credentials for use with <varname>LoadCredentialEncrypted=</varname> in the UEFI System | |
97 | Partition. See | |
fe003f02 ZJS |
98 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
99 | and | |
100 | <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
101 | for | |
3f9a615d | 102 | details on encrypted credentials. The generated <command>cpio</command> archive is measured into TPM |
fe003f02 | 103 | PCR 4 (if a TPM is present).</para></listitem> |
3f9a615d | 104 | |
f3b6f333 AV |
105 | <listitem><para>Similarly, files <filename><replaceable>foo</replaceable>.efi.extra.d/*.raw</filename> |
106 | are packed up in a <command>cpio</command> archive and placed in the <filename>/.extra/sysext/</filename> | |
3f9a615d LP |
107 | directory in the initrd file hierarchy. This is supposed to be used to pass additional system extension |
108 | images to the initrd. See | |
109 | <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for | |
110 | details on system extension images. The generated <command>cpio</command> archive containing these | |
111 | system extension images is measured into TPM PCR 8 (if a TPM is present).</para></listitem> | |
f3b6f333 AV |
112 | |
113 | <listitem><para>Files <filename>/loader/credentials/*.cred</filename> are packed up in a | |
114 | <command>cpio</command> archive and placed in the <filename>/.extra/global_credentials/</filename> | |
115 | directory of the initrd file hierarchy. This is supposed to be used to pass additional credentials to | |
116 | the initrd, regardless of the kernel being booted. The generated <command>cpio</command> archive is | |
117 | measured into TPM PCR 4 (if a TPM is present)</para></listitem> | |
3f9a615d LP |
118 | </itemizedlist> |
119 | ||
f3b6f333 | 120 | <para>These mechanisms may be used to parameterize and extend trusted (i.e. signed), immutable initrd |
3f9a615d LP |
121 | images in a reasonably safe way: all data they contain is measured into TPM PCRs. On access they should be |
122 | further validated: in case of the credentials case by encrypting/authenticating them via TPM, as exposed | |
123 | by <command>systemd-creds encrypt -T</command> (see | |
124 | <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |
125 | details); in case of the system extension images by using signed Verity images.</para> | |
126 | </refsect1> | |
127 | ||
128 | <refsect1> | |
129 | <title>EFI Variables</title> | |
130 | ||
131 | <para>The following EFI variables are defined, set and read by <command>systemd-stub</command>, under the | |
132 | vendor UUID <literal>4a67b082-0a4c-41cf-b6c7-440b29bb8c4f</literal>, for communication between the boot | |
133 | stub and the OS:</para> | |
134 | ||
135 | <variablelist class='efi-variables'> | |
136 | <varlistentry> | |
137 | <term><varname>LoaderDevicePartUUID</varname></term> | |
138 | ||
139 | <listitem><para>Contains the partition UUID of the EFI System Partition the EFI image was run | |
140 | from. <citerefentry><refentrytitle>systemd-gpt-auto-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
141 | uses this information to automatically find the disk booted from, in order to discover various other | |
142 | partitions on the same disk automatically.</para></listitem> | |
143 | </varlistentry> | |
144 | ||
145 | <varlistentry> | |
146 | <term><varname>LoaderFirmwareInfo</varname></term> | |
147 | <term><varname>LoaderFirmwareType</varname></term> | |
148 | ||
149 | <listitem><para>Brief firmware information. Use | |
150 | <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view this | |
151 | data.</para></listitem> | |
152 | </varlistentry> | |
153 | ||
154 | <varlistentry> | |
155 | <term><varname>LoaderImageIdentifier</varname></term> | |
156 | ||
157 | <listitem><para>The path of EFI executable, relative to the EFI System Partition's root | |
158 | directory. Use | |
159 | <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view | |
160 | this data.</para></listitem> | |
161 | </varlistentry> | |
162 | ||
163 | <varlistentry> | |
164 | <term><varname>StubInfo</varname></term> | |
165 | ||
166 | <listitem><para>Brief stub information. Use | |
167 | <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view | |
168 | this data.</para></listitem> | |
169 | </varlistentry> | |
170 | </variablelist> | |
171 | ||
172 | <para>Note that some of the variables above may also be set by the boot loader. The stub will only set | |
173 | them if they aren't set already. Some of these variables are defined by the <ulink | |
174 | url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>.</para> | |
175 | </refsect1> | |
176 | ||
177 | <refsect1> | |
178 | <title>Assembling Kernel Images</title> | |
179 | ||
180 | <para>In order to assemble an UEFI PE kernel image from various components as described above, use an | |
ff9412c1 | 181 | <citerefentry project='man-pages'><refentrytitle>objcopy</refentrytitle><manvolnum>1</manvolnum></citerefentry> command line |
3f9a615d LP |
182 | like this:</para> |
183 | ||
184 | <programlisting>objcopy \ | |
185 | --add-section .osrel=os-release --change-section-vma .osrel=0x20000 \ | |
186 | --add-section .cmdline=cmdline.txt --change-section-vma .cmdline=0x30000 \ | |
111c9ba6 MR |
187 | --add-section .dtb=devicetree.dtb --change-section-vma .dtb=0x40000 \ |
188 | --add-section .splash=splash.bmp --change-section-vma .splash=0x100000 \ | |
3f9a615d LP |
189 | --add-section .linux=vmlinux --change-section-vma .linux=0x2000000 \ |
190 | --add-section .initrd=initrd.cpio --change-section-vma .initrd=0x3000000 \ | |
191 | /usr/lib/systemd/boot/efi/linuxx64.efi.stub \ | |
192 | foo-unsigned.efi</programlisting> | |
193 | ||
194 | <para>This generates one PE executable file <filename>foo-unsigned.efi</filename> from the six individual | |
195 | files for OS release information, kernel command line, boot splash image, kernel image, main initrd and | |
196 | UEFI boot stub.</para> | |
197 | ||
198 | <para>To then sign the resulting image for UEFI SecureBoot use an | |
ff9412c1 | 199 | <citerefentry project='archlinux'><refentrytitle>sbsign</refentrytitle><manvolnum>1</manvolnum></citerefentry> command like |
3f9a615d LP |
200 | the following:</para> |
201 | ||
202 | <programlisting>sbsign \ | |
203 | --key mykey.pem \ | |
204 | --cert mykey.crt \ | |
205 | --output foo.efi \ | |
206 | foo-unsigned.efi</programlisting> | |
207 | ||
208 | <para>This expects a pair of X.509 private key and certificate as parameters and then signs the UEFI PE | |
209 | executable we generated above for UEFI SecureBoot and generates a signed UEFI PE executable as | |
210 | result.</para> | |
211 | </refsect1> | |
212 | ||
213 | <refsect1> | |
214 | <title>See Also</title> | |
215 | <para> | |
216 | <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>, | |
217 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
218 | <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
219 | <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
220 | <ulink url="https://systemd.io/BOOT_LOADER_SPECIFICATION">Boot Loader Specification</ulink>, | |
221 | <ulink url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>, | |
ff9412c1 ZJS |
222 | <citerefentry project='man-pages'><refentrytitle>objcopy</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
223 | <citerefentry project='archlinux'><refentrytitle>sbsign</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
3f9a615d LP |
224 | </para> |
225 | </refsect1> | |
226 | </refentry> |