X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=man%2Fsystemd-stub.xml;h=2724c57ef92688233b5da7838c36d8590ce5f8aa;hb=HEAD;hp=e489a138d64daee9d11b248c5b7ba44abebea4f0;hpb=f03e8f19b736872ebe450d9321b5e7f6fd230f93;p=thirdparty%2Fsystemd.git diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml index e489a138d64..2724c57ef92 100644 --- a/man/systemd-stub.xml +++ b/man/systemd-stub.xml @@ -70,6 +70,9 @@ An .initrd section with the initrd. + A .ucode section with an initrd containing microcode, to be handed + to the kernel before any other initrd. This initrd must not be compressed. + A .splash section with an image (in the Windows .BMP format) to show on screen before invoking the kernel. @@ -89,7 +92,7 @@ specific key. A .pcrpkey section with a public key in the PEM format matching the - signature data in the the .pcrsig section. + signature data in the .pcrsig section. If UEFI SecureBoot is enabled and the .cmdline section is present in the executed @@ -185,7 +188,7 @@ configuration. In case Secure Boot is enabled, these files will be validated using keys in UEFI DB, Shim's DB or - Shim's MOK, and will be rejected otherwise. Additionally, if the both the addon and the UKI contain a a + Shim's MOK, and will be rejected otherwise. Additionally, if both the addon and the UKI contain a .uname section, the addon will be rejected if they do not match exactly. It is recommended to always add a .sbat section to all signed addons, so that they may be revoked with a SBAT policy update, without requiring blocklisting via DBX/MOKX. The 
@@ -233,7 +236,7 @@ core kernel, the embedded initrd and kernel command line (see above for a full list). Also note that the Linux kernel will measure all initrds it receives into TPM PCR 9. This means - every type of initrd will be measured two or three times: the initrd embedded in the kernel image will be + every type of initrd will be measured two or three times: the initrds embedded in the kernel image will be measured to PCR 4, PCR 9 and PCR 11; the initrd synthesized from credentials (and the one synthesized from configuration extensions) will be measured to both PCR 9 and PCR 12; the initrd synthesized from system extensions will be measured to both PCR 4 and PCR 9. Let's summarize the OS resources and the PCRs @@ -274,6 +277,11 @@ 4 + 9 + 11 + + Microcode initrd (embedded in unified PE binary) + 4 + 9 + 11 + + Default kernel command line (embedded in unified PE binary) 4 + 11 @@ -503,7 +511,8 @@ SMBIOS Type 11 Strings systemd-stub can be configured using SMBIOS Type 11 strings. Applicable strings - consist of a name, followed by =, followed by the value. + consist of a name, followed by =, followed by the value. Unless + systemd-stub detects it is running inside a confidential computing environment, systemd-stub will search the table for a string with a specific name, and if found, use its value. The following strings are read:
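
Review bot: In the @@ -70,6 +70,9 @@ hunk, the new .ucode item states "This initrd must not be compressed" but gives neither the reason nor what happens when a compressed image is placed in the section. Add a clause with the reason and the resulting behaviour, so that someone assembling a UKI can tell whether a compressed image is rejected or passed through to the kernel as it is.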
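
Review bot: In the @@ -233,7 +236,7 @@ hunk, the change from "the initrd embedded" to "the initrds embedded in the kernel image" leaves the reader to infer which embedded initrds are meant, and "kernel image" does not match the "embedded in unified PE binary" wording of the table rows in the next hunk. Name the sections in the prose, for example "the initrds embedded in the unified PE binary (.initrd and .ucode)", so the PCR 4, PCR 9 and PCR 11 statement lines up with the new "Microcode initrd" row.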
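
Review bot: In the @@ -503,7 +511,8 @@ hunk, the added clause "Unless systemd-stub detects it is running inside a confidential computing environment" does not say why that case is excluded or what happens in it. SMBIOS Type 11 strings are supplied by the virtualization host, so it is worth one sentence saying that they are not trusted in that setting and that the table is then not read at all; otherwise the exception reads as arbitrary. The sentence also repeats the program name twice; "Unless it detects ..., systemd-stub will search the table" reads better.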