X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=man%2Fsystemd-stub.xml;h=2724c57ef92688233b5da7838c36d8590ce5f8aa;hb=HEAD;hp=e489a138d64daee9d11b248c5b7ba44abebea4f0;hpb=f03e8f19b736872ebe450d9321b5e7f6fd230f93;p=thirdparty%2Fsystemd.git
diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml
index e489a138d64..2724c57ef92 100644
--- a/man/systemd-stub.xml
+++ b/man/systemd-stub.xml
@@ -70,6 +70,9 @@
An .initrd section with the initrd.
+ A .ucode section with an initrd containing microcode, to be handed
+ to the kernel before any other initrd. This initrd must not be compressed.
+
A .splash section with an image (in the Windows
.BMP format) to show on screen before invoking the kernel.
@@ -89,7 +92,7 @@
specific key.
A .pcrpkey section with a public key in the PEM format matching the
- signature data in the the .pcrsig section.
+ signature data in the .pcrsig section.
If UEFI SecureBoot is enabled and the .cmdline section is present in the executed
@@ -185,7 +188,7 @@
configuration.
In case Secure Boot is enabled, these files will be validated using keys in UEFI DB, Shim's DB or
- Shim's MOK, and will be rejected otherwise. Additionally, if the both the addon and the UKI contain a a
+ Shim's MOK, and will be rejected otherwise. Additionally, if both the addon and the UKI contain a
.uname section, the addon will be rejected if they do not match exactly. It is
recommended to always add a .sbat section to all signed addons, so that they may be
revoked with a SBAT policy update, without requiring blocklisting via DBX/MOKX. The
@@ -233,7 +236,7 @@
core kernel, the embedded initrd and kernel command line (see above for a full list).
Also note that the Linux kernel will measure all initrds it receives into TPM PCR 9. This means
- every type of initrd will be measured two or three times: the initrd embedded in the kernel image will be
+ every type of initrd will be measured two or three times: the initrds embedded in the kernel image will be
measured to PCR 4, PCR 9 and PCR 11; the initrd synthesized from credentials (and the one synthesized
from configuration extensions) will be measured to both PCR 9 and PCR 12; the initrd synthesized from
system extensions will be measured to both PCR 4 and PCR 9. Let's summarize the OS resources and the PCRs
@@ -274,6 +277,11 @@
4 + 9 + 11
+
+ Microcode initrd (embedded in unified PE binary)
+ 4 + 9 + 11
+
+
Default kernel command line (embedded in unified PE binary)
4 + 11
@@ -503,7 +511,8 @@
SMBIOS Type 11 Strings
systemd-stub can be configured using SMBIOS Type 11 strings. Applicable strings
- consist of a name, followed by =, followed by the value.
+ consist of a name, followed by =, followed by the value. Unless
+ systemd-stub detects it is running inside a confidential computing environment,
systemd-stub will search the table for a string with a specific name, and if found,
use its value. The following strings are read: