Use [FILE] as a splash image when creating an UEFI
executable. Requires bitmap (.bmp) image format.
--kernel-image [FILE] Location of the kernel image.
+ --sbat [PARAMETERS] The SBAT parameters to be added to .sbat.
+ The string "sbat,1,SBAT Version,sbat,1,
+ https://github.com/rhboot/shim/blob/main/SBAT.md" is
+ already added by default.
--regenerate-all Regenerate all initramfs images at the default location
for the kernel versions found on the system.
-p, --parallel Use parallel processing if possible (currently only
--long uefi-stub: \
--long uefi-splash-image: \
--long kernel-image: \
+ --long sbat: \
--long no-hostonly-i18n \
--long hostonly-i18n \
--long hostonly-nics: \
PARMS_TO_STORE+=" '$2'"
shift
;;
+ --sbat)
+ sbat_l="$2"
+ PARMS_TO_STORE+=" '$2'"
+ shift
+ ;;
--no-machineid)
machine_id_l="no"
;;
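Review bot: The new `--sbat)` arm stores its argument with `PARMS_TO_STORE+=" '$2'"`, which wraps the value in single quotes without escaping it, so an SBAT string containing an apostrophe (the vendor fields are free text) leaves the stored parameter list with unbalanced quoting. How PARMS_TO_STORE is read back is not visible in this hunk, so the effect on a later rebuild is an assumption. If the list is re-parsed by the shell, `printf -v _sbat_q '%q' "$2"; PARMS_TO_STORE+=" $_sbat_q"` would store a form that round-trips to the same value. The arm above it uses the same pattern, so this may be better fixed for all arms at once; the case statement starts and ends outside the hunk.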
[[ $uefi_stub_l ]] && uefi_stub="$uefi_stub_l"
[[ $uefi_splash_image_l ]] && uefi_splash_image="$uefi_splash_image_l"
[[ $kernel_image_l ]] && kernel_image="$kernel_image_l"
+[[ $sbat_l ]] && sbat="$sbat_l"
[[ $machine_id_l ]] && machine_id="$machine_id_l"
if ! [[ $outfile ]]; then
fi
if [[ $uefi == "yes" ]]; then
- # shellcheck disable=SC2154
if [[ -n $uefi_secureboot_key && -z $uefi_secureboot_cert ]] || [[ -z $uefi_secureboot_key && -n $uefi_secureboot_cert ]]; then
printf "%s\n" "dracut[F]: Need 'uefi_secureboot_key' and 'uefi_secureboot_cert' both to be set." >&2
exit 1
readonly initdir="${DRACUT_TMPDIR}/initramfs"
mkdir -p "$initdir"
-# shellcheck disable=SC2154
if [[ $early_microcode == yes ]] || { [[ $acpi_override == yes ]] && [[ -d $acpi_table_dir ]]; }; then
readonly early_cpio_dir="${DRACUT_TMPDIR}/earlycpio"
mkdir "$early_cpio_dir"
unset enhanced_cpio
fi
-# shellcheck disable=SC2154
if [[ $no_kernel != yes ]] && ! [[ -d $srcmods ]]; then
dfatal "Cannot find module directory $srcmods"
dfatal "and --no-kernel was not specified"
if [[ $early_microcode == yes ]]; then
if [[ $hostonly ]]; then
- if [[ $(get_cpu_vendor) == "AMD" ]]; then
- check_kernel_config CONFIG_MICROCODE_AMD || unset early_microcode
- elif [[ $(get_cpu_vendor) == "Intel" ]]; then
- check_kernel_config CONFIG_MICROCODE_INTEL || unset early_microcode
+ if [[ $(get_cpu_vendor) == "AMD" || $(get_cpu_vendor) == "Intel" ]]; then
+ check_kernel_config CONFIG_MICROCODE || unset early_microcode
else
unset early_microcode
fi
else
- ! check_kernel_config CONFIG_MICROCODE_AMD \
- && ! check_kernel_config CONFIG_MICROCODE_INTEL \
+ ! check_kernel_config CONFIG_MICROCODE \
&& unset early_microcode
fi
# Do not complain on non-x86 architectures as it makes no sense
case "${DRACUT_ARCH:-$(uname -m)}" in
x86_64 | i?86)
[[ $early_microcode != yes ]] \
- && dwarn "Disabling early microcode, because kernel does not support it. CONFIG_MICROCODE_[AMD|INTEL]!=y"
+ && dwarn "Disabling early microcode, because kernel does not support it. CONFIG_MICROCODE!=y"
;;
*) ;;
esac
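Review bot: The merged test `if [[ $(get_cpu_vendor) == "AMD" || $(get_cpu_vendor) == "Intel" ]]` runs get_cpu_vendor in a subshell twice. `case $(get_cpu_vendor) in AMD | Intel) check_kernel_config CONFIG_MICROCODE || unset early_microcode ;; *) unset early_microcode ;; esac` evaluates it once and reads closer to the intent. A comment above the check should record why the per-vendor options are no longer consulted, for example `# newer kernels only expose CONFIG_MICROCODE; the per-vendor options may be absent`. On a kernel that still has CONFIG_MICROCODE_AMD/_INTEL, this test can pass while the matching vendor loader is disabled. The enclosing `if [[ $early_microcode == yes ]]` block closes outside the hunk.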
if [[ $kernel_only != yes ]]; then
mkdir -p "${initdir}/etc/cmdline.d"
mkdir -m 0755 "${initdir}"/lib/dracut/hooks
- # shellcheck disable=SC2154
for _d in $hookdirs; do
# shellcheck disable=SC2174
mkdir -m 0755 -p "${initdir}/lib/dracut/hooks/$_d"
# shellcheck disable=SC2086
find "$initdir" -type f -perm /0111 -not -path '*.ko' -print0 \
| xargs -r -0 $DRACUT_INSTALL ${initdir:+-D "$initdir"} ${dracutsysrootdir:+-r "$dracutsysrootdir"} -R ${DRACUT_FIPS_MODE:+-f} --
- dinfo "*** Resolving executable dependencies done ***"
+ # shellcheck disable=SC2181
+ if (($? == 0)); then
+ dinfo "*** Resolving executable dependencies done ***"
+ else
+ dfatal "Resolving executable dependencies failed"
+ exit 1
+ fi
fi
# Now we are done with lazy resolving, always install dependencies
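Review bot: The `(($? == 0))` test after the `find … | xargs …` pipeline sees only the exit status of xargs unless `pipefail` is set, which is not visible here, so a find that fails part-way through the tree is still reported as "done". Putting the pipeline directly in the condition, `if find "$initdir" … | xargs -r -0 $DRACUT_INSTALL … --; then`, removes the need for `# shellcheck disable=SC2181` and keeps the check attached to the command it refers to. If a find failure should be fatal as well, the block needs `set -o pipefail` around the pipeline or a test of `${PIPESTATUS[0]}` immediately after it.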
fi
fi
-# shellcheck disable=SC2154
if ((maxloglvl >= 5)) && ((verbosity_mod_l >= 0)); then
if [[ $allowlocal ]]; then
"$dracutbasedir/lsinitrd.sh" "${DRACUT_TMPDIR}/initramfs.img" | ddebug
umask 077
+SBAT_DEFAULT="sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"
+sbat_out=$uefi_outdir/uki.sbat
+
+clean_sbat_string() {
+ local inp=$1
+ local temp=$uefi_outdir/temp.sbat
+ sed "/${SBAT_DEFAULT//\//\\/}/d" "$inp" > "$temp"
+ [[ -s $temp ]] && cat "$temp" >> "$sbat_out"
+ rm "$temp"
+}
+
+get_sbat_string() {
+ local inp=$1
+ local out=$uefi_outdir/$2
+ objcopy -O binary --only-section=.sbat "$inp" "$out"
+ clean_sbat_string "$out"
+}
+
if [[ $uefi == yes ]]; then
if [[ $kernel_cmdline ]]; then
echo -n "$kernel_cmdline" > "$uefi_outdir/cmdline.txt"
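Review bot: get_sbat_string ignores the exit status of `objcopy -O binary --only-section=.sbat "$inp" "$out"`, so when the kernel image or stub cannot be read, the sed in clean_sbat_string runs on a missing file and the UKI is built without that component's SBAT entries and without any log line saying so. Those entries are the component generation metadata carried in the image (see the SBAT.md link in the default line), so a silent omission should be surfaced: `objcopy -O binary --only-section=.sbat "$inp" "$out" || { dwarn "No .sbat read from $inp"; return 1; }`. Separately, clean_sbat_string interpolates SBAT_DEFAULT into a sed address as an unanchored regex, so each `.` matches any character and any line that merely contains that text is deleted; an exact whole-line comparison would be stricter. The same unchecked pattern recurs in the later hunk where `objcopy --remove-section .sbat "$tmp_uefi_stub"` is redirected to /dev/null.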
unset uefi_splash_image
fi
+ echo "$SBAT_DEFAULT" > "$sbat_out"
+ if [[ -n $sbat ]]; then
+ echo "$sbat" | sed "/${SBAT_DEFAULT//\//\\/}/d" >> "$sbat_out"
+ fi
+ get_sbat_string "$kernel_image" kernel.sbat
+ get_sbat_string "$uefi_stub" stub.sbat
+
+ uefi_sbat_offs="${offs}"
+ offs=$((offs + $(stat -Lc%s "$sbat_out")))
+ offs=$((offs + "$align" - offs % "$align"))
uefi_linux_offs="${offs}"
offs=$((offs + $(stat -Lc%s "$kernel_image")))
offs=$((offs + "$align" - offs % "$align"))
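Review bot: The value passed to `--sbat` is appended to `$sbat_out` with no format check at `echo "$sbat" | sed … >> "$sbat_out"`, so a typo on the command line ends up in the `.sbat` section of an image that the code further down may sign. Each line should have the same six comma-separated fields as SBAT_DEFAULT, with a numeric second field. Rejecting anything else with dfatal before writing would catch the mistake at build time; how shim treats a malformed line is not visible here. `printf '%s\n' "$sbat"` is also safer than `echo` for arbitrary input, because echo interprets a leading `-n` or `-e`. The two get_sbat_string calls run unconditionally and their status is not checked, and whether `$kernel_image` and `$uefi_stub` were validated earlier is outside this hunk.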
exit 1
fi
+ tmp_uefi_stub=$uefi_outdir/elf.stub
+ cp "$uefi_stub" "$tmp_uefi_stub"
+ objcopy --remove-section .sbat "$tmp_uefi_stub" &> /dev/null
+
if objcopy \
${uefi_osrelease:+--add-section .osrel="$uefi_osrelease" --change-section-vma .osrel=$(printf 0x%x "$uefi_osrelease_offs")} \
${uefi_cmdline:+--add-section .cmdline="$uefi_cmdline" --change-section-vma .cmdline=$(printf 0x%x "$uefi_cmdline_offs")} \
${uefi_splash_image:+--add-section .splash="$uefi_splash_image" --change-section-vma .splash=$(printf 0x%x "$uefi_splash_offs")} \
+ --add-section .sbat="$sbat_out" --change-section-vma .sbat="$(printf 0x%x "$uefi_sbat_offs")" \
--add-section .linux="$kernel_image" --change-section-vma .linux="$(printf 0x%x "$uefi_linux_offs")" \
--add-section .initrd="${DRACUT_TMPDIR}/initramfs.img" --change-section-vma .initrd="$(printf 0x%x "$uefi_initrd_offs")" \
--image-base="$(printf 0x%x "$base_image")" \
- "$uefi_stub" "${uefi_outdir}/linux.efi"; then
+ "$tmp_uefi_stub" "${uefi_outdir}/linux.efi"; then
if [[ -n ${uefi_secureboot_key} && -n ${uefi_secureboot_cert} ]]; then
if sbsign \
${uefi_secureboot_engine:+--engine "$uefi_secureboot_engine"} \