From: Daan De Meyer Date: Tue, 10 Oct 2023 06:26:55 +0000 (+0200) Subject: Mention secure boot auto enrollment minimum systemd version X-Git-Tag: v19~88 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2ca651fb10004dd0f32e58cc74eeb79056ed068;p=thirdparty%2Fmkosi.git Mention secure boot auto enrollment minimum systemd version --- diff --git a/mkosi/resources/mkosi.md b/mkosi/resources/mkosi.md index d734360be..f326b6a3d 100644 --- a/mkosi/resources/mkosi.md +++ b/mkosi/resources/mkosi.md @@ -975,9 +975,18 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, `SecureBoot=`, `--secure-boot` -: Sign systemd-boot (if it is not signed yet) and the resulting - kernel/initrd image for UEFI SecureBoot. Also set up secure boot key - auto enrollment as documented in the systemd-boot [man page](https://www.freedesktop.org/software/systemd/man/systemd-boot.html) +: Sign systemd-boot (if it is not signed yet) and any generated + unified kernel images for UEFI SecureBoot. Also set up automatic + enrollment of the secure boot keys in virtual machines as documented + in the systemd-boot + [man page](https://www.freedesktop.org/software/systemd/man/systemd-boot.html). + Note that systemd-boot will only do automatic secure boot key + enrollment in virtual machines starting from systemd v253. To do auto + enrollment on systemd v252 or on bare metal machines, write a + systemd-boot configuration file to `/efi/loader/loader.conf` using an + extra tree with `secure-boot-enroll force` or + `secure-boot-enroll manual` in it. Auto enrollment is not supported on + systemd versions older than v252. `SecureBootKey=`, `--secure-boot-key=`
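Review bot: In the added "Note that systemd-boot will only do automatic secure boot key enrollment ..." paragraph of the `SecureBoot=` entry, `secure-boot-enroll force` and `secure-boot-enroll manual` are offered as interchangeable ways "to do auto enrollment", with no word on how they differ. Because this is the path the text recommends for bare metal machines, please add a sentence saying what each value does, so readers can tell which one writes keys into firmware without asking. Two smaller wording points in the same paragraph: "will only do automatic secure boot key enrollment in virtual machines starting from systemd v253" can be read as either a version limit or a VM-only limit, and the next sentence implies both, so state the two conditions separately. Also, "write a systemd-boot configuration file to `/efi/loader/loader.conf` using an extra tree" should say explicitly that this is the path inside the extra tree, not a path on the build host. Finally, the subject line only mentions the minimum systemd version, while the hunk also changes "kernel/initrd image" to "any generated unified kernel images" and narrows auto enrollment to virtual machines. Either mention those changes in the commit message or split them out.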