From: Luca Boccassi Date: Tue, 3 Oct 2023 09:12:36 +0000 (+0100) Subject: docs: rephrase sentence about UKIs in UEFI_SECURITY.md X-Git-Tag: v255-rc1~351^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7f9231f0d82a9e64121e440509663cd23b17faf9;p=thirdparty%2Fsystemd.git docs: rephrase sentence about UKIs in UEFI_SECURITY.md --- diff --git a/src/boot/efi/UEFI_SECURITY.md b/src/boot/efi/UEFI_SECURITY.md index ec4efc336a7..c524f313c70 100644 --- a/src/boot/efi/UEFI_SECURITY.md +++ b/src/boot/efi/UEFI_SECURITY.md @@ -24,13 +24,15 @@ Specification)](https://uapi-group.org/specifications/specs/boot_loader_specific The role of `systemd-stub` is to load and measure in the TPM the post-bootloader stages, such as the kernel, initrd and kernel command line, and implement optional features such as augmenting the initrd with -additional content such as configuration or optional services. - -Since it is embedded in a PE signed binary, `systemd-stub` will temporarily disable SecureBoot -authentication when loading the payload kernel it wraps, in order to avoid redundant duplicate -authentication of the image, given that that the payload kernel was already authenticated and verified as -part of the whole image. SecureBoot authentication is re-enabled immediately after the kernel image has been -loaded. +additional content such as configuration or optional services. [Unified Kernel +Images](https://uapi-group.org/specifications/specs/unified_kernel_image/) embed `systemd-stub`, a kernel +and other optional components as sections in a PE signed binary, that can thus be executed in UEFI +environments. + +Since it is embedded in a PE signed binary, `systemd-stub` will temporarily disable the UEFI authentication +protobol while loading the payload kernel it wraps, in order to avoid redundant duplicate authentication of +the image, given that that the payload kernel was already authenticated and verified as part of the whole +image. SecureBoot authentication is re-enabled immediately after the kernel image has been loaded. Various EFI variables, under the vendor UUID `4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`, are set and read by these components, to pass metadata and configuration between different stages of the boot process, as