[systemd-devel] Passing Kernel Params from systemd-boot for Secure Boot UKI

Mah, Yock Gen yock.gen.mah at intel.com
Mon Oct 7 13:54:52 UTC 2024 

My Mariner OS is built with following features:

1, Unified Kernel Image (kernel+initrd+cmdline)
2. Systemd-boot as boot loader
3. Secure Boot enabled
4. Multi boot

Systemd-boot config files looks like below

```
root at YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos1.conf
Title   Yockgen OS1 UKI
efi     /EFI/Linux/linux-6.1.0-0.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa ro quiet yockgen=1
```
```
root at YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos2.conf
Title   Yockgen OS2 UKI
efi     /EFI/Linux/linux-6.1.0-1.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa  ro quiet yockgen=2
```

With Secure Boot enabled, the /proc/cmdline is no longer overwritten by the systemd-boot configuration. The cmdline is shown those params during UKI built time.

Runtime logs as below:

```
root at YockgenOS [ ~ ]# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.6.43-1.cm2       rd.auto=1 root=PARTUUID=21f13e53-110f-4be5-b18a-fed745cacc87 init=/lib/systemd/systemd ro loglevel=3 no-vmw-sta crashkernel=256M lockdown=integrity lockdown=integrity sysctl.kernel.unprivileged_bpf_disabled=1 net.ifnames=0 plymouth.enable=0 systemd.legacy_systemd_cgroup_controller=yes systemd.unified_cgroup_hierarchy=0

root at YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos1.conf
Title   Yockgen OS1 UKI
efi     /EFI/Linux/linux-6.1.0-0.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa  ro quiet yockgen=1


root at YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos2.conf
Title   Yockgen OS2 UKI
efi     /EFI/Linux/linux-6.1.0-1.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa  ro quiet yockgen=2
```
I couldn't hardcode the 'yockgen' parameter during the build process, as its value depends on the runtime environment. This value needs to be assessed by a custom Dracut module during the initrd stage to mount specific devices.

What could be the possible solution for this?

Thanks a lot, of any guidance!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20241007/b6cdac08/attachment.htm>

More information about the systemd-devel mailing list