[systemd-devel] Passing Kernel Params from systemd-boot for Secure Boot UKI
Mah, Yock Gen
yock.gen.mah at intel.com
Tue Oct 8 14:25:18 UTC 2024
Thanks! I did the below:
ukify build --secureboot-private-key=../../db.key --secureboot-certificate=../../db.crt --cmdline='yockgenxxxx' --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md uki-addon.author,1,UKI Addon for System,uki-addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html' --output= linux-9-9.addon.efi
And my UKI and addon are stored as below:
root@TiberOS [ /boot/efi/EFI/Linux ]# ls
linux-9-9.addon.efi linux-9-9.efi
However, when I booted it and checked the cmdline, it doesn't seem like the new "yockgenxxxx" has been added? Log as below:
root@TiberOS [ /boot/efi/EFI/Linux ]# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.6.43-1.cm2 rd.auto=1 root=PARTUUID=xxxxxx-fed745cacc87 init=/lib/systemd/systemd ro loglevel=3 no-vmw-sta crashkernel=256M lockdown=integrity lockdown=integrity sysctl.kernel.unprivileged_bpf_disabled=1 net.ifnames=0 plymouth.enable=0 systemd.legacy_systemd_cgroup_controller=yes systemd.unified_cgroup_hierarchy=0
Am I doing it right? I'm a first-timer on this and would really appreciate your guidance on it.
Thanks!
-----Original Message-----
From: Lennart Poettering <lennart at poettering.net>
Sent: Tuesday, October 8, 2024 9:39 PM
To: Mah, Yock Gen <yock.gen.mah at intel.com>
Cc: systemd-devel at lists.freedesktop.org
Subject: Re: [systemd-devel] Passing Kernel Params from systemd-boot for Secure Boot UKI
On Di, 08.10.24 12:37, Mah, Yock Gen (yock.gen.mah at intel.com) wrote:
> Really appreciate! I tried to create a PE "addon" using below:
>
> echo "yockgen=b" > cmdline.txt
>
> objcopy --input binary --output efi-app-x86_64 cmdline.txt bootdm_b.addon.efi
This doesn't look right. You must insert the cmdline in the ".cmdline"
PE section, of course. As mentioned, addons follow the same structure as UKIs after all.
We generally recommend using ukify for generating UKIs and PE addons.
The man page even has an example doing exactly what you need to do:
https://github.com/systemd/systemd/blob/main/man/ukify.xml#L674
Lennart
--
Lennart Poettering, Berlin
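
Added example, not part of the original thread and not systemd code: a small Python check that reads the PE section table of a UKI or addon and returns the contents of ".cmdline", the section the reply above says the command line must be placed in. The function names and the two sample images are constructed for illustration; the second sample stands in for an image built without a ".cmdline" section.

```python
import struct

def pe_sections(data: bytes) -> dict:
    """Return {section_name: raw_bytes} for a PE image (UKI or addon)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                            # start of section table
    out = {}
    for i in range(n_sections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        size = min(vsize, raw_size) if vsize else raw_size    # drop file-alignment padding
        out[name.rstrip(b"\0").decode("ascii", "replace")] = data[raw_ptr:raw_ptr + size]
    return out

def addon_cmdline(data: bytes):
    """Return the text of the .cmdline section, or None if the section is absent."""
    sec = pe_sections(data).get(".cmdline")
    return None if sec is None else sec.rstrip(b"\0\n").decode("utf-8", "replace")

def build_sample(sections: dict) -> bytes:
    """Constructed minimal PE (DOS stub, COFF header, section table, data) for offline use."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    ptr, body = len(hdr) + 40 * len(sections), b""
    for name, payload in sections.items():
        raw = payload + b"\0" * (-len(payload) % 16)          # pad like file alignment would
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), 0,
                           len(raw), ptr + len(body), 0, 0, 0, 0, 0)
        body += raw
    return bytes(hdr) + body

# Constructed samples: an addon-shaped image, and one with only a generic data section.
GOOD = build_sample({".cmdline": b"yockgenxxxx", ".sbat": b"sbat,1,constructed\n"})
BAD = build_sample({".data": b"yockgen=b\n"})

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                                 # e.g. linux-9-9.addon.efi
        with open(path, "rb") as f:
            print(path, "->", addon_cmdline(f.read()))
```

Running it with the path of a built addon prints the embedded command line, or None when the image has no ".cmdline" section.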