[systemd-devel] Passing Kernel Params from systemd-boot for Secure Boot UKI
Lennart Poettering
lennart at poettering.net
Tue Oct 8 14:30:53 UTC 2024
On Di, 08.10.24 14:25, Mah, Yock Gen (yock.gen.mah at intel.com) wrote:
> Thanks! I did the below:
> ukify build --secureboot-private-key=../../db.key --secureboot-certificate=../../db.crt --cmdline='yockgenxxxx' --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md uki-addon.author,1,UKI Addon for System,uki-addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html' --output=linux-9-9.addon.efi
>
> And my UKI and addon are stored as below:
> root@TiberOS [ /boot/efi/EFI/Linux ]# ls
> linux-9-9.addon.efi linux-9-9.efi
>
>
> However, when I booted it and checked the cmdline, it doesn't seem like the new "yockgenxxxx" has been added? Log as below:
> root@TiberOS [ /boot/efi/EFI/Linux ]# cat /proc/cmdline
> BOOT_IMAGE=/boot/vmlinuz-6.6.43-1.cm2 rd.auto=1 root=PARTUUID=xxxxxx-fed745cacc87 init=/lib/systemd/systemd ro loglevel=3 no-vmw-sta crashkernel=256M lockdown=integrity lockdown=integrity sysctl.kernel.unprivileged_bpf_disabled=1 net.ifnames=0 plymouth.enable=0 systemd.legacy_systemd_cgroup_controller=yes systemd.unified_cgroup_hierarchy=0
>
>
> Am I doing it right? I'm a first-timer at this, really appreciate your guidance on it.

Please consult the systemd-stub documentation.

For a UKI /EFI/Linux/foobar.efi in the ESP, any addons must be placed in
/EFI/Linux/foobar.efi.extra.d/waldo.addon.efi

i.e. the ….extra.d/ subdir is where to place things.

Also make sure your systemd-stub is new enough, i.e. at least v254,
better newer.

Lennart
--
Lennart Poettering, Berlin
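
A check for the layout described in the reply above, as an added example that is not part of the original thread or of systemd. The function name check_uki_addons is hypothetical, and pairing X.addon.efi with X.efi is an assumption taken from the file names in the thread.

```shell
#!/bin/sh
# Usage: check_uki_addons /boot/efi/EFI/Linux
# Reports, for a directory of UKIs, which addons sit in the per-image
# <uki>.efi.extra.d/ directory and which lie beside the UKI, where the
# reply above says they do not belong.
# Returns 1 if any misplaced addon is found, 0 otherwise.
check_uki_addons() {
    dir=$1
    rc=0
    for f in "$dir"/*.efi; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
        *.addon.efi)
            # An addon lying next to the UKIs instead of in an .extra.d/ dir.
            rc=1
            base=${name%.addon.efi}
            # Assumption: an addon named X.addon.efi is meant for X.efi.
            if [ -f "$dir/$base.efi" ]; then
                echo "MISPLACED $name -> move to $base.efi.extra.d/$name"
            else
                echo "MISPLACED $name -> no UKI named $base.efi; place under <uki>.efi.extra.d/"
            fi
            ;;
        *)
            # A UKI: list the addons found in its drop-in directory.
            found=0
            for a in "$f.extra.d"/*.addon.efi; do
                [ -f "$a" ] || continue
                found=1
                echo "OK $name <- extra.d/${a##*/}"
            done
            [ "$found" -eq 1 ] || echo "NONE $name has no addons in $name.extra.d/"
            ;;
        esac
    done
    return $rc
}
```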