[systemd-devel] Passing Kernel Params from systemd-boot for Secure Boot UKI

Srinivas Naik nivasnaik at gmail.com
Tue Oct 15 09:43:41 UTC 2024


Hi All,
I have a question on this: when Secure Boot is enabled, must the addons file
also be signed?
On devices which use OSTree for OTA, there is a need to update the command
line parameter at run time with the latest SHA deployment.
How can this be done on Secure Boot enabled devices, since command line
parameters mentioned in the config file will not be picked up?

Thanks
Srinivas

On Thu, Oct 10, 2024 at 4:13 AM Mah, Yock Gen <yock.gen.mah at intel.com>
wrote:

> It works, really appreciate your help, Lennart!
>
> -----Original Message-----
> From: Lennart Poettering <lennart at poettering.net>
> Sent: Tuesday, October 8, 2024 9:39 PM
> To: Mah, Yock Gen <yock.gen.mah at intel.com>
> Cc: systemd-devel at lists.freedesktop.org
> Subject: Re: [systemd-devel] Passing Kernel Params from systemd-boot for
> Secure Boot UKI
>
> On Di, 08.10.24 12:37, Mah, Yock Gen (yock.gen.mah at intel.com) wrote:
>
> > Really appreciate! I tried to create a PE "addon" using the below:
> >
> > echo "yockgen=b" > cmdline.txt
> >
> > objcopy --input binary --output efi-app-x86_64 cmdline.txt bootdm_b.addon.efi
>
> This doesn't look right. You must insert the cmdline in the ".cmdline"
> PE section, of course. As mentioned, addons follow the same structure as
> UKIs after all.
>
> We generally recommend using ukify for generating UKIs and PE addons.
>
> The man page even has an example doing exactly what you need to do:
>
> https://github.com/systemd/systemd/blob/main/man/ukify.xml#L674
>
> Lennart
>
> --
> Lennart Poettering, Berlin
>
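
The reply quoted above says the command line has to sit in the ".cmdline" PE section of the addon. As an added example (not part of this thread, and not systemd or ukify code), the Python below parses a PE section table and reads that section back, a check that can be run on an addon before it is signed. The two images are constructed samples, and `build_pe`, `pe_sections` and `addon_cmdline` are hypothetical helper names.

```python
import struct

def build_pe(sections):
    """Constructed minimal PE32+ image holding {name: bytes} sections (sample input only)."""
    opt = struct.pack("<H", 0x20B).ljust(240, b"\0")  # PE32+ magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x0002)
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
    offset = len(head) + 40 * len(sections)  # raw data starts after the section table
    table, body = b"", b""
    for name, data in sections.items():
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                             len(data), offset + len(body), 0, 0, 0, 0, 0x40000040)
        body += data
    return head + table + body

def pe_sections(image):
    """Return {section name: raw bytes} parsed from a PE image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    table = pe_off + 4 + 20 + opt_size  # section table follows the optional header
    found = {}
    for i in range(count):
        name, vsize, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        size = min(vsize, raw_size) if vsize else raw_size  # raw size may include padding
        found[name.rstrip(b"\0").decode("ascii", "replace")] = image[raw_ptr:raw_ptr + size]
    return found

def addon_cmdline(image):
    """Return the text of the .cmdline section, or None if the section is absent."""
    data = pe_sections(image).get(".cmdline")
    return None if data is None else data.rstrip(b"\0").decode("utf-8", "replace").strip()

# Constructed samples: the same text once in ".cmdline" and once in a section
# named ".data", standing in for an image built without a ".cmdline" section.
GOOD = build_pe({".cmdline": b"yockgen=b\n"})
BAD = build_pe({".data": b"yockgen=b\n"})

if __name__ == "__main__":
    for label, img in (("good", GOOD), ("bad", BAD)):
        print(label, sorted(pe_sections(img)), addon_cmdline(img))
```

To check a real file, pass its bytes, for example `addon_cmdline(open(path, "rb").read())`; a result of `None` means the image has no ".cmdline" section.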