[systemd-devel] Passing Kernel Params from systemd-boot for Secure Boot UKI
Srinivas Naik
nivasnaik at gmail.com
Tue Oct 15 11:01:46 UTC 2024
Thanks a lot for the details. Will go through them and get back to you.
Thanks
Srinivas
On Tue, Oct 15, 2024 at 4:27 PM Luca Boccassi <luca.boccassi at gmail.com> wrote:
> Yes addons have to be signed, otherwise it would defeat their purpose.
> OSTree should switch to other mechanisms, like credentials stored
> in the ESP ( https://systemd.io/CREDENTIALS/ ), instead of using the
> kernel command line.
>
> On Tue, 15 Oct 2024 at 11:45, Srinivas Naik <nivasnaik at gmail.com> wrote:
> >
> > Hi All,
> > I have a question on this, when secure boot is enabled, addons file also must be signed?
> > On devices which use OSTree for OTA, there is a need to update the command line parameter at run time with the latest SHA deployment.
> > How to do this on secure boot enabled devices since command line parameters mentioned in the config file will not be picked.
> >
> > Thanks
> > Srinivas
> >
> > On Thu, Oct 10, 2024 at 4:13 AM Mah, Yock Gen <yock.gen.mah at intel.com> wrote:
> >>
> >> It works, really appreciate your help, Lennart!
> >>
> >> -----Original Message-----
> >> From: Lennart Poettering <lennart at poettering.net>
> >> Sent: Tuesday, October 8, 2024 9:39 PM
> >> To: Mah, Yock Gen <yock.gen.mah at intel.com>
> >> Cc: systemd-devel at lists.freedesktop.org
> >> Subject: Re: [systemd-devel] Passing Kernel Params from systemd-boot for Secure Boot UKI
> >>
> >> On Di, 08.10.24 12:37, Mah, Yock Gen (yock.gen.mah at intel.com) wrote:
> >>
> >> > Really appreciate! I tried to create a PE "addon" using below:
> >> >
> >> > echo "yockgen=b" > cmdline.txt
> >> >
> >> > objcopy --input binary --output efi-app-x86_64 cmdline.txt bootdm_b.addon.efi
> >>
> >> This doesn't look right. You must insert the cmdline in the ".cmdline"
> >> PE section, of course. As mentioned, addons follow the same structure as UKIs after all.
> >>
> >> We generally recommend using ukify for generating UKIs and PE addons.
> >>
> >> The man page even has an example doing exactly what you need to do:
> >>
> >> https://github.com/systemd/systemd/blob/main/man/ukify.xml#L674
> >>
> >> Lennart
> >>
> >> --
> >> Lennart Poettering, Berlin
>
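A check one might run on an addon before deploying it, added here as an example that is not part of the original thread or of systemd: it reads the PE section table to confirm the command line sits in a `.cmdline` section and reports whether a certificate table is attached (presence only, the signature is not validated). `inspect_addon` and `build_sample` are hypothetical names, and both sample images are constructed, the second with the payload in a `.data` section as an assumed stand-in for a wrongly built addon.

```python
import struct

def inspect_addon(pe: bytes) -> dict:
    """List PE sections, extract .cmdline, and note if a certificate table exists."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)           # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsect,) = struct.unpack_from("<H", pe, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 20)  # SizeOfOptionalHeader
    opt = pe_off + 24
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == 0x20B else 96)             # PE32+ vs PE32
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)        # NumberOfRvaAndSizes
    cert_size = 0
    if ndirs > 4:                                            # directory 4 = certificate table
        _, cert_size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    sections, cmdline = [], None
    for i in range(nsect):
        ent = opt + opt_size + 40 * i                        # 40-byte section headers
        name = pe[ent:ent + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _, rawsize, rawptr = struct.unpack_from("<IIII", pe, ent + 8)
        sections.append(name)
        if name == ".cmdline":
            size = min(vsize, rawsize) if vsize else rawsize
            data = pe[rawptr:rawptr + size]
            cmdline = data.rstrip(b"\0").decode("utf-8", "replace").strip()
    # "signed" means a signature blob is attached; it is NOT verified here.
    return {"sections": sections, "cmdline": cmdline, "signed": cert_size > 0}

def build_sample(section: bytes, payload: bytes, signed: bool) -> bytes:
    """Constructed minimal PE32+ image with one section (test input, not bootable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    raw_off = 64 + 4 + 20 + 240 + 40
    if signed:  # point the certificate table at 8 placeholder bytes after the payload
        struct.pack_into("<II", opt, 112 + 4 * 8, raw_off + len(payload), 8)
    sect = struct.pack("<8sIIIIIIHHI", section, len(payload), 0x1000,
                       len(payload), raw_off, 0, 0, 0, 0, 0x40000040)
    tail = b"\0" * 8 if signed else b""
    return dos + b"PE\0\0" + coff + bytes(opt) + sect + payload + tail

if __name__ == "__main__":
    print(inspect_addon(build_sample(b".cmdline", b"yockgen=b\n", True)))
    print(inspect_addon(build_sample(b".data", b"yockgen=b\n", False)))
```

To check a real file, pass its bytes to `inspect_addon`; verifying the signature against the enrolled Secure Boot keys still needs a dedicated tool.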