Diffstat (limited to 'upstream/fedora-rawhide/man1/ukify.1')
-rw-r--r-- | upstream/fedora-rawhide/man1/ukify.1 | 40 |
1 files changed, 27 insertions, 13 deletions
diff --git a/upstream/fedora-rawhide/man1/ukify.1 b/upstream/fedora-rawhide/man1/ukify.1 index 00e7ff62..10123b4f 100644 --- a/upstream/fedora-rawhide/man1/ukify.1 +++ b/upstream/fedora-rawhide/man1/ukify.1 @@ -1,5 +1,5 @@ '\" t -.TH "UKIFY" "1" "" "systemd 255" "ukify" +.TH "UKIFY" "1" "" "systemd 256~rc3" "ukify" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -52,6 +52,7 @@ accepts multiple whitespace\-separated paths and can be specified multiple times\&. .PP Additional sections will be inserted into the UKI, either automatically or only if a specific option is provided\&. See the discussions of +\fIMicrocode=\fR/\fB\-\-microcode=\fR, \fICmdline=\fR/\fB\-\-cmdline=\fR, \fIOSRelease=\fR/\fB\-\-os\-release=\fR, \fIDeviceTree=\fR/\fB\-\-devicetree=\fR, @@ -89,7 +90,9 @@ are used, they must be specified the same number of times, and then the n\-th bo \fIPCRPrivateKey=\fR, \fIPCRPublicKey=\fR, and \fIPhases=\fR -are grouped into separate sections, describing separate boot phases\&. +are grouped into separate sections, describing separate boot phases\&. If +\fISigningEngine=\fR/\fB\-\-signing\-engine=\fR +is specified, then the private keys arguments will be passed verbatim to OpenSSL as URIs, and the public key arguments will be loaded as X\&.509 certificates, so that signing can be performed with an OpenSSL engine\&. .PP If a SecureBoot signing key is provided via the \fISecureBootPrivateKey=\fR/\fB\-\-secureboot\-private\-key=\fR @@ -123,6 +126,12 @@ Also see the description of \fB\-j\fR/\fB\-\-json=\fR and \fB\-\-section=\fR\&. +.PP +Other tools that may be useful for inspect UKIs: +\fBllvm-objdump\fR(1) +\fB\-p\fR +and +\fBpe\-inspect\fR\&. .SH "CONFIGURATION SETTINGS" .PP Settings can appear in configuration files (the syntax with 
@@ -133,8 +142,8 @@ If no config file is provided via the option \fB\-\-config=\fR\fB\fIPATH\fR\fR, \fBukify\fR will try to look for a default configuration file in the following paths in this order: -/run/systemd/ukify\&.conf, /etc/systemd/ukify\&.conf, +/run/systemd/ukify\&.conf, /usr/local/lib/systemd/ukify\&.conf, and /usr/lib/systemd/ukify\&.conf, and then load the first one found\&. \fBukify\fR @@ -169,7 +178,7 @@ to print pre\-calculated PCR values\&. Defaults to false\&. Added in version 253\&. .RE .PP -\fB\-\-section=\fR\fB\fINAME\fR\fR\fB:\fR\fB\fITEXT\fR\fR\fB|\fR\fB\fI@PATH\fR\fR, \fB\-\-section=\fR\fB\fINAME\fR\fR\fB:\fR\fBtext|binary\fR\fB[@\fIPATH\fR]\fR +\fB\-\-section=\fR\fB\fINAME\fR\fR\fB:\fR\fB\fITEXT\fR\fR\fB|\fR\fB\fI@PATH\fR\fR, \fB\-\-section=\fR\fB\fINAME\fR\fR\fB:text|binary\fR\fB[@\fIPATH\fR]\fR .RS 4 For all verbs except \fBinspect\fR, the first syntax is used\&. Specify an arbitrary additional section @@ -267,6 +276,13 @@ Zero or more initrd paths\&. In the configuration file, items are separated by w Added in version 254\&. .RE .PP +\fIMicrocode=\fR\fI\fIUCODE\fR\fR, \fB\-\-microcode=\fR\fB\fIUCODE\fR\fR +.RS 4 +Path to initrd containing microcode updates\&. If not specified, the section will not be present\&. +.sp +Added in version 256\&. +.RE +.PP \fICmdline=\fR\fI\fITEXT\fR\fR\fI|\fR\fI\fI@PATH\fR\fR, \fB\-\-cmdline=\fR\fB\fITEXT\fR\fR\fB|\fR\fB\fI@PATH\fR\fR .RS 4 The kernel command line (the 
@@ -421,8 +437,10 @@ Added in version 253\&. \fISBAT=\fR\fI\fITEXT\fR\fR\fI|\fR\fI\fI@PATH\fR\fR, \fB\-\-sbat=\fR\fB\fITEXT\fR\fR\fB|\fR\fB\fI@PATH\fR\fR .RS 4 SBAT metadata associated with the UKI or addon\&. SBAT policies are useful to revoke whole groups of UKIs or addons with a single, static policy update that does not take space in DBX/MOKX\&. If not specified manually, a default metadata entry consisting of -"uki,1,UKI,uki,1,https://www\&.freedesktop\&.org/software/systemd/man/systemd\-stub\&.html" -will be used, to ensure it is always possible to revoke UKIs and addons\&. For more information on SBAT see +"uki,1,UKI,uki,1,https://uapi\-group\&.org/specifications/specs/unified_kernel_image/" +for UKIs and +"uki\-addon,1,UKI Addon,addon,1,https://www\&.freedesktop\&.org/software/systemd/man/latest/systemd\-stub\&.html" +for addons will be used, to ensure it is always possible to revoke them\&. For more information on SBAT see \m[blue]\fBShim documentation\fR\m[]\&\s-2\u[2]\d\s+2\&. .sp Added in version 254\&. @@ -495,7 +513,7 @@ $ ukify build \e \-\-initrd=early_cpio \e \-\-initrd=/some/path/initramfs\-6\&.0\&.9\-300\&.fc37\&.x86_64\&.img \e \-\-sbat=\*(Aqsbat,1,SBAT Version,sbat,1,https://github\&.com/rhboot/shim/blob/main/SBAT\&.md - uki\&.author\&.myimage,1,UKI for System,uki\&.author\&.myimage,1,https://www\&.freedesktop\&.org/software/systemd/man/systemd\-stub\&.html\*(Aq \e + uki\&.author\&.myimage,1,UKI for System,uki\&.author\&.myimage,1,https://uapi\-group\&.org/specifications/specs/unified_kernel_image/\*(Aq \e \-\-pcr\-private\-key=pcr\-private\-initrd\-key\&.pem \e \-\-pcr\-public\-key=pcr\-public\-initrd\-key\&.pem \e \-\-phases=\*(Aqenter\-initrd\*(Aq \e 
@@ -582,7 +600,7 @@ ukify build \e \-\-secureboot\-certificate=sb\&.cert \e \-\-cmdline=\*(Aqdebug\*(Aq \e \-\-sbat=\*(Aqsbat,1,SBAT Version,sbat,1,https://github\&.com/rhboot/shim/blob/main/SBAT\&.md - uki\&.addon\&.author,1,UKI Addon for System,uki\&.addon\&.author,1,https://www\&.freedesktop\&.org/software/systemd/man/systemd\-stub\&.html\*(Aq + uki\-addon\&.author,1,UKI Addon for System,uki\-addon\&.author,1,https://www\&.freedesktop\&.org/software/systemd/man/systemd\-stub\&.html\*(Aq \-\-output=debug\&.cmdline .fi @@ -655,11 +673,7 @@ by default, so after this file has been created, installations of kernels that c will perform signing using this config\&. .SH "SEE ALSO" .PP -\fBsystemd\fR(1), -\fBsystemd-stub\fR(7), -\fBsystemd-boot\fR(7), -\fBsystemd-measure\fR(1), -\fBsystemd-pcrphase.service\fR(8) +\fBsystemd\fR(1), \fBsystemd-stub\fR(7), \fBsystemd-boot\fR(7), \fBsystemd-measure\fR(1), \fBsystemd-pcrphase.service\fR(8) .SH "NOTES" .IP " 1." 4 Unified Kernel Image (UKI) |
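Review bot: In the @@ -89,7 +90,9 @@ hunk, the new SigningEngine= sentence is appended to the paragraph about PCRPrivateKey=, PCRPublicKey= and Phases=, so it does not say whether "the private keys arguments" also covers SecureBootPrivateKey=, which is only introduced in the following paragraph. Because the value is then passed verbatim to OpenSSL as a URI instead of being read as a file path, the text should name exactly which options change meaning when an engine is set. The wording should also read "the private key arguments".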
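Review bot: In the @@ -123,6 +126,12 @@ hunk, "Other tools that may be useful for inspect UKIs:" should read "for inspecting UKIs:". pe-inspect is also listed without a manual section or any other reference, unlike llvm-objdump(1), so a reader cannot tell where it comes from; add a pointer or a short description.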
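Review bot: In the @@ -133,8 +142,8 @@ hunk, swapping /run/systemd/ukify.conf and /etc/systemd/ukify.conf changes which file wins, since the surrounding text says the paths are tried "in this order" and that ukify will "load the first one found". A file in /etc now shadows one in /run, which matters when ukify.conf carries signing key settings. If this reflects a behaviour change rather than a documentation fix, call it out in the text or the commit message so that setups relying on a /run override notice.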
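Review bot: In the @@ -267,6 +276,13 @@ hunk, the Microcode= entry says "If not specified, the section will not be present" without naming the section, and it does not explain how this initrd relates to the paths given via --initrd=, even though the build example further down still passes --initrd=early_cpio. Name the section that is created and state whether it is kept separate from the regular initrds, so readers know what ends up in the image and where.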
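Review bot: In the @@ -582,7 +600,7 @@ hunk, the rewritten --sbat line still ends at the closing quote with no trailing "\e", so in the rendered example --output=debug.cmdline falls on its own line and is not part of the ukify build command; the matching line in the @@ -495,7 +513,7 @@ hunk does end with "\e". Since this line is being touched anyway, add the continuation. The addon URL here also keeps ".../man/systemd-stub.html", while the new default addon entry in the @@ -421,8 +437,10 @@ hunk uses ".../man/latest/systemd-stub.html"; pick one form for both.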