Diffstat (limited to 'upstream/fedora-rawhide/man7/systemd-stub.7')
-rw-r--r-- | upstream/fedora-rawhide/man7/systemd-stub.7 | 123 |
1 files changed, 98 insertions, 25 deletions
diff --git a/upstream/fedora-rawhide/man7/systemd-stub.7 b/upstream/fedora-rawhide/man7/systemd-stub.7 index 0a1f9b0b..be784019 100644 --- a/upstream/fedora-rawhide/man7/systemd-stub.7 +++ b/upstream/fedora-rawhide/man7/systemd-stub.7 @@ -1,5 +1,5 @@ '\" t -.TH "SYSTEMD\-STUB" "7" "" "systemd 255" "systemd-stub" +.TH "SYSTEMD\-STUB" "7" "" "systemd 256~rc3" "systemd-stub" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -23,21 +23,36 @@ systemd-stub, sd-stub, linuxx64.efi.stub, linuxia32.efi.stub, linuxaa64.efi.stub \- A simple UEFI kernel boot stub .SH "SYNOPSIS" .PP +.RS 4 /usr/lib/systemd/boot/efi/linuxx64\&.efi\&.stub -.PP +.RE +.RS 4 /usr/lib/systemd/boot/efi/linuxia32\&.efi\&.stub -.PP +.RE +.RS 4 /usr/lib/systemd/boot/efi/linuxaa64\&.efi\&.stub -.PP +.RE +.RS 4 \fIESP\fR/\&.\&.\&./\fIfoo\fR\&.efi\&.extra\&.d/*\&.addon\&.efi -.PP +.RE +.RS 4 \fIESP\fR/\&.\&.\&./\fIfoo\fR\&.efi\&.extra\&.d/*\&.cred -.PP +.RE +.RS 4 \fIESP\fR/\&.\&.\&./\fIfoo\fR\&.efi\&.extra\&.d/*\&.raw -.PP +.RE +.RS 4 +\fIESP\fR/\&.\&.\&./\fIfoo\fR\&.efi\&.extra\&.d/*\&.sysext\&.raw +.RE +.RS 4 +\fIESP\fR/\&.\&.\&./\fIfoo\fR\&.efi\&.extra\&.d/*\&.confext\&.raw +.RE +.RS 4 \fIESP\fR/loader/addons/*\&.addon\&.efi -.PP +.RE +.RS 4 \fIESP\fR/loader/credentials/*\&.cred +.RE .SH "DESCRIPTION" .PP \fBsystemd\-stub\fR @@ -112,6 +127,19 @@ section with the initrd\&. .IP \(bu 2.3 .\} A +"\&.ucode" +section with an initrd containing microcode, to be handed to the kernel before any other initrd\&. This initrd must not be compressed\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +A "\&.splash" section with an image (in the Windows \&.BMP 
@@ -186,7 +214,7 @@ section with a set of cryptographic signatures for the expected TPM2 PCR values .\} A "\&.pcrpkey" -section with a public key in the PEM format matching the signature data in the the +section with a public key in the PEM format matching the signature data in the "\&.pcrsig" section\&. .RE @@ -277,7 +305,7 @@ archive is measured into TPM PCR 12 (if a TPM is present)\&. .IP \(bu 2.3 .\} Similarly, files -\fIfoo\fR\&.efi\&.extra\&.d/*\&.raw +\fIfoo\fR\&.efi\&.extra\&.d/*\&.sysext\&.raw are packed up in a \fBcpio\fR archive and placed in the 
@@ -298,12 +326,33 @@ archive containing these system extension images is measured into TPM PCR 13 (if .IP \(bu 2.3 .\} Similarly, files +\fIfoo\fR\&.efi\&.extra\&.d/*\&.confext\&.raw +are packed up in a +\fBcpio\fR +archive and placed in the +/\&.extra/confext/ +directory in the initrd file hierarchy\&. This is supposed to be used to pass additional configuration extension images to the initrd\&. See +\fBsystemd-confext\fR(8) +for details on configuration extension images\&. The generated +\fBcpio\fR +archive containing these system extension images is measured into TPM PCR 12 (if a TPM is present)\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +Similarly, files \fIfoo\fR\&.efi\&.extra\&.d/*\&.addon\&.efi are loaded and verified as PE binaries, and a "\&.cmdline" section is parsed from them\&. Addons are supposed to be used to pass additional kernel command line parameters or Devicetree blobs, regardless of the kernel image being booted, for example to allow platform vendors to ship platform\-specific configuration\&. .sp -In case Secure Boot is enabled, these files will be validated using keys in UEFI DB, Shim\*(Aqs DB or Shim\*(Aqs MOK, and will be rejected otherwise\&. Additionally, if the both the addon and the UKI contain a a +In case Secure Boot is enabled, these files will be validated using keys in UEFI DB, Shim\*(Aqs DB or Shim\*(Aqs MOK, and will be rejected otherwise\&. Additionally, if both the addon and the UKI contain a "\&.uname" section, the addon will be rejected if they do not match exactly\&. It is recommended to always add a "\&.sbat" 
@@ -363,7 +412,7 @@ Note that when a unified kernel using \fBsystemd\-stub\fR is invoked the firmware will measure it as a whole to TPM PCR 4, covering all embedded resources, such as the stub code itself, the core kernel, the embedded initrd and kernel command line (see above for a full list)\&. .PP -Also note that the Linux kernel will measure all initrds it receives into TPM PCR 9\&. This means every type of initrd will be measured two or three times: the initrd embedded in the kernel image will be measured to PCR 4, PCR 9 and PCR 11; the initrd synthesized from credentials will be measured to both PCR 9 and PCR 12; the initrd synthesized from system extensions will be measured to both PCR 4 and PCR 9\&. Let\*(Aqs summarize the OS resources and the PCRs they are measured to: +Also note that the Linux kernel will measure all initrds it receives into TPM PCR 9\&. This means every type of initrd will be measured two or three times: the initrds embedded in the kernel image will be measured to PCR 4, PCR 9 and PCR 11; the initrd synthesized from credentials (and the one synthesized from configuration extensions) will be measured to both PCR 9 and PCR 12; the initrd synthesized from system extensions will be measured to both PCR 4 and PCR 9\&. Let\*(Aqs summarize the OS resources and the PCRs they are measured to: .sp .it 1 an-trap .nr an-no-space-flag 1 @@ -389,6 +438,8 @@ l l l l l l l l +l l +l l l l. T{ \fBsystemd\-stub\fR code (the entry point of the unified PE binary) @@ -411,6 +462,11 @@ T}:T{ 4 + 9 + 11 T} T{ +Microcode initrd (embedded in unified PE binary) +T}:T{ +4 + 9 + 11 +T} +T{ Default kernel command line (embedded in unified PE binary) T}:T{ 4 + 11 @@ -445,6 +501,11 @@ System Extensions (synthesized initrd from companion files) T}:T{ 9 + 13 T} +T{ +Configuration Extensions (synthesized initrd from companion files) +T}:T{ +9 + 12 +T} .TE .sp 1 .SH "EFI VARIABLES" 
@@ -507,12 +568,20 @@ Added in version 252\&. .PP \fIStubPcrInitRDSysExts\fR .RS 4 -The PCR register index the systemd extensions for the initrd, which are picked up from the file system the kernel image is located on\&. Formatted as decimal ASCII string (e\&.g\&. +The PCR register index the system extensions for the initrd, which are picked up from the file system the kernel image is located on\&. Formatted as decimal ASCII string (e\&.g\&. "13")\&. This variable is set if a measurement was successfully completed, and remains unset otherwise\&. .sp Added in version 252\&. .RE .PP +\fIStubPcrInitRDConfExts\fR +.RS 4 +The PCR register index the configuration extensions for the initrd, which are picked up from the file system the kernel image is located on\&. Formatted as decimal ASCII string (e\&.g\&. +"12")\&. This variable is set if a measurement was successfully completed, and remains unset otherwise\&. +.sp +Added in version 255\&. +.RE +.PP Note that some of the variables above may also be set by the boot loader\&. The stub will only set them if they aren\*(Aqt set already\&. Some of these variables are defined by the \m[blue]\fBBoot Loader Interface\fR\m[]\&\s-2\u[4]\d\s+2\&. .SH "INITRD RESOURCES" 
@@ -549,16 +618,26 @@ directory in the initrd execution environment\&. Added in version 252\&. .RE .PP -/\&.extra/sysext/*\&.raw +/\&.extra/sysext/*\&.sysext\&.raw .RS 4 System extension image files (suffix -"\&.raw") that are placed next to the unified kernel image (as described above) are copied into the +"\&.sysext\&.raw") that are placed next to the unified kernel image (as described above) are copied into the /\&.extra/sysext/ directory in the initrd execution environment\&. .sp Added in version 252\&. .RE .PP +/\&.extra/confext/*\&.confext\&.raw +.RS 4 +Configuration extension image files (suffix +"\&.confext\&.raw") that are placed next to the unified kernel image (as described above) are copied into the +/\&.extra/confext/ +directory in the initrd execution environment\&. +.sp +Added in version 255\&. +.RE +.PP /\&.extra/tpm2\-pcr\-signature\&.json .RS 4 The TPM2 PCR signature JSON object included in the @@ -590,7 +669,9 @@ line\&. By default, this is done for the TPM2 PCR signature and public key files .PP \fBsystemd\-stub\fR can be configured using SMBIOS Type 11 strings\&. Applicable strings consist of a name, followed by -"=", followed by the value\&. +"=", followed by the value\&. Unless +\fBsystemd\-stub\fR +detects it is running inside a confidential computing environment, \fBsystemd\-stub\fR will search the table for a string with a specific name, and if found, use its value\&. The following strings are read: .PP 
@@ -606,15 +687,7 @@ In order to assemble a bootable Unified Kernel Image from various components as \fBukify\fR(1)\&. .SH "SEE ALSO" .PP -\fBsystemd-boot\fR(7), -\fBsystemd.exec\fR(5), -\fBsystemd-creds\fR(1), -\fBsystemd-sysext\fR(8), -\m[blue]\fBBoot Loader Specification\fR\m[]\&\s-2\u[5]\d\s+2, -\m[blue]\fBBoot Loader Interface\fR\m[]\&\s-2\u[4]\d\s+2, -\fBukify\fR(1), -\fBsystemd-measure\fR(1), -\m[blue]\fBTPM2 PCR Measurements Made by systemd\fR\m[]\&\s-2\u[6]\d\s+2 +\fBsystemd-boot\fR(7), \fBsystemd.exec\fR(5), \fBsystemd-creds\fR(1), \fBsystemd-sysext\fR(8), \m[blue]\fBBoot Loader Specification\fR\m[]\&\s-2\u[5]\d\s+2, \m[blue]\fBBoot Loader Interface\fR\m[]\&\s-2\u[4]\d\s+2, \fBukify\fR(1), \fBsystemd-measure\fR(1), \m[blue]\fBTPM2 PCR Measurements Made by systemd\fR\m[]\&\s-2\u[6]\d\s+2 .SH "NOTES" .IP " 1." 4 SBAT |
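Review bot: stale entry in the SYNOPSIS hunk (@@ -23,21 +23,36 @@): `ESP/.../foo.efi.extra.d/*.raw` is kept while `*.sysext.raw` and `*.confext.raw` are added next to it, yet the @@ -277 hunk renames the sysext companion glob from `*.raw` to `*.sysext.raw` and the @@ -549 hunk renames the INITRD RESOURCES entry the same way, so nothing in the body says what a plain `*.raw` file does any more. Either drop the synopsis line or add a sentence stating whether bare `*.raw` is still picked up as a system extension (and, if so, that it lands in the PCR 13 measurement like `*.sysext.raw`). Anyone binding a policy to PCR 13 needs to know whether renaming is required, since an image that silently stops being loaded changes what gets measured.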
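Review bot: the new ".ucode" bullet in the @@ -112,6 +127,19 @@ hunk states "This initrd must not be compressed" without saying what enforces it or what happens if it is (does systemd-stub refuse the section, or is it handed through to fail on the kernel side?). One clause on the failure mode would save a debugging round for people assembling UKIs by hand.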
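Review bot: copy-paste slip in the new confext bullet of the @@ -298,12 +326,33 @@ hunk: the closing sentence reads "The generated cpio archive containing these system extension images is measured into TPM PCR 12", but the bullet is about configuration extension images; change to "these configuration extension images". It is also worth saying explicitly here that PCR 12 is shared with the credentials cpio (the @@ -363 hunk and the table row "9 + 12" imply it), because a reader of this bullet alone would otherwise expect a dedicated PCR as system extensions get with PCR 13.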
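Review bot: the rewritten sentence in the @@ -363,7 +412,7 @@ hunk still says "the initrd synthesized from system extensions will be measured to both PCR 4 and PCR 9", which contradicts the earlier statement that the sysext cpio "is measured into TPM PCR 13" and the table row "System Extensions (synthesized initrd from companion files) ... 9 + 13" a few hunks below. PCR 4 is described on the same page as the firmware's measurement of the UKI "as a whole, covering all embedded resources", and companion files read from the ESP are not embedded, so "PCR 9 and PCR 13" is the consistent value; since the line is being touched anyway, fix it here. The two new table rows (Microcode initrd 4 + 9 + 11, Configuration Extensions 9 + 12) do agree with the prose, and the two added "l l" column-format lines match the two added rows.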
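Review bot: "Added in version 255." on the new StubPcrInitRDConfExts entry in the @@ -507,12 +568,20 @@ hunk (and on the new /.extra/confext/*.confext.raw entry in the @@ -549 hunk) does not square with the header bump from "systemd 255" to "systemd 256~rc3" in the first hunk: if this page is the first to document confext pickup, the tag should presumably read 256; if the feature really shipped in 255, the 255 page should already have carried it. Please check against the release that introduced it and make the tags consistent. Minor: both the existing StubPcrInitRDSysExts sentence and the new StubPcrInitRDConfExts sentence, "The PCR register index the configuration extensions for the initrd, which are picked up from the file system the kernel image is located on.", lack a main verb; "The PCR register index into which the configuration extensions for the initrd ... are measured." or similar reads cleanly.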
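Review bot: the new clause in the @@ -590,7 +669,9 @@ hunk, "Unless systemd-stub detects it is running inside a confidential computing environment, systemd-stub will search the table for a string with a specific name", introduces a security-relevant behaviour change with no rationale and no pointer to how the detection works. The natural reading is that the SMBIOS table is supplied by the host, which is precisely the party a confidential-computing guest does not trust; if that is the reason, say so in one sentence, and name (or cross-reference) the detection mechanism so operators can tell why their Type 11 strings are being ignored on such platforms.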