# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR Free Software Foundation, Inc. # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "POT-Creation-Date: 2024-06-01 06:32+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: TH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "UKIFY" msgstr "" #. type: TH #: archlinux fedora-40 mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "systemd 255" msgstr "" #. type: TH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "ukify" msgstr "" #. ----------------------------------------------------------------- #. * MAIN CONTENT STARTS HERE * #. ----------------------------------------------------------------- #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "NAME" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "ukify - Combine components into a signed Unified Kernel Image for UEFI " "systems" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "SYNOPSIS" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "B [OPTIONS...] build" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B [OPTIONS...] genkey" msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "B [OPTIONS...] inspect FILE..." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "DESCRIPTION" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "B is a tool whose primary purpose is to combine components (usually a " "kernel, an initrd, and a UEFI boot stub) to create a \\m[blue]B\\m[]\\&\\s-2\\u[1]\\d\\s+2 \\(em a PE binary that can be " "executed by the firmware to start the embedded linux kernel\\&. See " "B(7) for details about the stub\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "COMMANDS" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "The following commands are understood:" msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "build" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "This command creates a Unified Kernel Image\\&. The two primary options that " "should be specified for the B verb are I/B<--linux=>, and " "I/B<--initrd=>\\&. I accepts multiple whitespace-" "separated paths and B<--initrd=> can be specified multiple times\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm fedora-40 mageia-cauldron opensuse-tumbleweed msgid "" "Additional sections will be inserted into the UKI, either automatically or " "only if a specific option is provided\\&. 
See the discussions of I/" "B<--cmdline=>, I/B<--os-release=>, I/B<--" "devicetree=>, I/B<--splash=>, I/B<--pcrpkey=>, I/" "B<--uname=>, I/B<--sbat=>, and B<--section=> below\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "B can also be used to assemble a PE binary that is not executable but " "contains auxiliary data, for example additional kernel command line " "entries\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "If PCR signing keys are provided via the I/B<--pcr-private-" "key=> and I/B<--pcr-public-key=> options, PCR values that " "will be seen after booting with the given kernel, initrd, and other " "sections, will be calculated, signed, and embedded in the UKI\\&. B(1) is used to perform this calculation and signing\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm fedora-40 mageia-cauldron opensuse-tumbleweed msgid "" "The calculation of PCR values is done for specific boot phase paths\\&. " "Those can be specified with the I/B<--phases=> option\\&. If not " "specified, the default provided by B is used\\&. It is also " "possible to specify the I/B<--pcr-private-key=>, " "I/B<--pcr-public-key=>, and I/B<--phases=> arguments " "more than once\\&. Signatures will then be performed with each of the " "specified keys\\&. On the command line, when both B<--phases=> and B<--pcr-" "private-key=> are used, they must be specified the same number of times, and " "then the n-th boot phase path set will be signed by the n-th key\\&. This " "can be used to build different trust policies for different phases of the " "boot\\&. In the config file, I, I, and " "I are grouped into separate sections, describing separate boot " "phases\\&." msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "If a SecureBoot signing key is provided via the I/B<--" "secureboot-private-key=> option, the resulting PE binary will be signed as a " "whole, allowing the resulting UKI to be trusted by SecureBoot\\&. Also see " "the discussion of automatic enrollment in B(7)\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "If the stub and/or the kernel contain \"\\&.sbat\" sections they will be " "merged in the UKI so that revocation updates affecting either are considered " "when the UKI is loaded by Shim\\&. For more information on SBAT see " "\\m[blue]B\\m[]\\&\\s-2\\u[2]\\d\\s+2\\&." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "genkey" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "This command creates the keys for PCR signing and the key and certificate " "used for SecureBoot signing\\&. The same configuration options that " "determine what keys and in which paths will be needed for signing when " "B is used, here determine which keys will be created\\&. See the " "discussion of I/B<--pcr-private-key=>, I/B<--" "pcr-public-key=>, and I/B<--secureboot-private-key=> " "below\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "The output files must not exist\\&." msgstr "" #. type: SS #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed #, no-wrap msgid "inspect" msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Display information about the sections in a given binary or binaries\\&. If " "B<--all> is given, all sections are shown\\&. Otherwise, if the B<--section=> " "option is specified at least once, only those sections are shown\\&. " "Otherwise, well-known sections that are typically included in a UKI are " "shown\\&. For each section, its name, size, and sha256-digest are printed\\&. " "For text sections, the contents are printed\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Also see the description of B<-j>/B<--json=> and B<--section=>\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "CONFIGURATION SETTINGS" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Settings can appear in configuration files (the syntax with " "II) and on the command line (the syntax with B<--some-" "setting=>I)\\&. For some command line parameters, a single-letter " "shortcut is also allowed\\&. In the configuration files, the setting must be " "in the appropriate section, so the descriptions are grouped by section " "below\\&. When the same setting appears in the configuration file and on the " "command line, generally the command line setting has higher priority and " "overwrites the config file setting completely\\&. If some setting behaves " "differently, this is described below\\&." msgstr "" #. 
type: Plain text #: archlinux fedora-40 mageia-cauldron opensuse-tumbleweed msgid "" "If no config file is provided via the option B<--config=>I, B " "will try to look for a default configuration file in the following paths in " "this order: /run/systemd/ukify\\&.conf, /etc/systemd/ukify\\&.conf, /usr/" "local/lib/systemd/ukify\\&.conf, and /usr/lib/systemd/ukify\\&.conf, and " "then load the first one found\\&. B will proceed normally if no " "configuration file is specified and no default one is found\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "The I and I positional arguments, or the equivalent I " "and I settings, are optional\\&. If more than one initrd is " "specified, they will all be combined into a single PE section\\&. This is " "useful to, for example, prepend microcode before the actual initrd\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "The following options and settings are understood:" msgstr "" #. type: SS #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed #, no-wrap msgid "Command line-only options" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--config=>I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Load configuration from the given config file\\&. In general, settings " "specified in the config file have lower precedence than the settings " "specified via options\\&. Cases where the command line option does not " "fully override the config file setting are explicitly mentioned in the " "descriptions of individual options\\&." msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 254\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--measure>, B<--no-measure>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Enable or disable a call to B(1) to print pre-calculated " "PCR values\\&. Defaults to false\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 253\\&." msgstr "" #. type: Plain text #: archlinux fedora-40 mageia-cauldron opensuse-tumbleweed msgid "" "B<--section=>IB<:>IB<|>I<@PATH>, B<--section=>IB<:>BB<[@>I]" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "For all verbs except B, the first syntax is used\\&. Specify an " "arbitrary additional section \"I\"\\&. The argument may be a literal " "string, or \"@\" followed by a path name\\&. This option may be specified " "more than once\\&. Any sections specified in this fashion will be inserted " "(in order) before the \"\\&.linux\" section which is always last\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "For the B verb, the second syntax is used\\&. The section I " "will be inspected (if found)\\&. If the second argument is \"text\", the " "contents will be printed\\&. If the third argument is given, the contents " "will be saved to file I\\&." msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Note that the name is used as-is, and if the section name should start with " "a dot, it must be included in I\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--tools=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Specify one or more directories with helper tools\\&. B will look " "for helper tools in those directories first, and if not found, try to load " "them from I<$PATH> in the usual fashion\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--output=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "The output filename\\&. If not specified, the name of the I argument, " "with the suffix \"\\&.unsigned\\&.efi\" or \"\\&.signed\\&.efi\" will be " "used, depending on whether signing for SecureBoot was performed\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--summary>" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Print a summary of loaded config and exit\\&. This is useful to check how " "the options from the configuration file and the command line are combined\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "B<--all>" msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Print all sections (with B verb)\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 255\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "B<--json>" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Generate JSON output (with B verb)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<-h>, B<--help>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "Print a short help text and exit\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B<--version>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "Print a short version string and exit\\&." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "[UKI] section" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "II, B<--linux=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "A path to the kernel binary\\&." msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "III<\\&.\\&.\\&.>, B<--initrd=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Zero or more initrd paths\\&. In the configuration file, items are separated " "by whitespace\\&. The initrds are combined in the order of specification, " "with the initrds specified in the config file first\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "III<|>I<@PATH>, B<--cmdline=>IB<|>I<@PATH>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "The kernel command line (the \"\\&.cmdline\" section)\\&. The argument may " "be a literal string, or \"@\" followed by a path name\\&. If not specified, " "no command line will be embedded\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "III<|>I<@PATH>, B<--os-release=>IB<|>I<@PATH>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "The os-release description (the \"\\&.osrel\" section)\\&. The argument may " "be a literal string, or \"@\" followed by a path name\\&. If not specified, " "the B(5) file will be picked up from the host system\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "II, B<--devicetree=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "The devicetree description (the \"\\&.dtb\" section)\\&. 
The argument is a " "path to a compiled binary DeviceTree file\\&. If not specified, the section " "will not be present\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "II, B<--splash=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "A picture to display during boot (the \"\\&.splash\" section)\\&. The " "argument is a path to a BMP file\\&. If not specified, the section will not " "be present\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "II, B<--pcrpkey=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "A path to a public key to embed in the \"\\&.pcrpkey\" section\\&. If not " "specified, and there\\*(Aqs exactly one I/B<--pcr-public-" "key=> argument, that key will be used\\&. Otherwise, the section will not be " "present\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "II, B<--uname=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Specify the kernel version (as in B, the \"\\&.uname\" " "section)\\&. If not specified, an attempt will be made to extract the " "version string from the kernel image\\&. It is recommended to pass this " "explicitly if known, because the extraction is based on heuristics and not " "very reliable\\&. If not specified and extraction fails, the section will " "not be present\\&." msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "II, B<--pcr-banks=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "A comma or space-separated list of PCR banks to sign a policy for\\&. If not " "present, all known banks will be used (\"sha1\", \"sha256\", \"sha384\", " "\"sha512\"), which will fail if not supported by the system\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "II, B<--signtool=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Whether to use \"sbsign\" or \"pesign\"\\&. Depending on this choice, " "different parameters are required in order to sign an image\\&. Defaults to " "\"sbsign\"\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "II, B<--secureboot-private-key=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "A path to a private key to use for signing of the resulting binary\\&. If " "the I/B<--signing-engine=> option is used, this may also be " "an engine-specific designation\\&. This option is required by " "I/B<--signtool=sbsign>\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "II, B<--secureboot-certificate=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "A path to a certificate to use for signing of the resulting binary\\&. 
If " "the I/B<--signing-engine=> option is used, this may also be " "an engine-specific designation\\&. This option is required by " "I/B<--signtool=sbsign>\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "II, B<--secureboot-certificate-" "dir=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "A path to an NSS certificate database directory to use for signing of the " "resulting binary\\&. Takes effect when I/B<--" "signtool=pesign> is used\\&. Defaults to /etc/pki/pesign\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "II, B<--secureboot-certificate-" "name=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "The name of the NSS certificate database entry to use for signing of the " "resulting binary\\&. This option is required by " "I/B<--signtool=pesign>\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "II, B<--secureboot-certificate-" "validity=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Period of validity (in days) for a certificate created by B\\&. " "Defaults to 3650, i\\&.e\\&. 10 years\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "II, B<--signing-engine=>I" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "An \"engine\" for signing of the resulting binary\\&. This option is " "currently passed verbatim to the B<--engine=> option of B(1)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "II, B<--sign-kernel>, B<--no-sign-kernel>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "Override the detection of whether to sign the Linux binary itself before it " "is embedded in the combined image\\&. If not specified, it will be signed if " "a SecureBoot signing key is provided via the I/B<--" "secureboot-private-key=> option and the binary has not already been " "signed\\&. If I/B<--sign-kernel> is true, and the binary has " "already been signed, the signature will be appended anyway\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "III<|>I<@PATH>, B<--sbat=>IB<|>I<@PATH>" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-rawhide mageia-cauldron opensuse-tumbleweed msgid "" "SBAT metadata associated with the UKI or addon\\&. SBAT policies are useful " "to revoke whole groups of UKIs or addons with a single, static policy update " "that does not take space in DBX/MOKX\\&. If not specified manually, a " "default metadata entry consisting of \"uki,1,UKI,uki,1,https://uapi-group\\&." "org/specifications/specs/unified_kernel_image/\" for UKIs and \"uki-addon,1," "UKI Addon,addon,1,https://www\\&.freedesktop\\&.org/software/systemd/man/" "latest/systemd-stub\\&.html\" for addons will be used, to ensure it is " "always possible to revoke them\\&. For more information on SBAT see " "\\m[blue]B\\m[]\\&\\s-2\\u[2]\\d\\s+2\\&." msgstr "" #. 
type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "[PCRSignature:IR<] section>" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "In the config file, those options are grouped by section\\&. On the command " "line, they must be specified in the same order\\&. The sections specified in " "both sources are combined\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "II, B<--pcr-private-key=>I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "A private key to use for signing PCR policies\\&. On the command line, this " "option may be specified more than once, in which case multiple signatures " "will be made\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "II, B<--pcr-public-key=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "A public key to use for signing PCR policies\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "On the command line, this option may be specified more than once, similarly " "to the B<--pcr-private-key=> option\\&. If not present, the public keys will " "be extracted from the private keys\\&. On the command line, if present, this " "option must be specified the same number of times as the B<--pcr-private-" "key=> option\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "II, B<--phases=>I" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "A comma or space-separated list of colon-separated phase paths to sign a " "policy for\\&. Each set of boot phase paths will be signed with the " "corresponding private key\\&. If not present, the default of B(1) will be used\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "On the command line, when this argument is present, it must appear the same " "number of times as the B<--pcr-private-key=> option\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "EXAMPLES" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "$ ukify build \\e\n" " --linux=/lib/modules/6\\&.0\\&.9-300\\&.fc37\\&.x86_64/vmlinuz \\e\n" " --initrd=/some/path/initramfs-6\\&.0\\&.9-300\\&.fc37\\&.x86_64\\&.img \\e\n" " --cmdline=\\*(Aqquiet rw\\*(Aq\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "This creates an unsigned UKI \\&./vmlinuz\\&.unsigned\\&.efi\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B" msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-rawhide mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "$ ukify build \\e\n" " --linux=/lib/modules/6\\&.0\\&.9-300\\&.fc37\\&.x86_64/vmlinuz \\e\n" " --initrd=early_cpio \\e\n" " --initrd=/some/path/initramfs-6\\&.0\\&.9-300\\&.fc37\\&.x86_64\\&.img \\e\n" " --sbat=\\*(Aqsbat,1,SBAT Version,sbat,1,https://github\\&.com/rhboot/shim/blob/main/SBAT\\&.md\n" " uki\\&.author\\&.myimage,1,UKI for System,uki\\&.author\\&.myimage,1,https://uapi-group\\&.org/specifications/specs/unified_kernel_image/\\*(Aq \\e\n" " --pcr-private-key=pcr-private-initrd-key\\&.pem \\e\n" " --pcr-public-key=pcr-public-initrd-key\\&.pem \\e\n" " --phases=\\*(Aqenter-initrd\\*(Aq \\e\n" " --pcr-private-key=pcr-private-system-key\\&.pem \\e\n" " --pcr-public-key=pcr-public-system-key\\&.pem \\e\n" " --phases=\\*(Aqenter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \\e\n" " enter-initrd:leave-initrd:sysinit:ready\\*(Aq \\e\n" " --pcr-banks=sha384,sha512 \\e\n" " --secureboot-private-key=sb\\&.key \\e\n" " --secureboot-certificate=sb\\&.cert \\e\n" " --sign-kernel \\e\n" " --cmdline=\\*(Aqquiet rw rhgb\\*(Aq\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "This creates a signed UKI \\&./vmlinuz\\&.signed\\&.efi\\&. The initrd " "section contains two concatenated parts, early_cpio and " "initramfs-6\\&.0\\&.9-300\\&.fc37\\&.x86_64\\&.img\\&. The policy embedded " "in the \"\\&.pcrsig\" section will be signed for the initrd (the B phase) with the key pcr-private-initrd-key\\&.pem, and for the main " "system (phases B, B, B) with the key pcr-" "private-system-key\\&.pem\\&. The Linux binary and the resulting combined " "image will be signed with the SecureBoot key sb\\&.key\\&." msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "This is the same as the previous example, but this time the configuration is " "stored in a file:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "$ cat ukify\\&.conf\n" "[UKI]\n" "Initrd=early_cpio\n" "Cmdline=quiet rw rhgb\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "SecureBootPrivateKey=sb\\&.key\n" "SecureBootCertificate=sb\\&.cert\n" "SignKernel=yes\n" "PCRBanks=sha384,sha512\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "[PCRSignature:initrd]\n" "PCRPrivateKey=pcr-private-initrd-key\\&.pem\n" "PCRPublicKey=pcr-public-initrd-key\\&.pem\n" "Phases=enter-initrd\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "[PCRSignature:system]\n" "PCRPrivateKey=pcr-private-system-key\\&.pem\n" "PCRPublicKey=pcr-public-system-key\\&.pem\n" "Phases=enter-initrd:leave-initrd\n" " enter-initrd:leave-initrd:sysinit\n" " enter-initrd:leave-initrd:sysinit:ready\n" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed #, no-wrap msgid "" "$ ukify -c ukify\\&.conf build \\e\n" " --linux=/lib/modules/6\\&.0\\&.9-300\\&.fc37\\&.x86_64/vmlinuz \\e\n" " --initrd=/some/path/initramfs-6\\&.0\\&.9-300\\&.fc37\\&.x86_64\\&.img\n" msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "One \"initrd\" (early_cpio) is specified in the config file, and the other " "initrd (initramfs-6\\&.0\\&.9-300\\&.fc37\\&.x86_64\\&.img) is specified on " "the command line\\&. This may be useful for example when the first initrd " "contains microcode for the CPU and does not need to be updated when the " "kernel version changes, unlike the actual initrd\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "B" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-rawhide mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "ukify build \\e\n" " --secureboot-private-key=sb\\&.key \\e\n" " --secureboot-certificate=sb\\&.cert \\e\n" " --cmdline=\\*(Aqdebug\\*(Aq \\e\n" " --sbat=\\*(Aqsbat,1,SBAT Version,sbat,1,https://github\\&.com/rhboot/shim/blob/main/SBAT\\&.md\n" " uki-addon\\&.author,1,UKI Addon for System,uki-addon\\&.author,1,https://www\\&.freedesktop\\&.org/software/systemd/man/systemd-stub\\&.html\\*(Aq \\e\n" " --output=debug\\&.cmdline\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "This creates a signed PE binary that contains the additional kernel command " "line parameter \"debug\" with SBAT metadata referring to the owner of the " "addon\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "First, let\\*(Aqs create a config file that specifies what signatures shall " "be made:" msgstr "" #.
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "# cat E<gt>/etc/kernel/uki\\&.conf E<lt>E<lt>EOF\n" "[UKI]\n" "SecureBootPrivateKey=/etc/kernel/secure-boot\\&.key\\&.pem\n" "SecureBootCertificate=/etc/kernel/secure-boot\\&.cert\\&.pem\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "[PCRSignature:initrd]\n" "Phases=enter-initrd\n" "PCRPrivateKey=/etc/kernel/pcr-initrd\\&.key\\&.pem\n" "PCRPublicKey=/etc/kernel/pcr-initrd\\&.pub\\&.pem\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "" "[PCRSignature:system]\n" "Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit\n" " enter-initrd:leave-initrd:sysinit:ready\n" "PCRPrivateKey=/etc/kernel/pcr-system\\&.key\\&.pem\n" "PCRPublicKey=/etc/kernel/pcr-system\\&.pub\\&.pem\n" "EOF\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "Next, we can generate the certificate and keys:" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed #, no-wrap msgid "" "# ukify genkey --config=/etc/kernel/uki\\&.conf\n" "Writing SecureBoot private key to /etc/kernel/secure-boot\\&.key\\&.pem\n" "Writing SecureBoot certificate to /etc/kernel/secure-boot\\&.cert\\&.pem\n" "Writing private key for PCR signing to /etc/kernel/pcr-initrd\\&.key\\&.pem\n" "Writing public key for PCR signing to /etc/kernel/pcr-initrd\\&.pub\\&.pem\n" "Writing private key for PCR signing to /etc/kernel/pcr-system\\&.key\\&.pem\n" "Writing public key for PCR signing to /etc/kernel/pcr-system\\&.pub\\&.pem\n" msgstr "" #.
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "(Both operations need to be done as root to allow write access to /etc/" "kernel/\\&.)" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Subsequent invocations using the config file (B) will use this certificate and key files\\&. Note that " "the B(8) plugin 60-ukify\\&.install uses /etc/kernel/uki\\&." "conf by default, so after this file has been created, installations of " "kernels that create a UKI on the local machine using B will " "perform signing using this config\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "SEE ALSO" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "" "B(1), B(7), B(7), B(1), B(8)" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "NOTES" msgstr "" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid " 1." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "Unified Kernel Image (UKI)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "\\%https://uapi-group.org/specifications/specs/unified_kernel_image/" msgstr "" #. type: IP #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed #, no-wrap msgid " 2." msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Shim documentation" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-tumbleweed msgid "\\%https://github.com/rhboot/shim/blob/main/SBAT.md" msgstr "" #. type: TH #: debian-bookworm #, no-wrap msgid "systemd 254" msgstr "" #. type: Plain text #: debian-bookworm msgid "B [OPTIONS...] build" msgstr "" #. type: Plain text #: debian-bookworm msgid "" "Note: this command is experimental for now\\&. While it is intended to " "become a regular component of systemd, it might still change in behaviour " "and interface\\&." msgstr "" #. type: Plain text #: debian-bookworm msgid "" "If the stub and/or the kernel contain \"\\&.sbat\" sections they will be " "merged in the UKI so that revocation updates affecting either are considered " "when the UKI is loaded by Shim\\&. For more information on SBAT see " "\\m[blue]B\\m[]\\&\\s-2\\u[2]\\d\\s+2" msgstr "" #. type: SS #: debian-bookworm #, no-wrap msgid "Commandline-only options" msgstr "" #. type: Plain text #: debian-bookworm msgid "" "Load configuration from the given config file\\&. In general, settings " "specified in the config file have lower precedence than the settings " "specified via options\\&. Cases where the commandline option does not " "fully override the config file setting are explicitly mentioned in the " "descriptions of individual options\\&." msgstr "" #. type: Plain text #: debian-bookworm msgid "B<--section=>IB<:>IB<|>I<@PATH>" msgstr "" #. type: Plain text #: debian-bookworm msgid "" "Specify an arbitrary additional section \"I\"\\&. Note that the name " "is used as-is, and if the section name should start with a dot, it must be " "included in I\\&. The argument may be a literal string, or \"@\" " "followed by a path name\\&. This option may be specified more than once\\&. 
" "Any sections specified in this fashion will be inserted (in order) before " "the \"\\&.linux\" section which is always last\\&." msgstr "" #. type: Plain text #: debian-bookworm msgid "" "Print a summary of loaded config and exit\\&. This is useful to check how " "the options form the configuration file and the commandline are combined\\&." msgstr "" #. type: Plain text #: debian-bookworm msgid "" "SBAT metadata associated with the UKI or addon\\&. SBAT policies are useful " "to revoke whole groups of UKIs or addons with a single, static policy update " "that does not take space in DBX/MOKX\\&. If not specified manually, a " "default metadata entry consisting of \"uki,1,UKI,uki,1,https://www\\&." "freedesktop\\&.org/software/systemd/man/systemd-stub\\&.html\" will be used, " "to ensure it is always possible to revoke UKIs and addons\\&. For more " "information on SBAT see \\m[blue]B\\m[]\\&\\s-2\\u[2]\\d\\s+2" msgstr "" #. type: Plain text #: debian-bookworm msgid "" "In the config file, those options are grouped by section\\&. On the " "commandline, they must be specified in the same order\\&. The sections " "specified in both sources are combined\\&." msgstr "" #. type: Plain text #: debian-bookworm msgid "" "A private key to use for signing PCR policies\\&. On the commandline, this " "option may be specified more than once, in which case multiple signatures " "will be made\\&." msgstr "" #. type: Plain text #: debian-bookworm msgid "" "On the commandline, this option may be specified more than once, similarly " "to the B<--pcr-private-key=> option\\&. If not present, the public keys will " "be extracted from the private keys\\&. On the commandline, if present, the " "this option must be specified the same number of times as the B<--pcr-" "private-key=> option\\&." msgstr "" #. type: Plain text #: debian-bookworm msgid "" "On the commandline, when this argument is present, it must appear the same " "number of times as the B<--pcr-private-key=> option\\&." 
msgstr "" #. type: Plain text #: debian-bookworm #, no-wrap msgid "" "$ /usr/lib/systemd/ukify build \\e\n" " --linux=/lib/modules/6\\&.0\\&.9-300\\&.fc37\\&.x86_64/vmlinuz \\e\n" " --initrd=early_cpio \\e\n" " --initrd=/some/path/initramfs-6\\&.0\\&.9-300\\&.fc37\\&.x86_64\\&.img \\e\n" " --sbat=\\*(Aqsbat,1,SBAT Version,sbat,1,https://github\\&.com/rhboot/shim/blob/main/SBAT\\&.md\n" " uki\\&.author\\&.myimage,1,UKI for System,uki\\&.author\\&.myimage,1,https://www\\&.freedesktop\\&.org/software/systemd/man/systemd-stub\\&.html\\*(Aq \\e\n" " --pcr-private-key=pcr-private-initrd-key\\&.pem \\e\n" " --pcr-public-key=pcr-public-initrd-key\\&.pem \\e\n" " --phases=\\*(Aqenter-initrd\\*(Aq \\e\n" " --pcr-private-key=pcr-private-system-key\\&.pem \\e\n" " --pcr-public-key=pcr-public-system-key\\&.pem \\e\n" " --phases=\\*(Aqenter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \\e\n" " enter-initrd:leave-initrd:sysinit:ready\\*(Aq \\e\n" " --pcr-banks=sha384,sha512 \\e\n" " --secureboot-private-key=sb\\&.key \\e\n" " --secureboot-certificate=sb\\&.cert \\e\n" " --sign-kernel \\e\n" " --cmdline=\\*(Aqquiet rw rhgb\\*(Aq\n" msgstr "" #. type: Plain text #: debian-bookworm #, no-wrap msgid "" "$ /usr/lib/systemd/ukify -c ukify\\&.conf build \\e\n" " --linux=/lib/modules/6\\&.0\\&.9-300\\&.fc37\\&.x86_64/vmlinuz \\e\n" " --initrd=/some/path/initramfs-6\\&.0\\&.9-300\\&.fc37\\&.x86_64\\&.img\n" msgstr "" #. type: Plain text #: debian-bookworm msgid "" "One \"initrd\" (early_cpio) is specified in the config file, and the other " "initrd (initramfs-6\\&.0\\&.9-300\\&.fc37\\&.x86_64\\&.img) is specified on " "the commandline\\&. This may be useful for example when the first initrd " "contains microcode for the CPU and does not need to be updated when the " "kernel version changes, unlike the actual initrd\\&." msgstr "" #. 
type: Plain text #: debian-bookworm fedora-40 #, no-wrap msgid "" "ukify build \\e\n" " --secureboot-private-key=sb\\&.key \\e\n" " --secureboot-certificate=sb\\&.cert \\e\n" " --cmdline=\\*(Aqdebug\\*(Aq \\e\n" " --sbat=\\*(Aqsbat,1,SBAT Version,sbat,1,https://github\\&.com/rhboot/shim/blob/main/SBAT\\&.md\n" " uki\\&.addon\\&.author,1,UKI Addon for System,uki\\&.addon\\&.author,1,https://www\\&.freedesktop\\&.org/software/systemd/man/systemd-stub\\&.html\\*(Aq \\e\n" " --output=debug\\&.cmdline\n" msgstr "" #. type: Plain text #: debian-bookworm #, no-wrap msgid "" "# /usr/lib/systemd/ukify genkey --config=/etc/kernel/uki\\&.conf\n" "Writing SecureBoot private key to /etc/kernel/secure-boot\\&.key\\&.pem\n" "Writing SecureBoot certificate to /etc/kernel/secure-boot\\&.cert\\&.pem\n" "Writing private key for PCR signing to /etc/kernel/pcr-initrd\\&.key\\&.pem\n" "Writing public key for PCR signing to /etc/kernel/pcr-initrd\\&.pub\\&.pem\n" "Writing private key for PCR signing to /etc/kernel/pcr-system\\&.key\\&.pem\n" "Writing public key for PCR signing to /etc/kernel/pcr-system\\&.pub\\&.pem\n" msgstr "" #. type: Plain text #: debian-bookworm msgid "" "Subsequent invocations using the config file (B) will use this certificate and key " "files\\&. Note that the B(8) plugin 60-ukify\\&.install " "uses /etc/kernel/uki\\&.conf by default, so after this file has been " "created, installations of kernels that create a UKI on the local machine " "using B would perform signing using this config\\&." msgstr "" #. type: Plain text #: debian-bookworm msgid "Shim's documentation." msgstr "" #. type: TH #: debian-unstable fedora-rawhide #, no-wrap msgid "systemd 256~rc3" msgstr "" #. type: Plain text #: debian-unstable fedora-rawhide msgid "" "Additional sections will be inserted into the UKI, either automatically or " "only if a specific option is provided\\&. 
See the discussions of " "I/B<--microcode=>, I/B<--cmdline=>, I/B<--" "os-release=>, I/B<--devicetree=>, I/B<--splash=>, " "I/B<--pcrpkey=>, I/B<--uname=>, I/B<--sbat=>, and " "B<--section=> below\\&." msgstr "" #. type: Plain text #: debian-unstable fedora-rawhide msgid "" "The calculation of PCR values is done for specific boot phase paths\\&. " "Those can be specified with the I/B<--phases=> option\\&. If not " "specified, the default provided by B is used\\&. It is also " "possible to specify the I/B<--pcr-private-key=>, " "I/B<--pcr-public-key=>, and I/B<--phases=> arguments " "more than once\\&. Signatures will then be performed with each of the " "specified keys\\&. On the command line, when both B<--phases=> and B<--pcr-" "private-key=> are used, they must be specified the same number of times, and " "then the n-th boot phase path set will be signed by the n-th key\\&. This " "can be used to build different trust policies for different phases of the " "boot\\&. In the config file, I, I, and " "I are grouped into separate sections, describing separate boot " "phases\\&. If I/B<--signing-engine=> is specified, then the " "private key arguments will be passed verbatim to OpenSSL as URIs, and the " "public key arguments will be loaded as X\\&.509 certificates, so that " "signing can be performed with an OpenSSL engine\\&." msgstr "" #. type: Plain text #: debian-unstable fedora-rawhide msgid "" "Other tools that may be useful for inspecting UKIs: B(1) B<-p> " "and B\\&." msgstr "" #. type: Plain text #: debian-unstable fedora-rawhide msgid "" "If no config file is provided via the option B<--config=>I, B " "will try to look for a default configuration file in the following paths in " "this order: /etc/systemd/ukify\\&.conf, /run/systemd/ukify\\&.conf, /usr/" "local/lib/systemd/ukify\\&.conf, and /usr/lib/systemd/ukify\\&.conf, and " "then load the first one found\\&. B will proceed normally if no " "configuration file is specified and no default one is found\\&."
msgstr "" #. type: Plain text #: debian-unstable fedora-rawhide msgid "" "B<--section=>IB<:>IB<|>I<@PATH>, B<--section=>IB<:text|" "binary>B<[@>I]" msgstr "" #. type: Plain text #: debian-unstable fedora-rawhide msgid "II, B<--microcode=>I" msgstr "" #. type: Plain text #: debian-unstable fedora-rawhide msgid "" "Path to initrd containing microcode updates\\&. If not specified, the " "section will not be present\\&." msgstr "" #. type: Plain text #: debian-unstable fedora-rawhide msgid "Added in version 256\\&." msgstr "" #. type: Plain text #: fedora-40 msgid "" "SBAT metadata associated with the UKI or addon\\&. SBAT policies are useful " "to revoke whole groups of UKIs or addons with a single, static policy update " "that does not take space in DBX/MOKX\\&. If not specified manually, a " "default metadata entry consisting of \"uki,1,UKI,uki,1,https://www\\&." "freedesktop\\&.org/software/systemd/man/systemd-stub\\&.html\" will be used, " "to ensure it is always possible to revoke UKIs and addons\\&. For more " "information on SBAT see \\m[blue]B\\m[]\\&\\s-2\\u[2]\\d\\s+2\\&." msgstr "" #. 
type: Plain text #: fedora-40 #, no-wrap msgid "" "$ ukify build \\e\n" " --linux=/lib/modules/6\\&.0\\&.9-300\\&.fc37\\&.x86_64/vmlinuz \\e\n" " --initrd=early_cpio \\e\n" " --initrd=/some/path/initramfs-6\\&.0\\&.9-300\\&.fc37\\&.x86_64\\&.img \\e\n" " --sbat=\\*(Aqsbat,1,SBAT Version,sbat,1,https://github\\&.com/rhboot/shim/blob/main/SBAT\\&.md\n" " uki\\&.author\\&.myimage,1,UKI for System,uki\\&.author\\&.myimage,1,https://www\\&.freedesktop\\&.org/software/systemd/man/systemd-stub\\&.html\\*(Aq \\e\n" " --pcr-private-key=pcr-private-initrd-key\\&.pem \\e\n" " --pcr-public-key=pcr-public-initrd-key\\&.pem \\e\n" " --phases=\\*(Aqenter-initrd\\*(Aq \\e\n" " --pcr-private-key=pcr-private-system-key\\&.pem \\e\n" " --pcr-public-key=pcr-public-system-key\\&.pem \\e\n" " --phases=\\*(Aqenter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \\e\n" " enter-initrd:leave-initrd:sysinit:ready\\*(Aq \\e\n" " --pcr-banks=sha384,sha512 \\e\n" " --secureboot-private-key=sb\\&.key \\e\n" " --secureboot-certificate=sb\\&.cert \\e\n" " --sign-kernel \\e\n" " --cmdline=\\*(Aqquiet rw rhgb\\*(Aq\n" msgstr ""