Diffstat (limited to 'man/ukify.xml')
-rw-r--r-- man/ukify.xml 42
1 files changed, 31 insertions, 11 deletions
diff --git a/man/ukify.xml b/man/ukify.xml
index b882de8..bf6f328 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="ukify" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='ENABLE_UKIFY'>
@@ -67,6 +67,7 @@
<para>Additional sections will be inserted into the UKI, either automatically or only if a specific
option is provided. See the discussions of
+ <varname>Microcode=</varname>/<option>--microcode=</option>,
<varname>Cmdline=</varname>/<option>--cmdline=</option>,
<varname>OSRelease=</varname>/<option>--os-release=</option>,
<varname>DeviceTree=</varname>/<option>--devicetree=</option>,
@@ -99,7 +100,10 @@
the n-th boot phase path set will be signed by the n-th key. This can be used to build different trust
policies for different phases of the boot. In the config file, <varname>PCRPrivateKey=</varname>,
<varname>PCRPublicKey=</varname>, and <varname>Phases=</varname> are grouped into separate sections,
- describing separate boot phases.</para>
+ describing separate boot phases. If <varname>SigningEngine=</varname>/<option>--signing-engine=</option>
+ is specified, then the private keys arguments will be passed verbatim to OpenSSL as URIs, and the public
+ key arguments will be loaded as X.509 certificates, so that signing can be performed with an OpenSSL
+ engine.</para>
<para>If a SecureBoot signing key is provided via the
<varname>SecureBootPrivateKey=</varname>/<option>--secureboot-private-key=</option> option, the resulting
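Review bot: In the added SigningEngine= sentence, "the private keys arguments" should read "the private key arguments", and the sentence never names the options it applies to. Since it sits in the PCR signing paragraph, spell out that it covers PCRPrivateKey= and PCRPublicKey=, and state plainly that with an engine the public key argument has to be an X.509 certificate, because that changes the input format the reader must supply. It would also help to say what the URI form is expected to look like, or point to the engine's documentation for it, since "passed verbatim to OpenSSL" leaves the accepted syntax undefined here.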
@@ -140,6 +144,12 @@
<para>Also see the description of <option>-j</option>/<option>--json=</option> and
<option>--section=</option>.</para>
+
+ <para>Other tools that may be useful for inspect UKIs:
+ <citerefentry project='man-pages'><refentrytitle>llvm-objdump</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ <option>-p</option> and <command>pe-inspect</command>.
+ <!-- TODO: add link to pe-inspect man page when it gets one -->
+ </para>
</refsect2>
</refsect1>
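Review bot: Grammar in the added paragraph: "useful for inspect UKIs" should be "useful for inspecting UKIs". The sentence also ends in a colon and then runs the two tools together as "llvm-objdump(1) -p and pe-inspect"; wrapping the first as a command with its option, or rewording to "llvm-objdump -p (see llvm-objdump(1)) and pe-inspect", would render more clearly. The TODO comment is fine as a marker, but consider tracking it in an issue so it does not linger in the man page source.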
@@ -157,7 +167,7 @@
<para>If no config file is provided via the option <option>--config=<replaceable>PATH</replaceable></option>,
<command>ukify</command> will try to look for a default configuration file in the following paths in this
- order: <filename>/run/systemd/ukify.conf</filename>, <filename>/etc/systemd/ukify.conf</filename>,
+ order: <filename>/etc/systemd/ukify.conf</filename>, <filename>/run/systemd/ukify.conf</filename>,
<filename>/usr/local/lib/systemd/ukify.conf</filename>, and <filename>/usr/lib/systemd/ukify.conf</filename>,
and then load the first one found. <command>ukify</command> will proceed normally if no configuration file
is specified and no default one is found.</para>
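Review bot: The swap on the "order:" line puts /etc/systemd/ukify.conf ahead of /run/systemd/ukify.conf, and because the paragraph says the first file found is loaded, this changes which file wins when both exist. Please confirm that the new order matches the lookup the tool actually performs, and say in the commit message whether this is a documentation correction or a behaviour change. The config file is where the signing key settings discussed earlier in this page live, so readers rely on this precedence when deciding which path to lock down.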
@@ -197,7 +207,7 @@
<varlistentry>
<term><option>--section=<replaceable>NAME</replaceable>:<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term>
- <term><option>--section=<replaceable>NAME</replaceable>:<arg choice="plain">text|binary</arg><optional>@<replaceable>PATH</replaceable></optional></option></term>
+ <term><option>--section=<replaceable>NAME</replaceable>:text|binary<optional>@<replaceable>PATH</replaceable></optional></option></term>
<listitem><para>For all verbs except <command>inspect</command>, the first syntax is used.
Specify an arbitrary additional section <literal><replaceable>NAME</replaceable></literal>.
@@ -294,6 +304,16 @@
</varlistentry>
<varlistentry>
+ <term><varname>Microcode=<replaceable>UCODE</replaceable></varname></term>
+ <term><option>--microcode=<replaceable>UCODE</replaceable></option></term>
+
+ <listitem><para>Path to initrd containing microcode updates. If not specified, the section
+ will not be present.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>Cmdline=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></varname></term>
<term><option>--cmdline=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term>
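Review bot: In the new Microcode= entry, "If not specified, the section will not be present" does not say which section is meant; name the PE section that this option populates so the reader can match it against inspect output. "Path to initrd containing microcode updates" would read better as "Path to an initrd containing microcode updates". The entry is also silent on how this initrd relates to the regular initrd option, which is worth one sentence given that both are described as initrds.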
@@ -676,13 +696,13 @@ Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem
<refsect1>
<title>See Also</title>
- <para>
- <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- </para>
+ <para><simplelist type="inline">
+ <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+ </simplelist></para>
</refsect1>
</refentry>