From fc53809803cd2bc2434e312b19a18fa36776da12 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 12 Jun 2024 05:50:40 +0200 Subject: Adding upstream version 256. Signed-off-by: Daniel Baumann --- man/ukify.xml | 42 +++++++++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 11 deletions(-) (limited to 'man/ukify.xml') diff --git a/man/ukify.xml b/man/ukify.xml index b882de8..bf6f328 100644 --- a/man/ukify.xml +++ b/man/ukify.xml @@ -1,7 +1,7 @@ + "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> @@ -67,6 +67,7 @@ Additional sections will be inserted into the UKI, either automatically or only if a specific option is provided. See the discussions of + Microcode=/, Cmdline=/, OSRelease=/, DeviceTree=/, @@ -99,7 +100,10 @@ the n-th boot phase path set will be signed by the n-th key. This can be used to build different trust policies for different phases of the boot. In the config file, PCRPrivateKey=, PCRPublicKey=, and Phases= are grouped into separate sections, - describing separate boot phases. + describing separate boot phases. If SigningEngine=/ + is specified, then the private keys arguments will be passed verbatim to OpenSSL as URIs, and the public + key arguments will be loaded as X.509 certificates, so that signing can be performed with an OpenSSL + engine. If a SecureBoot signing key is provided via the SecureBootPrivateKey=/ option, the resulting @@ -140,6 +144,12 @@ Also see the description of / and . + + Other tools that may be useful for inspect UKIs: + llvm-objdump1 + and pe-inspect. + + @@ -157,7 +167,7 @@ If no config file is provided via the option , ukify will try to look for a default configuration file in the following paths in this - order: /run/systemd/ukify.conf, /etc/systemd/ukify.conf, + order: /etc/systemd/ukify.conf, /run/systemd/ukify.conf, /usr/local/lib/systemd/ukify.conf, and /usr/lib/systemd/ukify.conf, and then load the first one found. ukify will proceed normally if no configuration file is specified and no default one is found. @@ -197,7 +207,7 @@ - + For all verbs except inspect, the first syntax is used. Specify an arbitrary additional section NAME. @@ -293,6 +303,16 @@ + + Microcode=UCODE + + + Path to initrd containing microcode updates. If not specified, the section + will not be present. + + + + Cmdline=TEXT|@PATH @@ -676,13 +696,13 @@ Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem See Also - - systemd1, - systemd-stub7, - systemd-boot7, - systemd-measure1, - systemd-pcrphase.service8 - + + systemd1 + systemd-stub7 + systemd-boot7 + systemd-measure1 + systemd-pcrphase.service8 + -- cgit v1.2.3