From b750101eb236130cf056c675997decbac904cc49 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 17:35:18 +0200 Subject: Adding upstream version 252.22. Signed-off-by: Daniel Baumann --- man/loader.conf.xml | 359 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 359 insertions(+) create mode 100644 man/loader.conf.xml (limited to 'man/loader.conf.xml') diff --git a/man/loader.conf.xml b/man/loader.conf.xml new file mode 100644 index 0000000..6dfb6c0 --- /dev/null +++ b/man/loader.conf.xml @@ -0,0 +1,359 @@ + + + + + + + loader.conf + systemd + + + + loader.conf + 5 + + + + loader.conf + Configuration file for systemd-boot + + + + ESP/loader/loader.conf, + ESP/loader/entries/*.conf + XBOOTLDR/loader/entries/*.conf + + + + + Description + + + systemd-boot7 will + read ESP/loader/loader.conf, and any files with the + .conf extension under + ESP/loader/entries/ on the EFI system partition (ESP), + and XBOOTLDR/loader/entries/ on the extended boot loader + partition (XBOOTLDR) as defined by Boot Loader + Specification. + + + Each of these configuration files must consist of series of newline (i.e. ASCII code 10) separated + lines, each consisting of an option name, followed by whitespace, and the option + value. # may be used to start a comment line. Empty and comment lines are ignored. The + files use UTF-8 encoding. + + Boolean arguments may be written as + yes/y/true/t/on/1 or + no/n/false/f/off/0. + + + + + Options + + The configuration options supported by + ESP/loader/entries/*.conf and + XBOOTLDR/loader/entries/*.conf files are defined as part + of the Boot Loader + Specification. + + The following configuration are supported by the loader.conf configuration + file: + + + + default + + A glob pattern to select the default entry. The default entry + may be changed in the boot menu itself, in which case the name of the + selected entry will be stored as an EFI variable, overriding this option. + + + If set to @saved the chosen entry will be saved as an EFI variable + on every boot and automatically selected the next time the boot loader starts. + + + Automatically detected entries will use the following names: + + + + + + + Name + Description + + + + + auto-efi-default + EFI Default Loader + + + auto-efi-shell + EFI Shell + + + auto-osx + macOS + + + auto-reboot-to-firmware-setup + Reboot Into Firmware Interface + + + auto-windows + Windows Boot Manager + + + +
+ + Supported glob wildcard patterns are ?, *, and + […] (including ranges). Note that these patterns use the same syntax as + glob7, + but do not support all features. In particular, set negation and named character classes are not + supported. The matching is done case-insensitively on the entry ID (as shown by bootctl + list). + + + + timeout + + How long the boot menu should be shown before the default + entry is booted, in seconds. This may be changed in the boot menu itself and + will be stored as an EFI variable in that case, overriding this option. + + + If set to menu-hidden or 0 (the default) no menu + is shown and the default entry will be booted immediately. The menu can be shown + by pressing and holding a key before systemd-boot is launched. Setting this to + menu-force disables the timeout while always showing the menu. + + + + + console-mode + + This option configures the resolution of the console. Takes a + number or one of the special values listed below. The following values may be + used: + + + + 0 + + Standard UEFI 80x25 mode + + + + + 1 + + 80x50 mode, not supported by all devices + + + + + 2 + + the first non-standard mode provided by the device + firmware, if any + + + + + auto + + Pick a suitable mode automatically using heuristics + + + + + max + + Pick the highest-numbered available mode + + + + + keep + + Keep the mode selected by firmware (the default) + + + + + + + + + editor + + Takes a boolean argument. Enable (the default) or disable the + editor. The editor should be disabled if the machine can be accessed by + unauthorized persons. + + + + auto-entries + + Takes a boolean argument. Enable (the default) or disable + entries for other boot entries found on the boot partition. In particular, + this may be useful when loader entries are created to show replacement + descriptions for those entries. + + + + auto-firmware + + A boolean controlling the presence of the "Reboot into firmware" entry + (enabled by default). If this is disabled, the firmware interface may still be reached + by using the f key. + + + + beep + + Takes a boolean argument. If timeout enabled beep every second, otherwise beep n times when n-th entry in boot menu is selected (default disabled). + Currently, only x86 is supported, where it uses the PC speaker. + + + + secure-boot-enroll + + Danger: this feature might soft-brick your device if used improperly. + + Takes one of off, manual or force. + Controls the enrollment of secure boot keys. If set to off, no action whatsoever + is taken. If set to manual (the default) and the UEFI firmware is in setup-mode + then entries to manually enroll Secure Boot variables are created in the boot menu. If set to + force, in addition, if a directory named /loader/keys/auto/ + exists on the ESP then the keys in that directory are enrolled automatically. + + The different sets of variables can be set up under /loader/keys/NAME + where NAME is the name that is going to be used as the name of the entry. + This allows one to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime. + + Supported secure boot variables are one database for authorized images, one key exchange key (KEK) + and one platform key (PK). For more information, refer to the UEFI specification, + under Secure Boot and Driver Signing. Another resource that describe the interplay of the different variables is the + + EDK2 documentation. + + A complete set of UEFI variable includes db.auth, KEK.auth + and PK.auth. Note that these files need to be authenticated UEFI variables. See + below for an example of how to generate them from regular X.509 keys. + + uuid=$(systemd-id128 new --uuid) +for key in PK KEK db; do + openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt" + openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" + cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl" +done + +for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do + curl "https://www.microsoft.com/pkiops/certs/${key}" --output "${key}" + sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output "${key%crt}esl" "${key}" +done + +# Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows). +cat MicWinProPCA2011_2011-10-19.esl >> db.esl + +# Optionally add Microsoft Corporation UEFI CA 2011 (for firmware drivers / option ROMs +# and third-party boot loaders (including shim). This is highly recommended on real +# hardware as not including this may soft-brick your device (see next paragraph). +cat MicCorUEFCA2011_2011-06-27.esl >> db.esl + +# Optionally add Microsoft Corporation KEK CA 2011. Recommended if either of the +# Microsoft keys is used as the official UEFI revocation database is signed with this +# key. The revocation database can be updated with fwupdmgr1. +cat MicCorKEKCA2011_2011-06-24.esl >> KEK.esl + +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth + + + This feature is considered dangerous because even if all the required files are signed with the + keys being loaded, some files necessary for the system to function properly still won't be. This + is especially the case with Option ROMs (e.g. for storage controllers or graphics cards). See + Secure Boot and Option ROMs + for more details. + + + + reboot-for-bitlocker + + Caveat: This feature is experimental, and is likely to be changed (or removed in its + current form) in a future version of systemd. + + Work around BitLocker requiring a recovery key when the boot loader was + updated (disabled by default). + + Try to detect BitLocker encrypted drives along with an active TPM. If both are found + and Windows Boot Manager is selected in the boot menu, set the BootNext + EFI variable and restart the system. The firmware will then start Windows Boot Manager + directly, leaving the TPM PCRs in expected states so that Windows can unseal the encryption + key. This allows systemd-boot to be updated without having to provide the recovery key for + BitLocker drive unlocking. + + Note that the PCRs that Windows uses can be configured with the + Configure TPM platform validation profile for native UEFI firmware configurations + group policy under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. + When secure boot is enabled, changing this to PCRs 0,2,7,11 should be safe. + The TPM key protector needs to be removed and then added back for the PCRs on an already + encrypted drive to change. If PCR 4 is not measured, this setting can be disabled to speed + up booting into Windows. + + + + random-seed-mode + + Takes one of off, with-system-token and + always. If off no random seed data is read off the ESP, nor + passed to the OS. If with-system-token (the default) + systemd-boot will read a random seed from the ESP (from the file + /loader/random-seed) only if the LoaderSystemToken EFI + variable is set, and then derive the random seed to pass to the OS from the combination. If + always the boot loader will do so even if LoaderSystemToken is + not set. This mode is useful in environments where protection against OS image reuse is not a + concern, and the random seed shall be used even with no further setup in place. Use bootctl + random-seed to initialize both the random seed file in the ESP and the system token EFI + variable. + + See Random Seeds for further + information. + + + + + + Example + + # /boot/efi/loader/loader.conf +timeout 0 +default 01234567890abcdef1234567890abdf0-* +editor no + + + The menu will not be shown by default (the menu can still be shown by + pressing and holding a key during boot). One of the entries with files with a + name starting with 01234567890abcdef1234567890abdf0- will be + selected by default. If more than one entry matches, the one with the highest + priority will be selected (generally the one with the highest version number). + The editor will be disabled, so it is not possible to alter the kernel command + line. + + + + See Also + + systemd-boot7, + bootctl1 + + + -- cgit v1.2.3