system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-10-15 20:45:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
systemd/man/loader.conf.xml

342 lines
15 KiB
XML
Raw Normal View History

man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
<?xml version='1.0'?> <!--*-nxml-*-->
man: use same header for all files The "include" files had type "book" for some raeason. I don't think this is meaningful. Let's just use the same everywhere. $ perl -i -0pe 's^..DOCTYPE (book|refentry) PUBLIC "-//OASIS//DTD DocBook XML V4.[25]//EN"\s+"http^<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"\n "http^gms' man/*.xml
2019-03-14 13:40:58 +00:00
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
license: LGPL-2.1+ -> LGPL-2.1-or-later
2020-11-09 04:23:58 +00:00
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
man: do not install sd-boot man pages when -Dgnu-efi=false is set
2021-12-13 17:27:20 +00:00
<refentry id="loader.conf" conditional='HAVE_GNU_EFI'
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>loader.conf</title>
<productname>systemd</productname>
</refentryinfo>
<refmeta>
<refentrytitle>loader.conf</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>loader.conf</refname>
man: use systemd-boot instead of sd-boot
2018-06-15 05:25:22 +00:00
<refpurpose>Configuration file for systemd-boot</refpurpose>
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
</refnamediv>
<refsynopsisdiv>
<para><filename><replaceable>ESP</replaceable>/loader/loader.conf</filename>,
man: systemd-boot does not read loader.conf.d/*.conf Fixes #10923.
2018-11-25 21:58:28 +00:00
<filename><replaceable>ESP</replaceable>/loader/entries/*.conf</filename>
man: clarify that type #1 entries are also read from the XBOOTLDR partition
2022-03-21 23:21:36 +00:00
<filename><replaceable>XBOOTLDR</replaceable>/loader/entries/*.conf</filename>
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
</para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>
man: cross-link to BLS in more places, use "Type #1", "Type #2" as appropriate
2022-03-21 11:16:35 +00:00
<citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> will
read <filename><replaceable>ESP</replaceable>/loader/loader.conf</filename>, and any files with the
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
<literal>.conf</literal> extension under
man: clarify that type #1 entries are also read from the XBOOTLDR partition
2022-03-21 23:21:36 +00:00
<filename><replaceable>ESP</replaceable>/loader/entries/</filename> on the EFI system partition (ESP),
and <filename><replaceable>XBOOTLDR</replaceable>/loader/entries/</filename> on the extended boot loader
partition (XBOOTLDR) as defined by <ulink url="https://systemd.io/BOOT_LOADER_SPECIFICATION">Boot Loader
Specification</ulink>.
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
</para>
man: clarify the format used by sd-boot config files
2022-03-21 23:13:10 +00:00
<para>Each of these configuration files must consist of series of newline (i.e. ASCII code 10) separated
lines, each consisting of an option name, followed by whitespace, and the option
value. <literal>#</literal> may be used to start a comment line. Empty and comment lines are ignored. The
files use UTF-8 encoding.</para>
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
<para>Boolean arguments may be written as
sd-boot: Allow on/off and t/f for booleans too
2021-08-11 12:59:46 +00:00
<literal>yes</literal>/<literal>y</literal>/<literal>true</literal>/<literal>t</literal>/<literal>on</literal>/<literal>1</literal> or
<literal>no</literal>/<literal>n</literal>/<literal>false</literal>/<literal>f</literal>/<literal>off</literal>/<literal>0</literal>.
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
</para>
</refsect1>
<refsect1>
<title>Options</title>
man: clarify where the settings in type #1 entries are documented So (maybe weirdly) loader.conf(5) documents both loader.conf and type #1 entries (because they share a similar syntax). But it then only lists the options of loader.conf. Let's add an explicit hint where to find the documentation of the type #1 entries.
2022-03-21 23:14:22 +00:00
<para>The configuration options supported by
man: clarify that type #1 entries are also read from the XBOOTLDR partition
2022-03-21 23:21:36 +00:00
<filename><replaceable>ESP</replaceable>/loader/entries/*.conf</filename> and
<filename><replaceable>XBOOTLDR</replaceable>/loader/entries/*.conf</filename> files are defined as part
of the <ulink url="https://systemd.io/BOOT_LOADER_SPECIFICATION">Boot Loader
Specification</ulink>.</para>
man: clarify where the settings in type #1 entries are documented So (maybe weirdly) loader.conf(5) documents both loader.conf and type #1 entries (because they share a similar syntax). But it then only lists the options of loader.conf. Let's add an explicit hint where to find the documentation of the type #1 entries.
2022-03-21 23:14:22 +00:00
<para>The following configuration are supported by the <filename>loader.conf</filename> configuration
file:</para>
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
<variablelist>
<varlistentry>
<term>default</term>
<listitem><para>A glob pattern to select the default entry. The default entry
may be changed in the boot menu itself, in which case the name of the
selected entry will be stored as an EFI variable, overriding this option.
sd-boot: Allow automatic entries to be default
2021-08-14 11:06:37 +00:00
</para>
sd-boot: Add support to boot last selected entry Fixes: #18994
2021-10-28 11:00:13 +00:00
<para>If set to <literal>@saved</literal> the chosen entry will be saved as an EFI variable
on every boot and automatically selected the next time the boot loader starts.</para>
sd-boot: Allow automatic entries to be default
2021-08-14 11:06:37 +00:00
<table>
<title>Automatically detected entries will use the following names:</title>
<tgroup cols='2'>
<colspec colname='name' />
<colspec colname='expl' />
<thead>
<row>
<entry>Name</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry>auto-efi-default</entry>
<entry>EFI Default Loader</entry>
</row>
<row>
<entry>auto-efi-shell</entry>
<entry>EFI Shell</entry>
</row>
<row>
<entry>auto-osx</entry>
<entry>macOS</entry>
</row>
<row>
<entry>auto-reboot-to-firmware-setup</entry>
<entry>Reboot Into Firmware Interface</entry>
</row>
<row>
<entry>auto-windows</entry>
<entry>Windows Boot Manager</entry>
</row>
</tbody>
</tgroup>
boot: Drop use of MetaiMatch A future commit will add support for unicode collation protocol that allows case folding and comparing strings with locale awareness. But it only operates on whole strings, so fnmatch cannot use those without a heavy cost. Instead we just case fold the patterns instead (the IDs we try to match are already lower case).
2022-06-09 08:07:06 +00:00
</table>
tree-wide: fix typo
2022-06-15 05:50:34 +00:00
<para>Supported glob wildcard patterns are <literal>?</literal>, <literal>*</literal>, and
boot: Drop use of MetaiMatch A future commit will add support for unicode collation protocol that allows case folding and comparing strings with locale awareness. But it only operates on whole strings, so fnmatch cannot use those without a heavy cost. Instead we just case fold the patterns instead (the IDs we try to match are already lower case).
2022-06-09 08:07:06 +00:00
<literal>[…]</literal> (including ranges). Note that these patterns use the same syntax as
man: fix link to glob(3)
2022-07-04 17:59:06 +00:00
<citerefentry project='man-pages'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
but do not support all features. In particular, set negation and named character classes are not
supported. The matching is done case-insensitively on the entry ID (as shown by <command>bootctl
boot: Drop use of MetaiMatch A future commit will add support for unicode collation protocol that allows case folding and comparing strings with locale awareness. But it only operates on whole strings, so fnmatch cannot use those without a heavy cost. Instead we just case fold the patterns instead (the IDs we try to match are already lower case).
2022-06-09 08:07:06 +00:00
list</command>).</para></listitem>
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
</varlistentry>
<varlistentry>
<term>timeout</term>
<listitem><para>How long the boot menu should be shown before the default
entry is booted, in seconds. This may be changed in the boot menu itself and
will be stored as an EFI variable in that case, overriding this option.
</para>
loader.conf: Clarify the default value of timeout.
2022-05-26 20:53:24 +00:00
<para>If set to <literal>menu-hidden</literal> or <literal>0</literal> (the default) no menu
sd-boot: Allow disabling timeout
2021-09-16 08:25:10 +00:00
is shown and the default entry will be booted immediately. The menu can be shown
by pressing and holding a key before systemd-boot is launched. Setting this to
<literal>menu-force</literal> disables the timeout while always showing the menu.</para>
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
</listitem>
</varlistentry>
<varlistentry>
<term>console-mode</term>
<listitem><para>This option configures the resolution of the console. Takes a
number or one of the special values listed below. The following values may be
used:</para>
<variablelist>
<varlistentry>
<term>0</term>
<listitem>
<para>Standard UEFI 80x25 mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term>1</term>
<listitem>
<para>80x50 mode, not supported by all devices</para>
</listitem>
</varlistentry>
<varlistentry>
<term>2</term>
<listitem>
<para>the first non-standard mode provided by the device
firmware, if any</para>
</listitem>
</varlistentry>
<varlistentry>
<term>auto</term>
<listitem>
<para>Pick a suitable mode automatically using heuristics</para>
</listitem>
</varlistentry>
<varlistentry>
<term>max</term>
<listitem>
<para>Pick the highest-numbered available mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term>keep</term>
<listitem>
<para>Keep the mode selected by firmware (the default)</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>editor</term>
<listitem><para>Takes a boolean argument. Enable (the default) or disable the
editor. The editor should be disabled if the machine can be accessed by
unauthorized persons.</para></listitem>
</varlistentry>
<varlistentry>
<term>auto-entries</term>
<listitem><para>Takes a boolean argument. Enable (the default) or disable
entries for other boot entries found on the boot partition. In particular,
this may be useful when loader entries are created to show replacement
descriptions for those entries.</para></listitem>
</varlistentry>
<varlistentry>
<term>auto-firmware</term>
sd-boot: Add keys to reboot into firmware interface This is useful if the auto-firmware setting has been disabled. The keys used here are based on what the majority of firmware employ in the wild. This also ensures there's a chance for the user to discover this in case they were too slow during POST or simply used the wrong ones.
2021-10-20 10:15:03 +00:00
<listitem><para>A boolean controlling the presence of the "Reboot into firmware" entry
(enabled by default). If this is disabled, the firmware interface may still be reached
by using the <keycap>f</keycap> key.</para></listitem>
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
</varlistentry>
man: document the systemd-random-seed rework
2019-07-22 12:19:33 +00:00
boot: Add PC speaker support Fixes: #17508
2022-01-14 13:27:08 +00:00
<varlistentry>
<term>beep</term>
[sd-boot] improve documentation of beep
2022-05-25 10:54:30 +00:00
<listitem><para>Takes a boolean argument. If timeout enabled beep every second, otherwise beep n times when n-th entry in boot menu is selected (default disabled).
boot: Beep n times for n-th entry
2022-01-16 14:57:38 +00:00
Currently, only x86 is supported, where it uses the PC speaker.</para></listitem>
boot: Add PC speaker support Fixes: #17508
2022-01-14 13:27:08 +00:00
</varlistentry>
This patch adds support for enrolling secure boot boot keys from sd-boot. ***DANGER*** NOTE ***DANGER*** This feature might result in your device becoming soft-brick as outlined below, please use this feature carefully. ***DANGER*** NOTE ***DANGER*** If secure-boot-enrollment is set to no, then no action whatsoever is performed, no matter the files on the ESP. If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment is set to either manual or force then sd-boot will generate enrollment entries named after the directories they are in. The entries are shown at the very bottom of the list and can be selected by the user from the menu. If the user selects it, the user is shown a screen allowing for cancellation before a timeout. The enrollment proceeds if the action is not cancelled after the timeout. Additionally, if the secure-boot-enroll option is set to 'force' then the keys located in the directory named 'auto' are going to be enrolled automatically. The user is still going to be shown a screen allowing them to cancel the action if they want to, however the enrollment will proceed automatically after a timeout without user cancellation. After keys are enrolled, the system reboots with secure boot enabled therefore, it is ***critical*** to ensure that everything needed for the system to boot is signed properly (sd-boot itself, kernel, initramfs, PCI option ROMs). This feature currently only allows loading the most simple set of variables: PK, KEK and db. The files need to be prepared with cert-to-efi-sig-list and then signed with sign-efi-sig-list. Here is a short example to generate your own keys and the right files for auto-enrollement. ` keys="PK KEK DB" uuid="{$(systemd-id128 new -u)}" for key in ${keys}; do openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign" done sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl ` Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in order to run. You can sign the binaries with the sbsign tool, for example: ` sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage ` Example: Assuming the system has been put in Setup Mode: ` $ESP/loader/keys/auto/db.esl $ESP/loader/keys/auto/KEK.esl $ESP/loader/keys/auto/PK.esl $ESP/loader/keys/Linux Only/db.esl $ESP/loader/keys/Linux Only/KEK.esl $ESP/loader/keys/Linux Only/PK.esl $ESP/loader/keys/Linux and Windows/db.esl $ESP/loader/keys/Linux and Windows/KEK.esl $ESP/loader/keys/Linux and Windows/PK.esl ` If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto' directory. If not, three new boot entries are available to the user in order to enroll either the 'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-09 18:13:28 +00:00
<varlistentry>
<term>secure-boot-enroll</term>
<listitem><para>Danger: this feature might soft-brick your device if used improperly.</para>
<para>Takes one of <literal>off</literal>, <literal>manual</literal> or <literal>force</literal>.
Controls the enrollment of secure boot keys. If set to <literal>off</literal>, no action whatsoever
is taken. If set to <literal>manual</literal> (the default) and the UEFI firmware is in setup-mode
then entries to manually enroll Secure Boot variables are created in the boot menu. If set to
<literal>force</literal>, in addition, if a directory named <filename>/loader/keys/auto/</filename>
exists on the ESP then the keys in that directory are enrolled automatically.</para>
<para>The different sets of variables can be set up under <filename>/loader/keys/<replaceable>NAME</replaceable></filename>
where <replaceable>NAME</replaceable> is the name that is going to be used as the name of the entry.
This allows to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime.</para>
<para>Supported secure boot variables are one database for authorized images, one key exchange key (KEK)
and one platform key (PK). For more information, refer to the <ulink url="https://uefi.org/specifications">UEFI specification</ulink>,
under Secure Boot and Driver Signing. Another resource that describe the interplay of the different variables is the
<ulink url="https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/secure_boot_chain_in_uefi/uefi_secure_boot">
EDK2 documentation</ulink>.</para>
<para>A complete set of UEFI variable includes <filename>db.esl</filename>, <filename>KEK.esl</filename>
and <filename>PK.esl</filename>. Note that these files need to be authenticated UEFI variables. See
below for an example of how to generate them from regular X.509 keys.</para>
boot: Follow-up fixes for #20255
2022-08-03 09:05:12 +00:00
<programlisting>uuid=$(systemd-id128 new --uuid)
This patch adds support for enrolling secure boot boot keys from sd-boot. ***DANGER*** NOTE ***DANGER*** This feature might result in your device becoming soft-brick as outlined below, please use this feature carefully. ***DANGER*** NOTE ***DANGER*** If secure-boot-enrollment is set to no, then no action whatsoever is performed, no matter the files on the ESP. If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment is set to either manual or force then sd-boot will generate enrollment entries named after the directories they are in. The entries are shown at the very bottom of the list and can be selected by the user from the menu. If the user selects it, the user is shown a screen allowing for cancellation before a timeout. The enrollment proceeds if the action is not cancelled after the timeout. Additionally, if the secure-boot-enroll option is set to 'force' then the keys located in the directory named 'auto' are going to be enrolled automatically. The user is still going to be shown a screen allowing them to cancel the action if they want to, however the enrollment will proceed automatically after a timeout without user cancellation. After keys are enrolled, the system reboots with secure boot enabled therefore, it is ***critical*** to ensure that everything needed for the system to boot is signed properly (sd-boot itself, kernel, initramfs, PCI option ROMs). This feature currently only allows loading the most simple set of variables: PK, KEK and db. The files need to be prepared with cert-to-efi-sig-list and then signed with sign-efi-sig-list. Here is a short example to generate your own keys and the right files for auto-enrollement. ` keys="PK KEK DB" uuid="{$(systemd-id128 new -u)}" for key in ${keys}; do openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign" done sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl ` Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in order to run. You can sign the binaries with the sbsign tool, for example: ` sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage ` Example: Assuming the system has been put in Setup Mode: ` $ESP/loader/keys/auto/db.esl $ESP/loader/keys/auto/KEK.esl $ESP/loader/keys/auto/PK.esl $ESP/loader/keys/Linux Only/db.esl $ESP/loader/keys/Linux Only/KEK.esl $ESP/loader/keys/Linux Only/PK.esl $ESP/loader/keys/Linux and Windows/db.esl $ESP/loader/keys/Linux and Windows/KEK.esl $ESP/loader/keys/Linux and Windows/PK.esl ` If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto' directory. If not, three new boot entries are available to the user in order to enroll either the 'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-09 18:13:28 +00:00
for key in PK KEK db; do
boot: Follow-up fixes for #20255
2022-08-03 09:05:12 +00:00
openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt"
This patch adds support for enrolling secure boot boot keys from sd-boot. ***DANGER*** NOTE ***DANGER*** This feature might result in your device becoming soft-brick as outlined below, please use this feature carefully. ***DANGER*** NOTE ***DANGER*** If secure-boot-enrollment is set to no, then no action whatsoever is performed, no matter the files on the ESP. If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment is set to either manual or force then sd-boot will generate enrollment entries named after the directories they are in. The entries are shown at the very bottom of the list and can be selected by the user from the menu. If the user selects it, the user is shown a screen allowing for cancellation before a timeout. The enrollment proceeds if the action is not cancelled after the timeout. Additionally, if the secure-boot-enroll option is set to 'force' then the keys located in the directory named 'auto' are going to be enrolled automatically. The user is still going to be shown a screen allowing them to cancel the action if they want to, however the enrollment will proceed automatically after a timeout without user cancellation. After keys are enrolled, the system reboots with secure boot enabled therefore, it is ***critical*** to ensure that everything needed for the system to boot is signed properly (sd-boot itself, kernel, initramfs, PCI option ROMs). This feature currently only allows loading the most simple set of variables: PK, KEK and db. The files need to be prepared with cert-to-efi-sig-list and then signed with sign-efi-sig-list. Here is a short example to generate your own keys and the right files for auto-enrollement. ` keys="PK KEK DB" uuid="{$(systemd-id128 new -u)}" for key in ${keys}; do openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign" done sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl ` Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in order to run. You can sign the binaries with the sbsign tool, for example: ` sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage ` Example: Assuming the system has been put in Setup Mode: ` $ESP/loader/keys/auto/db.esl $ESP/loader/keys/auto/KEK.esl $ESP/loader/keys/auto/PK.esl $ESP/loader/keys/Linux Only/db.esl $ESP/loader/keys/Linux Only/KEK.esl $ESP/loader/keys/Linux Only/PK.esl $ESP/loader/keys/Linux and Windows/db.esl $ESP/loader/keys/Linux and Windows/KEK.esl $ESP/loader/keys/Linux and Windows/PK.esl ` If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto' directory. If not, three new boot entries are available to the user in order to enroll either the 'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-09 18:13:28 +00:00
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.tmp"
done
sign-efi-sig-list -c PK.crt -k PK.key PK PK.tmp PK.esl
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.tmp KEK.esl
sign-efi-sig-list -c KEK.crt -k KEK.key db db.tmp db.esl
</programlisting>
<para>This feature is considered dangerous because even if all the required files are signed with the
keys being loaded, some files necessary for the system to function properly still won't be. This
is especially the case with Option ROMs (e.g. for storage controllers or graphics cards). See
<ulink url="https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom">Secure Boot and Option ROMs</ulink>
for more details.</para></listitem>
</varlistentry>
boot: Add BitLocker TPM key sealing workaround Fixes: #21891
2022-01-07 10:15:28 +00:00
<varlistentry>
<term>reboot-for-bitlocker</term>
sd-boot: disable bitlocker reboot feature for now Conceptually the feature is great and should exist, but in its current form should be worked to be generic (i.e. not specific to Windows/Bitlocker, but appliable to any boot entry), not be global (but be a per-entry thing), not require a BootXXXX entry to exist, and not check for the BitLocker signature (as TPMs are not just used for BitLocker). Since we want to get 251 released, mark it in the documentation, in NEWS and in code as experimental and make clear it will be reworked in a future release. Also, make it opt-in to make it less likely people come to rely on it without reading up on it, and understanding that it will likely change sooner or later. Follow-up for: #22043 See: #22390
2022-03-16 11:01:37 +00:00
<listitem><para>Caveat: This feature is experimental, and is likely to be changed (or removed in its
current form) in a future version of systemd.</para>
<para>Work around BitLocker requiring a recovery key when the boot loader was
updated (disabled by default).</para>
boot: Add BitLocker TPM key sealing workaround Fixes: #21891
2022-01-07 10:15:28 +00:00
<para>Try to detect BitLocker encrypted drives along with an active TPM. If both are found
and Windows Boot Manager is selected in the boot menu, set the <literal>BootNext</literal>
EFI variable and restart the system. The firmware will then start Windows Boot Manager
directly, leaving the TPM PCRs in expected states so that Windows can unseal the encryption
key. This allows systemd-boot to be updated without having to provide the recovery key for
BitLocker drive unlocking.</para>
<para>Note that the PCRs that Windows uses can be configured with the
<literal>Configure TPM platform validation profile for native UEFI firmware configurations</literal>
group policy under <literal>Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption</literal>.
When secure boot is enabled, changing this to PCRs <literal>0,2,7,11</literal> should be safe.
The TPM key protector needs to be removed and then added back for the PCRs on an already
encrypted drive to change. If PCR 4 is not measured, this setting can be disabled to speed
up booting into Windows.</para></listitem>
</varlistentry>
man: document the systemd-random-seed rework
2019-07-22 12:19:33 +00:00
<varlistentry>
<term>random-seed-mode</term>
<listitem><para>Takes one of <literal>off</literal>, <literal>with-system-token</literal> and
<literal>always</literal>. If <literal>off</literal> no random seed data is read off the ESP, nor
passed to the OS. If <literal>with-system-token</literal> (the default)
<command>systemd-boot</command> will read a random seed from the ESP (from the file
<filename>/loader/random-seed</filename>) only if the <varname>LoaderSystemToken</varname> EFI
variable is set, and then derive the random seed to pass to the OS from the combination. If
<literal>always</literal> the boot loader will do so even if <varname>LoaderSystemToken</varname> is
not set. This mode is useful in environments where protection against OS image reuse is not a
man: fix typo in loader.conf(5)
2020-03-22 18:00:21 +00:00
concern, and the random seed shall be used even with no further setup in place. Use <command>bootctl
man: document the systemd-random-seed rework
2019-07-22 12:19:33 +00:00
random-seed</command> to initialize both the random seed file in the ESP and the system token EFI
docs: add longer document about systemd and random number seeds
2019-07-22 16:13:26 +00:00
variable.</para>
<para>See <ulink url="https://systemd.io/RANDOM_SEEDS">Random Seeds</ulink> for further
information.</para></listitem>
man: document the systemd-random-seed rework
2019-07-22 12:19:33 +00:00
</varlistentry>
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<programlisting># /boot/efi/loader/loader.conf
timeout 0
default 01234567890abcdef1234567890abdf0-*
editor no
</programlisting>
<para>The menu will not be shown by default (the menu can still be shown by
pressing and holding a key during boot). One of the entries with files with a
name starting with <literal>01234567890abcdef1234567890abdf0-</literal> will be
selected by default. If more than one entry matches, the one with the highest
priority will be selected (generally the one with the highest version number).
The editor will be disabled, so it is not possible to alter the kernel command
line.</para>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
man: use systemd-boot instead of sd-boot
2018-06-15 05:25:22 +00:00
<citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
man: add some basic documentation for sd-boot (#8379) I'm sure this can be improved in various ways, but I think it's a good start.
2018-03-11 10:22:09 +00:00
<citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>
Reference in a new issue Copy permalink