mirror of https://github.com/systemd/systemd, synced 2024-09-29 21:04:12 +00:00
parent ff7580e280
commit 27140fc7d1
14 man/uki.conf.example Normal file
@ -0,0 +1,14 @@
[UKI]
SecureBootPrivateKey=/etc/kernel/secure-boot.key.pem
SecureBootCertificate=/etc/kernel/secure-boot.cert.pem
[PCRSignature:initrd]
Phases=enter-initrd
PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
[PCRSignature:system]
Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
enter-initrd:leave-initrd:sysinit:ready
PCRPrivateKey=/etc/kernel/pcr-system.key.pem
PCRPublicKey=/etc/kernel/pcr-system.pub.pem
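Review bot: in the [PCRSignature:system] section the Phases= value is split over two lines, and as rendered here the second line (`enter-initrd:leave-initrd:sysinit:ready`) carries no leading indentation, so a configparser-style reader would see a malformed key instead of a continuation of the value and the `ready` phase path would silently be left out of the system PCR signature. Indent the continuation line, or put all three phase paths on one Phases= line, so the example covers all three boot phases as intended. Since this example is pulled verbatim into the ukify(1) manual page and into /etc/kernel/uki.conf by the documented procedure, it is also worth a one-line comment above the [UKI] section reminding readers that the .key.pem files are private keys and should stay readable by root only.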
@ -499,6 +499,36 @@ $ /usr/lib/systemd/ukify -c ukify.conf build \
<para>This creates a signed PE binary that contains the additional kernel command line parameter
<literal>debug</literal> with SBAT metadata referring to the owner of the addon.</para>
</example>
<example>
<title>Decide signing policy and create certificate and keys</title>
<para>First, let's create an config file that specifies what signatures shall be made:</para>
<programlisting># cat >/etc/kernel/uki.conf <<EOF
<xi:include href="uki.conf.example" parse="text" />EOF</programlisting>
<para>Next, we can generate the certificate and keys:</para>
<programlisting># /usr/lib/systemd/ukify genkey --config=/etc/kernel/uki.conf
Writing SecureBoot private key to /etc/kernel/secure-boot.key.pem
Writing SecureBoot certicate to /etc/kernel/secure-boot.cert.pem
Writing private key for PCR signing to /etc/kernel/pcr-initrd.key.pem
Writing public key for PCR signing to /etc/kernel/pcr-initrd.pub.pem
Writing private key for PCR signing to /etc/kernel/pcr-system.key.pem
Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem
</programlisting>
<para>(Both operations need to be done as root to allow write access
to <filename>/etc/kernel/</filename>.)</para>
<para>Subsequent invocations of using the config file
(<command>/usr/lib/systemd/ukify build --config=/etc/kernel/uki.conf</command>)
will use this certificate and key files. Note that the
<citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry>
plugin <filename>60-ukify.install</filename> uses <filename>/etc/kernel/uki.conf</filename>
by default, so after this file has been created, installations of kernels that create a UKI on the
local machine using <command>kernel-install</command> would perform signing using this config.</para>
</example>
</refsect1>
<refsect1>
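Review bot: the heredoc in the new example uses an unquoted delimiter (`# cat >/etc/kernel/uki.conf <<EOF`), so anything in the xi:included uki.conf.example containing `$`, backticks or a trailing backslash would be expanded or mangled by the shell before it reaches the file; the current example has none of these, but quoting the delimiter (`<<'EOF'`) makes the documented procedure robust against future edits of the example file. Two typos in the same hunk: `let's create an config file` should read `a config file`, and the quoted genkey output `Writing SecureBoot certicate to /etc/kernel/secure-boot.cert.pem` should say `certificate` unless ukify really prints it that way, in which case the tool's message is what needs fixing. The sentence `Subsequent invocations of using the config file (...) will use this certificate and key files` also reads awkwardly; suggest `Subsequent invocations that use the config file (...) will use these certificate and key files`. Finally, since the kernel-install plugin 60-ukify.install picks up /etc/kernel/uki.conf by default, the text could say explicitly that from then on every kernel installation on the host signs with these keys, so readers understand that the key files' confidentiality now gates what the firmware will accept as a valid UKI.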