Re: Passing Kernel Params from systemd-boot for Secure Boot UKI


 



Really appreciate it! I tried to create a PE "addon" using the commands below:

echo "yockgen=b" > cmdline.txt

objcopy --input binary --output efi-app-x86_64 cmdline.txt bootdm_b.addon.efi

sudo sbsign --key ../../db.key --cert ../../db.crt --output bootdm_b.addon.signed bootdm_b.addon.efi

But failed at last step:
root@ubuntu:/mnt/EFI/Linux# sudo sbsign --key ../../db.key --cert ../../db.crt --output bootdm_b.addon.signed bootdm_b.addon.efi
Invalid PE header magic


Am I using the correct tools to do this?


Really appreciate your help.



-----Original Message-----
From: Lennart Poettering <lennart@xxxxxxxxxxxxxx> 
Sent: Tuesday, October 8, 2024 3:22 PM
To: Mah, Yock Gen <yock.gen.mah@xxxxxxxxx>
Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  Passing Kernel Params from systemd-boot for Secure Boot UKI

On Mo, 07.10.24 13:54, Mah, Yock Gen (yock.gen.mah@xxxxxxxxx) wrote:

> My Mariner OS is built with the following features:
>
> 1. Unified Kernel Image (kernel+initrd+cmdline)
> 2. systemd-boot as boot loader
> 3. Secure Boot enabled
> 4. Multi-boot
>
> The systemd-boot config files look like this:
>
> ```
> root@YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos1.conf
> Title   Yockgen OS1 UKI
> efi     /EFI/Linux/linux-6.1.0-0.efi.signed
> options root=PARTUUID=xxxxx-xxxx-xxxxa ro quiet yockgen=1
> ```
>
> ```
> root@YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos2.conf
> Title   Yockgen OS2 UKI
> efi     /EFI/Linux/linux-6.1.0-1.efi.signed
> options root=PARTUUID=xxxxx-xxxx-xxxxa  ro quiet yockgen=2
> ```
>
> With Secure Boot enabled, /proc/cmdline is no longer overwritten by the systemd-boot configuration. The cmdline shows the params that were set at UKI build time.
>
> Runtime logs are below:
>
> ```
> root@YockgenOS [ ~ ]# cat /proc/cmdline
> BOOT_IMAGE=/boot/vmlinuz-6.6.43-1.cm2       rd.auto=1 root=PARTUUID=21f13e53-110f-4be5-b18a-fed745cacc87 init=/lib/systemd/systemd ro loglevel=3 no-vmw-sta crashkernel=256M lockdown=integrity lockdown=integrity sysctl.kernel.unprivileged_bpf_disabled=1 net.ifnames=0 plymouth.enable=0 systemd.legacy_systemd_cgroup_controller=yes systemd.unified_cgroup_hierarchy=0
>
> root@YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos1.conf
> Title   Yockgen OS1 UKI
> efi     /EFI/Linux/linux-6.1.0-0.efi.signed
> options root=PARTUUID=xxxxx-xxxx-xxxxa  ro quiet yockgen=1
>
>
> root@YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos2.conf
> Title   Yockgen OS2 UKI
> efi     /EFI/Linux/linux-6.1.0-1.efi.signed
> options root=PARTUUID=xxxxx-xxxx-xxxxa  ro quiet yockgen=2
> ```
>
> I couldn't hardcode the 'yockgen' parameter during the build process, as its value depends on the runtime environment. This value needs to be assessed by a custom Dracut module during the initrd stage to mount specific devices.
>
> What could be the possible solution for this?
>
> Thanks a lot for any guidance!

You have the following options:

1. You encode the full set of cmdline choices in the UKI. Starting
   with the upcoming v257 we support "multi-profile" UKIs, that
   basically allow you to encode multiple different but fixed choices,
   so that one UKI can synthesize multiple menu entries in sd-boot.

2. You use PE "addons" for the kernel cmdline. Which are PE binaries
   that resemble UKIs in structure, but do not contain any code
   (i.e. no real PE stub, and no .linux section). They can be
   SecureBoot signed like any other PE binary, which is how they are
   authenticated. You can drop them as "side-car" next to your UKI and
   their contents will be combined/override the relevant sections in
   the main UKI. This is already available in released systemd
   versions. See sd-stub man page for details.

Lennart

--
Lennart Poettering, Berlin
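A worked version of option 2, added here as an example; it is not code from the thread or from the systemd project. It builds the cmdline addon on top of the addon stub that systemd ships (normally /usr/lib/systemd/boot/efi/addonx64.efi.stub, overridable via ADDON_STUB) using ukify, which adds the .cmdline section and signs the result with the Secure Boot db key and certificate. Before installing, it checks the two things sbsign verifies first, the "MZ" DOS magic and the "PE\0\0" signature that e_lfanew points at, which is the class of check that rejected the plain objcopy --input binary conversion of a text file earlier in the thread. Finally it copies the addon into the <uki>.extra.d/ directory next to the UKI: per the sd-stub man page, addons are only picked up from there (or from the global loader/addons/ directory) and only when the file name ends in .addon.efi, so an output named *.addon.signed would be ignored. sd-stub appends the addon's .cmdline to the UKI's built-in command line, which is how a runtime-chosen yockgen=... value reaches the initrd under Secure Boot without unsigned options from the loader entry. The script name, the function names and the PE check helper are my own; the ukify flags and the stub path are the documented ones.

```shell
#!/bin/sh
# build-cmdline-addon.sh (added example, not from the thread or from systemd):
# build a signed systemd-stub cmdline addon with ukify, sanity-check that the
# result really is a PE image (the kind of check behind sbsign's
# "Invalid PE header magic"), and install it where sd-stub looks for per-UKI
# addons.
set -eu

# Addon stub shipped by systemd; override with ADDON_STUB=... if your
# distribution installs it elsewhere.
ADDON_STUB="${ADDON_STUB:-/usr/lib/systemd/boot/efi/addonx64.efi.stub}"

# Minimal PE sanity check, the same two things sbsign looks at first: the DOS
# header must start with "MZ" and the 32-bit offset at 0x3c (e_lfanew) must
# point at the "PE\0\0" signature. Assumes a little-endian host (x86-64).
pe_magic_ok() {
    f=$1
    [ "$(dd if="$f" bs=1 count=2 2>/dev/null)" = "MZ" ] || return 1
    lfanew=$(od -An -t u4 -j 60 -N 4 "$f" 2>/dev/null | tr -d ' ')
    [ -n "$lfanew" ] || return 1
    sig=$(dd if="$f" bs=1 skip="$lfanew" count=4 2>/dev/null | od -An -c | tr -d ' ')
    [ "$sig" = 'PE\0\0' ]
}

# Build the addon: the stub supplies the code-less PE skeleton, ukify adds the
# .cmdline section and signs the result with the Secure Boot db key.
# $1 = cmdline text, $2 = output path, $3 = db private key, $4 = db certificate
build_cmdline_addon() {
    ukify build \
        --stub="$ADDON_STUB" \
        --cmdline="$1" \
        --signtool=sbsign \
        --secureboot-private-key="$3" \
        --secureboot-certificate="$4" \
        --output="$2"
}

# Install next to the UKI. sd-stub only loads files named *.addon.efi from
# <uki>.extra.d/ (or the global loader/addons/ directory), so the signed file
# must keep the .addon.efi suffix; a name like foo.addon.signed is ignored.
# $1 = signed addon, $2 = path of the UKI it belongs to, $3 = addon name
install_addon() {
    pe_magic_ok "$1" || { echo "refusing to install $1: not a PE image" >&2; return 1; }
    dir="$2.extra.d"
    mkdir -p "$dir"
    cp "$1" "$dir/$3.addon.efi"
    printf '%s\n' "$dir/$3.addon.efi"
}

# usage: build-cmdline-addon.sh <name> '<cmdline>' <uki-path> <db.key> <db.crt>
# e.g.   build-cmdline-addon.sh b 'yockgen=b' /mnt/EFI/Linux/linux-6.1.0-0.efi.signed db.key db.crt
main() {
    name=$1 cmdline=$2 uki=$3 key=$4 crt=$5
    tmp=$(mktemp -d)
    build_cmdline_addon "$cmdline" "$tmp/$name.addon.efi" "$key" "$crt"
    install_addon "$tmp/$name.addon.efi" "$uki" "$name"
    rm -rf "$tmp"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it on the ESP as root with the same db.key/db.crt used to sign the UKI; the key must be enrolled in db (or the addon must be signed by a key the firmware trusts), otherwise sd-stub will refuse the addon just as the firmware would refuse an unsigned UKI. To add a second variant for the other boot entry, run it again with a different name and cmdline against the other UKI path; each UKI only sees the addons in its own .extra.d/ directory.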



