Hi All,
I have a question on this: when secure boot is enabled, must the addons file also be signed? On devices which use OSTree for OTA, there is a need to update the command line parameter at run time with the latest SHA deployment.
How to do this on secure boot enabled devices, since command line parameters mentioned in the config file will not be picked up?
Thanks
Srinivas
On Thu, Oct 10, 2024 at 4:13 AM Mah, Yock Gen <yock.gen.mah@xxxxxxxxx> wrote:
It works, really appreciate your help, Lennart!
-----Original Message-----
From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
Sent: Tuesday, October 8, 2024 9:39 PM
To: Mah, Yock Gen <yock.gen.mah@xxxxxxxxx>
Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
On Di, 08.10.24 12:37, Mah, Yock Gen (yock.gen.mah@xxxxxxxxx) wrote:
> Really appreciate! I tried to create a PE "addon" using below:
>
> echo "yockgen=b" > cmdline.txt
>
> objcopy --input binary --output efi-app-x86_64 cmdline.txt bootdm_b.addon.efi
This doesn't look right. You must insert the cmdline in the ".cmdline"
PE section, of course. As mentioned, addons follow the same structure as UKIs after all.
We generally recommend using ukify for generating UKIs and PE addons.
The man page even has an example doing exactly what you need to do:
https://github.com/systemd/systemd/blob/main/man/ukify.xml#L674
Lennart
--
Lennart Poettering, Berlin
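
Added example, not part of the thread and not systemd code: a Python check that an addon image really carries its command line in a `.cmdline` PE section, which is the point of the reply above. The function names and both sample images are constructed for illustration; the check looks at section layout only and does not verify a Secure Boot signature.

```python
import struct

def pe_sections(data: bytes) -> dict:
    """Map PE section names to their contents."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsect,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first section header
    sections = {}
    for i in range(nsect):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        # VirtualSize is the real length; SizeOfRawData includes alignment padding.
        size = min(vsize, raw_size) if vsize else raw_size
        key = name.rstrip(b"\0").decode("ascii", "replace")
        sections[key] = data[raw_ptr:raw_ptr + size]
    return sections

def addon_cmdline(data: bytes):
    """Return the text of the .cmdline section, or None if the image has none."""
    body = pe_sections(data).get(".cmdline")
    return None if body is None else body.rstrip(b"\0\n ").decode("utf-8")

def build_sample_pe(section_name: bytes, payload: bytes) -> bytes:
    """Constructed test input: a minimal one-section PE image (payload < 512 bytes)."""
    pe_off, raw_ptr = 0x40, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)
    sect = struct.pack("<8sIIIIIIHHI", section_name, len(payload), 0x1000,
                       0x200, raw_ptr, 0, 0, 0, 0, 0x40000040)
    image = dos + coff + sect
    return image.ljust(raw_ptr, b"\0") + payload.ljust(0x200, b"\0")

if __name__ == "__main__":
    # Same text, once in a ".cmdline" section and once in a differently named one.
    good = build_sample_pe(b".cmdline", b"yockgen=b\n")
    other = build_sample_pe(b".data", b"yockgen=b\n")
    for label, image in (("good", good), ("other", other)):
        print(label, sorted(pe_sections(image)), repr(addon_cmdline(image)))
```

To inspect a real addon, read the file as bytes and pass it to `addon_cmdline()`; a result of `None` means the image has no `.cmdline` section.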