Yes addons have to be signed, otherwise it would defeat their purpose. OSTree should to switch to other mechanisms, like credentials stored in the ESP ( https://systemd.io/CREDENTIALS/ ), instead of using the kernel command line. On Tue, 15 Oct 2024 at 11:45, Srinivas Naik <nivasnaik@xxxxxxxxx> wrote: > > Hi All, > I have a question on this, when secure boot is enabled, addons file also must be signed? > On devices which use OSTree for OTA, there is a need to update the command line parameter at run time with the latest SHA deployment. > How to do this on secure boot enabled devices since command line parameters mentioned in the config file will not be picked. > > Thanks > Srinivas > > On Thu, Oct 10, 2024 at 4:13 AM Mah, Yock Gen <yock.gen.mah@xxxxxxxxx> wrote: >> >> It's works, really appreciate your help, Lennart! >> >> -----Original Message----- >> From: Lennart Poettering <lennart@xxxxxxxxxxxxxx> >> Sent: Tuesday, October 8, 2024 9:39 PM >> To: Mah, Yock Gen <yock.gen.mah@xxxxxxxxx> >> Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx >> Subject: Re: Passing Kernel Params from systemd-boot for Secure Boot UKI >> >> On Di, 08.10.24 12:37, Mah, Yock Gen (yock.gen.mah@xxxxxxxxx) wrote: >> >> > Really appreciate! I tried to create an PE "addon" using below: >> > >> > echo "yockgen=b" > cmdline.txt >> > >> > objcopy --input binary --output efi-app-x86_64 cmdline.txt >> > bootdm_b.addon.efi >> >> This doesn't look right. You must insert the cmdline in the ".cmdline" >> PE section, of course. As mentioned, addons follow the same structure as UKIs after all. >> >> We generally recommend using ukify for generating UKIs and PE addons. >> >> The man page even has an example doing exactly what you need to do: >> >> https://github.com/systemd/systemd/blob/main/man/ukify.xml#L674 >> >> Lennart >> >> -- >> Lennart Poettering, Berlin
Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
- From: Luca Boccassi <luca.boccassi@xxxxxxxxx>
- Date: Tue, 15 Oct 2024 11:57:19 +0100
- Cc: "Mah, Yock Gen" <yock.gen.mah@xxxxxxxxx>, Lennart Poettering <lennart@xxxxxxxxxxxxxx>, "systemd-devel@xxxxxxxxxxxxxxxxxxxxx" <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>
- In-reply-to: <CA+2WEYVMJJUkUDE564ohwpN_zxLi8+72WEKb=1mvj2xr1J3wNg@mail.gmail.com>
- References: <SJ2PR11MB7645FB4F085CF16A839E28A2D97D2@SJ2PR11MB7645.namprd11.prod.outlook.com> <ZwTdnRJX6VVy3cpW@gardel-login> <SJ2PR11MB76456C57B4920705114CBC73D97E2@SJ2PR11MB7645.namprd11.prod.outlook.com> <ZwU2CQH8K14esqNt@gardel-login> <SJ2PR11MB76454D37E853D8432D5B1C4DD97F2@SJ2PR11MB7645.namprd11.prod.outlook.com> <CA+2WEYVMJJUkUDE564ohwpN_zxLi8+72WEKb=1mvj2xr1J3wNg@mail.gmail.com>
- Follow-Ups:
- Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
- From: Srinivas Naik
- Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
- References:
- Passing Kernel Params from systemd-boot for Secure Boot UKI
- From: Mah, Yock Gen
- Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
- From: Lennart Poettering
- Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
- From: Mah, Yock Gen
- Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
- From: Lennart Poettering
- Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
- From: Mah, Yock Gen
- Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
- From: Srinivas Naik
- Passing Kernel Params from systemd-boot for Secure Boot UKI
- Prev by Date: Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
- Next by Date: Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
- Previous by thread: Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
- Next by thread: Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
- Index(es):
 |