Yes, addons have to be signed, otherwise it would defeat their purpose. OSTree should switch to other mechanisms, like credentials stored in the ESP ( https://systemd.io/CREDENTIALS/ ), instead of using the kernel command line.

On Tue, 15 Oct 2024 at 11:45, Srinivas Naik <nivasnaik@xxxxxxxxx> wrote:
>
> Hi All,
> I have a question on this: when secure boot is enabled, must the addons file also be signed?
> On devices which use OSTree for OTA, there is a need to update the command line parameter at run time with the latest SHA deployment.
> How to do this on secure boot enabled devices, since command line parameters mentioned in the config file will not be picked up?
>
> Thanks
> Srinivas
>
> On Thu, Oct 10, 2024 at 4:13 AM Mah, Yock Gen <yock.gen.mah@xxxxxxxxx> wrote:
>>
>> It works, really appreciate your help, Lennart!
>>
>> -----Original Message-----
>> From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
>> Sent: Tuesday, October 8, 2024 9:39 PM
>> To: Mah, Yock Gen <yock.gen.mah@xxxxxxxxx>
>> Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
>>
>> On Di, 08.10.24 12:37, Mah, Yock Gen (yock.gen.mah@xxxxxxxxx) wrote:
>>
>> > Really appreciate! I tried to create a PE "addon" using the below:
>> >
>> > echo "yockgen=b" > cmdline.txt
>> >
>> > objcopy --input binary --output efi-app-x86_64 cmdline.txt bootdm_b.addon.efi
>>
>> This doesn't look right. You must insert the cmdline in the ".cmdline"
>> PE section, of course. As mentioned, addons follow the same structure as UKIs after all.
>>
>> We generally recommend using ukify for generating UKIs and PE addons.
>>
>> The man page even has an example doing exactly what you need to do:
>>
>> https://github.com/systemd/systemd/blob/main/man/ukify.xml#L674
>>
>> Lennart
>>
>> --
>> Lennart Poettering, Berlin
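As an added illustration of Lennart's point about the ".cmdline" section (example code written for this page, not from the thread, systemd or ukify): a small PE section-table reader that reports whether an image carries a .cmdline section, run against two constructed minimal PE images. One is laid out the way objcopy with binary input produces it (the payload lands in a .data section), the other the way a UKI-style addon is laid out. The build_pe helper and the two images are constructed test fixtures; the firmware's Secure Boot signature check is separate and not modelled.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def pe_sections(image: bytes) -> dict:
    """Return {section name: raw bytes} from a PE image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature: not a PE image")
    nsect = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                         # first section header
    sections = {}
    for i in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HDR, image, table + i * 40)
        sections[name.rstrip(b"\0").decode()] = image[raw_ptr:raw_ptr + raw_size]
    return sections

def addon_cmdline(image: bytes):
    """Command line a systemd-stub addon would contribute, or None when the
    image has no .cmdline section (the stub then has nothing to pick up)."""
    cmdline = pe_sections(image).get(".cmdline")
    if cmdline is None:
        return None
    return cmdline.rstrip(b"\0").decode().strip()

def build_pe(sections: dict) -> bytes:
    """Constructed minimal PE for testing: DOS header, COFF header, no
    optional header, then the section table and the raw section data."""
    raw_off = 0x40 + 24 + 40 * len(sections)
    table, body = b"", b""
    for name, content in sections.items():
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                             len(content), 0, len(content), raw_off,
                             0, 0, 0, 0, 0x40000040)  # readonly initialized data
        body += content
        raw_off += len(content)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    return dos + coff + table + body

# Constructed images: payload in .data (what binary-input objcopy produces)
# versus payload in .cmdline (the UKI/addon layout the stub looks for).
WRONG_ADDON = build_pe({".data": b"yockgen=b\n"})
RIGHT_ADDON = build_pe({".cmdline": b"yockgen=b\0"})

if __name__ == "__main__":
    print("wrong:", addon_cmdline(WRONG_ADDON))  # None
    print("right:", addon_cmdline(RIGHT_ADDON))  # yockgen=b
```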