Thanks a lot for the details. Will go through them and get back to you.
Thanks
Srinivas
On Tue, Oct 15, 2024 at 4:27 PM Luca Boccassi <luca.boccassi@xxxxxxxxx> wrote:
Yes addons have to be signed, otherwise it would defeat their purpose.
OSTree should switch to other mechanisms, like credentials stored
in the ESP (https://systemd.io/CREDENTIALS/), instead of using the
kernel command line.
On Tue, 15 Oct 2024 at 11:45, Srinivas Naik <nivasnaik@xxxxxxxxx> wrote:
>
> Hi All,
> I have a question on this: when Secure Boot is enabled, must the addon file also be signed?
> On devices which use OSTree for OTA, there is a need to update the command line parameter at run time with the latest SHA deployment.
> How can this be done on Secure Boot enabled devices, since command line parameters mentioned in the config file will not be picked up?
>
> Thanks
> Srinivas
>
> On Thu, Oct 10, 2024 at 4:13 AM Mah, Yock Gen <yock.gen.mah@xxxxxxxxx> wrote:
>>
>> It works, really appreciate your help, Lennart!
>>
>> -----Original Message-----
>> From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
>> Sent: Tuesday, October 8, 2024 9:39 PM
>> To: Mah, Yock Gen <yock.gen.mah@xxxxxxxxx>
>> Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: Passing Kernel Params from systemd-boot for Secure Boot UKI
>>
>> On Di, 08.10.24 12:37, Mah, Yock Gen (yock.gen.mah@xxxxxxxxx) wrote:
>>
>> > Really appreciate! I tried to create a PE "addon" using the below:
>> >
>> > echo "yockgen=b" > cmdline.txt
>> >
>> > objcopy --input binary --output efi-app-x86_64 cmdline.txt bootdm_b.addon.efi
>>
>> This doesn't look right. You must insert the cmdline in the ".cmdline"
>> PE section, of course. As mentioned, addons follow the same structure as UKIs after all.
>>
>> We generally recommend using ukify for generating UKIs and PE addons.
>>
>> The man page even has an example doing exactly what you need to do:
>>
>> https://github.com/systemd/systemd/blob/main/man/ukify.xml#L674
>>
>> Lennart
>>
>> --
>> Lennart Poettering, Berlin
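The two points made in this thread, that an addon carries its kernel command line in a `.cmdline` PE section (not in the `.data` section that `objcopy --input binary` emits) and that it must be Authenticode-signed to be accepted under Secure Boot, can be checked on any `.addon.efi` before it is copied to the ESP. The following is an added example, not systemd's code: a small PE parser that lists sections, extracts `.cmdline` and reports whether a certificate table is present. The two images it inspects are constructed in memory as fixtures (one laid out like the `objcopy` output above, one like a signed addon); the `build_pe` helper and the placeholder signature blob are assumptions of this example and produce nothing bootable.

```python
"""Inspect a PE binary the way an addon consumer would: list its sections, pull out
.cmdline and check for an Authenticode certificate table. Added example for this
thread, not systemd code. The images built here are constructed fixtures only."""
import struct

SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200
CERT_TABLE_INDEX = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directory


def _align(value, boundary):
    return (value + boundary - 1) // boundary * boundary


def build_pe(sections, signed=False):
    """Construct a minimal PE32+ (x86_64 EFI application) from (name, payload) pairs.
    With signed=True a placeholder WIN_CERTIFICATE blob is appended and referenced
    from the certificate table; it stands in for real Authenticode data (constructed)."""
    n = len(sections)
    opt_size = 240              # PE32+ optional header including 16 data directories
    size_of_headers = _align(64 + 4 + 20 + opt_size + 40 * n, FILE_ALIGN)

    table, raw = b"", b""
    raw_ptr, va = size_of_headers, SECTION_ALIGN
    for name, payload in sections:
        raw_size = _align(len(payload), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(payload), va, raw_size, raw_ptr, 0, 0, 0, 0,
                             0x40000040)              # INITIALIZED_DATA | MEM_READ
        raw += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(len(payload), SECTION_ALIGN)

    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, va, size_of_headers)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 10)                     # Subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    if signed:
        # The certificate table entry holds a file offset (not an RVA) past the raw data.
        cert = struct.pack("<IHH", 8 + 16, 0x0200, 0x0002) + b"SIGNATURE-BYTES!"
        cert_off = size_of_headers + len(raw)
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, cert_off, len(cert))
        raw += cert

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew -> PE signature at 64
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, opt_size, 0x0022)  # x86_64 image
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(size_of_headers, b"\0") + raw


def parse_pe(image):
    """Return machine type, {section name: payload} and whether a certificate table exists."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", image, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)     # data directories: PE32+ vs PE32
    _, cert_size = struct.unpack_from("<II", image, dd_off + 8 * CERT_TABLE_INDEX)
    sect_off = opt_off + opt_size
    sections = {}
    for i in range(nsect):
        name, vsize, _, _, rawptr = struct.unpack_from("<8sIIII", image, sect_off + 40 * i)
        # VirtualSize is the real payload length; SizeOfRawData includes file-alignment padding.
        sections[name.rstrip(b"\0").decode()] = image[rawptr:rawptr + vsize]
    return {"machine": machine, "sections": sections, "signed": cert_size > 0}


def check_addon(image):
    """(ok, problems): an addon needs a .cmdline section and, under Secure Boot, a signature."""
    info = parse_pe(image)
    problems = []
    if ".cmdline" not in info["sections"]:
        problems.append("no .cmdline section (objcopy --input binary puts the payload in .data)")
    if not info["signed"]:
        problems.append("no certificate table: unsigned, rejected when Secure Boot is enabled")
    return (not problems, problems)


def cmdline_of(image):
    """The kernel command line carried in .cmdline, or '' if the section is absent."""
    return parse_pe(image)["sections"].get(".cmdline", b"").rstrip(b"\0").decode().strip()


# Constructed fixtures: the objcopy layout from the thread versus a signed addon layout.
OBJCOPY_STYLE = build_pe([(".data", b"yockgen=b\n")])
ADDON_STYLE = build_pe([(".cmdline", b"yockgen=b\n")], signed=True)

if __name__ == "__main__":
    for label, img in (("objcopy output", OBJCOPY_STYLE), ("ukify-style addon", ADDON_STYLE)):
        ok, problems = check_addon(img)
        print(f"{label}: ok={ok} cmdline={cmdline_of(img)!r} problems={problems}")
```

To run it against a real file, pass `open("bootdm_b.addon.efi", "rb").read()` to `check_addon`; a present certificate table only shows that something was signed, so the signing certificate still has to be one the firmware (or the stub's allowed keys) trusts.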