From ef3e110a0712f2b37ec23d2060728b62b9c5d741 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 18 Sep 2023 11:08:55 +0200 Subject: [PATCH 1/3] man: drop duplicate .uname documentation, add .sbat documentation This fixes the PE section documentation in the systemd-stub man page: for some reason .uname was listed twice, and .sbat was still missing. Address that. Also, let's reorder things to match the "canonical" ordering we also use for measurement in sd-stub. The order makes sense and there's really no reason to depart from that here. Minor other tweaks. Reverts b6f2e6860220aa89550f690b12246c4e8eb6e908, among other things --- man/systemd-stub.xml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml index 06a71bc4fb..b211339076 100644 --- a/man/systemd-stub.xml +++ b/man/systemd-stub.xml @@ -52,6 +52,9 @@ individual resources at once. Specifically it may include: + + The ELF Linux kernel images will be looked for in the .linux PE section of the executed image. @@ -59,11 +62,14 @@ os-release5 file of the OS the kernel belongs to, in the .osrel PE section. - Kernel version information, i.e. the output of uname -r for the - kernel included in the UKI, in the .uname PE section. + The kernel command line to pass to the invoked kernel will be looked for in the + .cmdline PE section. - The initrd will be loaded from the .initrd PE section. - + The initrd will be loaded from the .initrd PE + section. + + A boot splash (in Windows .BMP format) to show on screen before + invoking the kernel will be looked for in the .splash PE section. A compiled binary DeviceTree will be looked for in the .dtb PE section. 
@@ -71,11 +77,8 @@ Kernel version information, i.e. the output of uname -r for the kernel included in the UKI, in the .uname PE section. - The kernel command line to pass to the invoked kernel will be looked for in the - .cmdline PE section. - - A boot splash (in Windows .BMP format) to show on screen before - invoking the kernel will be looked for in the .splash PE section. + SBAT revocation + metadata, in the .sbat PE section. A set of cryptographic signatures for expected TPM2 PCR values when this kernel is booted, in JSON format, in the .pcrsig section. This is useful for implementing TPM2 From 652d2bfb61d8c3a586581e606dfcb77ba3dae4e1 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 18 Sep 2023 11:19:17 +0200 Subject: [PATCH 2/3] man: link UKI spec from sd-stub --- man/systemd-stub.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml index b211339076..a34b925c56 100644 --- a/man/systemd-stub.xml +++ b/man/systemd-stub.xml @@ -119,6 +119,9 @@ and systemd-creds1 will automatically use files present under these paths to unlock protected resources (encrypted storage or credentials) or bind encryption to booted kernels. + + For further details about the UKI concept, see the UKI specification. From e75386bd84d569c02cb5e6810af678427369f0a3 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 18 Sep 2023 11:19:26 +0200 Subject: [PATCH 3/3] man: fix counting of resource types --- man/systemd-stub.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml index a34b925c56..84ed47a1ec 100644 --- a/man/systemd-stub.xml +++ b/man/systemd-stub.xml 
@@ -127,7 +127,7 @@ Companion Files - The systemd-stub UEFI boot stub automatically collects two types of auxiliary + The systemd-stub UEFI boot stub automatically collects three types of auxiliary companion files optionally placed in drop-in directories on the same partition as the EFI binary, dynamically generates cpio initrd archives from them, and passes them to the kernel. Specifically:
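Review bot: in the first hunk of patch 1 (@@ -52,6 +52,9 @@), the commit message says the list is being reordered to follow the canonical ordering sd-stub uses for measurement, but nothing in the documentation itself says so; a short sentence in the list introduction (right after "Specifically it may include:") stating that the sections are listed in the order in which the stub measures them would make the ordering meaningful to readers and tell future contributors where a new entry belongs.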
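Review bot: in the second hunk of patch 1 (@@ -71,11 +77,8 @@), the new .sbat entry is the only item in the list that gives no indication of what the data is for or who consumes it, while its neighbours do (the .pcrsig entry says it "is useful for implementing TPM2 ...", and the .osrel entry links to os-release5). Suggest extending "SBAT revocation metadata, in the .sbat PE section." with either a pointer to where the SBAT format is specified or a clause on what the stub does with the section, so the reader is not left to guess.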
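Review bot: in patch 2 (@@ -119,6 +119,9 @@), the new paragraph "For further details about the UKI concept, see the UKI specification." is appended directly after the systemd-creds unlocking discussion, where it reads as an afterthought unrelated to the surrounding text; since the UKI term is introduced together with the PE-section resource list earlier in the page, placing the reference immediately after that list would put it where a reader first needs it.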
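Review bot: in patch 3 (@@ -127,7 +127,7 @@), the literal count in "collects three types of auxiliary companion files" is exactly the kind of number that already went stale once (this patch corrects it from "two"); consider wording that needs no update when a further type is added, e.g. "automatically collects the following types of auxiliary companion files", since the enumeration introduced by "Specifically:" is what readers actually rely on.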