systemd/man/systemd-sbsign.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd-sbsign"
    xmlns:xi="http://www.w3.org/2001/XInclude">
  <refentryinfo>
    <title>systemd-sbsign</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-sbsign</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-sbsign</refname>
    <refpurpose>Sign PE binaries for EFI Secure Boot</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>systemd-sbsign</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
      <arg choice="req">COMMAND</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-sbsign</command> can be used to sign PE binaries for EFI Secure Boot.</para>
  </refsect1>

  <refsect1>
    <title>Commands</title>

    <variablelist>
      <varlistentry>
        <term><option>sign</option></term>

        <listitem><para>Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its
        argument. If the PE binary already has a certificate table, the new signature will be added to it.
        Otherwise a new certificate table will be created. The signed PE binary will be written to the path
        specified with <option>--output=</option>.</para>

        <xi:include href="version-info.xml" xpointer="v257"/>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Options</title>
    <para>The following options are understood:</para>

    <variablelist>
      <varlistentry>
        <term><option>--output=<replaceable>PATH</replaceable></option></term>

        <listitem><para>Specifies the path where to write the signed PE binary.</para>

        <xi:include href="version-info.xml" xpointer="v257"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
        <term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
        <term><option>--certificate=<replaceable>PATH</replaceable></option></term>
        <term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>

        <listitem><para>Set the Secure Boot private key and certificate for use with the
        <command>sign</command>. The <option>--certificate=</option> option takes a path to a PEM encoded
        X.509 certificate or a URI that's passed to the OpenSSL provider configured with
        <option>--certificate-source</option>. The <option>--certificate-source</option> takes one of
        <literal>file</literal> or <literal>provider</literal>, with the latter being followed by a specific
        provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>. The
        <option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL
        engine or provider, as specified by <option>--private-key-source=</option> as a
        <literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
        signing engine or provider will be used to sign the PE binary.</para>

        <xi:include href="version-info.xml" xpointer="v257"/></listitem>
      </varlistentry>

      <xi:include href="standard-options.xml" xpointer="help"/>
      <xi:include href="standard-options.xml" xpointer="version"/>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para><simplelist type="inline">
      <member><citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
    </simplelist></para>
  </refsect1>
</refentry>
Introduce systemd-sbsign to do secure boot signing Currently in mkosi and ukify we use sbsigntools to do secure boot signing. This has multiple issues: - sbsigntools is practically unmaintained, sbvarsign is completely broken with the latest gnu-efi when built without -fshort-wchar and upstream has completely ignored my bug report about this. - sbsigntools only supports openssl engines and not the new providers API. - sbsigntools doesn't allow us to cache hardware token pins in the kernel keyring like we do nowadays when we sign stuff ourselves in systemd-repart or systemd-measure There are alternative tools like sbctl and pesign but these do not support caching hardware token pins in the kernel keyring either. To get around the issues with sbsigntools, let's introduce our own tool systemd-sbsign to do secure boot signing. This allows us to take advantage of our own openssl infra so that hardware token pins are cached in the kernel keyring as expected and we get openssl provider support as well. 2024-11-05 02:36:32 +03:00			`<?xml version='1.0'?> <!---nxml--->`
			`<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"`
			`"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">`
			`<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->`

			`<refentry id="systemd-sbsign"`
			`xmlns:xi="http://www.w3.org/2001/XInclude">`
			`<refentryinfo>`
			`<title>systemd-sbsign</title>`
			`<productname>systemd</productname>`
			`</refentryinfo>`

			`<refmeta>`
			`<refentrytitle>systemd-sbsign</refentrytitle>`
			`<manvolnum>1</manvolnum>`
			`</refmeta>`

			`<refnamediv>`
			`<refname>systemd-sbsign</refname>`
			`<refpurpose>Sign PE binaries for EFI Secure Boot</refpurpose>`
			`</refnamediv>`

			`<refsynopsisdiv>`
			`<cmdsynopsis>`
			`<command>systemd-sbsign</command>`
			`<arg choice="opt" rep="repeat">OPTIONS</arg>`
			`<arg choice="req">COMMAND</arg>`
			`</cmdsynopsis>`
			`</refsynopsisdiv>`

			`<refsect1>`
			`<title>Description</title>`

			`<para><command>systemd-sbsign</command> can be used to sign PE binaries for EFI Secure Boot.</para>`
			`</refsect1>`

			`<refsect1>`
			`<title>Commands</title>`

			`<variablelist>`
			`<varlistentry>`
			`<term><option>sign</option></term>`

			`<listitem><para>Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its`
			`argument. If the PE binary already has a certificate table, the new signature will be added to it.`
			`Otherwise a new certificate table will be created. The signed PE binary will be written to the path`
			`specified with <option>--output=</option>.</para>`

			`<xi:include href="version-info.xml" xpointer="v257"/>`
			`</listitem>`
			`</varlistentry>`
			`</variablelist>`
			`</refsect1>`

			`<refsect1>`
			`<title>Options</title>`
			`<para>The following options are understood:</para>`

			`<variablelist>`
			`<varlistentry>`
			`<term><option>--output=<replaceable>PATH</replaceable></option></term>`

			`<listitem><para>Specifies the path where to write the signed PE binary.</para>`

			`<xi:include href="version-info.xml" xpointer="v257"/></listitem>`
			`</varlistentry>`

			`<varlistentry>`
			`<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>`
man: fix syntax error in systemd-sbsign.xml Follow-up for 5f163921e9ff6d735798db259c47543822f81b5c 2024-11-06 22:18:15 +03:00			`<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>`
Introduce systemd-sbsign to do secure boot signing Currently in mkosi and ukify we use sbsigntools to do secure boot signing. This has multiple issues: - sbsigntools is practically unmaintained, sbvarsign is completely broken with the latest gnu-efi when built without -fshort-wchar and upstream has completely ignored my bug report about this. - sbsigntools only supports openssl engines and not the new providers API. - sbsigntools doesn't allow us to cache hardware token pins in the kernel keyring like we do nowadays when we sign stuff ourselves in systemd-repart or systemd-measure There are alternative tools like sbctl and pesign but these do not support caching hardware token pins in the kernel keyring either. To get around the issues with sbsigntools, let's introduce our own tool systemd-sbsign to do secure boot signing. This allows us to take advantage of our own openssl infra so that hardware token pins are cached in the kernel keyring as expected and we get openssl provider support as well. 2024-11-05 02:36:32 +03:00			`<term><option>--certificate=<replaceable>PATH</replaceable></option></term>`
tree-wide: Introduce --certificate-source= option This allows loading the X.509 certificate from an OpenSSL provider instead of a file system path. This allows loading certficates directly from hardware tokens instead of having to export them to a file on disk first. 2024-11-06 20:08:26 +03:00			`<term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>`
Introduce systemd-sbsign to do secure boot signing Currently in mkosi and ukify we use sbsigntools to do secure boot signing. This has multiple issues: - sbsigntools is practically unmaintained, sbvarsign is completely broken with the latest gnu-efi when built without -fshort-wchar and upstream has completely ignored my bug report about this. - sbsigntools only supports openssl engines and not the new providers API. - sbsigntools doesn't allow us to cache hardware token pins in the kernel keyring like we do nowadays when we sign stuff ourselves in systemd-repart or systemd-measure There are alternative tools like sbctl and pesign but these do not support caching hardware token pins in the kernel keyring either. To get around the issues with sbsigntools, let's introduce our own tool systemd-sbsign to do secure boot signing. This allows us to take advantage of our own openssl infra so that hardware token pins are cached in the kernel keyring as expected and we get openssl provider support as well. 2024-11-05 02:36:32 +03:00
			`<listitem><para>Set the Secure Boot private key and certificate for use with the`
			`<command>sign</command>. The <option>--certificate=</option> option takes a path to a PEM encoded`
tree-wide: Introduce --certificate-source= option This allows loading the X.509 certificate from an OpenSSL provider instead of a file system path. This allows loading certficates directly from hardware tokens instead of having to export them to a file on disk first. 2024-11-06 20:08:26 +03:00			`X.509 certificate or a URI that's passed to the OpenSSL provider configured with`
			`<option>--certificate-source</option>. The <option>--certificate-source</option> takes one of`
			`<literal>file</literal> or <literal>provider</literal>, with the latter being followed by a specific`
			`provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>. The`
			`<option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL`
			`engine or provider, as specified by <option>--private-key-source=</option> as a`
Introduce systemd-sbsign to do secure boot signing Currently in mkosi and ukify we use sbsigntools to do secure boot signing. This has multiple issues: - sbsigntools is practically unmaintained, sbvarsign is completely broken with the latest gnu-efi when built without -fshort-wchar and upstream has completely ignored my bug report about this. - sbsigntools only supports openssl engines and not the new providers API. - sbsigntools doesn't allow us to cache hardware token pins in the kernel keyring like we do nowadays when we sign stuff ourselves in systemd-repart or systemd-measure There are alternative tools like sbctl and pesign but these do not support caching hardware token pins in the kernel keyring either. To get around the issues with sbsigntools, let's introduce our own tool systemd-sbsign to do secure boot signing. This allows us to take advantage of our own openssl infra so that hardware token pins are cached in the kernel keyring as expected and we get openssl provider support as well. 2024-11-05 02:36:32 +03:00			`<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL`
			`signing engine or provider will be used to sign the PE binary.</para>`

			`<xi:include href="version-info.xml" xpointer="v257"/></listitem>`
			`</varlistentry>`

			`<xi:include href="standard-options.xml" xpointer="help"/>`
			`<xi:include href="standard-options.xml" xpointer="version"/>`
			`</variablelist>`
			`</refsect1>`

			`<refsect1>`
			`<title>See Also</title>`
			`<para><simplelist type="inline">`
			`<member><citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>`
			`</simplelist></para>`
			`</refsect1>`
			`</refentry>`