1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
systemd/man/loader.conf.xml

431 lines
19 KiB
XML
Raw Normal View History

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="loader.conf" conditional='ENABLE_BOOTLOADER'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>loader.conf</title>
<productname>systemd</productname>
</refentryinfo>
<refmeta>
<refentrytitle>loader.conf</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>loader.conf</refname>
<refpurpose>Configuration file for systemd-boot</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><filename><replaceable>ESP</replaceable>/loader/loader.conf</filename>,
<filename><replaceable>ESP</replaceable>/loader/entries/*.conf</filename>
<filename><replaceable>XBOOTLDR</replaceable>/loader/entries/*.conf</filename>
</para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>
<citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> will
read <filename><replaceable>ESP</replaceable>/loader/loader.conf</filename>, and any files with the
<literal>.conf</literal> extension under
<filename><replaceable>ESP</replaceable>/loader/entries/</filename> on the EFI system partition (ESP),
and <filename><replaceable>XBOOTLDR</replaceable>/loader/entries/</filename> on the extended boot loader
partition (XBOOTLDR) as defined by <ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader
Specification</ulink>.
</para>
<para>Each of these configuration files must consist of series of newline (i.e. ASCII code 10) separated
lines, each consisting of an option name, followed by whitespace, and the option
value. <literal>#</literal> may be used to start a comment line. Empty and comment lines are ignored. The
files use UTF-8 encoding.</para>
<para>Boolean arguments may be written as
<literal>yes</literal>/<literal>y</literal>/<literal>true</literal>/<literal>t</literal>/<literal>on</literal>/<literal>1</literal> or
<literal>no</literal>/<literal>n</literal>/<literal>false</literal>/<literal>f</literal>/<literal>off</literal>/<literal>0</literal>.
</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>The configuration options supported by
<filename><replaceable>ESP</replaceable>/loader/entries/*.conf</filename> and
<filename><replaceable>XBOOTLDR</replaceable>/loader/entries/*.conf</filename> files are defined as part
of the <ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader
Specification</ulink>.</para>
<para>The following configuration are supported by the <filename>loader.conf</filename> configuration
file:</para>
<variablelist>
<varlistentry>
<term>default</term>
<listitem><para>A glob pattern to select the default entry. The default entry
may be changed in the boot menu itself, in which case the name of the
selected entry will be stored as an EFI variable, overriding this option.
</para>
<para>If set to <literal>@saved</literal> the chosen entry will be saved as an EFI variable
on every boot and automatically selected the next time the boot loader starts.</para>
<table>
<title>Automatically detected entries will use the following names:</title>
<tgroup cols='2'>
<colspec colname='name' />
<colspec colname='expl' />
<thead>
<row>
<entry>Name</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry>auto-efi-default</entry>
<entry>EFI Default Loader</entry>
</row>
<row>
<entry>auto-efi-shell</entry>
<entry>EFI Shell</entry>
</row>
<row>
<entry>auto-osx</entry>
<entry>macOS</entry>
</row>
<row>
<entry>auto-poweroff</entry>
<entry>Power Off The System</entry>
</row>
<row>
<entry>auto-reboot</entry>
<entry>Reboot The System</entry>
</row>
<row>
<entry>auto-reboot-to-firmware-setup</entry>
<entry>Reboot Into Firmware Interface</entry>
</row>
<row>
<entry>auto-windows</entry>
<entry>Windows Boot Manager</entry>
</row>
</tbody>
</tgroup>
</table>
2022-06-15 08:50:34 +03:00
<para>Supported glob wildcard patterns are <literal>?</literal>, <literal>*</literal>, and
<literal>[…]</literal> (including ranges). Note that these patterns use the same syntax as
2022-07-04 20:59:06 +03:00
<citerefentry project='man-pages'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
but do not support all features. In particular, set negation and named character classes are not
supported. The matching is done case-insensitively on the entry ID (as shown by <command>bootctl
list</command>).</para>
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
</varlistentry>
<varlistentry>
<term>timeout</term>
<listitem><para>How long the boot menu should be shown before the default
entry is booted, in seconds. This may be changed in the boot menu itself and
will be stored as an EFI variable in that case, overriding this option.
</para>
sd-boot: add way to disable the 100ms delay when timeout=0 Currently we have a 100ms delay which allows for people to enter/show the boot menu even when timeout is set to zero. In a handful of cases, that may not be needed - both in terms of access policy, as well as latency. For example: the option to provide the boot menu may be hidden behind an "expert only" UX in the OS, to avoid end users from accidentally entering it. In addition, the current 100ms input polling may cause unexpected additional delays in the boot. Some example numbers from my SteamDeck: - boot counting/rename/flush doubles 300us -> 600us - seed/hash setup doubles 900us -> 1800us - kernel/image load gets ~40% slower 107ms -> 167ms It's not entirely clear why the UEFI calls gets slower, nevertheless the information in itself proves useful. This commit introduces a new option "menu-disabled", which omits the 100ms delay. The option is documented throughout the manual pages as well as the Boot Loader Specification. v2: - use STR_IN_SET v3: - drop erroneous whitespace v4: - add a new LoaderFeature bit, - don't change ABI keep TIMEOUT_* tokens the same - move new token in the 64bit range, update API and storage for it - change inc/dec behaviour to TIMEOUT_MIN : TIMEOUT_MENU_FORCE - user cannot opt-in from sd-boot itself, add assert_not_reached() v5: - s/Menu disablement control/Menu can be disabled/ - rewrap comments to 109 - use SYNTHETIC_ERRNO(EOPNOTSUPP) Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
2023-10-04 14:55:52 +03:00
<para>If set to <literal>menu-disabled</literal> or <literal>menu-hidden</literal> or <literal>0</literal>
(the default), no menu is shown and the default entry will be booted immediately. Unless
<literal>menu-disabled</literal> is used, the menu can be shown
2021-09-16 11:25:10 +03:00
by pressing and holding a key before systemd-boot is launched. Setting this to
<literal>menu-force</literal> disables the timeout while always showing the menu.</para>
<xi:include href="version-info.xml" xpointer="v239"/>
</listitem>
</varlistentry>
<varlistentry>
<term>console-mode</term>
<listitem><para>This option configures the resolution of the console. This may be changed in
the boot menu itself and will be stored as an EFI variable in that case, overriding this
option.</para>
<para>Takes a number or one of the special values listed below. The following
values may be used:</para>
<variablelist>
<varlistentry>
<term>0</term>
<listitem>
<para>Standard UEFI 80x25 mode</para>
<xi:include href="version-info.xml" xpointer="v239"/>
</listitem>
</varlistentry>
<varlistentry>
<term>1</term>
<listitem>
<para>80x50 mode, not supported by all devices</para>
<xi:include href="version-info.xml" xpointer="v239"/>
</listitem>
</varlistentry>
<varlistentry>
<term>2</term>
<listitem>
<para>the first non-standard mode provided by the device
firmware, if any</para>
<xi:include href="version-info.xml" xpointer="v239"/>
</listitem>
</varlistentry>
<varlistentry>
<term>auto</term>
<listitem>
<para>Pick a suitable mode automatically using heuristics</para>
<xi:include href="version-info.xml" xpointer="v239"/>
</listitem>
</varlistentry>
<varlistentry>
<term>max</term>
<listitem>
<para>Pick the highest-numbered available mode</para>
<xi:include href="version-info.xml" xpointer="v239"/>
</listitem>
</varlistentry>
<varlistentry>
<term>keep</term>
<listitem>
<para>Keep the mode selected by firmware (the default)</para>
<xi:include href="version-info.xml" xpointer="v239"/>
</listitem>
</varlistentry>
</variablelist>
<xi:include href="version-info.xml" xpointer="v239"/>
</listitem>
</varlistentry>
<varlistentry>
<term>editor</term>
<listitem><para>Takes a boolean argument. Enable (the default) or disable the
editor. The editor should be disabled if the machine can be accessed by
unauthorized persons.</para>
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
</varlistentry>
<varlistentry>
<term>auto-entries</term>
<listitem><para>Takes a boolean argument. Enable (the default) or disable
entries for other boot entries found on the boot partition. In particular,
this may be useful when loader entries are created to show replacement
descriptions for those entries.</para>
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
</varlistentry>
<varlistentry>
<term>auto-firmware</term>
<listitem><para>A boolean controlling the presence of the <literal>Reboot Into Firmware
Interface</literal> entry (enabled by default). If this is disabled, the firmware interface may still
be reached by using the <keycap>f</keycap> key.</para>
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
</varlistentry>
<varlistentry>
<term>beep</term>
<listitem><para>Takes a boolean argument. If timeout enabled beep every second, otherwise beep n times when n-th entry in boot menu is selected (default disabled).
Currently, only x86 is supported, where it uses the PC speaker.</para>
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
</varlistentry>
This patch adds support for enrolling secure boot boot keys from sd-boot. ***DANGER*** NOTE ***DANGER*** This feature might result in your device becoming soft-brick as outlined below, please use this feature carefully. ***DANGER*** NOTE ***DANGER*** If secure-boot-enrollment is set to no, then no action whatsoever is performed, no matter the files on the ESP. If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment is set to either manual or force then sd-boot will generate enrollment entries named after the directories they are in. The entries are shown at the very bottom of the list and can be selected by the user from the menu. If the user selects it, the user is shown a screen allowing for cancellation before a timeout. The enrollment proceeds if the action is not cancelled after the timeout. Additionally, if the secure-boot-enroll option is set to 'force' then the keys located in the directory named 'auto' are going to be enrolled automatically. The user is still going to be shown a screen allowing them to cancel the action if they want to, however the enrollment will proceed automatically after a timeout without user cancellation. After keys are enrolled, the system reboots with secure boot enabled therefore, it is ***critical*** to ensure that everything needed for the system to boot is signed properly (sd-boot itself, kernel, initramfs, PCI option ROMs). This feature currently only allows loading the most simple set of variables: PK, KEK and db. The files need to be prepared with cert-to-efi-sig-list and then signed with sign-efi-sig-list. Here is a short example to generate your own keys and the right files for auto-enrollement. ` keys="PK KEK DB" uuid="{$(systemd-id128 new -u)}" for key in ${keys}; do openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign" done sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl ` Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in order to run. You can sign the binaries with the sbsign tool, for example: ` sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage ` Example: Assuming the system has been put in Setup Mode: ` $ESP/loader/keys/auto/db.esl $ESP/loader/keys/auto/KEK.esl $ESP/loader/keys/auto/PK.esl $ESP/loader/keys/Linux Only/db.esl $ESP/loader/keys/Linux Only/KEK.esl $ESP/loader/keys/Linux Only/PK.esl $ESP/loader/keys/Linux and Windows/db.esl $ESP/loader/keys/Linux and Windows/KEK.esl $ESP/loader/keys/Linux and Windows/PK.esl ` If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto' directory. If not, three new boot entries are available to the user in order to enroll either the 'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-09 21:13:28 +03:00
<varlistentry>
<term>secure-boot-enroll</term>
<listitem><para>Danger: this feature might soft-brick your device if used improperly.</para>
<para>Controls enrollment of secure boot keys found on the ESP if the system is in setup mode:
<variablelist>
<varlistentry>
<term><option>off</option></term>
<listitem><para>No action is taken.</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
<varlistentry>
<term><option>manual</option></term>
<listitem><para>Boot entries for found secure boot keys are created that allow manual
enrollment.</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
<varlistentry>
<term><option>if-safe</option></term>
<listitem><para>Same behavior as <option>manual</option>, but will try to automatically
enroll the key <literal>auto</literal> if it is considered to be safe. Currently, this is only
the case if the system is running inside a virtual machine.</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
<varlistentry>
<term><option>force</option></term>
<listitem><para>Always enroll the <literal>auto</literal> key if found. Note that a warning
message with a timeout will still be shown if this operation is unknown to be safe.</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
</variablelist>
</para>
This patch adds support for enrolling secure boot boot keys from sd-boot. ***DANGER*** NOTE ***DANGER*** This feature might result in your device becoming soft-brick as outlined below, please use this feature carefully. ***DANGER*** NOTE ***DANGER*** If secure-boot-enrollment is set to no, then no action whatsoever is performed, no matter the files on the ESP. If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment is set to either manual or force then sd-boot will generate enrollment entries named after the directories they are in. The entries are shown at the very bottom of the list and can be selected by the user from the menu. If the user selects it, the user is shown a screen allowing for cancellation before a timeout. The enrollment proceeds if the action is not cancelled after the timeout. Additionally, if the secure-boot-enroll option is set to 'force' then the keys located in the directory named 'auto' are going to be enrolled automatically. The user is still going to be shown a screen allowing them to cancel the action if they want to, however the enrollment will proceed automatically after a timeout without user cancellation. After keys are enrolled, the system reboots with secure boot enabled therefore, it is ***critical*** to ensure that everything needed for the system to boot is signed properly (sd-boot itself, kernel, initramfs, PCI option ROMs). This feature currently only allows loading the most simple set of variables: PK, KEK and db. The files need to be prepared with cert-to-efi-sig-list and then signed with sign-efi-sig-list. Here is a short example to generate your own keys and the right files for auto-enrollement. ` keys="PK KEK DB" uuid="{$(systemd-id128 new -u)}" for key in ${keys}; do openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign" done sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl ` Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in order to run. You can sign the binaries with the sbsign tool, for example: ` sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage ` Example: Assuming the system has been put in Setup Mode: ` $ESP/loader/keys/auto/db.esl $ESP/loader/keys/auto/KEK.esl $ESP/loader/keys/auto/PK.esl $ESP/loader/keys/Linux Only/db.esl $ESP/loader/keys/Linux Only/KEK.esl $ESP/loader/keys/Linux Only/PK.esl $ESP/loader/keys/Linux and Windows/db.esl $ESP/loader/keys/Linux and Windows/KEK.esl $ESP/loader/keys/Linux and Windows/PK.esl ` If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto' directory. If not, three new boot entries are available to the user in order to enroll either the 'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-09 21:13:28 +03:00
man: fix issues reported by the manpage-l10n project Fixes #25780. > Man page: crypttab.5 > Issue 1: Missing fullstop > Issue 2: I<cipher=>, I<hash=>, I<size=> → B<cipher=>, B<hash=>, B<size=> > > "Force LUKS mode\\&. When this mode is used, the following options are " > "ignored since they are provided by the LUKS header on the device: " > "I<cipher=>, I<hash=>, I<size=>" Seems OK to me. The full stop is there and has been for at least a few years. And we use <option> for the markup, which is appropriate here. > Man page: crypttab.5 > Issue 1: Missing fullstop > Issue 2: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-size=>, I<size=> → B<cipher=>, B<hash=>, B<keyfile-offset=>, B<keyfile-size=>, B<size=> > > "Use TrueCrypt encryption mode\\&. When this mode is used, the following " > "options are ignored since they are provided by the TrueCrypt header on the " > "device or do not apply: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-" > "size=>, I<size=>" Same. > Man page: journalctl.1 > Issue 1: make be → may be Fixed. > Issue 2: below\\&. → below: Fixed. > Man page: journalctl.1 > Issue: Colon at the end? > > "The following commands are understood\\&. If none is specified the default " > "is to display journal records\\&." > msgstr "" > "Die folgenden Befehle werden verstanden\\&. Falls keiner festgelegt ist, ist " > "die Anzeige von Journal-Datensätzen die Vorgabe\\&." This is a bit awkward, but I'm not sure how to fix it. > Man page: kernel-install.8 > Issue: methods a fallback → methods fallback It was correct, but I added a comma to make the sense clearer. > Man page: loader.conf.5 > Issue 1: secure boot variables → Secure Boot variables > Issue 2: one → one for (multiple times) > > "Supported secure boot variables are one database for authorized images, one " > "key exchange key (KEK) and one platform key (PK)\\&. For more information, " > "refer to the \\m[blue]B<UEFI specification>\\m[]\\&\\s-2\\u[2]\\d\\s+2, " > "under Secure Boot and Driver Signing\\&. Another resource that describe the " > "interplay of the different variables is the \\m[blue]B<EDK2 " > "documentation>\\m[]\\&\\s-2\\u[3]\\d\\s+2\\&." "one of" would sound strange. "One this and one that" is OK. > Man page: loader.conf.5 > Issue: systemd-boot → B<systemd-boot>(7) Fixed. > Man page: logind.conf.5 > Issue: systemd-logind → B<systemd-logind>(8) We use <filename>systemd-logind</> on subsequent references… I think that's good enough. > Man page: nss-myhostname.8 > Issue: B<getent> → B<getent>(1) Fixed. > Man page: nss-resolve.8 > Issue: B<systemd-resolved> → B<systemd-resolved>(8) The first reference does this, subsequent are shorter. > Man page: os-release.5 > Issue: Portable Services → Portable Services Documentation? Updated. > Man page: pam_systemd_home.8 > Issue: auth and account use "reason", while session and password do not? Reworded. > Man page: portablectl.1 > Issue: In systemd-portabled.service(8): Portable Services Documentation Updated. > Man page: repart.d.5 > Issue: The partition → the partition Fixed. > Man page: repart.d.5 > Issue: B<systemd-repart> → B<systemd-repart>(8) The first reference does this. I also change this one, because it's pretty far down in the text. > Man page: systemd.1 > Issue: kernel command line twice? > > "Takes a boolean argument\\&. If false disables importing credentials from " > "the kernel command line, qemu_fw_cfg subsystem or the kernel command line\\&." Apparently this was fixed already. > Man page: systemd-boot.7 > Issue: enrollement → enrollment Fixed. > Man page: systemd-cryptenroll.1 > Issue: multiple cases: any specified → the specified Reworded. > Man page: systemd-cryptenroll.1 > Issue: If this this → If this Fixed tree-wide. > Man page: systemd-cryptsetup-generator.8 > Issue: and the initrd → and in the initrd "Is honoured by the initrd" is OK, because we often speak about the initrd as a single unit. But in the same paragraph we also used "in the initrd", which makes the other use look sloppy. I changed it to "in the initrd" everywhere in that file. > Man page: systemd.directives.7 > Issue: Why are these two quoted (but not others)? > > "B<\\*(Aqh\\*(Aq>" > > B<\\*(Aqs\\*(Aq>" > > "B<\\*(Aqy\\*(Aq>" This is autogenerated from files… We use slightly different markup in different files, and it's just too hard to make it consistent. We gave up on this. > Man page: systemd.exec.5 > Issue 1: B<at>(1p) → B<at>(1) > Issue 2: B<crontab>(1p) → B<crontab>(1) Fixed. > Man page: systemd.exec.5 > Issue: B<select()> → B<select>(2) Fixed. > Man page: systemd.exec.5 > Issue: qemu → B<qemu>(1) The man page doesn't seem to be in any of the canonical places on the web. I added a link to online docs. > Man page: systemd.exec.5 > Issue: variable → variables Seems to be fixed already. > Man page: systemd-integritysetup-generator.8 > Issue: systemd-integritysetup-generator → B<systemd-integritysetup-generator> I changed <filename> to <command>. > Man page: systemd-integritysetup-generator.8 > Issue: superfluous comma at the end Already fixed. > Man page: systemd-measure.1 > Issue: (see B<--pcr-bank=>) below → (see B<--pcr-bank=> below) Reworded. > Man page: systemd-measure.1 > Issue: =PATH> → =>I<PATH> Fixed. > Man page: systemd-measure.1.po > Issue: B<--bank=DIGEST> → B<--bank=>I<DIGEST> Fixed. > Man page: systemd.netdev.5 > Issue: os the → on the Appears to have been fixed already. > Man page: systemd.netdev.5 > Issue: Onboard → On-board (as in previous string) Updated. > Man page: systemd.network.5 > Issue: B<systemd-networkd> -> B<systemd-networkd>(8) First reference does this, subsequent do not. > Man page: systemd.network.5 > Issue: B<netlabelctl> → B<netlabelctl>(8) First reference does this, subsequent do not. > Man page: systemd.network.5 > Issue: Missing verb (aquired? configured?) in the half sentence starting with "or by a " I dropped the comma. > Man page: systemd-nspawn.1 > Issue: All host users outside of that range → All other host users Reworded. > # FIXME no effect → no effect\\&. > #. type: Plain text > #: archlinux debian-unstable fedora-rawhide mageia-cauldron opensuse-tumbleweed > msgid "" > "Whichever ID mapping option is used, the same mapping will be used for users " > "and groups IDs\\&. If B<rootidmap> is used, the group owning the bind " > "mounted directory will have no effect" A period is added. Not sure if there's some other issue. > Man page: systemd-oomd.service.8 > Issue: B<systemd> → B<systemd>(1) Done. > Man page: systemd.path.5 > Issue 1: B<systemd.exec>(1) → B<systemd.exec>(5) > Issue 2: This section does not (yet?) exist Fixed. > Man page: systemd-pcrphase.service.8 > Issue 1: indicate phases into TPM2 PCR 11 ?? > Issue 2: Colon at the end of the paragraph? Fixed. > Man page: systemd-pcrphase.service.8 > Issue: final boot phase → final shutdown phase? Updated. > Man page: systemd-pcrphase.service.8 > Issue: for the the → for the Fixed tree-wide. > Man page: systemd-portabled.service.8 > Issue: In systemd-portabled.service(8): Portable Services Documentation Updated. > Man page: systemd-pstore.service.8 > Issue: Here and the following paragraphs: . → \\&. // Upstream: What does this comment mean? // You normally write \\&. for a full dot (full stop etc.); here you write only "." (i.e. a plain dot). > > "and we look up \"localhost\", nss-dns will send the following queries to " > "systemd-resolved listening on 127.0.0.53:53: first \"localhost.foobar.com\", " > "then \"localhost.barbar.com\", and finally \"localhost\". If (hopefully) the " > "first two queries fail, systemd-resolved will synthesize an answer for the " > "third query." Looks all OK to me. > Man page: systemd.resource-control.5 > Issue: Missing closing bracket after link to Control Groups version 1 Fixed. > Man page: systemd-sysext.8 > Issue: In systemd-portabled.service(8): Portable Services Documentation Updated. > Man page: systemd.timer.5 > Issue 1: B<systemd.exec>(1) → B<systemd.exec>(5) > Issue 2: This section does not (yet?) exist Fixed. > Man page: systemd.unit.5 > Issue: that is → that are Fixed. > Man page: systemd-veritysetup-generator.8 > Issue: systemd-veritysetup-generator → B<systemd-veritysetup-generator> > > "systemd-veritysetup-generator implements B<systemd.generator>(7)\\&." > > "systemd-veritysetup-generator understands the following kernel command line " > "parameters:" Updated. > Man page: systemd-volatile-root.service.8 > Issue: initrdyes → Initrd Fixed. > Man page: sysupdate.d.5 > Issue: : → \\&. (As above in TRANSFER) Updated. > Man page: sysupdate.d.5 > Issue: some → certain Updated. > Man page: sysupdate.d.5 > Issue 1: i\\&.e\\& → I\\&.e\\& Fixed. > Issue 2: the image → the system "image" seems correct. > Man page: tmpfiles.d.5 > Issue: systemd-tmpfiles → B<systemd-tmpfiles>(8) Updated.
2023-01-11 18:45:59 +03:00
<para>The different sets of variables can be set up under
<filename>/loader/keys/<replaceable>NAME</replaceable></filename> where
<replaceable>NAME</replaceable> is the name that is going to be used as the name of the entry. This
allows one to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime.
</para>
This patch adds support for enrolling secure boot boot keys from sd-boot. ***DANGER*** NOTE ***DANGER*** This feature might result in your device becoming soft-brick as outlined below, please use this feature carefully. ***DANGER*** NOTE ***DANGER*** If secure-boot-enrollment is set to no, then no action whatsoever is performed, no matter the files on the ESP. If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment is set to either manual or force then sd-boot will generate enrollment entries named after the directories they are in. The entries are shown at the very bottom of the list and can be selected by the user from the menu. If the user selects it, the user is shown a screen allowing for cancellation before a timeout. The enrollment proceeds if the action is not cancelled after the timeout. Additionally, if the secure-boot-enroll option is set to 'force' then the keys located in the directory named 'auto' are going to be enrolled automatically. The user is still going to be shown a screen allowing them to cancel the action if they want to, however the enrollment will proceed automatically after a timeout without user cancellation. After keys are enrolled, the system reboots with secure boot enabled therefore, it is ***critical*** to ensure that everything needed for the system to boot is signed properly (sd-boot itself, kernel, initramfs, PCI option ROMs). This feature currently only allows loading the most simple set of variables: PK, KEK and db. The files need to be prepared with cert-to-efi-sig-list and then signed with sign-efi-sig-list. Here is a short example to generate your own keys and the right files for auto-enrollement. ` keys="PK KEK DB" uuid="{$(systemd-id128 new -u)}" for key in ${keys}; do openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign" done sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl ` Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in order to run. You can sign the binaries with the sbsign tool, for example: ` sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage ` Example: Assuming the system has been put in Setup Mode: ` $ESP/loader/keys/auto/db.esl $ESP/loader/keys/auto/KEK.esl $ESP/loader/keys/auto/PK.esl $ESP/loader/keys/Linux Only/db.esl $ESP/loader/keys/Linux Only/KEK.esl $ESP/loader/keys/Linux Only/PK.esl $ESP/loader/keys/Linux and Windows/db.esl $ESP/loader/keys/Linux and Windows/KEK.esl $ESP/loader/keys/Linux and Windows/PK.esl ` If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto' directory. If not, three new boot entries are available to the user in order to enroll either the 'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-09 21:13:28 +03:00
<para>Supported Secure Boot variables are one database for authorized images, one for the key
exchange key (KEK) and one for the platform key (PK). For more information, refer to the
<ulink url="https://uefi.org/specifications">UEFI specification</ulink>, under Secure Boot and Driver
man: fix issues reported by the manpage-l10n project Fixes #25780. > Man page: crypttab.5 > Issue 1: Missing fullstop > Issue 2: I<cipher=>, I<hash=>, I<size=> → B<cipher=>, B<hash=>, B<size=> > > "Force LUKS mode\\&. When this mode is used, the following options are " > "ignored since they are provided by the LUKS header on the device: " > "I<cipher=>, I<hash=>, I<size=>" Seems OK to me. The full stop is there and has been for at least a few years. And we use <option> for the markup, which is appropriate here. > Man page: crypttab.5 > Issue 1: Missing fullstop > Issue 2: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-size=>, I<size=> → B<cipher=>, B<hash=>, B<keyfile-offset=>, B<keyfile-size=>, B<size=> > > "Use TrueCrypt encryption mode\\&. When this mode is used, the following " > "options are ignored since they are provided by the TrueCrypt header on the " > "device or do not apply: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-" > "size=>, I<size=>" Same. > Man page: journalctl.1 > Issue 1: make be → may be Fixed. > Issue 2: below\\&. → below: Fixed. > Man page: journalctl.1 > Issue: Colon at the end? > > "The following commands are understood\\&. If none is specified the default " > "is to display journal records\\&." > msgstr "" > "Die folgenden Befehle werden verstanden\\&. Falls keiner festgelegt ist, ist " > "die Anzeige von Journal-Datensätzen die Vorgabe\\&." This is a bit awkward, but I'm not sure how to fix it. > Man page: kernel-install.8 > Issue: methods a fallback → methods fallback It was correct, but I added a comma to make the sense clearer. > Man page: loader.conf.5 > Issue 1: secure boot variables → Secure Boot variables > Issue 2: one → one for (multiple times) > > "Supported secure boot variables are one database for authorized images, one " > "key exchange key (KEK) and one platform key (PK)\\&. For more information, " > "refer to the \\m[blue]B<UEFI specification>\\m[]\\&\\s-2\\u[2]\\d\\s+2, " > "under Secure Boot and Driver Signing\\&. Another resource that describe the " > "interplay of the different variables is the \\m[blue]B<EDK2 " > "documentation>\\m[]\\&\\s-2\\u[3]\\d\\s+2\\&." "one of" would sound strange. "One this and one that" is OK. > Man page: loader.conf.5 > Issue: systemd-boot → B<systemd-boot>(7) Fixed. > Man page: logind.conf.5 > Issue: systemd-logind → B<systemd-logind>(8) We use <filename>systemd-logind</> on subsequent references… I think that's good enough. > Man page: nss-myhostname.8 > Issue: B<getent> → B<getent>(1) Fixed. > Man page: nss-resolve.8 > Issue: B<systemd-resolved> → B<systemd-resolved>(8) The first reference does this, subsequent are shorter. > Man page: os-release.5 > Issue: Portable Services → Portable Services Documentation? Updated. > Man page: pam_systemd_home.8 > Issue: auth and account use "reason", while session and password do not? Reworded. > Man page: portablectl.1 > Issue: In systemd-portabled.service(8): Portable Services Documentation Updated. > Man page: repart.d.5 > Issue: The partition → the partition Fixed. > Man page: repart.d.5 > Issue: B<systemd-repart> → B<systemd-repart>(8) The first reference does this. I also change this one, because it's pretty far down in the text. > Man page: systemd.1 > Issue: kernel command line twice? > > "Takes a boolean argument\\&. If false disables importing credentials from " > "the kernel command line, qemu_fw_cfg subsystem or the kernel command line\\&." Apparently this was fixed already. > Man page: systemd-boot.7 > Issue: enrollement → enrollment Fixed. > Man page: systemd-cryptenroll.1 > Issue: multiple cases: any specified → the specified Reworded. > Man page: systemd-cryptenroll.1 > Issue: If this this → If this Fixed tree-wide. > Man page: systemd-cryptsetup-generator.8 > Issue: and the initrd → and in the initrd "Is honoured by the initrd" is OK, because we often speak about the initrd as a single unit. But in the same paragraph we also used "in the initrd", which makes the other use look sloppy. I changed it to "in the initrd" everywhere in that file. > Man page: systemd.directives.7 > Issue: Why are these two quoted (but not others)? > > "B<\\*(Aqh\\*(Aq>" > > B<\\*(Aqs\\*(Aq>" > > "B<\\*(Aqy\\*(Aq>" This is autogenerated from files… We use slightly different markup in different files, and it's just too hard to make it consistent. We gave up on this. > Man page: systemd.exec.5 > Issue 1: B<at>(1p) → B<at>(1) > Issue 2: B<crontab>(1p) → B<crontab>(1) Fixed. > Man page: systemd.exec.5 > Issue: B<select()> → B<select>(2) Fixed. > Man page: systemd.exec.5 > Issue: qemu → B<qemu>(1) The man page doesn't seem to be in any of the canonical places on the web. I added a link to online docs. > Man page: systemd.exec.5 > Issue: variable → variables Seems to be fixed already. > Man page: systemd-integritysetup-generator.8 > Issue: systemd-integritysetup-generator → B<systemd-integritysetup-generator> I changed <filename> to <command>. > Man page: systemd-integritysetup-generator.8 > Issue: superfluous comma at the end Already fixed. > Man page: systemd-measure.1 > Issue: (see B<--pcr-bank=>) below → (see B<--pcr-bank=> below) Reworded. > Man page: systemd-measure.1 > Issue: =PATH> → =>I<PATH> Fixed. > Man page: systemd-measure.1.po > Issue: B<--bank=DIGEST> → B<--bank=>I<DIGEST> Fixed. > Man page: systemd.netdev.5 > Issue: os the → on the Appears to have been fixed already. > Man page: systemd.netdev.5 > Issue: Onboard → On-board (as in previous string) Updated. > Man page: systemd.network.5 > Issue: B<systemd-networkd> -> B<systemd-networkd>(8) First reference does this, subsequent do not. > Man page: systemd.network.5 > Issue: B<netlabelctl> → B<netlabelctl>(8) First reference does this, subsequent do not. > Man page: systemd.network.5 > Issue: Missing verb (aquired? configured?) in the half sentence starting with "or by a " I dropped the comma. > Man page: systemd-nspawn.1 > Issue: All host users outside of that range → All other host users Reworded. > # FIXME no effect → no effect\\&. > #. type: Plain text > #: archlinux debian-unstable fedora-rawhide mageia-cauldron opensuse-tumbleweed > msgid "" > "Whichever ID mapping option is used, the same mapping will be used for users " > "and groups IDs\\&. If B<rootidmap> is used, the group owning the bind " > "mounted directory will have no effect" A period is added. Not sure if there's some other issue. > Man page: systemd-oomd.service.8 > Issue: B<systemd> → B<systemd>(1) Done. > Man page: systemd.path.5 > Issue 1: B<systemd.exec>(1) → B<systemd.exec>(5) > Issue 2: This section does not (yet?) exist Fixed. > Man page: systemd-pcrphase.service.8 > Issue 1: indicate phases into TPM2 PCR 11 ?? > Issue 2: Colon at the end of the paragraph? Fixed. > Man page: systemd-pcrphase.service.8 > Issue: final boot phase → final shutdown phase? Updated. > Man page: systemd-pcrphase.service.8 > Issue: for the the → for the Fixed tree-wide. > Man page: systemd-portabled.service.8 > Issue: In systemd-portabled.service(8): Portable Services Documentation Updated. > Man page: systemd-pstore.service.8 > Issue: Here and the following paragraphs: . → \\&. // Upstream: What does this comment mean? // You normally write \\&. for a full dot (full stop etc.); here you write only "." (i.e. a plain dot). > > "and we look up \"localhost\", nss-dns will send the following queries to " > "systemd-resolved listening on 127.0.0.53:53: first \"localhost.foobar.com\", " > "then \"localhost.barbar.com\", and finally \"localhost\". If (hopefully) the " > "first two queries fail, systemd-resolved will synthesize an answer for the " > "third query." Looks all OK to me. > Man page: systemd.resource-control.5 > Issue: Missing closing bracket after link to Control Groups version 1 Fixed. > Man page: systemd-sysext.8 > Issue: In systemd-portabled.service(8): Portable Services Documentation Updated. > Man page: systemd.timer.5 > Issue 1: B<systemd.exec>(1) → B<systemd.exec>(5) > Issue 2: This section does not (yet?) exist Fixed. > Man page: systemd.unit.5 > Issue: that is → that are Fixed. > Man page: systemd-veritysetup-generator.8 > Issue: systemd-veritysetup-generator → B<systemd-veritysetup-generator> > > "systemd-veritysetup-generator implements B<systemd.generator>(7)\\&." > > "systemd-veritysetup-generator understands the following kernel command line " > "parameters:" Updated. > Man page: systemd-volatile-root.service.8 > Issue: initrdyes → Initrd Fixed. > Man page: sysupdate.d.5 > Issue: : → \\&. (As above in TRANSFER) Updated. > Man page: sysupdate.d.5 > Issue: some → certain Updated. > Man page: sysupdate.d.5 > Issue 1: i\\&.e\\& → I\\&.e\\& Fixed. > Issue 2: the image → the system "image" seems correct. > Man page: tmpfiles.d.5 > Issue: systemd-tmpfiles → B<systemd-tmpfiles>(8) Updated.
2023-01-11 18:45:59 +03:00
Signing. Another resource that describe the interplay of the different variables is the
This patch adds support for enrolling secure boot boot keys from sd-boot. ***DANGER*** NOTE ***DANGER*** This feature might result in your device becoming soft-brick as outlined below, please use this feature carefully. ***DANGER*** NOTE ***DANGER*** If secure-boot-enrollment is set to no, then no action whatsoever is performed, no matter the files on the ESP. If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment is set to either manual or force then sd-boot will generate enrollment entries named after the directories they are in. The entries are shown at the very bottom of the list and can be selected by the user from the menu. If the user selects it, the user is shown a screen allowing for cancellation before a timeout. The enrollment proceeds if the action is not cancelled after the timeout. Additionally, if the secure-boot-enroll option is set to 'force' then the keys located in the directory named 'auto' are going to be enrolled automatically. The user is still going to be shown a screen allowing them to cancel the action if they want to, however the enrollment will proceed automatically after a timeout without user cancellation. After keys are enrolled, the system reboots with secure boot enabled therefore, it is ***critical*** to ensure that everything needed for the system to boot is signed properly (sd-boot itself, kernel, initramfs, PCI option ROMs). This feature currently only allows loading the most simple set of variables: PK, KEK and db. The files need to be prepared with cert-to-efi-sig-list and then signed with sign-efi-sig-list. Here is a short example to generate your own keys and the right files for auto-enrollement. ` keys="PK KEK DB" uuid="{$(systemd-id128 new -u)}" for key in ${keys}; do openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign" done sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl ` Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in order to run. You can sign the binaries with the sbsign tool, for example: ` sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage ` Example: Assuming the system has been put in Setup Mode: ` $ESP/loader/keys/auto/db.esl $ESP/loader/keys/auto/KEK.esl $ESP/loader/keys/auto/PK.esl $ESP/loader/keys/Linux Only/db.esl $ESP/loader/keys/Linux Only/KEK.esl $ESP/loader/keys/Linux Only/PK.esl $ESP/loader/keys/Linux and Windows/db.esl $ESP/loader/keys/Linux and Windows/KEK.esl $ESP/loader/keys/Linux and Windows/PK.esl ` If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto' directory. If not, three new boot entries are available to the user in order to enroll either the 'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-09 21:13:28 +03:00
<ulink url="https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/secure_boot_chain_in_uefi/uefi_secure_boot">
EDK2 documentation</ulink>.</para>
<para>A complete set of UEFI variable includes <filename>db.auth</filename>, <filename>KEK.auth</filename>
and <filename>PK.auth</filename>. Note that these files need to be authenticated UEFI variables. See
This patch adds support for enrolling secure boot boot keys from sd-boot. ***DANGER*** NOTE ***DANGER*** This feature might result in your device becoming soft-brick as outlined below, please use this feature carefully. ***DANGER*** NOTE ***DANGER*** If secure-boot-enrollment is set to no, then no action whatsoever is performed, no matter the files on the ESP. If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment is set to either manual or force then sd-boot will generate enrollment entries named after the directories they are in. The entries are shown at the very bottom of the list and can be selected by the user from the menu. If the user selects it, the user is shown a screen allowing for cancellation before a timeout. The enrollment proceeds if the action is not cancelled after the timeout. Additionally, if the secure-boot-enroll option is set to 'force' then the keys located in the directory named 'auto' are going to be enrolled automatically. The user is still going to be shown a screen allowing them to cancel the action if they want to, however the enrollment will proceed automatically after a timeout without user cancellation. After keys are enrolled, the system reboots with secure boot enabled therefore, it is ***critical*** to ensure that everything needed for the system to boot is signed properly (sd-boot itself, kernel, initramfs, PCI option ROMs). This feature currently only allows loading the most simple set of variables: PK, KEK and db. The files need to be prepared with cert-to-efi-sig-list and then signed with sign-efi-sig-list. Here is a short example to generate your own keys and the right files for auto-enrollement. ` keys="PK KEK DB" uuid="{$(systemd-id128 new -u)}" for key in ${keys}; do openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign" done sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl ` Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in order to run. You can sign the binaries with the sbsign tool, for example: ` sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage ` Example: Assuming the system has been put in Setup Mode: ` $ESP/loader/keys/auto/db.esl $ESP/loader/keys/auto/KEK.esl $ESP/loader/keys/auto/PK.esl $ESP/loader/keys/Linux Only/db.esl $ESP/loader/keys/Linux Only/KEK.esl $ESP/loader/keys/Linux Only/PK.esl $ESP/loader/keys/Linux and Windows/db.esl $ESP/loader/keys/Linux and Windows/KEK.esl $ESP/loader/keys/Linux and Windows/PK.esl ` If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto' directory. If not, three new boot entries are available to the user in order to enroll either the 'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-09 21:13:28 +03:00
below for an example of how to generate them from regular X.509 keys.</para>
2022-08-03 12:05:12 +03:00
<programlisting>uuid=$(systemd-id128 new --uuid)
This patch adds support for enrolling secure boot boot keys from sd-boot. ***DANGER*** NOTE ***DANGER*** This feature might result in your device becoming soft-brick as outlined below, please use this feature carefully. ***DANGER*** NOTE ***DANGER*** If secure-boot-enrollment is set to no, then no action whatsoever is performed, no matter the files on the ESP. If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment is set to either manual or force then sd-boot will generate enrollment entries named after the directories they are in. The entries are shown at the very bottom of the list and can be selected by the user from the menu. If the user selects it, the user is shown a screen allowing for cancellation before a timeout. The enrollment proceeds if the action is not cancelled after the timeout. Additionally, if the secure-boot-enroll option is set to 'force' then the keys located in the directory named 'auto' are going to be enrolled automatically. The user is still going to be shown a screen allowing them to cancel the action if they want to, however the enrollment will proceed automatically after a timeout without user cancellation. After keys are enrolled, the system reboots with secure boot enabled therefore, it is ***critical*** to ensure that everything needed for the system to boot is signed properly (sd-boot itself, kernel, initramfs, PCI option ROMs). This feature currently only allows loading the most simple set of variables: PK, KEK and db. The files need to be prepared with cert-to-efi-sig-list and then signed with sign-efi-sig-list. Here is a short example to generate your own keys and the right files for auto-enrollement. ` keys="PK KEK DB" uuid="{$(systemd-id128 new -u)}" for key in ${keys}; do openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign" done sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl ` Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in order to run. You can sign the binaries with the sbsign tool, for example: ` sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage ` Example: Assuming the system has been put in Setup Mode: ` $ESP/loader/keys/auto/db.esl $ESP/loader/keys/auto/KEK.esl $ESP/loader/keys/auto/PK.esl $ESP/loader/keys/Linux Only/db.esl $ESP/loader/keys/Linux Only/KEK.esl $ESP/loader/keys/Linux Only/PK.esl $ESP/loader/keys/Linux and Windows/db.esl $ESP/loader/keys/Linux and Windows/KEK.esl $ESP/loader/keys/Linux and Windows/PK.esl ` If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto' directory. If not, three new boot entries are available to the user in order to enroll either the 'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-09 21:13:28 +03:00
for key in PK KEK db; do
openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.pem"
openssl x509 -outform DER -in "${key}.pem" -out "${key}.der"
sbsiglist --owner "${uuid}" --type x509 --output "${key}.esl" "${key}.der"
This patch adds support for enrolling secure boot boot keys from sd-boot. ***DANGER*** NOTE ***DANGER*** This feature might result in your device becoming soft-brick as outlined below, please use this feature carefully. ***DANGER*** NOTE ***DANGER*** If secure-boot-enrollment is set to no, then no action whatsoever is performed, no matter the files on the ESP. If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment is set to either manual or force then sd-boot will generate enrollment entries named after the directories they are in. The entries are shown at the very bottom of the list and can be selected by the user from the menu. If the user selects it, the user is shown a screen allowing for cancellation before a timeout. The enrollment proceeds if the action is not cancelled after the timeout. Additionally, if the secure-boot-enroll option is set to 'force' then the keys located in the directory named 'auto' are going to be enrolled automatically. The user is still going to be shown a screen allowing them to cancel the action if they want to, however the enrollment will proceed automatically after a timeout without user cancellation. After keys are enrolled, the system reboots with secure boot enabled therefore, it is ***critical*** to ensure that everything needed for the system to boot is signed properly (sd-boot itself, kernel, initramfs, PCI option ROMs). This feature currently only allows loading the most simple set of variables: PK, KEK and db. The files need to be prepared with cert-to-efi-sig-list and then signed with sign-efi-sig-list. Here is a short example to generate your own keys and the right files for auto-enrollement. ` keys="PK KEK DB" uuid="{$(systemd-id128 new -u)}" for key in ${keys}; do openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign" done sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl ` Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in order to run. You can sign the binaries with the sbsign tool, for example: ` sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage ` Example: Assuming the system has been put in Setup Mode: ` $ESP/loader/keys/auto/db.esl $ESP/loader/keys/auto/KEK.esl $ESP/loader/keys/auto/PK.esl $ESP/loader/keys/Linux Only/db.esl $ESP/loader/keys/Linux Only/KEK.esl $ESP/loader/keys/Linux Only/PK.esl $ESP/loader/keys/Linux and Windows/db.esl $ESP/loader/keys/Linux and Windows/KEK.esl $ESP/loader/keys/Linux and Windows/PK.esl ` If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto' directory. If not, three new boot entries are available to the user in order to enroll either the 'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-09 21:13:28 +03:00
done
# See also: <ulink url="https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance">Windows Secure Boot Key Creation and Management Guidance</ulink>
curl --location \
"https://go.microsoft.com/fwlink/p/?linkid=321192" -o ms-db-2011.der \
"https://go.microsoft.com/fwlink/p/?linkid=321185" -o ms-kek-2011.der \
"https://go.microsoft.com/fwlink/p/?linkid=321194" -o ms-uefi-db-2011.der \
"https://go.microsoft.com/fwlink/p/?linkid=2239776" -o ms-db-2023.der \
"https://go.microsoft.com/fwlink/p/?linkid=2239775" -o ms-kek-2023.der \
"https://go.microsoft.com/fwlink/p/?linkid=2239872" -o ms-uefi-db-2023.der
2023-09-30 10:30:24 +03:00
sha1sum -c &lt;&lt;END
580a6f4cc4e4b669b9ebdc1b2b3e087b80d0678d ms-db-2011.der
31590bfd89c9d74ed087dfac66334b3931254b30 ms-kek-2011.der
46def63b5ce61cf8ba0de2e6639c1019d0ed14f3 ms-uefi-db-2011.der
45a0fa32604773c82433c3b7d59e7466b3ac0c67 ms-db-2023.der
459ab6fb5e284d272d5e3e6abc8ed663829d632b ms-kek-2023.der
b5eeb4a6706048073f0ed296e7f580a790b59eaa ms-uefi-db-2023.der
END
for key in ms-*.der; do
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output "${key%der}esl" "${key}"
done
# Optionally add Microsoft Windows certificates (needed to boot into Windows).
cat ms-db-*.esl >>db.esl
# Optionally add Microsoft UEFI certificates for firmware drivers / option ROMs and third-party
# boot loaders (including shim). This is highly recommended on real hardware as not including this
# may soft-brick your device (see next paragraph).
cat ms-uefi-*.esl >>db.esl
# Optionally add Microsoft KEK certificates. Recommended if either of the Microsoft keys is used as
# the official UEFI revocation database is signed with this key. The revocation database can be
# updated with <citerefentry project='man-pages'><refentrytitle>fwupdmgr</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
cat ms-kek-*.esl >>KEK.esl
attr=NON_VOLATILE,RUNTIME_ACCESS,BOOTSERVICE_ACCESS,TIME_BASED_AUTHENTICATED_WRITE_ACCESS
sbvarsign --attr "${attr}" --key PK.key --cert PK.pem --output PK.auth PK PK.esl
sbvarsign --attr "${attr}" --key PK.key --cert PK.pem --output KEK.auth KEK KEK.esl
sbvarsign --attr "${attr}" --key KEK.key --cert KEK.pem --output db.auth db db.esl
This patch adds support for enrolling secure boot boot keys from sd-boot. ***DANGER*** NOTE ***DANGER*** This feature might result in your device becoming soft-brick as outlined below, please use this feature carefully. ***DANGER*** NOTE ***DANGER*** If secure-boot-enrollment is set to no, then no action whatsoever is performed, no matter the files on the ESP. If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment is set to either manual or force then sd-boot will generate enrollment entries named after the directories they are in. The entries are shown at the very bottom of the list and can be selected by the user from the menu. If the user selects it, the user is shown a screen allowing for cancellation before a timeout. The enrollment proceeds if the action is not cancelled after the timeout. Additionally, if the secure-boot-enroll option is set to 'force' then the keys located in the directory named 'auto' are going to be enrolled automatically. The user is still going to be shown a screen allowing them to cancel the action if they want to, however the enrollment will proceed automatically after a timeout without user cancellation. After keys are enrolled, the system reboots with secure boot enabled therefore, it is ***critical*** to ensure that everything needed for the system to boot is signed properly (sd-boot itself, kernel, initramfs, PCI option ROMs). This feature currently only allows loading the most simple set of variables: PK, KEK and db. The files need to be prepared with cert-to-efi-sig-list and then signed with sign-efi-sig-list. Here is a short example to generate your own keys and the right files for auto-enrollement. ` keys="PK KEK DB" uuid="{$(systemd-id128 new -u)}" for key in ${keys}; do openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign" done sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl ` Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in order to run. You can sign the binaries with the sbsign tool, for example: ` sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage ` Example: Assuming the system has been put in Setup Mode: ` $ESP/loader/keys/auto/db.esl $ESP/loader/keys/auto/KEK.esl $ESP/loader/keys/auto/PK.esl $ESP/loader/keys/Linux Only/db.esl $ESP/loader/keys/Linux Only/KEK.esl $ESP/loader/keys/Linux Only/PK.esl $ESP/loader/keys/Linux and Windows/db.esl $ESP/loader/keys/Linux and Windows/KEK.esl $ESP/loader/keys/Linux and Windows/PK.esl ` If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto' directory. If not, three new boot entries are available to the user in order to enroll either the 'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-09 21:13:28 +03:00
</programlisting>
<para>This feature is considered dangerous because even if all the required files are signed with the
keys being loaded, some files necessary for the system to function properly still won't be. This
is especially the case with Option ROMs (e.g. for storage controllers or graphics cards). See
<ulink url="https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom">Secure Boot and Option ROMs</ulink>
for more details.</para>
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
This patch adds support for enrolling secure boot boot keys from sd-boot. ***DANGER*** NOTE ***DANGER*** This feature might result in your device becoming soft-brick as outlined below, please use this feature carefully. ***DANGER*** NOTE ***DANGER*** If secure-boot-enrollment is set to no, then no action whatsoever is performed, no matter the files on the ESP. If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment is set to either manual or force then sd-boot will generate enrollment entries named after the directories they are in. The entries are shown at the very bottom of the list and can be selected by the user from the menu. If the user selects it, the user is shown a screen allowing for cancellation before a timeout. The enrollment proceeds if the action is not cancelled after the timeout. Additionally, if the secure-boot-enroll option is set to 'force' then the keys located in the directory named 'auto' are going to be enrolled automatically. The user is still going to be shown a screen allowing them to cancel the action if they want to, however the enrollment will proceed automatically after a timeout without user cancellation. After keys are enrolled, the system reboots with secure boot enabled therefore, it is ***critical*** to ensure that everything needed for the system to boot is signed properly (sd-boot itself, kernel, initramfs, PCI option ROMs). This feature currently only allows loading the most simple set of variables: PK, KEK and db. The files need to be prepared with cert-to-efi-sig-list and then signed with sign-efi-sig-list. Here is a short example to generate your own keys and the right files for auto-enrollement. ` keys="PK KEK DB" uuid="{$(systemd-id128 new -u)}" for key in ${keys}; do openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt" openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign" done sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl ` Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in order to run. You can sign the binaries with the sbsign tool, for example: ` sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage ` Example: Assuming the system has been put in Setup Mode: ` $ESP/loader/keys/auto/db.esl $ESP/loader/keys/auto/KEK.esl $ESP/loader/keys/auto/PK.esl $ESP/loader/keys/Linux Only/db.esl $ESP/loader/keys/Linux Only/KEK.esl $ESP/loader/keys/Linux Only/PK.esl $ESP/loader/keys/Linux and Windows/db.esl $ESP/loader/keys/Linux and Windows/KEK.esl $ESP/loader/keys/Linux and Windows/PK.esl ` If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto' directory. If not, three new boot entries are available to the user in order to enroll either the 'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-09 21:13:28 +03:00
</varlistentry>
<varlistentry>
<term>reboot-for-bitlocker</term>
<listitem><para>Caveat: This feature is experimental, and is likely to be changed (or removed in its
current form) in a future version of systemd.</para>
<para>Work around BitLocker requiring a recovery key when the boot loader was
updated (disabled by default).</para>
man: fix issues reported by the manpage-l10n project Fixes #25780. > Man page: crypttab.5 > Issue 1: Missing fullstop > Issue 2: I<cipher=>, I<hash=>, I<size=> → B<cipher=>, B<hash=>, B<size=> > > "Force LUKS mode\\&. When this mode is used, the following options are " > "ignored since they are provided by the LUKS header on the device: " > "I<cipher=>, I<hash=>, I<size=>" Seems OK to me. The full stop is there and has been for at least a few years. And we use <option> for the markup, which is appropriate here. > Man page: crypttab.5 > Issue 1: Missing fullstop > Issue 2: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-size=>, I<size=> → B<cipher=>, B<hash=>, B<keyfile-offset=>, B<keyfile-size=>, B<size=> > > "Use TrueCrypt encryption mode\\&. When this mode is used, the following " > "options are ignored since they are provided by the TrueCrypt header on the " > "device or do not apply: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-" > "size=>, I<size=>" Same. > Man page: journalctl.1 > Issue 1: make be → may be Fixed. > Issue 2: below\\&. → below: Fixed. > Man page: journalctl.1 > Issue: Colon at the end? > > "The following commands are understood\\&. If none is specified the default " > "is to display journal records\\&." > msgstr "" > "Die folgenden Befehle werden verstanden\\&. Falls keiner festgelegt ist, ist " > "die Anzeige von Journal-Datensätzen die Vorgabe\\&." This is a bit awkward, but I'm not sure how to fix it. > Man page: kernel-install.8 > Issue: methods a fallback → methods fallback It was correct, but I added a comma to make the sense clearer. > Man page: loader.conf.5 > Issue 1: secure boot variables → Secure Boot variables > Issue 2: one → one for (multiple times) > > "Supported secure boot variables are one database for authorized images, one " > "key exchange key (KEK) and one platform key (PK)\\&. For more information, " > "refer to the \\m[blue]B<UEFI specification>\\m[]\\&\\s-2\\u[2]\\d\\s+2, " > "under Secure Boot and Driver Signing\\&. Another resource that describe the " > "interplay of the different variables is the \\m[blue]B<EDK2 " > "documentation>\\m[]\\&\\s-2\\u[3]\\d\\s+2\\&." "one of" would sound strange. "One this and one that" is OK. > Man page: loader.conf.5 > Issue: systemd-boot → B<systemd-boot>(7) Fixed. > Man page: logind.conf.5 > Issue: systemd-logind → B<systemd-logind>(8) We use <filename>systemd-logind</> on subsequent references… I think that's good enough. > Man page: nss-myhostname.8 > Issue: B<getent> → B<getent>(1) Fixed. > Man page: nss-resolve.8 > Issue: B<systemd-resolved> → B<systemd-resolved>(8) The first reference does this, subsequent are shorter. > Man page: os-release.5 > Issue: Portable Services → Portable Services Documentation? Updated. > Man page: pam_systemd_home.8 > Issue: auth and account use "reason", while session and password do not? Reworded. > Man page: portablectl.1 > Issue: In systemd-portabled.service(8): Portable Services Documentation Updated. > Man page: repart.d.5 > Issue: The partition → the partition Fixed. > Man page: repart.d.5 > Issue: B<systemd-repart> → B<systemd-repart>(8) The first reference does this. I also change this one, because it's pretty far down in the text. > Man page: systemd.1 > Issue: kernel command line twice? > > "Takes a boolean argument\\&. If false disables importing credentials from " > "the kernel command line, qemu_fw_cfg subsystem or the kernel command line\\&." Apparently this was fixed already. > Man page: systemd-boot.7 > Issue: enrollement → enrollment Fixed. > Man page: systemd-cryptenroll.1 > Issue: multiple cases: any specified → the specified Reworded. > Man page: systemd-cryptenroll.1 > Issue: If this this → If this Fixed tree-wide. > Man page: systemd-cryptsetup-generator.8 > Issue: and the initrd → and in the initrd "Is honoured by the initrd" is OK, because we often speak about the initrd as a single unit. But in the same paragraph we also used "in the initrd", which makes the other use look sloppy. I changed it to "in the initrd" everywhere in that file. > Man page: systemd.directives.7 > Issue: Why are these two quoted (but not others)? > > "B<\\*(Aqh\\*(Aq>" > > B<\\*(Aqs\\*(Aq>" > > "B<\\*(Aqy\\*(Aq>" This is autogenerated from files… We use slightly different markup in different files, and it's just too hard to make it consistent. We gave up on this. > Man page: systemd.exec.5 > Issue 1: B<at>(1p) → B<at>(1) > Issue 2: B<crontab>(1p) → B<crontab>(1) Fixed. > Man page: systemd.exec.5 > Issue: B<select()> → B<select>(2) Fixed. > Man page: systemd.exec.5 > Issue: qemu → B<qemu>(1) The man page doesn't seem to be in any of the canonical places on the web. I added a link to online docs. > Man page: systemd.exec.5 > Issue: variable → variables Seems to be fixed already. > Man page: systemd-integritysetup-generator.8 > Issue: systemd-integritysetup-generator → B<systemd-integritysetup-generator> I changed <filename> to <command>. > Man page: systemd-integritysetup-generator.8 > Issue: superfluous comma at the end Already fixed. > Man page: systemd-measure.1 > Issue: (see B<--pcr-bank=>) below → (see B<--pcr-bank=> below) Reworded. > Man page: systemd-measure.1 > Issue: =PATH> → =>I<PATH> Fixed. > Man page: systemd-measure.1.po > Issue: B<--bank=DIGEST> → B<--bank=>I<DIGEST> Fixed. > Man page: systemd.netdev.5 > Issue: os the → on the Appears to have been fixed already. > Man page: systemd.netdev.5 > Issue: Onboard → On-board (as in previous string) Updated. > Man page: systemd.network.5 > Issue: B<systemd-networkd> -> B<systemd-networkd>(8) First reference does this, subsequent do not. > Man page: systemd.network.5 > Issue: B<netlabelctl> → B<netlabelctl>(8) First reference does this, subsequent do not. > Man page: systemd.network.5 > Issue: Missing verb (aquired? configured?) in the half sentence starting with "or by a " I dropped the comma. > Man page: systemd-nspawn.1 > Issue: All host users outside of that range → All other host users Reworded. > # FIXME no effect → no effect\\&. > #. type: Plain text > #: archlinux debian-unstable fedora-rawhide mageia-cauldron opensuse-tumbleweed > msgid "" > "Whichever ID mapping option is used, the same mapping will be used for users " > "and groups IDs\\&. If B<rootidmap> is used, the group owning the bind " > "mounted directory will have no effect" A period is added. Not sure if there's some other issue. > Man page: systemd-oomd.service.8 > Issue: B<systemd> → B<systemd>(1) Done. > Man page: systemd.path.5 > Issue 1: B<systemd.exec>(1) → B<systemd.exec>(5) > Issue 2: This section does not (yet?) exist Fixed. > Man page: systemd-pcrphase.service.8 > Issue 1: indicate phases into TPM2 PCR 11 ?? > Issue 2: Colon at the end of the paragraph? Fixed. > Man page: systemd-pcrphase.service.8 > Issue: final boot phase → final shutdown phase? Updated. > Man page: systemd-pcrphase.service.8 > Issue: for the the → for the Fixed tree-wide. > Man page: systemd-portabled.service.8 > Issue: In systemd-portabled.service(8): Portable Services Documentation Updated. > Man page: systemd-pstore.service.8 > Issue: Here and the following paragraphs: . → \\&. // Upstream: What does this comment mean? // You normally write \\&. for a full dot (full stop etc.); here you write only "." (i.e. a plain dot). > > "and we look up \"localhost\", nss-dns will send the following queries to " > "systemd-resolved listening on 127.0.0.53:53: first \"localhost.foobar.com\", " > "then \"localhost.barbar.com\", and finally \"localhost\". If (hopefully) the " > "first two queries fail, systemd-resolved will synthesize an answer for the " > "third query." Looks all OK to me. > Man page: systemd.resource-control.5 > Issue: Missing closing bracket after link to Control Groups version 1 Fixed. > Man page: systemd-sysext.8 > Issue: In systemd-portabled.service(8): Portable Services Documentation Updated. > Man page: systemd.timer.5 > Issue 1: B<systemd.exec>(1) → B<systemd.exec>(5) > Issue 2: This section does not (yet?) exist Fixed. > Man page: systemd.unit.5 > Issue: that is → that are Fixed. > Man page: systemd-veritysetup-generator.8 > Issue: systemd-veritysetup-generator → B<systemd-veritysetup-generator> > > "systemd-veritysetup-generator implements B<systemd.generator>(7)\\&." > > "systemd-veritysetup-generator understands the following kernel command line " > "parameters:" Updated. > Man page: systemd-volatile-root.service.8 > Issue: initrdyes → Initrd Fixed. > Man page: sysupdate.d.5 > Issue: : → \\&. (As above in TRANSFER) Updated. > Man page: sysupdate.d.5 > Issue: some → certain Updated. > Man page: sysupdate.d.5 > Issue 1: i\\&.e\\& → I\\&.e\\& Fixed. > Issue 2: the image → the system "image" seems correct. > Man page: tmpfiles.d.5 > Issue: systemd-tmpfiles → B<systemd-tmpfiles>(8) Updated.
2023-01-11 18:45:59 +03:00
<para>Try to detect BitLocker encrypted drives along with an active TPM. If both are found and
Windows Boot Manager is selected in the boot menu, set the <literal>BootNext</literal> EFI variable
and restart the system. The firmware will then start Windows Boot Manager directly, leaving the TPM
PCRs in expected states so that Windows can unseal the encryption key. This allows
<citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> to
be updated without having to provide the recovery key for BitLocker drive unlocking.</para>
<para>Note that the PCRs that Windows uses can be configured with the
<literal>Configure TPM platform validation profile for native UEFI firmware configurations</literal>
group policy under <literal>Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption</literal>.
man: fix issues reported by the manpage-l10n project Fixes #25780. > Man page: crypttab.5 > Issue 1: Missing fullstop > Issue 2: I<cipher=>, I<hash=>, I<size=> → B<cipher=>, B<hash=>, B<size=> > > "Force LUKS mode\\&. When this mode is used, the following options are " > "ignored since they are provided by the LUKS header on the device: " > "I<cipher=>, I<hash=>, I<size=>" Seems OK to me. The full stop is there and has been for at least a few years. And we use <option> for the markup, which is appropriate here. > Man page: crypttab.5 > Issue 1: Missing fullstop > Issue 2: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-size=>, I<size=> → B<cipher=>, B<hash=>, B<keyfile-offset=>, B<keyfile-size=>, B<size=> > > "Use TrueCrypt encryption mode\\&. When this mode is used, the following " > "options are ignored since they are provided by the TrueCrypt header on the " > "device or do not apply: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-" > "size=>, I<size=>" Same. > Man page: journalctl.1 > Issue 1: make be → may be Fixed. > Issue 2: below\\&. → below: Fixed. > Man page: journalctl.1 > Issue: Colon at the end? > > "The following commands are understood\\&. If none is specified the default " > "is to display journal records\\&." > msgstr "" > "Die folgenden Befehle werden verstanden\\&. Falls keiner festgelegt ist, ist " > "die Anzeige von Journal-Datensätzen die Vorgabe\\&." This is a bit awkward, but I'm not sure how to fix it. > Man page: kernel-install.8 > Issue: methods a fallback → methods fallback It was correct, but I added a comma to make the sense clearer. > Man page: loader.conf.5 > Issue 1: secure boot variables → Secure Boot variables > Issue 2: one → one for (multiple times) > > "Supported secure boot variables are one database for authorized images, one " > "key exchange key (KEK) and one platform key (PK)\\&. For more information, " > "refer to the \\m[blue]B<UEFI specification>\\m[]\\&\\s-2\\u[2]\\d\\s+2, " > "under Secure Boot and Driver Signing\\&. Another resource that describe the " > "interplay of the different variables is the \\m[blue]B<EDK2 " > "documentation>\\m[]\\&\\s-2\\u[3]\\d\\s+2\\&." "one of" would sound strange. "One this and one that" is OK. > Man page: loader.conf.5 > Issue: systemd-boot → B<systemd-boot>(7) Fixed. > Man page: logind.conf.5 > Issue: systemd-logind → B<systemd-logind>(8) We use <filename>systemd-logind</> on subsequent references… I think that's good enough. > Man page: nss-myhostname.8 > Issue: B<getent> → B<getent>(1) Fixed. > Man page: nss-resolve.8 > Issue: B<systemd-resolved> → B<systemd-resolved>(8) The first reference does this, subsequent are shorter. > Man page: os-release.5 > Issue: Portable Services → Portable Services Documentation? Updated. > Man page: pam_systemd_home.8 > Issue: auth and account use "reason", while session and password do not? Reworded. > Man page: portablectl.1 > Issue: In systemd-portabled.service(8): Portable Services Documentation Updated. > Man page: repart.d.5 > Issue: The partition → the partition Fixed. > Man page: repart.d.5 > Issue: B<systemd-repart> → B<systemd-repart>(8) The first reference does this. I also change this one, because it's pretty far down in the text. > Man page: systemd.1 > Issue: kernel command line twice? > > "Takes a boolean argument\\&. If false disables importing credentials from " > "the kernel command line, qemu_fw_cfg subsystem or the kernel command line\\&." Apparently this was fixed already. > Man page: systemd-boot.7 > Issue: enrollement → enrollment Fixed. > Man page: systemd-cryptenroll.1 > Issue: multiple cases: any specified → the specified Reworded. > Man page: systemd-cryptenroll.1 > Issue: If this this → If this Fixed tree-wide. > Man page: systemd-cryptsetup-generator.8 > Issue: and the initrd → and in the initrd "Is honoured by the initrd" is OK, because we often speak about the initrd as a single unit. But in the same paragraph we also used "in the initrd", which makes the other use look sloppy. I changed it to "in the initrd" everywhere in that file. > Man page: systemd.directives.7 > Issue: Why are these two quoted (but not others)? > > "B<\\*(Aqh\\*(Aq>" > > B<\\*(Aqs\\*(Aq>" > > "B<\\*(Aqy\\*(Aq>" This is autogenerated from files… We use slightly different markup in different files, and it's just too hard to make it consistent. We gave up on this. > Man page: systemd.exec.5 > Issue 1: B<at>(1p) → B<at>(1) > Issue 2: B<crontab>(1p) → B<crontab>(1) Fixed. > Man page: systemd.exec.5 > Issue: B<select()> → B<select>(2) Fixed. > Man page: systemd.exec.5 > Issue: qemu → B<qemu>(1) The man page doesn't seem to be in any of the canonical places on the web. I added a link to online docs. > Man page: systemd.exec.5 > Issue: variable → variables Seems to be fixed already. > Man page: systemd-integritysetup-generator.8 > Issue: systemd-integritysetup-generator → B<systemd-integritysetup-generator> I changed <filename> to <command>. > Man page: systemd-integritysetup-generator.8 > Issue: superfluous comma at the end Already fixed. > Man page: systemd-measure.1 > Issue: (see B<--pcr-bank=>) below → (see B<--pcr-bank=> below) Reworded. > Man page: systemd-measure.1 > Issue: =PATH> → =>I<PATH> Fixed. > Man page: systemd-measure.1.po > Issue: B<--bank=DIGEST> → B<--bank=>I<DIGEST> Fixed. > Man page: systemd.netdev.5 > Issue: os the → on the Appears to have been fixed already. > Man page: systemd.netdev.5 > Issue: Onboard → On-board (as in previous string) Updated. > Man page: systemd.network.5 > Issue: B<systemd-networkd> -> B<systemd-networkd>(8) First reference does this, subsequent do not. > Man page: systemd.network.5 > Issue: B<netlabelctl> → B<netlabelctl>(8) First reference does this, subsequent do not. > Man page: systemd.network.5 > Issue: Missing verb (aquired? configured?) in the half sentence starting with "or by a " I dropped the comma. > Man page: systemd-nspawn.1 > Issue: All host users outside of that range → All other host users Reworded. > # FIXME no effect → no effect\\&. > #. type: Plain text > #: archlinux debian-unstable fedora-rawhide mageia-cauldron opensuse-tumbleweed > msgid "" > "Whichever ID mapping option is used, the same mapping will be used for users " > "and groups IDs\\&. If B<rootidmap> is used, the group owning the bind " > "mounted directory will have no effect" A period is added. Not sure if there's some other issue. > Man page: systemd-oomd.service.8 > Issue: B<systemd> → B<systemd>(1) Done. > Man page: systemd.path.5 > Issue 1: B<systemd.exec>(1) → B<systemd.exec>(5) > Issue 2: This section does not (yet?) exist Fixed. > Man page: systemd-pcrphase.service.8 > Issue 1: indicate phases into TPM2 PCR 11 ?? > Issue 2: Colon at the end of the paragraph? Fixed. > Man page: systemd-pcrphase.service.8 > Issue: final boot phase → final shutdown phase? Updated. > Man page: systemd-pcrphase.service.8 > Issue: for the the → for the Fixed tree-wide. > Man page: systemd-portabled.service.8 > Issue: In systemd-portabled.service(8): Portable Services Documentation Updated. > Man page: systemd-pstore.service.8 > Issue: Here and the following paragraphs: . → \\&. // Upstream: What does this comment mean? // You normally write \\&. for a full dot (full stop etc.); here you write only "." (i.e. a plain dot). > > "and we look up \"localhost\", nss-dns will send the following queries to " > "systemd-resolved listening on 127.0.0.53:53: first \"localhost.foobar.com\", " > "then \"localhost.barbar.com\", and finally \"localhost\". If (hopefully) the " > "first two queries fail, systemd-resolved will synthesize an answer for the " > "third query." Looks all OK to me. > Man page: systemd.resource-control.5 > Issue: Missing closing bracket after link to Control Groups version 1 Fixed. > Man page: systemd-sysext.8 > Issue: In systemd-portabled.service(8): Portable Services Documentation Updated. > Man page: systemd.timer.5 > Issue 1: B<systemd.exec>(1) → B<systemd.exec>(5) > Issue 2: This section does not (yet?) exist Fixed. > Man page: systemd.unit.5 > Issue: that is → that are Fixed. > Man page: systemd-veritysetup-generator.8 > Issue: systemd-veritysetup-generator → B<systemd-veritysetup-generator> > > "systemd-veritysetup-generator implements B<systemd.generator>(7)\\&." > > "systemd-veritysetup-generator understands the following kernel command line " > "parameters:" Updated. > Man page: systemd-volatile-root.service.8 > Issue: initrdyes → Initrd Fixed. > Man page: sysupdate.d.5 > Issue: : → \\&. (As above in TRANSFER) Updated. > Man page: sysupdate.d.5 > Issue: some → certain Updated. > Man page: sysupdate.d.5 > Issue 1: i\\&.e\\& → I\\&.e\\& Fixed. > Issue 2: the image → the system "image" seems correct. > Man page: tmpfiles.d.5 > Issue: systemd-tmpfiles → B<systemd-tmpfiles>(8) Updated.
2023-01-11 18:45:59 +03:00
When Secure Boot is enabled, changing this to PCRs <literal>0,2,7,11</literal> should be safe.
The TPM key protector needs to be removed and then added back for the PCRs on an already
encrypted drive to change. If PCR 4 is not measured, this setting can be disabled to speed
up booting into Windows.</para>
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<programlisting># /boot/efi/loader/loader.conf
timeout 0
default 01234567890abcdef1234567890abdf0-*
editor no
</programlisting>
<para>The menu will not be shown by default (the menu can still be shown by
pressing and holding a key during boot). One of the entries with files with a
name starting with <literal>01234567890abcdef1234567890abdf0-</literal> will be
selected by default. If more than one entry matches, the one with the highest
priority will be selected (generally the one with the highest version number).
The editor will be disabled, so it is not possible to alter the kernel command
line.</para>
</refsect1>
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>