systemd/man/systemd-sbsign.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd-sbsign"
    xmlns:xi="http://www.w3.org/2001/XInclude">
  <refentryinfo>
    <title>systemd-sbsign</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-sbsign</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-sbsign</refname>
    <refpurpose>Sign PE binaries for EFI Secure Boot</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>systemd-sbsign</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
      <arg choice="req">COMMAND</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-sbsign</command> can be used to sign PE binaries for EFI Secure Boot.</para>
  </refsect1>

  <refsect1>
    <title>Commands</title>

    <variablelist>
      <varlistentry>
        <term><option>sign</option></term>

        <listitem><para>Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its
        argument. If the PE binary already has a certificate table, the new signature will be added to it.
        Otherwise a new certificate table will be created. The signed PE binary will be written to the path
        specified with <option>--output=</option>.</para>

        <xi:include href="version-info.xml" xpointer="v257"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>validate-key</option></term>

        <listitem><para>Checks that we can load the private key specified with
        <option>--private-key=</option>. </para>

        <para>As a side effect, if the private key is loaded from a PIN-protected hardware token, this
        command can be used to cache the PIN in the kernel keyring. The
        <varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC</varname> and
        <varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TYPE</varname> environment variables can be used to control
        how long and in which kernel keyring the PIN is cached.</para>

        <xi:include href="version-info.xml" xpointer="v257"/>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Options</title>
    <para>The following options are understood:</para>

    <variablelist>
      <varlistentry>
        <term><option>--output=<replaceable>PATH</replaceable></option></term>

        <listitem><para>Specifies the path where to write the signed PE binary.</para>

        <xi:include href="version-info.xml" xpointer="v257"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
        <term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
        <term><option>--certificate=<replaceable>PATH</replaceable></option></term>

        <listitem><para>Set the Secure Boot private key and certificate for use with the
        <command>sign</command>. The <option>--certificate=</option> option takes a path to a PEM encoded
        X.509 certificate. The <option>--private-key=</option> option can take a path or a URI that will be
        passed to the OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a
        <literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
        signing engine or provider will be used to sign the PE binary.</para>

        <xi:include href="version-info.xml" xpointer="v257"/></listitem>
      </varlistentry>

      <xi:include href="standard-options.xml" xpointer="no-pager"/>
      <xi:include href="standard-options.xml" xpointer="help"/>
      <xi:include href="standard-options.xml" xpointer="version"/>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para><simplelist type="inline">
      <member><citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
    </simplelist></para>
  </refsect1>
</refentry>
Introduce systemd-sbsign to do secure boot signing Currently in mkosi and ukify we use sbsigntools to do secure boot signing. This has multiple issues: - sbsigntools is practically unmaintained, sbvarsign is completely broken with the latest gnu-efi when built without -fshort-wchar and upstream has completely ignored my bug report about this. - sbsigntools only supports openssl engines and not the new providers API. - sbsigntools doesn't allow us to cache hardware token pins in the kernel keyring like we do nowadays when we sign stuff ourselves in systemd-repart or systemd-measure There are alternative tools like sbctl and pesign but these do not support caching hardware token pins in the kernel keyring either. To get around the issues with sbsigntools, let's introduce our own tool systemd-sbsign to do secure boot signing. This allows us to take advantage of our own openssl infra so that hardware token pins are cached in the kernel keyring as expected and we get openssl provider support as well. 2024-11-05 00:36:32 +01:00			`<?xml version='1.0'?> <!---nxml--->`
			`<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"`
			`"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">`
			`<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->`

			`<refentry id="systemd-sbsign"`
			`xmlns:xi="http://www.w3.org/2001/XInclude">`
			`<refentryinfo>`
			`<title>systemd-sbsign</title>`
			`<productname>systemd</productname>`
			`</refentryinfo>`

			`<refmeta>`
			`<refentrytitle>systemd-sbsign</refentrytitle>`
			`<manvolnum>1</manvolnum>`
			`</refmeta>`

			`<refnamediv>`
			`<refname>systemd-sbsign</refname>`
			`<refpurpose>Sign PE binaries for EFI Secure Boot</refpurpose>`
			`</refnamediv>`

			`<refsynopsisdiv>`
			`<cmdsynopsis>`
			`<command>systemd-sbsign</command>`
			`<arg choice="opt" rep="repeat">OPTIONS</arg>`
			`<arg choice="req">COMMAND</arg>`
			`</cmdsynopsis>`
			`</refsynopsisdiv>`

			`<refsect1>`
			`<title>Description</title>`

			`<para><command>systemd-sbsign</command> can be used to sign PE binaries for EFI Secure Boot.</para>`
			`</refsect1>`

			`<refsect1>`
			`<title>Commands</title>`

			`<variablelist>`
			`<varlistentry>`
			`<term><option>sign</option></term>`

			`<listitem><para>Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its`
			`argument. If the PE binary already has a certificate table, the new signature will be added to it.`
			`Otherwise a new certificate table will be created. The signed PE binary will be written to the path`
			`specified with <option>--output=</option>.</para>`

			`<xi:include href="version-info.xml" xpointer="v257"/>`
			`</listitem>`
			`</varlistentry>`
sbsign: Add validate-key verb This verb checks that we can load the specified private key. 2024-11-05 13:43:02 +01:00
			`<varlistentry>`
			`<term><option>validate-key</option></term>`

			`<listitem><para>Checks that we can load the private key specified with`
			`<option>--private-key=</option>. </para>`

			`<para>As a side effect, if the private key is loaded from a PIN-protected hardware token, this`
			`command can be used to cache the PIN in the kernel keyring. The`
			`<varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC</varname> and`
			`<varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TYPE</varname> environment variables can be used to control`
			`how long and in which kernel keyring the PIN is cached.</para>`

			`<xi:include href="version-info.xml" xpointer="v257"/>`
			`</listitem>`
			`</varlistentry>`
Introduce systemd-sbsign to do secure boot signing Currently in mkosi and ukify we use sbsigntools to do secure boot signing. This has multiple issues: - sbsigntools is practically unmaintained, sbvarsign is completely broken with the latest gnu-efi when built without -fshort-wchar and upstream has completely ignored my bug report about this. - sbsigntools only supports openssl engines and not the new providers API. - sbsigntools doesn't allow us to cache hardware token pins in the kernel keyring like we do nowadays when we sign stuff ourselves in systemd-repart or systemd-measure There are alternative tools like sbctl and pesign but these do not support caching hardware token pins in the kernel keyring either. To get around the issues with sbsigntools, let's introduce our own tool systemd-sbsign to do secure boot signing. This allows us to take advantage of our own openssl infra so that hardware token pins are cached in the kernel keyring as expected and we get openssl provider support as well. 2024-11-05 00:36:32 +01:00			`</variablelist>`
			`</refsect1>`

			`<refsect1>`
			`<title>Options</title>`
			`<para>The following options are understood:</para>`

			`<variablelist>`
			`<varlistentry>`
			`<term><option>--output=<replaceable>PATH</replaceable></option></term>`

			`<listitem><para>Specifies the path where to write the signed PE binary.</para>`

			`<xi:include href="version-info.xml" xpointer="v257"/></listitem>`
			`</varlistentry>`

			`<varlistentry>`
			`<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>`
man: fix syntax error in systemd-sbsign.xml Follow-up for 5f163921e9ff6d735798db259c47543822f81b5c 2024-11-06 19:18:15 +00:00			`<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>`
Introduce systemd-sbsign to do secure boot signing Currently in mkosi and ukify we use sbsigntools to do secure boot signing. This has multiple issues: - sbsigntools is practically unmaintained, sbvarsign is completely broken with the latest gnu-efi when built without -fshort-wchar and upstream has completely ignored my bug report about this. - sbsigntools only supports openssl engines and not the new providers API. - sbsigntools doesn't allow us to cache hardware token pins in the kernel keyring like we do nowadays when we sign stuff ourselves in systemd-repart or systemd-measure There are alternative tools like sbctl and pesign but these do not support caching hardware token pins in the kernel keyring either. To get around the issues with sbsigntools, let's introduce our own tool systemd-sbsign to do secure boot signing. This allows us to take advantage of our own openssl infra so that hardware token pins are cached in the kernel keyring as expected and we get openssl provider support as well. 2024-11-05 00:36:32 +01:00			`<term><option>--certificate=<replaceable>PATH</replaceable></option></term>`

			`<listitem><para>Set the Secure Boot private key and certificate for use with the`
			`<command>sign</command>. The <option>--certificate=</option> option takes a path to a PEM encoded`
			`X.509 certificate. The <option>--private-key=</option> option can take a path or a URI that will be`
			`passed to the OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a`
			`<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL`
			`signing engine or provider will be used to sign the PE binary.</para>`

			`<xi:include href="version-info.xml" xpointer="v257"/></listitem>`
			`</varlistentry>`

			`<xi:include href="standard-options.xml" xpointer="no-pager"/>`
			`<xi:include href="standard-options.xml" xpointer="help"/>`
			`<xi:include href="standard-options.xml" xpointer="version"/>`
			`</variablelist>`
			`</refsect1>`

			`<refsect1>`
			`<title>See Also</title>`
			`<para><simplelist type="inline">`
			`<member><citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>`
			`</simplelist></para>`
			`</refsect1>`
			`</refentry>`