1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-29 15:22:07 +03:00
Commit Graph

33 Commits

Author SHA1 Message Date
Luca Boccassi
84033dd405 man: fix typo found by Lintian 2022-10-31 21:17:47 +00:00
Jan Janssen
adb9485acb man: Add instructions for Microsoft secure boot keys
Adding Microsoft keys by default is recommended because firmware drivers
might be signed by it.

This also changes the file ending from .esl to .auth as that is used by
sign-efi-sig-list manpage and other sources.
2022-08-04 10:03:48 +02:00
Jan Janssen
f234a56db5 boot: Follow-up fixes for #20255 2022-08-03 11:05:12 +02:00
Vincent Dagonneau
e6b0cfad51 This patch adds support for enrolling secure boot boot keys from sd-boot.
***DANGER*** NOTE ***DANGER***

This feature might result in your device becoming soft-brick as outlined
below, please use this feature carefully.

***DANGER*** NOTE ***DANGER***

If secure-boot-enrollment is set to no, then no action whatsoever is performed,
no matter the files on the ESP.

If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment
is set to either manual or force then sd-boot will generate enrollment entries
named after the directories they are in. The entries are shown at the very bottom
of the list and can be selected by the user from the menu. If the user selects it,
the user is shown a screen allowing for cancellation before a timeout. The enrollment
proceeds if the action is not cancelled after the timeout.

Additionally, if the secure-boot-enroll option is set to 'force' then the keys
located in the directory named 'auto' are going to be enrolled automatically. The user
is still going to be shown a screen allowing them to cancel the action if they want to,
however the enrollment will proceed automatically after a timeout without
user cancellation.

After keys are enrolled, the system reboots with secure boot enabled therefore, it is
***critical*** to ensure that everything needed for the system to boot is signed
properly (sd-boot itself, kernel, initramfs, PCI option ROMs).

This feature currently only allows loading the most simple set of variables: PK, KEK
and db.

The files need to be prepared with cert-to-efi-sig-list and then signed with
sign-efi-sig-list.

Here is a short example to generate your own keys and the right files for
auto-enrollement.

`
keys="PK KEK DB"
uuid="{$(systemd-id128 new -u)}"
for key in ${keys}; do
	openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt"
	openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
	cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign"
done

sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl
`

Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in
order to run. You can sign the binaries with the sbsign tool, for example:

`
sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage
`

Example:

Assuming the system has been put in Setup Mode:

`
$ESP/loader/keys/auto/db.esl
$ESP/loader/keys/auto/KEK.esl
$ESP/loader/keys/auto/PK.esl
$ESP/loader/keys/Linux Only/db.esl
$ESP/loader/keys/Linux Only/KEK.esl
$ESP/loader/keys/Linux Only/PK.esl
$ESP/loader/keys/Linux and Windows/db.esl
$ESP/loader/keys/Linux and Windows/KEK.esl
$ESP/loader/keys/Linux and Windows/PK.esl
`

If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto'
directory.

If not, three new boot entries are available to the user in order to enroll either the
'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-08-03 10:11:08 +02:00
Zbigniew Jędrzejewski-Szmek
6f52e1c63b man: fix link to glob(3) 2022-07-05 21:49:12 +02:00
Yu Watanabe
172cbcdc8b tree-wide: fix typo 2022-06-15 14:50:34 +09:00
Jan Janssen
23742af522 boot: Drop use of MetaiMatch
A future commit will add support for unicode collation protocol that
allows case folding and comparing strings with locale awareness. But it
only operates on whole strings, so fnmatch cannot use those without a
heavy cost. Instead we just case fold the patterns instead (the IDs we
try to match are already lower case).
2022-06-09 12:50:13 +02:00
Eduard Tolosa
815068d3a3 loader.conf: Clarify the default value of timeout. 2022-05-27 06:48:18 +09:00
Rahil Bhimjiani
97e7d4945d [sd-boot] improve documentation of beep 2022-05-25 14:20:14 +02:00
Lennart Poettering
cafa9d87b4 man: clarify that type #1 entries are also read from the XBOOTLDR partition 2022-03-22 00:23:25 +01:00
Lennart Poettering
d212b862bf man: clarify where the settings in type #1 entries are documented
So (maybe weirdly) loader.conf(5) documents both loader.conf and type #1
entries (because they share a similar syntax). But it then only lists
the options of loader.conf. Let's add an explicit hint where to find
the documentation of the type #1 entries.
2022-03-22 00:22:07 +01:00
Lennart Poettering
84df0f315a man: clarify the format used by sd-boot config files 2022-03-22 00:22:07 +01:00
Zbigniew Jędrzejewski-Szmek
a0aa38389d man: cross-link to BLS in more places, use "Type #1", "Type #2" as appropriate 2022-03-21 12:16:54 +01:00
Lennart Poettering
deb5c820ca sd-boot: disable bitlocker reboot feature for now
Conceptually the feature is great and should exist, but in its current
form should be worked to be generic (i.e. not specific to
Windows/Bitlocker, but appliable to any boot entry), not be global (but
be a per-entry thing), not require a BootXXXX entry to exist, and not
check for the BitLocker signature (as TPMs are not just used for
BitLocker).

Since we want to get 251 released, mark it in the documentation, in NEWS
and in code as experimental and make clear it will be reworked in a
future release. Also, make it opt-in to make it less likely people come
to rely on it without reading up on it, and understanding that it will
likely change sooner or later.

Follow-up for: #22043
See: #22390
2022-03-16 18:39:57 +01:00
Jan Janssen
cc25bedb29 boot: Beep n times for n-th entry 2022-01-17 00:05:35 +00:00
Jan Janssen
85d2f13b6f boot: Add PC speaker support
Fixes: #17508
2022-01-16 10:34:01 +00:00
Jan Janssen
661615a0af boot: Add BitLocker TPM key sealing workaround
Fixes: #21891
2022-01-10 16:40:16 +01:00
Davide Cavalca
ba38a24de3 man: do not install sd-boot man pages when -Dgnu-efi=false is set 2021-12-14 00:08:55 +00:00
Jan Janssen
ee4fd9cbd4 sd-boot: Add support to boot last selected entry
Fixes: #18994
2021-10-29 13:57:24 +02:00
Jan Janssen
e6cab77eca sd-boot: Add keys to reboot into firmware interface
This is useful if the auto-firmware setting has been disabled. The
keys used here are based on what the majority of firmware employ in
the wild.
This also ensures there's a chance for the user to discover this in
case they were too slow during POST or simply used the wrong ones.
2021-10-22 19:12:55 +02:00
Jan Janssen
52b6b35643 sd-boot: Allow disabling timeout 2021-10-08 15:26:55 +02:00
Jan Janssen
64bb56e58b sd-boot: Allow automatic entries to be default 2021-08-16 15:52:15 +02:00
Jan Janssen
dba0c9832b sd-boot: Allow on/off and t/f for booleans too 2021-08-12 16:10:06 +02:00
Yu Watanabe
db9ecf0501 license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
ml
992622c428 man: fix typo in loader.conf(5) 2020-03-22 20:22:03 +01:00
Lennart Poettering
93f5910078 docs: add longer document about systemd and random number seeds 2019-07-25 18:31:20 +02:00
Lennart Poettering
39867bb9fb man: document the systemd-random-seed rework 2019-07-25 18:31:20 +02:00
Zbigniew Jędrzejewski-Szmek
3a54a15760 man: use same header for all files
The "include" files had type "book" for some raeason. I don't think this
is meaningful. Let's just use the same everywhere.

$ perl -i -0pe 's^..DOCTYPE (book|refentry) PUBLIC "-//OASIS//DTD DocBook XML V4.[25]//EN"\s+"http^<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"\n  "http^gms' man/*.xml
2019-03-14 14:42:05 +01:00
Zbigniew Jędrzejewski-Szmek
0307f79171 man: standarize on one-line license header
No need to waste space, and uniformity is good.

$ perl -i -0pe 's|\n+<!--\s*SPDX-License-Identifier: LGPL-2.1..\s*-->|\n<!-- SPDX-License-Identifier: LGPL-2.1+ -->|gms' man/*.xml
2019-03-14 14:29:37 +01:00
Yu Watanabe
cbae79b8d0 man: systemd-boot does not read loader.conf.d/*.conf
Fixes #10923.
2018-11-26 06:58:31 +09:00
Yu Watanabe
70c8db7555 man: use systemd-boot instead of sd-boot 2018-06-15 14:27:37 +09:00
Zbigniew Jędrzejewski-Szmek
fdbbee37d5 man: drop unused <authorgroup> tags from man sources
Docbook styles required those to be present, even though the templates that we
use did not show those names anywhere. But something changed semi-recently (I
would suspect docbook templates, but there was only a minor version bump in
recent years, and the changelog does not suggest anything related), and builds
now work without those entries. Let's drop this dead weight.

Tested with F26-F29, debian unstable.

$ perl -i -0pe 's/\s*<authorgroup>.*<.authorgroup>//gms' man/*xml
2018-06-14 12:22:18 +02:00
Zbigniew Jędrzejewski-Szmek
f37d383582 man: add some basic documentation for sd-boot (#8379)
I'm sure this can be improved in various ways, but I think
it's a good start.
2018-03-11 19:22:09 +09:00