5f163921e9
Currently in mkosi and ukify we use sbsigntools to do secure boot signing. This has multiple issues: - sbsigntools is practically unmaintained, sbvarsign is completely broken with the latest gnu-efi when built without -fshort-wchar and upstream has completely ignored my bug report about this. - sbsigntools only supports openssl engines and not the new providers API. - sbsigntools doesn't allow us to cache hardware token pins in the kernel keyring like we do nowadays when we sign stuff ourselves in systemd-repart or systemd-measure There are alternative tools like sbctl and pesign but these do not support caching hardware token pins in the kernel keyring either. To get around the issues with sbsigntools, let's introduce our own tool systemd-sbsign to do secure boot signing. This allows us to take advantage of our own openssl infra so that hardware token pins are cached in the kernel keyring as expected and we get openssl provider support as well.
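<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd-sbsign"
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd-sbsign</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-sbsign</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-sbsign</refname>
    <refpurpose>Sign PE binaries for EFI Secure Boot</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>systemd-sbsign</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
      <arg choice="req">COMMAND</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-sbsign</command> can be used to sign PE binaries (such as unified kernel
    images or boot loaders) for EFI Secure Boot, using a private key and X.509 certificate supplied via
    the options below. The key may be a file or reside on a hardware token accessed through an OpenSSL
    engine or provider.</para>

    <para>Note that signing a binary does not by itself make it bootable under Secure Boot: the firmware
    will only accept the signature if the signing certificate is trusted by the Secure Boot
    configuration of the system, for example because it is enrolled in the Secure Boot signature
    database (<literal>db</literal>). Conversely, anyone holding the private key can sign binaries that
    such systems will boot, so the key should be protected accordingly, preferably on a hardware
    token.</para>
  </refsect1>

  <refsect1>
    <title>Commands</title>

    <variablelist>
      <varlistentry>
        <term><option>sign</option></term>

        <listitem><para>Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as
        its argument. If the PE binary already has a certificate table, the new signature is added to
        it (existing signatures are retained); otherwise a new certificate table is created. The
        signed PE binary is written to the path specified with <option>--output=</option>. The private
        key and certificate to sign with are selected with <option>--private-key=</option>,
        <option>--private-key-source=</option> and <option>--certificate=</option>, see below.</para>

        <!-- NOTE(review): whether the output path option is mandatory (as opposed to signing in place
             when it is omitted) is not stated here; confirm against the implementation before
             documenting a default. -->

        <xi:include href="version-info.xml" xpointer="v257"/>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist>
      <varlistentry>
        <term><option>--output=<replaceable>PATH</replaceable></option></term>

        <listitem><para>Specifies the path where to write the signed PE binary.</para>

        <xi:include href="version-info.xml" xpointer="v257"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
        <term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
        <term><option>--certificate=<replaceable>PATH</replaceable></option></term>

        <listitem><para>Set the Secure Boot private key and certificate for use with the
        <command>sign</command> command. The <option>--certificate=</option> option takes a path to a
        PEM encoded X.509 certificate; it must correspond to the private key, otherwise the resulting
        signature will not verify. The <option>--private-key=</option> option can take a path or a URI
        that will be passed to the OpenSSL engine or provider, as specified by
        <option>--private-key-source=</option> as a <literal>type:name</literal> tuple, such as
        <literal>engine:pkcs11</literal>. The specified OpenSSL signing engine or provider will be used
        to sign the PE binary, so that a key held on a hardware token need not be exported from
        it.</para>

        <!-- NOTE(review): the commit introducing this tool states that PINs for hardware tokens are
             cached in the kernel keyring, as with systemd-measure and systemd-repart. Once confirmed,
             document it here, since it affects how long a token stays unlocked after a signing run. -->

        <xi:include href="version-info.xml" xpointer="v257"/></listitem>
      </varlistentry>

      <xi:include href="standard-options.xml" xpointer="no-pager"/>
      <xi:include href="standard-options.xml" xpointer="help"/>
      <xi:include href="standard-options.xml" xpointer="version"/>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para><simplelist type="inline">
      <member><citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>ukify</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
    </simplelist></para>
  </refsect1>

</refentry>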