diff options
| author | Emanuele Giuseppe Esposito <eesposit@redhat.com> | 2023-05-04 11:48:47 -0400 |
|---|---|---|
| committer | Emanuele Giuseppe Esposito <eesposit@redhat.com> | 2023-05-10 09:18:27 -0400 |
| commit | c1e8d1727b64cc38821140312c7c3348300d81a0 (patch) | |
| tree | d450622294663899ef76cf464275ba8137f81236 /man | |
| parent | e673c5c2d904d821719b2d21746ef91482acf8b4 (diff) | |
| download | systemd-c1e8d1727b64cc38821140312c7c3348300d81a0.tar.gz | |
ukify: support pesign as alternative to sbsign
sbsign is not available everywhere, for example RHEL does not have it.
Add pesign as alternative to it.
pesign will use options "--secureboot-certificate-name" (mandatory) and
"--secureboot-certificate-dir" (optional), while sbsign will use
"--secureboot-private-key" and "--secureboot-certificate".
By default, use sbsign. If no key/cert is provided or sbsign is not found,
try pesign.
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Diffstat (limited to 'man')
| -rw-r--r-- | man/ukify.xml | 32 |
1 files changed, 30 insertions, 2 deletions
diff --git a/man/ukify.xml b/man/ukify.xml index cc711190fa..f5a2fcc3e8 100644 --- a/man/ukify.xml +++ b/man/ukify.xml @@ -254,12 +254,22 @@ </varlistentry> <varlistentry> + <term><varname>SecureBootSigningTool=<replaceable>SIGNER</replaceable></varname></term> + <term><option>--signtool=<replaceable>SIGNER</replaceable></option></term> + + <listitem><para>Whether to use <literal>sbsign</literal> or <literal>pesign</literal>. + Depending on this choice, different parameters are required in order to sign an image. + Defaults to <literal>sbsign</literal>.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>SecureBootPrivateKey=<replaceable>SB_KEY</replaceable></varname></term> <term><option>--secureboot-private-key=<replaceable>SB_KEY</replaceable></option></term> <listitem><para>A path to a private key to use for signing of the resulting binary. If the <varname>SigningEngine=</varname>/<option>--signing-engine=</option> option is used, this may also be - an engine-specific designation.</para></listitem> + an engine-specific designation. This option is required by + <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option>. </para></listitem> </varlistentry> <varlistentry> @@ -268,7 +278,25 @@ <listitem><para>A path to a certificate to use for signing of the resulting binary. If the <varname>SigningEngine=</varname>/<option>--signing-engine=</option> option is used, this may also - be an engine-specific designation.</para></listitem> + be an engine-specific designation. This option is required by + <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option>. </para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SecureBootCertificateDir=<replaceable>SB_PATH</replaceable></varname></term> + <term><option>--secureboot-certificate-dir=<replaceable>SB_PATH</replaceable></option></term> + + <listitem><para>A path to a nss certificate database directory to use for signing of the resulting binary. + Takes effect when <varname>SecureBootSigningTool=pesign</varname>/<option>--signtool=pesign</option> is used. + Defaults to <filename>/etc/pki/pesign</filename>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SecureBootCertificateName=<replaceable>SB_CERTNAME</replaceable></varname></term> + <term><option>--secureboot-certificate-name=<replaceable>SB_CERTNAME</replaceable></option></term> + + <listitem><para>The name of the nss certificate database entry to use for signing of the resulting binary. + This option is required by <varname>SecureBootSigningTool=pesign</varname>/<option>--signtool=pesign</option>.</para></listitem> </varlistentry> <varlistentry> |