This repository has been archived by the owner on Aug 11, 2023. It is now read-only.

Allow .cmdline to be omitted #61

Open
raldone01 opened this issue Mar 9, 2023 · 0 comments

raldone01 commented Mar 9, 2023

I use refind and secure boot with custom keys.
If .cmdline is present in the UKI, it ignores all options passed by the bootloader.
However, if no .cmdline is present, bootloader options are accepted.

Workaround: add the following to /etc/sbupdate.conf:

# Generate a signed kernel image
#   $1: configuration name
#   $2: kernel name
function update_image() {
  local linux="/boot/vmlinuz-$2"
  local initrd="${INITRD[$1]:-/boot/initramfs-$1.img}"
  local cmdline="${CMDLINE[$1]:-${CMDLINE_DEFAULT}}"
  local output; output="$(output_name "$1")"

  echo "Generating and signing $(basename "${output}")"

  # Create a combined binary with systemd EFI stub. For additional information see:
  #   https://github.com/systemd/systemd/blob/master/src/boot/efi/stub.c
  #   https://github.com/systemd/systemd/blob/master/test/test-efi-create-disk.sh
  #
  # Prepend initramfs files are joined with the main initramfs in one image. Refer to:
  #   https://www.kernel.org/doc/Documentation/early-userspace/buffer-format.txt
  #   https://www.kernel.org/doc/Documentation/x86/microcode.txt
  #
  # The .cmdline section is deliberately not embedded: without it the stub
  # accepts the options the bootloader passes. The stock line was:
  #   --add-section .cmdline=<(printf "%s\0" "${cmdline}")            --change-section-vma .cmdline=0x30000  \

  objcopy \
    --add-section .osrel="/etc/os-release"                          --change-section-vma .osrel=0x20000    \
    --add-section .splash="${SPLASH}"                               --change-section-vma .splash=0x40000   \
    --add-section .linux="${linux}"                                 --change-section-vma .linux=0x2000000  \
    --add-section .initrd=<(cat "${INITRD_PREPEND[@]}" "${initrd}") --change-section-vma .initrd=0x3000000 \
    "${EFISTUB}" "${output}"
  wait $!  # reap the process substitution that fed the .initrd section

  # Sign the resulting output file
  sign_file --output "${output}" "${output}"
}

Official support for this would be nice.
As it reduces security, sbupdate could emit a warning if the DEFAULT_CMDLINE config is unset and skip embedding a .cmdline.
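A small audit script for the property this issue turns on, added here as an example and not code from the issue author or from sbupdate: it walks the PE section table of a built UKI and reports whether a .cmdline section is embedded, which, per the behaviour described above, decides whether bootloader-supplied options are honoured. The parser, the function names (pe_sections, read_section, audit_uki) and the build_fake_uki helper are assumptions of this example; the two sample images it constructs are minimal PE files with no optional header, enough for the parser to exercise but not bootable.

```python
"""Audit a UKI (PE/COFF image) for an embedded .cmdline section.

Example code; names and the constructed sample images are assumptions,
not part of sbupdate or the systemd stub.
"""
import struct

# Section-table entry layout from the PE/COFF spec: Name, VirtualSize,
# VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics.
_SECTION_FMT = "<8sIIIIIIHHI"
_SECTION_SIZE = struct.calcsize(_SECTION_FMT)  # 40 bytes


def pe_sections(data):
    """Return {section_name: (virtual_address, raw_offset, raw_size)} for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_hdr_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_hdr_size  # section table follows the optional header
    sections = {}
    for i in range(num_sections):
        entry = struct.unpack_from(_SECTION_FMT, data, table + i * _SECTION_SIZE)
        name = entry[0].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = entry[1:5]
        sections[name] = (vaddr, raw_ptr, raw_size)
    return sections


def read_section(data, name):
    """Return the raw bytes of a named section, or None if it is absent."""
    sections = pe_sections(data)
    if name not in sections:
        return None
    _vaddr, raw_ptr, raw_size = sections[name]
    return data[raw_ptr:raw_ptr + raw_size]


def audit_uki(data):
    """Report the embedded command line and whether loader options will be used.

    Follows the behaviour described in the issue: an embedded .cmdline wins,
    and only an image without one accepts what the bootloader passes.
    """
    raw = read_section(data, ".cmdline")
    if raw is None:
        return {"embedded_cmdline": None, "accepts_bootloader_options": True}
    cmdline = raw.split(b"\0", 1)[0].decode("utf-8", "replace").strip()
    return {"embedded_cmdline": cmdline, "accepts_bootloader_options": False}


def build_fake_uki(sections):
    """Construct a minimal PE carrying the given sections (test data, not bootable)."""
    names = list(sections)
    e_lfanew = 0x40
    coff_off = e_lfanew + 4
    table_off = coff_off + 20          # SizeOfOptionalHeader is 0 in this sample
    data_off = table_off + len(names) * _SECTION_SIZE
    header = bytearray(data_off)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    header[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine (x86-64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", header, coff_off, 0x8664, len(names), 0, 0, 0, 0, 0x2)
    body = bytearray()
    vaddr = 0x20000
    for i, name in enumerate(names):
        content = sections[name]
        raw_ptr = data_off + len(body)
        struct.pack_into(_SECTION_FMT, header, table_off + i * _SECTION_SIZE,
                         name.encode("ascii").ljust(8, b"\0"), len(content), vaddr,
                         len(content), raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += content
        vaddr += 0x10000
    return bytes(header + body)


# Constructed samples: one image built the stock way, one with .cmdline omitted.
WITH_CMDLINE = build_fake_uki({
    ".osrel": b"NAME=Arch Linux\n",
    ".cmdline": b"root=/dev/mapper/root rw quiet\0",
})
WITHOUT_CMDLINE = build_fake_uki({".osrel": b"NAME=Arch Linux\n"})

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, audit_uki(f.read()))
```

Pointed at real images (for example the signed .efi files under the ESP, a path that depends on your setup), it lets you confirm that every image you ship either embeds the command line you expect or was deliberately built without one, before trusting what the bootloader menu shows.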
