You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Aug 11, 2023. It is now read-only.
I use refind and secure boot with custom keys.
If .cmdline is present in the UKI it ignores all options passed by the bootloader.
However if no .cmdline is present bootloader options are accepted.
Workaround add the following to /etc/sbupdate.conf:
# Generate a signed kernel image
# $1: configuration name
# $2: kernel name
function update_image() {
local linux="/boot/vmlinuz-$2"
local initrd="${INITRD[$1]:-/boot/initramfs-$1.img}"
local cmdline="${CMDLINE[$1]:-${CMDLINE_DEFAULT}}"
local output; output="$(output_name "$1")"
echo "Generating and signing $(basename "${output}")"
# Create a combined binary with systemd EFI stub. For additional information see:
# https://github.com/systemd/systemd/blob/master/src/boot/efi/stub.c
# https://github.com/systemd/systemd/blob/master/test/test-efi-create-disk.sh
#
# Prepend initramfs files are joined with the main initramfs in one image. Refer to:
# https://www.kernel.org/doc/Documentation/early-userspace/buffer-format.txt
# https://www.kernel.org/doc/Documentation/x86/microcode.txt
# --add-section .cmdline=<(printf "%s\0" "${cmdline}") --change-section-vma .cmdline=0x30000 \
objcopy \
--add-section .osrel="/etc/os-release" --change-section-vma .osrel=0x20000 \
--add-section .splash="${SPLASH}" --change-section-vma .splash=0x40000 \
--add-section .linux="${linux}" --change-section-vma .linux=0x2000000 \
--add-section .initrd=<(cat "${INITRD_PREPEND[@]}" "${initrd}") --change-section-vma .initrd=0x3000000 \
"${EFISTUB}" "${output}"
wait $!
# Sign the resulting output file
sign_file --output "${output}" "${output}"
}
Official support for this would be nice.
As it reduces the security sbupdate could emit a warning if the DEFAULT_CMDLINE config is unset and skip embedding a .cmdline.
The text was updated successfully, but these errors were encountered:
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I use refind and secure boot with custom keys.
If
.cmdline
is present in the UKI it ignores all options passed by the bootloader.However if no
.cmdline
is present bootloader options are accepted.Workaround add the following to
/etc/sbupdate.conf
:Official support for this would be nice.
As it reduces the security sbupdate could emit a warning if the
DEFAULT_CMDLINE
config is unset and skip embedding a.cmdline
.The text was updated successfully, but these errors were encountered: