git-history.diyao.me Git - systemd/.git/commit

author	Luca Boccassi <bluca@debian.org>
	Thu, 11 May 2023 23:55:58 +0000 (00:55 +0100)
committer	Luca Boccassi <bluca@debian.org>
	Wed, 24 May 2023 14:02:36 +0000 (15:02 +0100)
commit	05c9f9c2517c54b98d55f08f8afa67c79be861e8
tree	135d6335286bf6ec789fbd2e6fd862d9b236d68c	tree \| snapshot
parent	c67d5a027d7a34ab19a12f7585dd7c143d82481d	commit \| diff

stub: allow loading and verifying cmdline addons

Files placed in /EFI/Linux/UKI.efi.extra.d/ and /loader/addons/ are
opened and verified using the LoadImage protocol, and will thus get
verified via shim/firmware.
If they are valid signed PE files, the .cmdline section will be
extracted and appended. If there are multiple addons in each directory,
they will be parsed in alphanumerical order.

Optionally the .uname sections are also matched if present, so
that they can be used to filter out addons as well if needed, and only
addons that correspond exactly to the UKI being loaded are used.
It is recommended to also always add a .sbat section to addons, so
that they can be mass-revoked with just a policy update.

The files must have a .addon.efi suffix.

Files in the per-UKI directory are parsed, sorted, measured and
appended first. Then, files in the generic directory are processed.

man/systemd-stub.xml		diff \| blob \| history
mkosi.presets/00-base/mkosi.build		diff \| blob \| history
mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh		diff \| blob \| history
src/boot/efi/addon.c		diff \| blob \| history
src/boot/efi/meson.build		diff \| blob \| history
src/boot/efi/stub.c		diff \| blob \| history