2018-03-11 18:22:09 +08:00
|
|
|
<?xml version='1.0'?> <!--*-nxml-*-->
|
2019-03-14 21:40:58 +08:00
|
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
2023-12-25 22:48:33 +08:00
|
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
2020-11-09 12:23:58 +08:00
|
|
|
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
|
2018-03-11 18:22:09 +08:00
|
|
|
|
2023-02-26 21:09:44 +08:00
|
|
|
<refentry id="systemd-boot" conditional='ENABLE_BOOTLOADER'
|
2018-03-11 18:22:09 +08:00
|
|
|
xmlns:xi="http://www.w3.org/2001/XInclude">
|
|
|
|
|
<refentryinfo>
|
2018-06-15 13:25:22 +08:00
|
|
|
<title>systemd-boot</title>
|
2018-03-11 18:22:09 +08:00
|
|
|
<productname>systemd</productname>
|
|
|
|
|
</refentryinfo>
|
|
|
|
|
|
|
|
|
|
<refmeta>
|
2018-06-15 13:25:22 +08:00
|
|
|
<refentrytitle>systemd-boot</refentrytitle>
|
2018-03-11 18:22:09 +08:00
|
|
|
<manvolnum>7</manvolnum>
|
|
|
|
|
</refmeta>
|
|
|
|
|
|
|
|
|
|
<refnamediv>
|
2018-06-15 13:25:22 +08:00
|
|
|
<refname>systemd-boot</refname>
|
2018-03-11 18:22:09 +08:00
|
|
|
<refname>sd-boot</refname>
|
|
|
|
|
<refpurpose>A simple UEFI boot manager</refpurpose>
|
|
|
|
|
</refnamediv>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
<title>Description</title>
|
|
|
|
|
|
2019-02-12 23:13:57 +08:00
|
|
|
<para><command>systemd-boot</command> (short: <command>sd-boot</command>) is a simple UEFI boot
|
2021-09-21 22:52:57 +08:00
|
|
|
manager. It provides a textual menu to select the entry to boot and an editor for the kernel command
|
2019-02-12 23:13:57 +08:00
|
|
|
line. <command>systemd-boot</command> supports systems with UEFI firmware only.</para>
|
2018-06-20 17:59:11 +08:00
|
|
|
|
2019-07-22 20:19:33 +08:00
|
|
|
<para><command>systemd-boot</command> loads boot entry information from the EFI system partition (ESP),
|
|
|
|
|
usually mounted at <filename>/efi/</filename>, <filename>/boot/</filename>, or
|
2022-03-22 07:21:36 +08:00
|
|
|
<filename>/boot/efi/</filename> during OS runtime, as well as from the Extended Boot Loader partition
|
|
|
|
|
(XBOOTLDR) if it exists (usually mounted to <filename>/boot/</filename>). Configuration file fragments,
|
|
|
|
|
kernels, initrds and other EFI images to boot generally need to reside on the ESP or the Extended Boot
|
|
|
|
|
Loader partition. Linux kernels must be built with <option>CONFIG_EFI_STUB</option> to be able to be
|
|
|
|
|
directly executed as an EFI image. During boot <command>systemd-boot</command> automatically assembles a
|
|
|
|
|
list of boot entries from the following sources:</para>
|
2018-06-20 17:59:11 +08:00
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
|
<listitem><para>Boot entries defined with <ulink
|
2022-11-14 16:44:39 +08:00
|
|
|
url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink> Type #1
|
2022-03-21 19:16:35 +08:00
|
|
|
description files located in <filename>/loader/entries/</filename> on the ESP and the Extended Boot
|
|
|
|
|
Loader Partition. These usually describe Linux kernel images with associated initrd images, but
|
|
|
|
|
alternatively may also describe other arbitrary EFI executables.</para></listitem>
|
2018-06-20 17:59:11 +08:00
|
|
|
|
2022-11-14 16:44:39 +08:00
|
|
|
<listitem><para>Unified kernel images, <ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot
|
2022-03-21 19:16:35 +08:00
|
|
|
Loader Specification</ulink> Type #2, which are executable EFI binaries in
|
|
|
|
|
<filename>/EFI/Linux/</filename> on the ESP and the Extended Boot Loader Partition.</para></listitem>
|
2018-06-20 17:59:11 +08:00
|
|
|
|
2022-03-21 19:16:35 +08:00
|
|
|
<listitem><para>The Microsoft Windows EFI boot manager, if installed.</para></listitem>
|
2018-06-20 17:59:11 +08:00
|
|
|
|
2022-03-21 19:16:35 +08:00
|
|
|
<listitem><para>The Apple macOS boot manager, if installed.</para></listitem>
|
2018-06-20 17:59:11 +08:00
|
|
|
|
2022-03-21 19:16:35 +08:00
|
|
|
<listitem><para>The EFI Shell binary, if installed.</para></listitem>
|
2018-06-20 17:59:11 +08:00
|
|
|
|
2023-10-07 00:46:28 +08:00
|
|
|
<listitem><para>A <literal>Reboot Into Firmware Interface option</literal>, if supported by the UEFI
|
|
|
|
|
firmware.</para></listitem>
|
This patch adds support for enrolling secure boot boot keys from sd-boot.
***DANGER*** NOTE ***DANGER***
This feature might result in your device becoming soft-brick as outlined
below, please use this feature carefully.
***DANGER*** NOTE ***DANGER***
If secure-boot-enrollment is set to no, then no action whatsoever is performed,
no matter the files on the ESP.
If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment
is set to either manual or force then sd-boot will generate enrollment entries
named after the directories they are in. The entries are shown at the very bottom
of the list and can be selected by the user from the menu. If the user selects it,
the user is shown a screen allowing for cancellation before a timeout. The enrollment
proceeds if the action is not cancelled after the timeout.
Additionally, if the secure-boot-enroll option is set to 'force' then the keys
located in the directory named 'auto' are going to be enrolled automatically. The user
is still going to be shown a screen allowing them to cancel the action if they want to,
however the enrollment will proceed automatically after a timeout without
user cancellation.
After keys are enrolled, the system reboots with secure boot enabled therefore, it is
***critical*** to ensure that everything needed for the system to boot is signed
properly (sd-boot itself, kernel, initramfs, PCI option ROMs).
This feature currently only allows loading the most simple set of variables: PK, KEK
and db.
The files need to be prepared with cert-to-efi-sig-list and then signed with
sign-efi-sig-list.
Here is a short example to generate your own keys and the right files for
auto-enrollement.
`
keys="PK KEK DB"
uuid="{$(systemd-id128 new -u)}"
for key in ${keys}; do
openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt"
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign"
done
sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl
`
Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in
order to run. You can sign the binaries with the sbsign tool, for example:
`
sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage
`
Example:
Assuming the system has been put in Setup Mode:
`
$ESP/loader/keys/auto/db.esl
$ESP/loader/keys/auto/KEK.esl
$ESP/loader/keys/auto/PK.esl
$ESP/loader/keys/Linux Only/db.esl
$ESP/loader/keys/Linux Only/KEK.esl
$ESP/loader/keys/Linux Only/PK.esl
$ESP/loader/keys/Linux and Windows/db.esl
$ESP/loader/keys/Linux and Windows/KEK.esl
$ESP/loader/keys/Linux and Windows/PK.esl
`
If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto'
directory.
If not, three new boot entries are available to the user in order to enroll either the
'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-10 02:13:28 +08:00
|
|
|
|
man: fix issues reported by the manpage-l10n project
Fixes #25780.
> Man page: crypttab.5
> Issue 1: Missing fullstop
> Issue 2: I<cipher=>, I<hash=>, I<size=> → B<cipher=>, B<hash=>, B<size=>
>
> "Force LUKS mode\\&. When this mode is used, the following options are "
> "ignored since they are provided by the LUKS header on the device: "
> "I<cipher=>, I<hash=>, I<size=>"
Seems OK to me. The full stop is there and has been for at least a few years. And we use <option> for the markup, which is appropriate here.
> Man page: crypttab.5
> Issue 1: Missing fullstop
> Issue 2: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-size=>, I<size=> → B<cipher=>, B<hash=>, B<keyfile-offset=>, B<keyfile-size=>, B<size=>
>
> "Use TrueCrypt encryption mode\\&. When this mode is used, the following "
> "options are ignored since they are provided by the TrueCrypt header on the "
> "device or do not apply: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-"
> "size=>, I<size=>"
Same.
> Man page: journalctl.1
> Issue 1: make be → may be
Fixed.
> Issue 2: below\\&. → below:
Fixed.
> Man page: journalctl.1
> Issue: Colon at the end?
>
> "The following commands are understood\\&. If none is specified the default "
> "is to display journal records\\&."
> msgstr ""
> "Die folgenden Befehle werden verstanden\\&. Falls keiner festgelegt ist, ist "
> "die Anzeige von Journal-Datensätzen die Vorgabe\\&."
This is a bit awkward, but I'm not sure how to fix it.
> Man page: kernel-install.8
> Issue: methods a fallback → methods fallback
It was correct, but I added a comma to make the sense clearer.
> Man page: loader.conf.5
> Issue 1: secure boot variables → Secure Boot variables
> Issue 2: one → one for (multiple times)
>
> "Supported secure boot variables are one database for authorized images, one "
> "key exchange key (KEK) and one platform key (PK)\\&. For more information, "
> "refer to the \\m[blue]B<UEFI specification>\\m[]\\&\\s-2\\u[2]\\d\\s+2, "
> "under Secure Boot and Driver Signing\\&. Another resource that describe the "
> "interplay of the different variables is the \\m[blue]B<EDK2 "
> "documentation>\\m[]\\&\\s-2\\u[3]\\d\\s+2\\&."
"one of" would sound strange. "One this and one that" is OK.
> Man page: loader.conf.5
> Issue: systemd-boot → B<systemd-boot>(7)
Fixed.
> Man page: logind.conf.5
> Issue: systemd-logind → B<systemd-logind>(8)
We use <filename>systemd-logind</> on subsequent references… I think that's good enough.
> Man page: nss-myhostname.8
> Issue: B<getent> → B<getent>(1)
Fixed.
> Man page: nss-resolve.8
> Issue: B<systemd-resolved> → B<systemd-resolved>(8)
The first reference does this, subsequent are shorter.
> Man page: os-release.5
> Issue: Portable Services → Portable Services Documentation?
Updated.
> Man page: pam_systemd_home.8
> Issue: auth and account use "reason", while session and password do not?
Reworded.
> Man page: portablectl.1
> Issue: In systemd-portabled.service(8): Portable Services Documentation
Updated.
> Man page: repart.d.5
> Issue: The partition → the partition
Fixed.
> Man page: repart.d.5
> Issue: B<systemd-repart> → B<systemd-repart>(8)
The first reference does this. I also change this one, because it's pretty far down in the text.
> Man page: systemd.1
> Issue: kernel command line twice?
>
> "Takes a boolean argument\\&. If false disables importing credentials from "
> "the kernel command line, qemu_fw_cfg subsystem or the kernel command line\\&."
Apparently this was fixed already.
> Man page: systemd-boot.7
> Issue: enrollement → enrollment
Fixed.
> Man page: systemd-cryptenroll.1
> Issue: multiple cases: any specified → the specified
Reworded.
> Man page: systemd-cryptenroll.1
> Issue: If this this → If this
Fixed tree-wide.
> Man page: systemd-cryptsetup-generator.8
> Issue: and the initrd → and in the initrd
"Is honoured by the initrd" is OK, because we often speak about the initrd as a single unit. But in the same paragraph we also used "in the initrd", which makes the other use look sloppy. I changed it to "in the initrd" everywhere in that file.
> Man page: systemd.directives.7
> Issue: Why are these two quoted (but not others)?
>
> "B<\\*(Aqh\\*(Aq>"
>
> B<\\*(Aqs\\*(Aq>"
>
> "B<\\*(Aqy\\*(Aq>"
This is autogenerated from files… We use slightly different markup in different files, and it's just too hard to make it consistent. We gave up on this.
> Man page: systemd.exec.5
> Issue 1: B<at>(1p) → B<at>(1)
> Issue 2: B<crontab>(1p) → B<crontab>(1)
Fixed.
> Man page: systemd.exec.5
> Issue: B<select()> → B<select>(2)
Fixed.
> Man page: systemd.exec.5
> Issue: qemu → B<qemu>(1)
The man page doesn't seem to be in any of the canonical places on the web.
I added a link to online docs.
> Man page: systemd.exec.5
> Issue: variable → variables
Seems to be fixed already.
> Man page: systemd-integritysetup-generator.8
> Issue: systemd-integritysetup-generator → B<systemd-integritysetup-generator>
I changed <filename> to <command>.
> Man page: systemd-integritysetup-generator.8
> Issue: superfluous comma at the end
Already fixed.
> Man page: systemd-measure.1
> Issue: (see B<--pcr-bank=>) below → (see B<--pcr-bank=> below)
Reworded.
> Man page: systemd-measure.1
> Issue: =PATH> → =>I<PATH>
Fixed.
> Man page: systemd-measure.1.po
> Issue: B<--bank=DIGEST> → B<--bank=>I<DIGEST>
Fixed.
> Man page: systemd.netdev.5
> Issue: os the → on the
Appears to have been fixed already.
> Man page: systemd.netdev.5
> Issue: Onboard → On-board (as in previous string)
Updated.
> Man page: systemd.network.5
> Issue: B<systemd-networkd> -> B<systemd-networkd>(8)
First reference does this, subsequent do not.
> Man page: systemd.network.5
> Issue: B<netlabelctl> → B<netlabelctl>(8)
First reference does this, subsequent do not.
> Man page: systemd.network.5
> Issue: Missing verb (aquired? configured?) in the half sentence starting with "or by a "
I dropped the comma.
> Man page: systemd-nspawn.1
> Issue: All host users outside of that range → All other host users
Reworded.
> # FIXME no effect → no effect\\&.
> #. type: Plain text
> #: archlinux debian-unstable fedora-rawhide mageia-cauldron opensuse-tumbleweed
> msgid ""
> "Whichever ID mapping option is used, the same mapping will be used for users "
> "and groups IDs\\&. If B<rootidmap> is used, the group owning the bind "
> "mounted directory will have no effect"
A period is added. Not sure if there's some other issue.
> Man page: systemd-oomd.service.8
> Issue: B<systemd> → B<systemd>(1)
Done.
> Man page: systemd.path.5
> Issue 1: B<systemd.exec>(1) → B<systemd.exec>(5)
> Issue 2: This section does not (yet?) exist
Fixed.
> Man page: systemd-pcrphase.service.8
> Issue 1: indicate phases into TPM2 PCR 11 ??
> Issue 2: Colon at the end of the paragraph?
Fixed.
> Man page: systemd-pcrphase.service.8
> Issue: final boot phase → final shutdown phase?
Updated.
> Man page: systemd-pcrphase.service.8
> Issue: for the the → for the
Fixed tree-wide.
> Man page: systemd-portabled.service.8
> Issue: In systemd-portabled.service(8): Portable Services Documentation
Updated.
> Man page: systemd-pstore.service.8
> Issue: Here and the following paragraphs: . → \\&. // Upstream: What does this comment mean? // You normally write \\&. for a full dot (full stop etc.); here you write only "." (i.e. a plain dot).
>
> "and we look up \"localhost\", nss-dns will send the following queries to "
> "systemd-resolved listening on 127.0.0.53:53: first \"localhost.foobar.com\", "
> "then \"localhost.barbar.com\", and finally \"localhost\". If (hopefully) the "
> "first two queries fail, systemd-resolved will synthesize an answer for the "
> "third query."
Looks all OK to me.
> Man page: systemd.resource-control.5
> Issue: Missing closing bracket after link to Control Groups version 1
Fixed.
> Man page: systemd-sysext.8
> Issue: In systemd-portabled.service(8): Portable Services Documentation
Updated.
> Man page: systemd.timer.5
> Issue 1: B<systemd.exec>(1) → B<systemd.exec>(5)
> Issue 2: This section does not (yet?) exist
Fixed.
> Man page: systemd.unit.5
> Issue: that is → that are
Fixed.
> Man page: systemd-veritysetup-generator.8
> Issue: systemd-veritysetup-generator → B<systemd-veritysetup-generator>
>
> "systemd-veritysetup-generator implements B<systemd.generator>(7)\\&."
>
> "systemd-veritysetup-generator understands the following kernel command line "
> "parameters:"
Updated.
> Man page: systemd-volatile-root.service.8
> Issue: initrdyes → Initrd
Fixed.
> Man page: sysupdate.d.5
> Issue: : → \\&. (As above in TRANSFER)
Updated.
> Man page: sysupdate.d.5
> Issue: some → certain
Updated.
> Man page: sysupdate.d.5
> Issue 1: i\\&.e\\& → I\\&.e\\&
Fixed.
> Issue 2: the image → the system
"image" seems correct.
> Man page: tmpfiles.d.5
> Issue: systemd-tmpfiles → B<systemd-tmpfiles>(8)
Updated.
2023-01-11 23:45:59 +08:00
|
|
|
<listitem><para>Secure Boot variables enrollment if the UEFI firmware is in setup-mode and files are provided
|
This patch adds support for enrolling secure boot boot keys from sd-boot.
***DANGER*** NOTE ***DANGER***
This feature might result in your device becoming soft-brick as outlined
below, please use this feature carefully.
***DANGER*** NOTE ***DANGER***
If secure-boot-enrollment is set to no, then no action whatsoever is performed,
no matter the files on the ESP.
If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment
is set to either manual or force then sd-boot will generate enrollment entries
named after the directories they are in. The entries are shown at the very bottom
of the list and can be selected by the user from the menu. If the user selects it,
the user is shown a screen allowing for cancellation before a timeout. The enrollment
proceeds if the action is not cancelled after the timeout.
Additionally, if the secure-boot-enroll option is set to 'force' then the keys
located in the directory named 'auto' are going to be enrolled automatically. The user
is still going to be shown a screen allowing them to cancel the action if they want to,
however the enrollment will proceed automatically after a timeout without
user cancellation.
After keys are enrolled, the system reboots with secure boot enabled therefore, it is
***critical*** to ensure that everything needed for the system to boot is signed
properly (sd-boot itself, kernel, initramfs, PCI option ROMs).
This feature currently only allows loading the most simple set of variables: PK, KEK
and db.
The files need to be prepared with cert-to-efi-sig-list and then signed with
sign-efi-sig-list.
Here is a short example to generate your own keys and the right files for
auto-enrollement.
`
keys="PK KEK DB"
uuid="{$(systemd-id128 new -u)}"
for key in ${keys}; do
openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt"
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign"
done
sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl
`
Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in
order to run. You can sign the binaries with the sbsign tool, for example:
`
sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage
`
Example:
Assuming the system has been put in Setup Mode:
`
$ESP/loader/keys/auto/db.esl
$ESP/loader/keys/auto/KEK.esl
$ESP/loader/keys/auto/PK.esl
$ESP/loader/keys/Linux Only/db.esl
$ESP/loader/keys/Linux Only/KEK.esl
$ESP/loader/keys/Linux Only/PK.esl
$ESP/loader/keys/Linux and Windows/db.esl
$ESP/loader/keys/Linux and Windows/KEK.esl
$ESP/loader/keys/Linux and Windows/PK.esl
`
If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto'
directory.
If not, three new boot entries are available to the user in order to enroll either the
'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-10 02:13:28 +08:00
|
|
|
on the ESP.</para></listitem>
|
2018-06-20 17:59:11 +08:00
|
|
|
</itemizedlist>
|
|
|
|
|
|
2019-07-22 20:19:33 +08:00
|
|
|
<para><command>systemd-boot</command> supports the following features:</para>
|
|
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
|
<listitem><para>Basic boot manager configuration changes (such as timeout
|
|
|
|
|
configuration, default boot entry selection, …) may be made directly from the boot loader UI at
|
|
|
|
|
boot-time, as well as during system runtime with EFI variables.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>The boot manager integrates with the <command>systemctl</command> command to implement
|
|
|
|
|
features such as <command>systemctl reboot --boot-loader-entry=…</command> (for rebooting into a
|
|
|
|
|
specific boot menu entry, i.e. "reboot into Windows") and <command>systemctl reboot
|
|
|
|
|
--boot-loader-menu=…</command> (for rebooting into the boot loader menu), by implementing the <ulink
|
|
|
|
|
url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>. See
|
|
|
|
|
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
|
|
|
|
|
details.</para></listitem>
|
|
|
|
|
|
2021-07-09 17:56:54 +08:00
|
|
|
<listitem><para>An EFI variable set by the boot loader informs the OS about the EFI System Partition used
|
|
|
|
|
during boot. This is then used to automatically mount the correct EFI System Partition to
|
2019-07-22 20:19:33 +08:00
|
|
|
<filename>/efi/</filename> or <filename>/boot/</filename> during OS runtime. See
|
|
|
|
|
<citerefentry><refentrytitle>systemd-gpt-auto-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
|
|
for details.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>The boot manager provides information about the boot time spent in UEFI firmware using
|
|
|
|
|
the <ulink url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>. This
|
|
|
|
|
information can be displayed using
|
|
|
|
|
<citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
|
|
|
|
|
</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>The boot manager implements boot counting and automatic fallback to older, working boot
|
|
|
|
|
entries on failure. See <ulink url="https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT">Automatic Boot
|
|
|
|
|
Assessment</ulink>.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>The boot manager optionally reads a random seed from the ESP partition, combines it
|
2019-12-24 20:50:04 +08:00
|
|
|
with a 'system token' stored in a persistent EFI variable and derives a random seed to use by the OS as
|
2020-07-06 16:49:59 +08:00
|
|
|
entropy pool initialization, providing a full entropy pool during early boot.</para></listitem>
|
This patch adds support for enrolling secure boot boot keys from sd-boot.
***DANGER*** NOTE ***DANGER***
This feature might result in your device becoming soft-brick as outlined
below, please use this feature carefully.
***DANGER*** NOTE ***DANGER***
If secure-boot-enrollment is set to no, then no action whatsoever is performed,
no matter the files on the ESP.
If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment
is set to either manual or force then sd-boot will generate enrollment entries
named after the directories they are in. The entries are shown at the very bottom
of the list and can be selected by the user from the menu. If the user selects it,
the user is shown a screen allowing for cancellation before a timeout. The enrollment
proceeds if the action is not cancelled after the timeout.
Additionally, if the secure-boot-enroll option is set to 'force' then the keys
located in the directory named 'auto' are going to be enrolled automatically. The user
is still going to be shown a screen allowing them to cancel the action if they want to,
however the enrollment will proceed automatically after a timeout without
user cancellation.
After keys are enrolled, the system reboots with secure boot enabled therefore, it is
***critical*** to ensure that everything needed for the system to boot is signed
properly (sd-boot itself, kernel, initramfs, PCI option ROMs).
This feature currently only allows loading the most simple set of variables: PK, KEK
and db.
The files need to be prepared with cert-to-efi-sig-list and then signed with
sign-efi-sig-list.
Here is a short example to generate your own keys and the right files for
auto-enrollement.
`
keys="PK KEK DB"
uuid="{$(systemd-id128 new -u)}"
for key in ${keys}; do
openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt"
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign"
done
sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl
`
Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in
order to run. You can sign the binaries with the sbsign tool, for example:
`
sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage
`
Example:
Assuming the system has been put in Setup Mode:
`
$ESP/loader/keys/auto/db.esl
$ESP/loader/keys/auto/KEK.esl
$ESP/loader/keys/auto/PK.esl
$ESP/loader/keys/Linux Only/db.esl
$ESP/loader/keys/Linux Only/KEK.esl
$ESP/loader/keys/Linux Only/PK.esl
$ESP/loader/keys/Linux and Windows/db.esl
$ESP/loader/keys/Linux and Windows/KEK.esl
$ESP/loader/keys/Linux and Windows/PK.esl
`
If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto'
directory.
If not, three new boot entries are available to the user in order to enroll either the
'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-10 02:13:28 +08:00
|
|
|
|
man: fix issues reported by the manpage-l10n project
Fixes #25780.
> Man page: crypttab.5
> Issue 1: Missing fullstop
> Issue 2: I<cipher=>, I<hash=>, I<size=> → B<cipher=>, B<hash=>, B<size=>
>
> "Force LUKS mode\\&. When this mode is used, the following options are "
> "ignored since they are provided by the LUKS header on the device: "
> "I<cipher=>, I<hash=>, I<size=>"
Seems OK to me. The full stop is there and has been for at least a few years. And we use <option> for the markup, which is appropriate here.
> Man page: crypttab.5
> Issue 1: Missing fullstop
> Issue 2: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-size=>, I<size=> → B<cipher=>, B<hash=>, B<keyfile-offset=>, B<keyfile-size=>, B<size=>
>
> "Use TrueCrypt encryption mode\\&. When this mode is used, the following "
> "options are ignored since they are provided by the TrueCrypt header on the "
> "device or do not apply: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-"
> "size=>, I<size=>"
Same.
> Man page: journalctl.1
> Issue 1: make be → may be
Fixed.
> Issue 2: below\\&. → below:
Fixed.
> Man page: journalctl.1
> Issue: Colon at the end?
>
> "The following commands are understood\\&. If none is specified the default "
> "is to display journal records\\&."
> msgstr ""
> "Die folgenden Befehle werden verstanden\\&. Falls keiner festgelegt ist, ist "
> "die Anzeige von Journal-Datensätzen die Vorgabe\\&."
This is a bit awkward, but I'm not sure how to fix it.
> Man page: kernel-install.8
> Issue: methods a fallback → methods fallback
It was correct, but I added a comma to make the sense clearer.
> Man page: loader.conf.5
> Issue 1: secure boot variables → Secure Boot variables
> Issue 2: one → one for (multiple times)
>
> "Supported secure boot variables are one database for authorized images, one "
> "key exchange key (KEK) and one platform key (PK)\\&. For more information, "
> "refer to the \\m[blue]B<UEFI specification>\\m[]\\&\\s-2\\u[2]\\d\\s+2, "
> "under Secure Boot and Driver Signing\\&. Another resource that describe the "
> "interplay of the different variables is the \\m[blue]B<EDK2 "
> "documentation>\\m[]\\&\\s-2\\u[3]\\d\\s+2\\&."
"one of" would sound strange. "One this and one that" is OK.
> Man page: loader.conf.5
> Issue: systemd-boot → B<systemd-boot>(7)
Fixed.
> Man page: logind.conf.5
> Issue: systemd-logind → B<systemd-logind>(8)
We use <filename>systemd-logind</> on subsequent references… I think that's good enough.
> Man page: nss-myhostname.8
> Issue: B<getent> → B<getent>(1)
Fixed.
> Man page: nss-resolve.8
> Issue: B<systemd-resolved> → B<systemd-resolved>(8)
The first reference does this, subsequent are shorter.
> Man page: os-release.5
> Issue: Portable Services → Portable Services Documentation?
Updated.
> Man page: pam_systemd_home.8
> Issue: auth and account use "reason", while session and password do not?
Reworded.
> Man page: portablectl.1
> Issue: In systemd-portabled.service(8): Portable Services Documentation
Updated.
> Man page: repart.d.5
> Issue: The partition → the partition
Fixed.
> Man page: repart.d.5
> Issue: B<systemd-repart> → B<systemd-repart>(8)
The first reference does this. I also change this one, because it's pretty far down in the text.
> Man page: systemd.1
> Issue: kernel command line twice?
>
> "Takes a boolean argument\\&. If false disables importing credentials from "
> "the kernel command line, qemu_fw_cfg subsystem or the kernel command line\\&."
Apparently this was fixed already.
> Man page: systemd-boot.7
> Issue: enrollement → enrollment
Fixed.
> Man page: systemd-cryptenroll.1
> Issue: multiple cases: any specified → the specified
Reworded.
> Man page: systemd-cryptenroll.1
> Issue: If this this → If this
Fixed tree-wide.
> Man page: systemd-cryptsetup-generator.8
> Issue: and the initrd → and in the initrd
"Is honoured by the initrd" is OK, because we often speak about the initrd as a single unit. But in the same paragraph we also used "in the initrd", which makes the other use look sloppy. I changed it to "in the initrd" everywhere in that file.
> Man page: systemd.directives.7
> Issue: Why are these two quoted (but not others)?
>
> "B<\\*(Aqh\\*(Aq>"
>
> B<\\*(Aqs\\*(Aq>"
>
> "B<\\*(Aqy\\*(Aq>"
This is autogenerated from files… We use slightly different markup in different files, and it's just too hard to make it consistent. We gave up on this.
> Man page: systemd.exec.5
> Issue 1: B<at>(1p) → B<at>(1)
> Issue 2: B<crontab>(1p) → B<crontab>(1)
Fixed.
> Man page: systemd.exec.5
> Issue: B<select()> → B<select>(2)
Fixed.
> Man page: systemd.exec.5
> Issue: qemu → B<qemu>(1)
The man page doesn't seem to be in any of the canonical places on the web.
I added a link to online docs.
> Man page: systemd.exec.5
> Issue: variable → variables
Seems to be fixed already.
> Man page: systemd-integritysetup-generator.8
> Issue: systemd-integritysetup-generator → B<systemd-integritysetup-generator>
I changed <filename> to <command>.
> Man page: systemd-integritysetup-generator.8
> Issue: superfluous comma at the end
Already fixed.
> Man page: systemd-measure.1
> Issue: (see B<--pcr-bank=>) below → (see B<--pcr-bank=> below)
Reworded.
> Man page: systemd-measure.1
> Issue: =PATH> → =>I<PATH>
Fixed.
> Man page: systemd-measure.1.po
> Issue: B<--bank=DIGEST> → B<--bank=>I<DIGEST>
Fixed.
> Man page: systemd.netdev.5
> Issue: os the → on the
Appears to have been fixed already.
> Man page: systemd.netdev.5
> Issue: Onboard → On-board (as in previous string)
Updated.
> Man page: systemd.network.5
> Issue: B<systemd-networkd> -> B<systemd-networkd>(8)
First reference does this, subsequent do not.
> Man page: systemd.network.5
> Issue: B<netlabelctl> → B<netlabelctl>(8)
First reference does this, subsequent do not.
> Man page: systemd.network.5
> Issue: Missing verb (aquired? configured?) in the half sentence starting with "or by a "
I dropped the comma.
> Man page: systemd-nspawn.1
> Issue: All host users outside of that range → All other host users
Reworded.
> # FIXME no effect → no effect\\&.
> #. type: Plain text
> #: archlinux debian-unstable fedora-rawhide mageia-cauldron opensuse-tumbleweed
> msgid ""
> "Whichever ID mapping option is used, the same mapping will be used for users "
> "and groups IDs\\&. If B<rootidmap> is used, the group owning the bind "
> "mounted directory will have no effect"
A period is added. Not sure if there's some other issue.
> Man page: systemd-oomd.service.8
> Issue: B<systemd> → B<systemd>(1)
Done.
> Man page: systemd.path.5
> Issue 1: B<systemd.exec>(1) → B<systemd.exec>(5)
> Issue 2: This section does not (yet?) exist
Fixed.
> Man page: systemd-pcrphase.service.8
> Issue 1: indicate phases into TPM2 PCR 11 ??
> Issue 2: Colon at the end of the paragraph?
Fixed.
> Man page: systemd-pcrphase.service.8
> Issue: final boot phase → final shutdown phase?
Updated.
> Man page: systemd-pcrphase.service.8
> Issue: for the the → for the
Fixed tree-wide.
> Man page: systemd-portabled.service.8
> Issue: In systemd-portabled.service(8): Portable Services Documentation
Updated.
> Man page: systemd-pstore.service.8
> Issue: Here and the following paragraphs: . → \\&. // Upstream: What does this comment mean? // You normally write \\&. for a full dot (full stop etc.); here you write only "." (i.e. a plain dot).
>
> "and we look up \"localhost\", nss-dns will send the following queries to "
> "systemd-resolved listening on 127.0.0.53:53: first \"localhost.foobar.com\", "
> "then \"localhost.barbar.com\", and finally \"localhost\". If (hopefully) the "
> "first two queries fail, systemd-resolved will synthesize an answer for the "
> "third query."
Looks all OK to me.
> Man page: systemd.resource-control.5
> Issue: Missing closing bracket after link to Control Groups version 1
Fixed.
> Man page: systemd-sysext.8
> Issue: In systemd-portabled.service(8): Portable Services Documentation
Updated.
> Man page: systemd.timer.5
> Issue 1: B<systemd.exec>(1) → B<systemd.exec>(5)
> Issue 2: This section does not (yet?) exist
Fixed.
> Man page: systemd.unit.5
> Issue: that is → that are
Fixed.
> Man page: systemd-veritysetup-generator.8
> Issue: systemd-veritysetup-generator → B<systemd-veritysetup-generator>
>
> "systemd-veritysetup-generator implements B<systemd.generator>(7)\\&."
>
> "systemd-veritysetup-generator understands the following kernel command line "
> "parameters:"
Updated.
> Man page: systemd-volatile-root.service.8
> Issue: initrdyes → Initrd
Fixed.
> Man page: sysupdate.d.5
> Issue: : → \\&. (As above in TRANSFER)
Updated.
> Man page: sysupdate.d.5
> Issue: some → certain
Updated.
> Man page: sysupdate.d.5
> Issue 1: i\\&.e\\& → I\\&.e\\&
Fixed.
> Issue 2: the image → the system
"image" seems correct.
> Man page: tmpfiles.d.5
> Issue: systemd-tmpfiles → B<systemd-tmpfiles>(8)
Updated.
2023-01-11 23:45:59 +08:00
|
|
|
<listitem><para>The boot manager allows for Secure Boot variables to be enrolled if the UEFI firmware is
|
This patch adds support for enrolling secure boot boot keys from sd-boot.
***DANGER*** NOTE ***DANGER***
This feature might result in your device becoming soft-brick as outlined
below, please use this feature carefully.
***DANGER*** NOTE ***DANGER***
If secure-boot-enrollment is set to no, then no action whatsoever is performed,
no matter the files on the ESP.
If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment
is set to either manual or force then sd-boot will generate enrollment entries
named after the directories they are in. The entries are shown at the very bottom
of the list and can be selected by the user from the menu. If the user selects it,
the user is shown a screen allowing for cancellation before a timeout. The enrollment
proceeds if the action is not cancelled after the timeout.
Additionally, if the secure-boot-enroll option is set to 'force' then the keys
located in the directory named 'auto' are going to be enrolled automatically. The user
is still going to be shown a screen allowing them to cancel the action if they want to,
however the enrollment will proceed automatically after a timeout without
user cancellation.
After keys are enrolled, the system reboots with secure boot enabled therefore, it is
***critical*** to ensure that everything needed for the system to boot is signed
properly (sd-boot itself, kernel, initramfs, PCI option ROMs).
This feature currently only allows loading the most simple set of variables: PK, KEK
and db.
The files need to be prepared with cert-to-efi-sig-list and then signed with
sign-efi-sig-list.
Here is a short example to generate your own keys and the right files for
auto-enrollement.
`
keys="PK KEK DB"
uuid="{$(systemd-id128 new -u)}"
for key in ${keys}; do
openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt"
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign"
done
sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl
`
Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in
order to run. You can sign the binaries with the sbsign tool, for example:
`
sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage
`
Example:
Assuming the system has been put in Setup Mode:
`
$ESP/loader/keys/auto/db.esl
$ESP/loader/keys/auto/KEK.esl
$ESP/loader/keys/auto/PK.esl
$ESP/loader/keys/Linux Only/db.esl
$ESP/loader/keys/Linux Only/KEK.esl
$ESP/loader/keys/Linux Only/PK.esl
$ESP/loader/keys/Linux and Windows/db.esl
$ESP/loader/keys/Linux and Windows/KEK.esl
$ESP/loader/keys/Linux and Windows/PK.esl
`
If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto'
directory.
If not, three new boot entries are available to the user in order to enroll either the
'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-10 02:13:28 +08:00
|
|
|
in setup-mode. Additionally, variables can be automatically enrolled if configured.</para></listitem>
|
2019-07-22 20:19:33 +08:00
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
|
|
<para><citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
2019-02-12 23:13:57 +08:00
|
|
|
may be used from a running system to locate the ESP and the Extended Boot Loader Partition, list
|
|
|
|
|
available entries, and install <command>systemd-boot</command> itself.</para>
|
2018-06-20 17:59:11 +08:00
|
|
|
|
2019-07-22 20:19:33 +08:00
|
|
|
<para><citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
|
|
may be used to copy kernel images onto the ESP or the Extended Boot Loader Partition and to generate
|
|
|
|
|
description files compliant with the Boot Loader
|
|
|
|
|
Specification.</para>
|
2021-09-21 22:52:24 +08:00
|
|
|
|
|
|
|
|
<para><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
|
|
|
may be used as UEFI boot stub for executed kernels, which is useful to show graphical boot splashes
|
|
|
|
|
before transitioning into the Linux world. It is also capable of automatically picking up auxiliary
|
|
|
|
|
credential files (for boot parameterization) and system extension images, as companion files to the
|
|
|
|
|
booted kernel images.</para>
|
2018-03-11 18:22:09 +08:00
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
<title>Key bindings</title>
|
|
|
|
|
<para>The following keys may be used in the boot menu:</para>
|
|
|
|
|
|
2021-08-14 20:26:12 +08:00
|
|
|
<!-- Developer commands Q/v/Ctrl+l deliberately not advertised. -->
|
|
|
|
|
|
2018-03-11 18:22:09 +08:00
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>↑</keycap> (Up)</term>
|
|
|
|
|
<term><keycap>↓</keycap> (Down)</term>
|
|
|
|
|
<term><keycap>j</keycap></term>
|
|
|
|
|
<term><keycap>k</keycap></term>
|
|
|
|
|
<term><keycap>PageUp</keycap></term>
|
|
|
|
|
<term><keycap>PageDown</keycap></term>
|
|
|
|
|
<term><keycap>Home</keycap></term>
|
|
|
|
|
<term><keycap>End</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Navigate up/down in the entry list</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>↵</keycap> (Enter)</term>
|
2020-04-15 20:18:15 +08:00
|
|
|
<term><keycap>→</keycap> (Right)</term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Boot selected entry</para>
|
|
|
|
|
|
2023-09-18 23:03:38 +08:00
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>d</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Make selected entry the default</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>e</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Edit the kernel command line for selected entry</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>+</keycap></term>
|
|
|
|
|
<term><keycap>t</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Increase the timeout before default entry is booted</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>-</keycap></term>
|
|
|
|
|
<term><keycap>T</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Decrease the timeout</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
2021-08-15 19:44:47 +08:00
|
|
|
<varlistentry>
|
|
|
|
|
<term><keycap>r</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Change screen resolution, skipping any unsupported modes.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
|
2021-08-15 19:44:47 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><keycap>R</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Reset screen resolution to firmware or configuration file default.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
|
2021-08-15 19:44:47 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
2018-03-11 18:22:09 +08:00
|
|
|
<varlistentry>
|
2021-08-14 20:26:12 +08:00
|
|
|
<term><keycap>p</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Print status</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>h</keycap></term>
|
|
|
|
|
<term><keycap>?</keycap></term>
|
2020-07-15 01:31:21 +08:00
|
|
|
<term><keycap>F1</keycap></term>
|
2023-09-18 23:03:38 +08:00
|
|
|
<listitem><para>Show a help screen</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
2021-10-20 18:15:03 +08:00
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><keycap>f</keycap></term>
|
|
|
|
|
<listitem><para>Reboot into firmware interface.</para>
|
|
|
|
|
|
|
|
|
|
<para>For compatibility with the keybindings of several firmware implementations this operation
|
|
|
|
|
may also be reached with <keycap>F2</keycap>, <keycap>F10</keycap>, <keycap>Del</keycap> and
|
2023-08-23 00:52:36 +08:00
|
|
|
<keycap>Esc</keycap>.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
|
2021-10-20 18:15:03 +08:00
|
|
|
</varlistentry>
|
2023-08-22 04:59:53 +08:00
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><keycombo><keycap>Shift</keycap><keycap>o</keycap></keycombo></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Power off the system.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
2023-08-22 04:59:53 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><keycombo><keycap>Shift</keycap><keycap>b</keycap></keycombo></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Reboot the system.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
2023-08-22 04:59:53 +08:00
|
|
|
</varlistentry>
|
2018-03-11 18:22:09 +08:00
|
|
|
</variablelist>
|
|
|
|
|
|
2020-04-21 17:18:56 +08:00
|
|
|
<para>The following keys may be pressed during bootup or in the boot menu to directly boot a specific
|
|
|
|
|
entry:</para>
|
2018-03-11 18:22:09 +08:00
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>l</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Linux</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>w</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Windows</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>a</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>macOS</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>s</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>EFI shell</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>1</keycap></term>
|
|
|
|
|
<term><keycap>2</keycap></term>
|
|
|
|
|
<term><keycap>3</keycap></term>
|
|
|
|
|
<term><keycap>4</keycap></term>
|
|
|
|
|
<term><keycap>5</keycap></term>
|
|
|
|
|
<term><keycap>6</keycap></term>
|
|
|
|
|
<term><keycap>7</keycap></term>
|
|
|
|
|
<term><keycap>8</keycap></term>
|
|
|
|
|
<term><keycap>9</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Boot entry number 1 … 9</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
</variablelist>
|
|
|
|
|
|
2020-04-21 17:18:56 +08:00
|
|
|
<para>The boot menu is shown when a non-zero menu timeout has been configured. If the menu timeout has
|
|
|
|
|
been set to zero, it is sufficient to press any key — before the boot loader initializes — to bring up
|
|
|
|
|
the boot menu, except for the keys listed immediately above as they directly boot into the selected boot
|
|
|
|
|
menu item. Note that depending on the firmware implementation the time window where key presses are
|
|
|
|
|
accepted before the boot loader initializes might be short. If the window is missed, reboot and try
|
|
|
|
|
again, possibly pressing a suitable key (e.g. the space bar) continuously; on most systems it should be
|
|
|
|
|
possible to hit the time window after a few attempts. To avoid this problem, consider setting a non-zero
|
|
|
|
|
timeout, thus showing the boot menu unconditionally. Some desktop environments might offer an option to
|
|
|
|
|
directly boot into the boot menu, to avoid the problem altogether. Alternatively, use the command line
|
|
|
|
|
<command>systemctl reboot --boot-loader-menu=0</command> from the shell.</para>
|
|
|
|
|
|
2018-03-11 18:22:09 +08:00
|
|
|
<para>In the editor, most keys simply insert themselves, but the following keys
|
|
|
|
|
may be used to perform additional actions:</para>
|
|
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>←</keycap> (Left)</term>
|
|
|
|
|
<term><keycap>→</keycap> (Right)</term>
|
|
|
|
|
<term><keycap>Home</keycap></term>
|
|
|
|
|
<term><keycap>End</keycap></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Navigate left/right</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>Esc</keycap></term>
|
2022-08-29 16:39:49 +08:00
|
|
|
<term><keycombo><keycap>Ctrl</keycap><keycap>c</keycap></keycombo></term>
|
2023-09-18 23:03:38 +08:00
|
|
|
<listitem><para>Abort the edit and quit the editor</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycombo><keycap>Ctrl</keycap><keycap>k</keycap></keycombo></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Clear the command line forwards</para>
|
|
|
|
|
|
2023-09-18 23:03:38 +08:00
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycombo><keycap>Ctrl</keycap><keycap>w</keycap></keycombo></term>
|
|
|
|
|
<term><keycombo><keycap>Alt</keycap><keycap>Backspace</keycap></keycombo></term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Delete word backwards</para>
|
|
|
|
|
|
2023-09-18 23:03:38 +08:00
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2022-08-29 16:39:49 +08:00
|
|
|
<term><keycombo><keycap>Ctrl</keycap><keycap>Del</keycap></keycombo></term>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycombo><keycap>Alt</keycap><keycap>d</keycap></keycombo></term>
|
2023-09-18 23:03:38 +08:00
|
|
|
<listitem><para>Delete word forwards</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2018-06-28 02:31:34 +08:00
|
|
|
<term><keycap>↵</keycap> (Enter)</term>
|
2023-08-23 00:52:36 +08:00
|
|
|
<listitem><para>Boot entry with the edited command line</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
2018-03-11 18:22:09 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
</variablelist>
|
|
|
|
|
|
2018-06-15 13:25:22 +08:00
|
|
|
<para>Note that unless configured otherwise in the UEFI firmware, systemd-boot will
|
2018-03-11 18:22:09 +08:00
|
|
|
use the US keyboard layout, so key labels might not match for keys like +/-.
|
|
|
|
|
</para>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
2018-06-20 17:59:11 +08:00
|
|
|
<refsect1>
|
|
|
|
|
<title>Files</title>
|
|
|
|
|
|
2019-02-12 23:13:57 +08:00
|
|
|
<para>The files <command>systemd-boot</command> processes generally reside on the UEFI ESP which is
|
|
|
|
|
usually mounted to <filename>/efi/</filename>, <filename>/boot/</filename> or
|
|
|
|
|
<filename>/boot/efi/</filename> during OS runtime. It also processes files on the Extended Boot Loader
|
|
|
|
|
partition which is typically mounted to <filename>/boot/</filename>, if it
|
2021-09-21 23:28:16 +08:00
|
|
|
exists.</para>
|
|
|
|
|
|
|
|
|
|
<para><command>systemd-boot</command> reads runtime configuration such as the boot timeout and default
|
2019-02-12 23:13:57 +08:00
|
|
|
entry from <filename>/loader/loader.conf</filename> on the ESP (in combination with data read from EFI
|
|
|
|
|
variables). See
|
2021-09-21 23:28:16 +08:00
|
|
|
<citerefentry><refentrytitle>loader.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
|
|
|
|
|
|
|
|
|
<para>Boot entry description files following the <ulink
|
2022-11-14 16:44:39 +08:00
|
|
|
url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink> are read from
|
2021-09-21 23:28:16 +08:00
|
|
|
<filename>/loader/entries/</filename> on the ESP and the Extended Boot Loader partition.</para>
|
|
|
|
|
|
|
|
|
|
<para>Unified kernel boot entries following the <ulink
|
2022-11-14 16:44:39 +08:00
|
|
|
url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink> are read from
|
2021-09-21 23:28:16 +08:00
|
|
|
<filename>/EFI/Linux/</filename> on the ESP and the Extended Boot Loader partition.</para>
|
|
|
|
|
|
|
|
|
|
<para>Optionally, a random seed for early boot entropy pool provisioning is stored in
|
|
|
|
|
<filename>/loader/random-seed</filename> in the ESP.</para>
|
|
|
|
|
|
|
|
|
|
<para>During initialization, <command>sd-boot</command> automatically loads all driver files placed in
|
|
|
|
|
the <filename>/EFI/systemd/drivers/</filename> directory of the ESP. The files placed there must have an
|
|
|
|
|
extension of the EFI architecture ID followed by <filename>.efi</filename> (e.g. for x86-64 this means a
|
|
|
|
|
suffix of <filename>x64.efi</filename>). This may be used to automatically load file system drivers and
|
|
|
|
|
similar, to extend the native firmware support.</para>
|
This patch adds support for enrolling secure boot boot keys from sd-boot.
***DANGER*** NOTE ***DANGER***
This feature might result in your device becoming soft-brick as outlined
below, please use this feature carefully.
***DANGER*** NOTE ***DANGER***
If secure-boot-enrollment is set to no, then no action whatsoever is performed,
no matter the files on the ESP.
If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment
is set to either manual or force then sd-boot will generate enrollment entries
named after the directories they are in. The entries are shown at the very bottom
of the list and can be selected by the user from the menu. If the user selects it,
the user is shown a screen allowing for cancellation before a timeout. The enrollment
proceeds if the action is not cancelled after the timeout.
Additionally, if the secure-boot-enroll option is set to 'force' then the keys
located in the directory named 'auto' are going to be enrolled automatically. The user
is still going to be shown a screen allowing them to cancel the action if they want to,
however the enrollment will proceed automatically after a timeout without
user cancellation.
After keys are enrolled, the system reboots with secure boot enabled therefore, it is
***critical*** to ensure that everything needed for the system to boot is signed
properly (sd-boot itself, kernel, initramfs, PCI option ROMs).
This feature currently only allows loading the most simple set of variables: PK, KEK
and db.
The files need to be prepared with cert-to-efi-sig-list and then signed with
sign-efi-sig-list.
Here is a short example to generate your own keys and the right files for
auto-enrollement.
`
keys="PK KEK DB"
uuid="{$(systemd-id128 new -u)}"
for key in ${keys}; do
openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt"
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign"
done
sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl
`
Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in
order to run. You can sign the binaries with the sbsign tool, for example:
`
sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage
`
Example:
Assuming the system has been put in Setup Mode:
`
$ESP/loader/keys/auto/db.esl
$ESP/loader/keys/auto/KEK.esl
$ESP/loader/keys/auto/PK.esl
$ESP/loader/keys/Linux Only/db.esl
$ESP/loader/keys/Linux Only/KEK.esl
$ESP/loader/keys/Linux Only/PK.esl
$ESP/loader/keys/Linux and Windows/db.esl
$ESP/loader/keys/Linux and Windows/KEK.esl
$ESP/loader/keys/Linux and Windows/PK.esl
`
If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto'
directory.
If not, three new boot entries are available to the user in order to enroll either the
'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-10 02:13:28 +08:00
|
|
|
|
|
|
|
|
<para>Enrollment of Secure Boot variables can be performed manually or automatically if files are available
|
2024-03-19 21:49:51 +08:00
|
|
|
under <filename>/loader/keys/<replaceable>NAME</replaceable>/{db,dbx,KEK,PK}.auth</filename>, <replaceable>NAME</replaceable>
|
This patch adds support for enrolling secure boot boot keys from sd-boot.
***DANGER*** NOTE ***DANGER***
This feature might result in your device becoming soft-brick as outlined
below, please use this feature carefully.
***DANGER*** NOTE ***DANGER***
If secure-boot-enrollment is set to no, then no action whatsoever is performed,
no matter the files on the ESP.
If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment
is set to either manual or force then sd-boot will generate enrollment entries
named after the directories they are in. The entries are shown at the very bottom
of the list and can be selected by the user from the menu. If the user selects it,
the user is shown a screen allowing for cancellation before a timeout. The enrollment
proceeds if the action is not cancelled after the timeout.
Additionally, if the secure-boot-enroll option is set to 'force' then the keys
located in the directory named 'auto' are going to be enrolled automatically. The user
is still going to be shown a screen allowing them to cancel the action if they want to,
however the enrollment will proceed automatically after a timeout without
user cancellation.
After keys are enrolled, the system reboots with secure boot enabled therefore, it is
***critical*** to ensure that everything needed for the system to boot is signed
properly (sd-boot itself, kernel, initramfs, PCI option ROMs).
This feature currently only allows loading the most simple set of variables: PK, KEK
and db.
The files need to be prepared with cert-to-efi-sig-list and then signed with
sign-efi-sig-list.
Here is a short example to generate your own keys and the right files for
auto-enrollement.
`
keys="PK KEK DB"
uuid="{$(systemd-id128 new -u)}"
for key in ${keys}; do
openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt"
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign"
done
sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl
`
Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in
order to run. You can sign the binaries with the sbsign tool, for example:
`
sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage
`
Example:
Assuming the system has been put in Setup Mode:
`
$ESP/loader/keys/auto/db.esl
$ESP/loader/keys/auto/KEK.esl
$ESP/loader/keys/auto/PK.esl
$ESP/loader/keys/Linux Only/db.esl
$ESP/loader/keys/Linux Only/KEK.esl
$ESP/loader/keys/Linux Only/PK.esl
$ESP/loader/keys/Linux and Windows/db.esl
$ESP/loader/keys/Linux and Windows/KEK.esl
$ESP/loader/keys/Linux and Windows/PK.esl
`
If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto'
directory.
If not, three new boot entries are available to the user in order to enroll either the
'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-05-10 02:13:28 +08:00
|
|
|
being the display name for the set of variables in the menu. If one of the sets is named <filename>auto</filename>
|
|
|
|
|
then it might be enrolled automatically depending on whether <literal>secure-boot-enroll</literal> is set
|
|
|
|
|
to force or not.</para>
|
2018-06-20 17:59:11 +08:00
|
|
|
</refsect1>
|
|
|
|
|
|
2018-06-26 03:48:33 +08:00
|
|
|
<refsect1>
|
|
|
|
|
<title>EFI Variables</title>
|
|
|
|
|
|
2021-09-21 22:52:57 +08:00
|
|
|
<para>The following EFI variables are defined, set and read by <command>systemd-boot</command>, under the
|
|
|
|
|
vendor UUID <literal>4a67b082-0a4c-41cf-b6c7-440b29bb8c4f</literal>, for communication between the boot
|
|
|
|
|
loader and the OS:</para>
|
2018-06-26 03:48:33 +08:00
|
|
|
|
2019-02-13 18:09:02 +08:00
|
|
|
<variablelist class='efi-variables'>
|
2018-06-26 03:48:33 +08:00
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderBootCountPath</varname></term>
|
|
|
|
|
<listitem><para>If boot counting is enabled, contains the path to the file in whose name the boot counters are
|
|
|
|
|
encoded. Set by the boot
|
|
|
|
|
loader. <citerefentry><refentrytitle>systemd-bless-boot.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
|
|
uses this information to mark a boot as successful as determined by the successful activation of the
|
2023-08-23 00:52:36 +08:00
|
|
|
<filename>boot-complete.target</filename> target unit.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v240"/></listitem>
|
2018-06-26 03:48:33 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderConfigTimeout</varname></term>
|
2018-10-22 19:40:51 +08:00
|
|
|
<term><varname>LoaderConfigTimeoutOneShot</varname></term>
|
2018-12-14 15:26:46 +08:00
|
|
|
<listitem><para>The menu timeout in seconds. Read by the boot loader. <varname>LoaderConfigTimeout</varname>
|
2018-10-22 19:40:51 +08:00
|
|
|
is maintained persistently, while <varname>LoaderConfigTimeoutOneShot</varname> is a one-time override which is
|
|
|
|
|
read once (in which case it takes precedence over <varname>LoaderConfigTimeout</varname>) and then
|
|
|
|
|
removed. <varname>LoaderConfigTimeout</varname> may be manipulated with the
|
2023-08-23 00:52:36 +08:00
|
|
|
<keycap>t</keycap>/<keycap>T</keycap> keys, see above.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v240"/></listitem>
|
2018-06-26 03:48:33 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
2023-10-03 00:31:36 +08:00
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderConfigConsoleMode</varname></term>
|
|
|
|
|
<listitem><para>The numerical menu console mode. Read by the boot loader. <varname>LoaderConfigConsoleMode</varname>
|
|
|
|
|
is maintained persistently. <varname>LoaderConfigConsoleMode</varname> may be manipulated with the
|
|
|
|
|
<keycap>r</keycap>/<keycap>R</keycap> keys, see above.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
2018-06-26 03:48:33 +08:00
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderDevicePartUUID</varname></term>
|
|
|
|
|
|
man: fix LoaderDevicePathUUID + LoaderImageIdentifier descriptions
First of all, these were always set, i.e. since sd-boot was merged into
our tree, i.e. v220. Let's say so explicitly.
Also, let's be more accurate, regarding which partition this referes to:
it's usually "the" ESP, but given that you can make firmware boot from
arbitrary disks, it could be any other partition too. Hence, be
explicit on this.
Also, clarify tha sd-stub will set this too, if sd-boot never set it.
2024-07-15 21:48:42 +08:00
|
|
|
<listitem><para>Contains the partition UUID of the partition the boot loader has been started from on
|
|
|
|
|
the current boot (usually a EFI System Partition). Set by the boot loader. (Note that
|
|
|
|
|
<command>systemd-stub</command> will set this too, if not set yet, to support systems that directly
|
|
|
|
|
boot into a unified kernel image, bypassing any boot loader.)
|
|
|
|
|
<citerefentry><refentrytitle>systemd-gpt-auto-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
|
|
uses this information to automatically find the disk booted from, in order to discover various other
|
|
|
|
|
partitions on the same disk automatically.</para>
|
2023-08-23 00:52:36 +08:00
|
|
|
|
man: fix LoaderDevicePathUUID + LoaderImageIdentifier descriptions
First of all, these were always set, i.e. since sd-boot was merged into
our tree, i.e. v220. Let's say so explicitly.
Also, let's be more accurate, regarding which partition this referes to:
it's usually "the" ESP, but given that you can make firmware boot from
arbitrary disks, it could be any other partition too. Hence, be
explicit on this.
Also, clarify tha sd-stub will set this too, if sd-boot never set it.
2024-07-15 21:48:42 +08:00
|
|
|
<xi:include href="version-info.xml" xpointer="v220"/></listitem>
|
2018-06-26 03:48:33 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderEntries</varname></term>
|
|
|
|
|
|
|
|
|
|
<listitem><para>A list of the identifiers of all discovered boot loader entries. Set by the boot
|
2023-08-23 00:52:36 +08:00
|
|
|
loader.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v240"/></listitem>
|
2018-06-26 03:48:33 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderEntryDefault</varname></term>
|
|
|
|
|
<term><varname>LoaderEntryOneShot</varname></term>
|
|
|
|
|
|
|
|
|
|
<listitem><para>The identifier of the default boot loader entry. Set primarily by the OS and read by the boot
|
|
|
|
|
loader. <varname>LoaderEntryOneShot</varname> sets the default entry for the next boot only, while
|
|
|
|
|
<varname>LoaderEntryDefault</varname> sets it persistently for all future
|
|
|
|
|
boots. <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
|
|
|
|
|
<option>set-default</option> and <option>set-oneshot</option> commands make use of these variables. The boot
|
|
|
|
|
loader modifies <varname>LoaderEntryDefault</varname> on request, when the <keycap>d</keycap> key is used, see
|
2023-08-23 00:52:36 +08:00
|
|
|
above.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v240"/></listitem>
|
2018-06-26 03:48:33 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
2023-10-03 00:56:42 +08:00
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderEntryLastBooted</varname></term>
|
|
|
|
|
|
|
|
|
|
<listitem><para>The identifier of the boot loader entry last attempted. Set and read by the boot loader,
|
|
|
|
|
only when <filename>/loader/loader.conf</filename> has default set to <literal>@saved</literal>. See
|
|
|
|
|
<citerefentry><refentrytitle>loader.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
|
|
|
|
|
|
|
|
|
<para> The boot loader will ensure <varname>LoaderEntryLastBooted</varname> is up-to date for every boot,
|
|
|
|
|
updating it as needed and will omit changing it all together when <varname>LoaderEntryOneShot</varname>
|
|
|
|
|
is set.</para>
|
|
|
|
|
|
|
|
|
|
<para>The boot loader reads the variable, which takes higher priority than
|
|
|
|
|
<varname>LoaderEntryDefault</varname>. The variable is ignored when <varname>LoaderEntryOneShot</varname>
|
|
|
|
|
is set.</para>
|
|
|
|
|
|
|
|
|
|
<para><varname>LoaderEntryLastBooted</varname> cannot be used as indication that the last boot was
|
|
|
|
|
successful or not.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
2018-06-26 03:48:33 +08:00
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderEntrySelected</varname></term>
|
|
|
|
|
|
|
|
|
|
<listitem><para>The identifier of the boot loader entry currently being booted. Set by the boot
|
2023-08-23 00:52:36 +08:00
|
|
|
loader.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v240"/></listitem>
|
2018-06-26 03:48:33 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
2018-10-22 22:51:46 +08:00
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderFeatures</varname></term>
|
|
|
|
|
|
|
|
|
|
<listitem><para>A set of flags indicating the features the boot loader supports. Set by the boot loader. Use
|
|
|
|
|
<citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view this
|
2023-08-23 00:52:36 +08:00
|
|
|
data.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v240"/></listitem>
|
2018-10-22 22:51:46 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
2018-06-26 03:48:33 +08:00
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderFirmwareInfo</varname></term>
|
|
|
|
|
<term><varname>LoaderFirmwareType</varname></term>
|
|
|
|
|
|
|
|
|
|
<listitem><para>Brief firmware information. Set by the boot loader. Use
|
|
|
|
|
<citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view this
|
2023-08-23 00:52:36 +08:00
|
|
|
data.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v240"/></listitem>
|
2018-06-26 03:48:33 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderImageIdentifier</varname></term>
|
|
|
|
|
|
man: fix LoaderDevicePathUUID + LoaderImageIdentifier descriptions
First of all, these were always set, i.e. since sd-boot was merged into
our tree, i.e. v220. Let's say so explicitly.
Also, let's be more accurate, regarding which partition this referes to:
it's usually "the" ESP, but given that you can make firmware boot from
arbitrary disks, it could be any other partition too. Hence, be
explicit on this.
Also, clarify tha sd-stub will set this too, if sd-boot never set it.
2024-07-15 21:48:42 +08:00
|
|
|
<listitem><para>The file system path to the EFI executable of the boot loader for the current boot,
|
|
|
|
|
relative to the partition's root directory (i.e. relative to the partition indicated by
|
|
|
|
|
<varname>LoaderDevicePartUUID</varname>, see above). Set by the boot loader. (Note that
|
|
|
|
|
<command>systemd-stub</command> will set this too, if not set yet, to support systems that directly
|
|
|
|
|
boot into a unified kernel image, bypassing any boot loader.) Use
|
|
|
|
|
<citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view
|
|
|
|
|
this data.</para>
|
2023-08-23 00:52:36 +08:00
|
|
|
|
man: fix LoaderDevicePathUUID + LoaderImageIdentifier descriptions
First of all, these were always set, i.e. since sd-boot was merged into
our tree, i.e. v220. Let's say so explicitly.
Also, let's be more accurate, regarding which partition this referes to:
it's usually "the" ESP, but given that you can make firmware boot from
arbitrary disks, it could be any other partition too. Hence, be
explicit on this.
Also, clarify tha sd-stub will set this too, if sd-boot never set it.
2024-07-15 21:48:42 +08:00
|
|
|
<xi:include href="version-info.xml" xpointer="v220"/></listitem>
|
2018-06-26 03:48:33 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderInfo</varname></term>
|
|
|
|
|
|
|
|
|
|
<listitem><para>Brief information about the boot loader. Set by the boot loader. Use
|
|
|
|
|
<citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> to view this
|
2023-08-23 00:52:36 +08:00
|
|
|
data.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v240"/></listitem>
|
2018-06-26 03:48:33 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderTimeExecUSec</varname></term>
|
|
|
|
|
<term><varname>LoaderTimeInitUSec</varname></term>
|
|
|
|
|
<term><varname>LoaderTimeMenuUsec</varname></term>
|
|
|
|
|
|
|
|
|
|
<listitem><para>Information about the time spent in various parts of the boot loader. Set by the boot
|
|
|
|
|
loader. Use <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
2023-08-23 00:52:36 +08:00
|
|
|
to view this data. </para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v240"/></listitem>
|
2019-07-22 20:19:33 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>LoaderSystemToken</varname></term>
|
|
|
|
|
|
2020-07-06 16:49:59 +08:00
|
|
|
<listitem><para>A binary random data field, that is used for generating the random seed to pass to
|
|
|
|
|
the OS (see above). Note that this random data is generally only generated once, during OS
|
2023-08-23 00:52:36 +08:00
|
|
|
installation, and is then never updated again.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v243"/></listitem>
|
2018-06-26 03:48:33 +08:00
|
|
|
</varlistentry>
|
|
|
|
|
</variablelist>
|
2019-07-22 20:19:33 +08:00
|
|
|
|
|
|
|
|
<para>Many of these variables are defined by the <ulink
|
|
|
|
|
url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>.</para>
|
2018-06-26 03:48:33 +08:00
|
|
|
</refsect1>
|
|
|
|
|
|
2024-03-10 23:24:37 +08:00
|
|
|
<refsect1>
|
|
|
|
|
<title>SMBIOS Type 11 Strings</title>
|
|
|
|
|
|
|
|
|
|
<para><command>systemd-boot</command> can be configured using SMBIOS Type 11 strings. Applicable strings
|
2024-03-11 04:24:52 +08:00
|
|
|
consist of a name, followed by <literal>=</literal>, followed by the value. Unless
|
|
|
|
|
<command>systemd-boot</command> detects it is running inside a confidential computing environment,
|
2024-03-10 23:24:37 +08:00
|
|
|
<command>systemd-boot</command> will search the table for a string with a specific name, and if found,
|
|
|
|
|
use its value. The following strings are read:</para>
|
|
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>io.systemd.boot.kernel-cmdline-extra</varname></term>
|
|
|
|
|
<listitem><para>If set, the value of this string is added to the list of kernel command line
|
|
|
|
|
arguments for Boot Loader Specification Type 1 entries that are measured in PCR12 and passed to the
|
|
|
|
|
kernel.</para>
|
|
|
|
|
|
|
|
|
|
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
</variablelist>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
2018-06-27 04:11:35 +08:00
|
|
|
<refsect1>
|
|
|
|
|
<title>Boot Counting</title>
|
|
|
|
|
|
|
|
|
|
<para><command>systemd-boot</command> implements a simple boot counting mechanism on top of the <ulink
|
2022-11-14 16:44:39 +08:00
|
|
|
url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink>, for automatic and unattended
|
2019-04-27 08:22:40 +08:00
|
|
|
fallback to older kernel versions/boot loader entries when a specific entry continuously fails. Any boot loader
|
2018-06-27 04:11:35 +08:00
|
|
|
entry file and unified kernel image file that contains a <literal>+</literal> followed by one or two numbers (if
|
|
|
|
|
two they need to be separated by a <literal>-</literal>), before the <filename>.conf</filename> or
|
|
|
|
|
<filename>.efi</filename> suffix is subject to boot counting: the first of the two numbers ('tries left') is
|
|
|
|
|
decreased by one on every boot attempt, the second of the two numbers ('tries done') is increased by one (if 'tries
|
|
|
|
|
done' is absent it is considered equivalent to 0). Depending on the current value of these two counters the boot
|
|
|
|
|
entry is considered to be in one of three states:</para>
|
|
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
|
<listitem><para>If the 'tries left' counter of an entry is greater than zero the entry is considered to be in
|
|
|
|
|
'indeterminate' state. This means the entry has not completed booting successfully yet, but also hasn't been
|
|
|
|
|
determined not to work.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>If the 'tries left' counter of an entry is zero it is considered to be in 'bad' state. This means
|
|
|
|
|
no further attempts to boot this item will be made (that is, unless all other boot entries are also in 'bad'
|
|
|
|
|
state), as all attempts to boot this entry have not completed successfully.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>If the 'tries left' and 'tries done' counters of an entry are absent it is considered to be in
|
|
|
|
|
'good' state. This means further boot counting for the entry is turned off, as it successfully booted at least
|
|
|
|
|
once. The
|
|
|
|
|
<citerefentry><refentrytitle>systemd-bless-boot.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
|
|
service moves the currently booted entry from 'indeterminate' into 'good' state when a boot attempt completed
|
|
|
|
|
successfully.</para></listitem>
|
|
|
|
|
</orderedlist>
|
|
|
|
|
|
|
|
|
|
<para>Generally, when new entries are added to the boot loader, they first start out in 'indeterminate' state,
|
|
|
|
|
i.e. with a 'tries left' counter greater than zero. The boot entry remains in this state until either it managed to
|
|
|
|
|
complete a full boot successfully at least once (in which case it will be in 'good' state) — or the 'tries left'
|
|
|
|
|
counter reaches zero (in which case it will be in 'bad' state).</para>
|
|
|
|
|
|
|
|
|
|
<para>Example: let's say a boot loader entry file <filename>foo.conf</filename> is set up for 3 boot tries. The
|
|
|
|
|
installer will hence create it under the name <filename>foo+3.conf</filename>. On first boot, the boot loader will
|
|
|
|
|
rename it to <filename>foo+2-1.conf</filename>. If that boot does not complete successfully, the boot loader will
|
|
|
|
|
rename it to <filename>foo+1-2.conf</filename> on the following boot. If that fails too, it will finally be renamed
|
|
|
|
|
<filename>foo+0-3.conf</filename> by the boot loader on next boot, after which it will be considered 'bad'. If the
|
|
|
|
|
boot succeeds however the entry file will be renamed to <filename>foo.conf</filename> by the OS, so that it is
|
|
|
|
|
considered 'good' from then on.</para>
|
|
|
|
|
|
|
|
|
|
<para>The boot menu takes the 'tries left' counter into account when sorting the menu entries: entries in 'bad'
|
2022-02-15 17:25:37 +08:00
|
|
|
state are ordered at the beginning of the list, and entries in 'good' or 'indeterminate' at the end. The user can
|
|
|
|
|
freely choose to boot any entry of the menu, including those already marked 'bad'. If the menu entry to boot is
|
|
|
|
|
automatically determined, this means that 'good' or 'indeterminate' entries are generally preferred (as the bottom
|
|
|
|
|
item of the menu is the one booted by default), and 'bad' entries will only be considered if there are no 'good' or
|
2018-06-27 04:11:35 +08:00
|
|
|
'indeterminate' entries left.</para>
|
|
|
|
|
|
|
|
|
|
<para>The <citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry> kernel
|
|
|
|
|
install framework optionally sets the initial 'tries left' counter to the value specified in
|
|
|
|
|
<filename>/etc/kernel/tries</filename> when a boot loader entry is first created.</para>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
2022-10-04 21:01:39 +08:00
|
|
|
<refsect1>
|
2023-05-17 18:24:04 +08:00
|
|
|
<title>Using <command>systemd-boot</command> in virtual machines</title>
|
2022-10-04 21:01:39 +08:00
|
|
|
|
|
|
|
|
<para>When using qemu with OVMF (UEFI Firmware for virtual machines) the <option>-kernel</option> switch
|
|
|
|
|
works not only for linux kernels, but for any EFI binary, including sd-boot and unified linux
|
2023-05-17 18:24:04 +08:00
|
|
|
kernels. Example command line for loading <command>systemd-boot</command> on x64:</para>
|
2022-10-04 21:01:39 +08:00
|
|
|
|
|
|
|
|
<para>
|
|
|
|
|
<command>qemu-system-x86_64 <replaceable>[ ... ]</replaceable>
|
|
|
|
|
-kernel /usr/lib/systemd/boot/efi/systemd-bootx64.efi</command>
|
|
|
|
|
</para>
|
|
|
|
|
|
|
|
|
|
<para>systemd-boot will detect that it was started directly instead of being loaded from ESP and will
|
|
|
|
|
search for the ESP in that case, taking into account boot order information from the hypervisor (if
|
|
|
|
|
available).</para>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
2018-03-11 18:22:09 +08:00
|
|
|
<refsect1>
|
|
|
|
|
<title>See Also</title>
|
2023-12-23 02:09:32 +08:00
|
|
|
<para><simplelist type="inline">
|
|
|
|
|
<member><citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
|
|
|
|
<member><citerefentry><refentrytitle>loader.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
|
|
|
|
|
<member><citerefentry><refentrytitle>systemd-bless-boot.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
|
|
|
|
<member><citerefentry><refentrytitle>systemd-boot-random-seed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
|
|
|
|
<member><citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
|
|
|
|
<member><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
|
|
|
|
|
<member><ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink></member>
|
|
|
|
|
<member><ulink url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink></member>
|
|
|
|
|
<member><ulink url="https://systemd.io/TPM2_PCR_MEASUREMENTS">TPM2 PCR Measurements Made by systemd</ulink></member>
|
|
|
|
|
</simplelist></para>
|
2018-03-11 18:22:09 +08:00
|
|
|
</refsect1>
|
|
|
|
|
</refentry>
|
