mirror of
https://github.com/systemd/systemd.git
synced 2024-12-04 15:53:41 +08:00
a1d46e3078
This allows loading the X.509 certificate from an OpenSSL provider instead of a file system path. This allows loading certficates directly from hardware tokens instead of having to export them to a file on disk first.
117 lines
4.7 KiB
XML
117 lines
4.7 KiB
XML
<?xml version='1.0'?> <!--*-nxml-*-->
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
|
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
|
|
|
|
<refentry id="systemd-sbsign"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude">
|
|
<refentryinfo>
|
|
<title>systemd-sbsign</title>
|
|
<productname>systemd</productname>
|
|
</refentryinfo>
|
|
|
|
<refmeta>
|
|
<refentrytitle>systemd-sbsign</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>systemd-sbsign</refname>
|
|
<refpurpose>Sign PE binaries for EFI Secure Boot</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>systemd-sbsign</command>
|
|
<arg choice="opt" rep="repeat">OPTIONS</arg>
|
|
<arg choice="req">COMMAND</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para><command>systemd-sbsign</command> can be used to sign PE binaries for EFI Secure Boot.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Commands</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><option>sign</option></term>
|
|
|
|
<listitem><para>Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its
|
|
argument. If the PE binary already has a certificate table, the new signature will be added to it.
|
|
Otherwise a new certificate table will be created. The signed PE binary will be written to the path
|
|
specified with <option>--output=</option>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v257"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>validate-key</option></term>
|
|
|
|
<listitem><para>Checks that we can load the private key specified with
|
|
<option>--private-key=</option>. </para>
|
|
|
|
<para>As a side effect, if the private key is loaded from a PIN-protected hardware token, this
|
|
command can be used to cache the PIN in the kernel keyring. The
|
|
<varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC</varname> and
|
|
<varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TYPE</varname> environment variables can be used to control
|
|
how long and in which kernel keyring the PIN is cached.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v257"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Options</title>
|
|
<para>The following options are understood:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><option>--output=<replaceable>PATH</replaceable></option></term>
|
|
|
|
<listitem><para>Specifies the path where to write the signed PE binary.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
|
|
<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
|
|
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
|
|
<term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
|
|
|
|
<listitem><para>Set the Secure Boot private key and certificate for use with the
|
|
<command>sign</command>. The <option>--certificate=</option> option takes a path to a PEM encoded
|
|
X.509 certificate or a URI that's passed to the OpenSSL provider configured with
|
|
<option>--certificate-source</option>. The <option>--certificate-source</option> takes one of
|
|
<literal>file</literal> or <literal>provider</literal>, with the latter being followed by a specific
|
|
provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>. The
|
|
<option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL
|
|
engine or provider, as specified by <option>--private-key-source=</option> as a
|
|
<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
|
|
signing engine or provider will be used to sign the PE binary.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
|
</varlistentry>
|
|
|
|
<xi:include href="standard-options.xml" xpointer="no-pager"/>
|
|
<xi:include href="standard-options.xml" xpointer="help"/>
|
|
<xi:include href="standard-options.xml" xpointer="version"/>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See Also</title>
|
|
<para><simplelist type="inline">
|
|
<member><citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
|
</simplelist></para>
|
|
</refsect1>
|
|
</refentry>
|