clarify use of secure boot key for PCR signature #2464

merged 1 commit into from Mar 6, 2024
8 changes: 5 additions & 3 deletions mkosi/resources/mkosi.md
Expand Up @@ -1336,8 +1336,9 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
`SecureBootKey=`, `--secure-boot-key=`

: Path to the PEM file containing the secret key for signing the
UEFI kernel image, if `SecureBoot=` is used. When `SecureBootKeySource=` is specified, the input
type depends on the source.
UEFI kernel image if `SecureBoot=` is used and PCR signatures when
`SignExpectedPcr=` is also used. When `SecureBootKeySource=` is specified,
the input type depends on the source.

`SecureBootKeySource=`, `--secure-boot-key-source=`
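
Review bot: The rewritten first sentence of the `SecureBootKey=` description is hard to parse now that the comma before "if" is gone and "and PCR signatures when" has been appended; it is unclear whether "PCR signatures" is a second object of "signing". Since the point of the change is that one private key serves both purposes, say so directly, for example: "Path to the PEM file containing the secret key for signing the UEFI kernel image if `SecureBoot=` is used, and for signing the expected PCR values if `SignExpectedPcr=` is also used." It would also help readers to state explicitly that the same key is used for both signatures, so they can account for that when deciding how to protect and rotate it.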

Expand Down Expand Up @@ -1377,7 +1378,8 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
`systemd-measure` and embed the PCR signature into the unified kernel
image. This option takes a boolean value or the special value `auto`,
which is the default, which is equal to a true value if the
`systemd-measure` binary is in `PATH`.
`systemd-measure` binary is in `PATH`. Depends on `SecureBoot=`
being enabled and key from `SecureBootKey=`.

`Passphrase=`, `--passphrase`
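
Review bot: The added sentence "Depends on `SecureBoot=` being enabled and key from `SecureBootKey=`." does not say what happens when the dependency is not met, and it sits right after the description of the default `auto`, which is described as true whenever `systemd-measure` is in `PATH`. Please state whether PCR signing is skipped or the build fails when `SecureBoot=` is disabled or no `SecureBootKey=` is given, for both `auto` and an explicit true value. The wording also needs a small fix: "and on the key from `SecureBootKey=`".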
