UKI: document the case of multiple Device Trees
Specify how the case of multiple Device Trees is to be handled.
diogoivo authored and keszybz committed Oct 4, 2023
1 parent 9cad9ea commit 5fab44a
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion specs/unified_kernel_image.md
Expand Up @@ -48,11 +48,13 @@ UKIs consist of the following resources:
* Optionally, information describing the OS this kernel is intended for, in the `.osrel` section. The contents of this section are derived from `/etc/os-release` of the target OS. They can be useful for presentation of the UKI in the boot loader menu, and ordering it against other entries using the included version information.
* Optionally, information describing kernel release information (i.e. `uname -r` output) in the `.uname` section. This is also useful for presentation of the UKI in the boot loader menu, and ordering it against other entries.
* Optionally, a splash image to bring to screen before transitioning into the Linux kernel, in the `.splash` section.
* Optionally, a compiled Devicetree database file, for systems which need it, in the `.dtb` section.
* Optionally, one or more compiled Device Trees, for systems which need it, each in its separate `.dtb` section. If multiple `.dtb` sections exist then one of them is selected according to an implementation-specific algorithm.
* Optionally, the public part of a public-private key pair in PEM format used to sign the image, in the `.pcrpkey` section.
* Optionally, a JSON file encoding expected PCR 11 hash values seen from userspace once the UKI has booted up, along with signatures of these expected PCR 11 hash values, in the `.pcrsig` section. The signatures must also match the abovementioned key pair.
* Optionally, a CSV file encoding the SBAT metadata for the image, in the `.sbat` section. The [SBAT format is defined by the Shim project](https://github.com/rhboot/shim/blob/main/SBAT.md), and used for UEFI revocation purposes.

Note that all of the sections defined above are singletons: they may appear once at most – except for the `.dtb` section which may be appear more than once.

### JSON Format for `.pcrsig`
The format is a single JSON object, encoded as a zero-terminated `UTF-8` string. Each name in the object
shall be unique as per recommendations of
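
Review bot: The new `.dtb` bullet says one section "is selected according to an implementation-specific algorithm" but places no constraint on that algorithm, so a reader cannot tell whether section order is significant or what happens when none of the sections matches the hardware. Whoever builds and signs a UKI (see `.pcrpkey` and `.pcrsig` in the same list) needs to know which Device Tree a given machine will end up booting with, so suggest stating at least whether the selection must be deterministic for a given machine and what the fallback is when nothing matches. Two wording points in the same hunk: "for systems which need it" no longer agrees with the plural "Device Trees" ("need them"), and the closing note reads "may be appear", which should be "may appear".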