Thanks! I did the below:
ukify build --secureboot-private-key=../../db.key \
  --secureboot-certificate=../../db.crt --cmdline='yockgenxxxx' \
  --sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
uki-addon.author,1,UKI Addon for System,uki-addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html' \
  --output=linux-9-9.addon.efi

And my UKI and addon are stored as below:
root@TiberOS [ /boot/efi/EFI/Linux ]# ls
linux-9-9.addon.efi  linux-9-9.efi


However, when I booted it and checked the cmdline, it doesn't seem like the new
"yockgenxxxx" has been added. Log as below:
root@TiberOS [ /boot/efi/EFI/Linux ]# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.6.43-1.cm2       rd.auto=1 
root=PARTUUID=xxxxxx-fed745cacc87 init=/lib/systemd/systemd ro loglevel=3 
no-vmw-sta crashkernel=256M lockdown=integrity lockdown=integrity 
sysctl.kernel.unprivileged_bpf_disabled=1 net.ifnames=0 plymouth.enable=0 
systemd.legacy_systemd_cgroup_controller=yes systemd.unified_cgroup_hierarchy=0


Am I doing it right? I'm a first-timer on this and would really appreciate your
guidance on it.


Thanks!

-----Original Message-----
From: Lennart Poettering <lenn...@poettering.net> 
Sent: Tuesday, October 8, 2024 9:39 PM
To: Mah, Yock Gen <yock.gen....@intel.com>
Cc: systemd-devel@lists.freedesktop.org
Subject: Re: [systemd-devel] Passing Kernel Params from systemd-boot for Secure 
Boot UKI

On Di, 08.10.24 12:37, Mah, Yock Gen (yock.gen....@intel.com) wrote:

> Really appreciate it! I tried to create a PE "addon" using the below:
>
> echo "yockgen=b" > cmdline.txt
>
> objcopy --input binary --output efi-app-x86_64 cmdline.txt bootdm_b.addon.efi

This doesn't look right. You must insert the cmdline in the ".cmdline"
PE section, of course. As mentioned, addons follow the same structure as UKIs 
after all.

We generally recommend using ukify for generating UKIs and PE addons.

The man page even has an example doing exactly what you need to do:

https://github.com/systemd/systemd/blob/main/man/ukify.xml#L674

Lennart

--
Lennart Poettering, Berlin
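
A check for the point made in the quoted reply, that the command line must sit in the ".cmdline" PE section: this added example (not part of the thread, and not systemd or ukify code) walks a PE section table and returns the .cmdline text, or None when the section is missing. The sample images are built in memory by the hypothetical helper sample_pe; for a real addon, pass the file's bytes to addon_cmdline.

```python
import struct

def pe_sections(image: bytes) -> dict:
    """Map section name -> raw bytes for a PE image (UKI or addon)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature")
    # COFF header: section count is field 2, optional-header size field 6
    _m, nsect, _t, _s, _n, opt_size, _c = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    table = pe_off + 24 + opt_size
    sections = {}
    for i in range(nsect):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        size = min(vsize, rawsize) if vsize else rawsize  # drop file-alignment padding
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = image[rawptr:rawptr + size]
    return sections

def addon_cmdline(image: bytes):
    """Text stored in .cmdline, or None if the image has no such section."""
    data = pe_sections(image).get(".cmdline")
    return None if data is None else data.rstrip(b"\0\n").decode()

def sample_pe(sections: dict) -> bytes:
    """Hypothetical helper: constructed minimal PE (headers and sections only)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    offset = 0x40 + len(coff) + 40 * len(sections)
    table = body = b""
    for name, data in sections.items():
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0,
                             len(data), offset + len(body), 0, 0, 0, 0, 0)
        body += data
    return dos + coff + table + body

if __name__ == "__main__":
    # Constructed inputs: one image with .cmdline, one with the text elsewhere.
    with_section = sample_pe({".sbat": b"sbat,1,constructed\n", ".cmdline": b"yockgenxxxx"})
    without = sample_pe({".data": b"yockgen=b\n"})
    for label, img in (("with .cmdline", with_section), ("without", without)):
        print(label, sorted(pe_sections(img)), repr(addon_cmdline(img)))
    # Real file: addon_cmdline(open("linux-9-9.addon.efi", "rb").read())
```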
