uki: describe .efifw section#216
Closed
katexochen wants to merge 1 commit into
Closed
Conversation
Add description for the firmware section (`.efifw`) in the specs. Co-authored-by: Ani Sinha <anisinha@redhat.com> Signed-off-by: Paul Meyer <katexochen0@gmail.com>
Foxboron
reviewed
Jun 7, 2026
| * Optionally, a CSV file encoding the SBAT metadata for the image, in the `.sbat` section. The [SBAT format is defined by the Shim project](https://github.com/rhboot/shim/blob/main/SBAT.md), and used for UEFI revocation purposes. | ||
| * Optionally, a JSON file encoding expected PCR 11 hash values seen from userspace once the UKI has booted up, along with signatures of these expected PCR 11 hash values, in the `.pcrsig` section. The signatures must also match the key pair described below. | ||
| * Optionally, the public part of a public-private key pair in PEM format used to sign the expected PCR 11 value of the image, in the `.pcrpkey` section. | ||
| * Optionally, one or more firmware images, each in a separate `.efifw` section. Each is an opaque binary blob that can be used as UEFI firmware on the next reset. If multiple `.efifw` sections exist then one of them is selected according to the matching hardware. |
Member
There was a problem hiding this comment.
Suggested change
| * Optionally, one or more firmware images, each in a separate `.efifw` section. Each is an opaque binary blob that can be used as UEFI firmware on the next reset. If multiple `.efifw` sections exist then one of them is selected according to the matching hardware. | |
| * Optionally one, or more, firmware images each in a separate `.efifw` section. Each is an opaque binary blob that can be used as UEFI firmware on the next reset. If multiple `.efifw` sections exist then one of them is selected according to the matching hardware. |
Author
There was a problem hiding this comment.
Not sure about this comma placement. I tried to stick with the style of the other points.
Foxboron
reviewed
Jun 7, 2026
| Note that all of the sections defined above are singletons: | ||
| they may appear at most once, | ||
| except for the `.dtbauto` section which may appear multiple times. | ||
| except for the `.dtbauto` and `.efifw` sections which may each appear multiple times. |
Member
There was a problem hiding this comment.
"each" sounds redundant here, but I'll defer to someone with more grammar skills.
Contributor
|
I think there is a gap in implementation as chid_match() is only called for device tree type device entries. |
Member
|
I merged the earlier PR. If there's anything left, please rebase. Or close this. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add description for the firmware section (
.efifw) in the specs.Supersedes #131
#131 is stale for over a year now, and this has been implemented in systemd quite some time ago, so I took the freedom to pick the changes from that PR, reworked it a bit to match what got implemented (multiple .efifw sections allowed), moved it to the end of the list (measured last) and fixed some other places where we mention sections that are allowed multiple times.