feat(dracut.sh): pass engine flag to sbsign allowing use with hardwar…

…e devices
dracutdevs · Aug 12, 2022 · 897e5ef · 897e5ef
1 parent c8f819e
commit 897e5ef
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/dracut.sh b/dracut.sh
@@ -2631,6 +2631,7 @@ if [[ $uefi == yes ]]; then
         "$uefi_stub" "${uefi_outdir}/linux.efi"; then
         if [[ -n ${uefi_secureboot_key} && -n ${uefi_secureboot_cert} ]]; then
             if sbsign \
+                ${uefi_secureboot_engine:+--engine "$uefi_secureboot_engine"} \
                 --key "${uefi_secureboot_key}" \
                 --cert "${uefi_secureboot_cert}" \
                 --output "$outfile" "${uefi_outdir}/linux.efi"; then

diff --git a/man/dracut.conf.5.asc b/man/dracut.conf.5.asc
@@ -294,6 +294,9 @@ Logging levels:
     Requires both certificate and key need to be specified and _sbsign_ to be
     installed.
 
+*uefi_secureboot_engine=*"_parameter_"::
+    Specifies an engine to use when signing the created UEFI executable. E.g. "pkcs11"
+
 *kernel_image=*"_<file>_"::
     Specifies the kernel image, which to include in the UEFI executable. The
     default is _/lib/modules/<KERNEL-VERSION>/vmlinuz_ or