diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml
index abba8834fb..dd709c2949 100644
--- a/man/systemd-stub.xml
+++ b/man/systemd-stub.xml
@@ -36,6 +36,8 @@
ESP/.../foo.efi.extra.d/*.confext.raw
ESP/loader/addons/*.addon.efi
ESP/loader/credentials/*.cred
+ ESP/loader/extensions/*.sysext.raw
+ ESP/loader/extensions/*.confext.raw
@@ -202,8 +204,8 @@
Similarly, files
foo.efi.extra.d/*.sysext.raw are packed up in a
cpio archive and placed in the /.extra/sysext/ directory in the
- initrd file hierarchy. This is supposed to be used to pass additional system extension images to the
- initrd. See
+ initrd file hierarchy. This is supposed to be used to pass additional UKI-specific system extension
+ images to the initrd. See
systemd-sysext8 for
details on system extension images. The generated cpio archive containing these
system extension images is measured into TPM PCR 13 (if a TPM is present).
@@ -212,11 +214,27 @@
compatibility reasons with old versions. But we want people to name their system extensions
properly, hence we document the *.sysext.raw suffix only. -->
+ Similarly, files /loader/extensions/*.sysext.raw
+ are packed up in a cpio archive and placed in the /.extra/global_sysext/
+ directory in the initrd file hierarchy. This is supposed to be used to pass additional global system
+ extension images to the initrd. See
+ systemd-sysext8 for
+ details on system extension images. The generated cpio archive containing these
+ system extension images is measured into TPM PCR 13 (if a TPM is present).
+
Similarly, files
foo.efi.extra.d/*.confext.raw are packed up in a
cpio archive and placed in the /.extra/confext/ directory in
- the initrd file hierarchy. This is supposed to be used to pass additional configuration extension
- images to the initrd. See
+ the initrd file hierarchy. This is supposed to be used to pass additional UKI-specific configuration
+ extension images to the initrd. See
+ systemd-confext8 for
+ details on configuration extension images. The generated cpio archive containing
+ these configuration extension images is measured into TPM PCR 12 (if a TPM is present).
+
+ Similarly, files /loader/extensions/*.confext.raw
+ are packed up in a cpio archive and placed in the /.extra/global_confext/
+ directory in the initrd file hierarchy. This is supposed to be used to pass additional global configuration
+ extension images to the initrd. See
systemd-confext8 for
details on configuration extension images. The generated cpio archive containing
these configuration extension images is measured into TPM PCR 12 (if a TPM is present).
@@ -676,6 +694,16 @@
+
+ /.extra/global_sysext/*.sysext.raw
+ Similarly, system extension image files (suffix .sysext.raw) that
+ are placed in the /loader/extensions/ directory in the file system the unified
+ kernel image is placed in are copied into the /.extra/global_sysext/
+ directory in the initrd execution environment.
+
+
+
+
/.extra/confext/*.confext.raw
Configuration extension image files (suffix .confext.raw) that are
@@ -685,6 +713,16 @@
+
+ /.extra/global_confext/*.confext.raw
+ Similarly, configuration extension image files (suffix .confext.raw)
+ that are placed in the /loader/extensions/ directory in the file system the unified
+ kernel image is placed in are copied into the /.extra/global_confext/
+ directory in the initrd execution environment.
+
+
+
+
/.extra/tpm2-pcr-signature.json
The TPM2 PCR signature JSON object included in the .pcrsig PE
diff --git a/src/boot/stub.c b/src/boot/stub.c
index 301d7a1cc9..8354be3583 100644
--- a/src/boot/stub.c
+++ b/src/boot/stub.c
@@ -38,7 +38,9 @@ enum {
INITRD_CREDENTIAL = _INITRD_DYNAMIC_FIRST,
INITRD_GLOBAL_CREDENTIAL,
INITRD_SYSEXT,
+ INITRD_GLOBAL_SYSEXT,
INITRD_CONFEXT,
+ INITRD_GLOBAL_CONFEXT,
INITRD_PCRSIG,
INITRD_PCRPKEY,
INITRD_OSREL,
@@ -869,6 +871,19 @@ static void generate_sidecar_initrds(
&m) == EFI_SUCCESS)
combine_measured_flag(sysext_measured, m);
+ if (pack_cpio(loaded_image,
+ u"\\loader\\extensions",
+ u".sysext.raw",
+ /* exclude_suffix= */ NULL,
+ ".extra/global_sysext",
+ /* dir_mode= */ 0555,
+ /* access_mode= */ 0444,
+ /* tpm_pcr= */ TPM2_PCR_SYSEXTS,
+ u"Global system extension initrd",
+ initrds + INITRD_GLOBAL_SYSEXT,
+ &m) == EFI_SUCCESS)
+ combine_measured_flag(sysext_measured, m);
+
if (pack_cpio(loaded_image,
/* dropin_dir= */ NULL,
u".confext.raw",
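Review bot: The new pack_cpio call at the top of this hunk reads `\loader\extensions` from the same untrusted file system the UKI was loaded from, but unlike the per-UKI `.extra.d` directory it is shared by every UKI on that ESP, and nothing at the call site records why widening the pickup is acceptable. Worth a comment above the call such as `/* Global extensions live on the (untrusted) ESP and apply to every UKI booted from it; they are only safe because they are measured into PCR 13 here and the initrd side applies the strict sysext image policy to /.extra/global_sysext/. */`. Because the archive is measured into the same PCR 13 as the per-UKI sysext archive (`TPM2_PCR_SYSEXTS`), a PCR 13 policy sealed before files appeared in `/loader/extensions/` will presumably stop matching once they do — a deployment caveat that belongs in the man page rather than here. generate_sidecar_initrds starts before this hunk.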
@@ -881,6 +896,19 @@ static void generate_sidecar_initrds(
initrds + INITRD_CONFEXT,
&m) == EFI_SUCCESS)
combine_measured_flag(confext_measured, m);
+
+ if (pack_cpio(loaded_image,
+ u"\\loader\\extensions",
+ u".confext.raw",
+ /* exclude_suffix= */ NULL,
+ ".extra/global_confext",
+ /* dir_mode= */ 0555,
+ /* access_mode= */ 0444,
+ /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
+ u"Global configuration extension initrd",
+ initrds + INITRD_GLOBAL_CONFEXT,
+ &m) == EFI_SUCCESS)
+ combine_measured_flag(confext_measured, m);
}
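Review bot: With this hunk generate_sidecar_initrds carries four near-identical pack_cpio invocations that differ only in drop-in directory, suffix, target path, PCR, description, initrd slot and which measured flag they feed, and the per-UKI and global variants of each class can now drift apart silently (the global confext call here has to mirror the per-UKI one above it by hand). A small static table of those per-archive fields iterated in one loop, with the measured-flag pointer as a table column, would keep the four in lockstep; I have not written it out because the per-UKI sysext call's `exclude_suffix` is outside this hunk and the table would have to reproduce it. The function ends at the closing brace of this hunk but begins outside it.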
static void generate_embedded_initrds(
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index 089d656f40..d39c3a1356 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -76,20 +76,22 @@ const char* const image_search_path[_IMAGE_CLASS_MAX] = {
"/usr/lib/confexts\0",
};
-/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext/ and
- * .extra/confext/ in extension search dir) */
+/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext/,
+ * /.extra/global_sysext, .extra/confext/, and /.extra/global_confext in extension search dir) */
static const char* const image_search_path_initrd[_IMAGE_CLASS_MAX] = {
/* (entries that aren't listed here will get the same search path as for the non initrd-case) */
[IMAGE_SYSEXT] = "/etc/extensions\0" /* only place symlinks here */
"/run/extensions\0" /* and here too */
"/var/lib/extensions\0" /* the main place for images */
- "/.extra/sysext\0", /* put sysext picked up by systemd-stub last, since not trusted */
+ "/.extra/sysext\0" /* put sysext (per-UKI and global) picked up by systemd-stub */
+ "/.extra/global_sysext\0", /* last, since not trusted */
[IMAGE_CONFEXT] = "/run/confexts\0" /* only place symlinks here */
"/var/lib/confexts\0" /* the main place for images */
"/usr/local/lib/confexts\0"
- "/.extra/confext\0", /* put confext picked up by systemd-stub last, since not trusted */
+ "/.extra/confext\0" /* put confext (per-UKI and global) picked up by systemd-stub */
+ "/.extra/global_confext\0", /* last, since not trusted. */
};
static const char* image_class_suffix_table[_IMAGE_CLASS_MAX] = {
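Review bot: The rewritten comments on the sysext and confext search paths say the two stub-provided directories go "last, since not trusted", but not which of them wins when a per-UKI and a global image share a name; if discovery keeps the first match per image name, as the search-path ordering suggests, `/.extra/sysext` shadows `/.extra/global_sysext`, and that precedence should be stated so UKI authors know per-UKI images override global ones. Suggest `/* stub-provided dirs last, since not trusted; per-UKI /.extra/sysext is searched before global so it takes precedence on name collisions */` (hedged on the discovery semantics, which are not visible here). The header comment above the array also mixes `.extra/sysext/` with `/.extra/global_sysext` — one form, with the leading slash, would read more cleanly.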
diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
index b232ee4fc1..97a835b8c8 100644
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@@ -1660,15 +1660,19 @@ static const ImagePolicy *pick_image_policy(const Image *img) {
if (arg_image_policy)
return arg_image_policy;
- /* If located in /.extra/sysext/ in the initrd, then it was placed there by systemd-stub, and was
+ /* If located in /.extra/ in the initrd, then it was placed there by systemd-stub, and was
* picked up from an untrusted ESP. Thus, require a stricter policy by default for them. (For the
* other directories we assume the appropriate level of trust was already established already. */
if (in_initrd()) {
if (path_startswith(img->path, "/.extra/sysext/"))
return &image_policy_sysext_strict;
+ if (path_startswith(img->path, "/.extra/global_sysext/"))
+ return &image_policy_sysext_strict;
if (path_startswith(img->path, "/.extra/confext/"))
return &image_policy_confext_strict;
+ if (path_startswith(img->path, "/.extra/global_confext/"))
+ return &image_policy_confext_strict;
/* Better safe than sorry, refuse everything else passed in via the untrusted /.extra/ dir */
if (path_startswith(img->path, "/.extra/"))
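Review bot: The two new path_startswith checks duplicate the existing per-class ones, and every further stub-provided directory will add another pair; if path-util's PATH_STARTSWITH_SET is available in this file, `if (PATH_STARTSWITH_SET(img->path, "/.extra/sysext/", "/.extra/global_sysext/")) return &image_policy_sysext_strict;` and the confext equivalent keep the strict-policy routing in one place per class. The behaviour is correct either way, since the catch-all on the last line still refuses anything else under `/.extra/`. While touching the comment above, the adjacent sentence "appropriate level of trust was already established already" has a doubled word and an unclosed parenthesis. pick_image_policy begins and ends outside this hunk.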
diff --git a/units/systemd-confext-initrd.service b/units/systemd-confext-initrd.service
index 22461fa712..073307edcc 100644
--- a/units/systemd-confext-initrd.service
+++ b/units/systemd-confext-initrd.service
@@ -17,6 +17,7 @@ ConditionDirectoryNotEmpty=|/var/lib/confexts
ConditionDirectoryNotEmpty=|/usr/local/lib/confexts
ConditionDirectoryNotEmpty=|/usr/lib/confexts
ConditionDirectoryNotEmpty=|/.extra/confext
+ConditionDirectoryNotEmpty=|/.extra/global_confext
ConditionPathExists=/etc/initrd-release
DefaultDependencies=no
diff --git a/units/systemd-sysext-initrd.service b/units/systemd-sysext-initrd.service
index f21990aad0..4a411bb65e 100644
--- a/units/systemd-sysext-initrd.service
+++ b/units/systemd-sysext-initrd.service
@@ -16,6 +16,7 @@ ConditionDirectoryNotEmpty=|/etc/extensions
ConditionDirectoryNotEmpty=|/run/extensions
ConditionDirectoryNotEmpty=|/var/lib/extensions
ConditionDirectoryNotEmpty=|/.extra/sysext
+ConditionDirectoryNotEmpty=|/.extra/global_sysext
ConditionPathExists=/etc/initrd-release
DefaultDependencies=no