How to enroll just the signed auth variables, without also supplying private key?
- sbctl can export signed auth variables: sbctl enroll-keys --microsoft --export auth
- sbctl can import cert/key pairs
- apparently sbctl cannot import signed auth variables
- but putting the private key on the target machine may not be possible for security reasons
Do we have to use efitools for enrolling here? (like for example, efi-updatevar -f db.auth db)
It would be nice if sbctl alone could enroll signed auth variables too.
You can also use sd-boot for this. But generally having sbctl support enrolling .auth might be useful yes.
> but putting the private key on the target machine may not be possible for security reasons
sbctl expects all key material to be present currently. I have some ideas that having an "offline" or "client-mode" to sbctl would be useful, or allow key material to be missing for hardware keys. But currently haven't made any progress towards this.
Good idea. Unfortunately sd-boot may not work in our situation (efi + pxe + ipxe). sd-boot seems to require an esp (for loader.conf), but this is a network boot, so there is none.
Turns out we can also avoid efitools by splitting the enrolling of an auth file into two steps:
- convert the authfile to "vardata" format (doesn't have to happen on the target machine)
- copy the "vardata" file onto the target machine, and into its efivars filesystem
For the first step, I have created mkefivardata. It is recycled C code from efitools.