
Implement sbctl.conf

Open Foxboron opened this issue 4 years ago • 7 comments

There are a few lines which should probably be refactored into config.go. Mainly the files in keys.go.

I think we should leave room to specify which protocol one wants, files vs yubikey and so on. Along with desired RSA key sizes.

Can probably use yaml or toml for the file itself. Not super keen on having json.

Foxboron avatar Jun 13 '20 16:06 Foxboron

Currently I have toyed with the idea of utilizing toml for this. I have also mocked up an example config.

```toml
[keys]
keysize = 4096

[keys.PK]
backend = "hw"

[keys.KEK]
backend = "files"

[keys.db]
backend = "files"

[backend.files]
type = "directory"
path = "/usr/share/secureboot"

[backend.hw]
type = "yubikey"
cardid = "fasdfasd"
```

Foxboron avatar Jan 14 '21 21:01 Foxboron

Hi. Is this configuration file already used? If yes, where does it reside in the file system?

/usr/share/secureboot is readable by all users of the computer and isn't encrypted. I believe that keys should be secret. I want to change this path to a more secure place.

beroal avatar Jul 26 '21 19:07 beroal

@beroal It's not been implemented yet. Using current secure boot tooling without full disk encryption is a bit useless until HSM or TPM support is implemented.

Foxboron avatar Jul 26 '21 20:07 Foxboron

Even with full disk encryption, /usr/share/secureboot is readable by all users.

beroal avatar Jul 27 '21 12:07 beroal

@beroal the keys can be chmod'd to be readable only by root (as sbctl does).

ericonr avatar Aug 29 '21 04:08 ericonr

> @beroal the keys can be chmod'd to be readable only by root (as sbctl does).

This change (ea325ca46fec8b75ac6dd89742d2ea714593d38f) is not in the latest tag! So only people running from Git master have this.

But this can be fixed easily like this:

```sh
# find /usr/share/secureboot/keys -type f -exec "chmod" "400" "{}" \;
```

Scrumplex avatar Aug 29 '21 17:08 Scrumplex

Hello. Shouldn't only .key files be set to chmod 400? PEM certs are used for verifying file signatures, and that should be allowed to be performed by a user?

Shished avatar May 13 '22 16:05 Shished
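A permission audit in the spirit of the chmod discussion above, as an added example that is not sbctl's own code: it flags private `.key` files readable beyond root and `.pem` certificates writable beyond their owner. The `.key`/`.pem` split and the constructed sample files are assumptions, not sbctl's actual layout.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
)

// Finding is a key-directory file whose bits exceed its limit (.key 0400, .pem 0644).
type Finding struct {
	Path       string
	Have, Want fs.FileMode
}

// AuditKeyDir walks dir and reports every .key or .pem file that carries a
// permission bit its limit does not allow, e.g. a 0644 private key.
func AuditKeyDir(dir string) ([]Finding, error) {
	var found []Finding
	err := filepath.Walk(dir, func(p string, info fs.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		var want fs.FileMode
		switch filepath.Ext(p) {
		case ".key": // private signing key: nobody but root may read it
			want = 0o400
		case ".pem": // certificate: users verify signatures with it, so world-readable is fine
			want = 0o644
		default:
			return nil
		}
		if have := info.Mode().Perm(); have&^want != 0 {
			found = append(found, Finding{p, have, want})
		}
		return nil
	})
	return found, err
}

// WriteSample creates a constructed file with an explicit mode; the chmod
// after the write keeps the umask from altering the bits under test.
func WriteSample(path string, mode fs.FileMode) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
		return err
	}
	if err := os.WriteFile(path, []byte("constructed"), 0o600); err != nil {
		return err
	}
	return os.Chmod(path, mode)
}
```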