sbctl
Use efivarfs to store sbctl settings/configurations
A neat trick would be to use efivarfs to store sbctl configuration/information and make it persistent across installations or operating systems.
Probably a future goal, but an issue to track potential usages.
Would have to be careful with backwards compat between versions, since each distro might have a different version of the tool.
Yes, but we could reserve our own vendor GUID and have a Version file that can explain the versioning format :)
It's something I just realized in passing. I don't have any good ideas how to use this yet. It would be neat to maybe store the files we sign on the ESP in a variable, and have something that says "keys are in TPM handle XYZ, or Yubikey with cardid 11223344".
The amount of EFI NVRAM is small. For example, I ran into an issue that I can't create a variable because my NVRAM was filled with kernel dumps. Configuration may create a similar problem.
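To make the idea above concrete (a variable under a reserved vendor GUID whose payload starts with a format version, kept small because NVRAM is scarce), here is an added example in Go, sbctl's own language. It is not sbctl code and the project has not reserved any GUID: the `ExampleVendorGUID`, the `SbctlConfig` variable name, the payload layout, the 1 KiB budget and the `Config` fields are all assumptions for illustration. What it does show exactly is the efivarfs file format, a 4-byte little-endian attribute word followed by the variable data, which any tool must produce when writing `/sys/firmware/efi/efivars/<Name>-<GUID>`.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// EFI variable attribute bits as defined by the UEFI specification.
const (
	EfiVariableNonVolatile       uint32 = 0x1
	EfiVariableBootserviceAccess uint32 = 0x2
	EfiVariableRuntimeAccess     uint32 = 0x4
)

// Hypothetical vendor GUID, picked for this example only. sbctl has not
// reserved one; a real project would generate and publish its own.
const ExampleVendorGUID = "c7b9e5c2-3e8a-4d7f-9c6a-5f1e2d3b4a60"

// Assumed payload budget: NVRAM is shared with pstore dumps, Boot#### entries
// and so on, so the variable is capped rather than allowed to grow unbounded.
const MaxPayload = 1024

// ConfigVersion is the first payload byte, so a newer build can recognise
// (and refuse) a layout it does not understand instead of misparsing it.
const ConfigVersion uint8 = 1

// Config is the illustrative content: where the keys live and what was signed.
type Config struct {
	KeyLocation string   // e.g. "tpm:0x81000001" or "yubikey:11223344"
	SignedFiles []string // paths relative to the ESP
}

// VarPath is the efivarfs file for a variable: <Name>-<vendor GUID>.
func VarPath(name, guid string) string {
	return "/sys/firmware/efi/efivars/" + name + "-" + guid
}

// EncodeVar builds what efivarfs expects on write: a little-endian uint32
// attribute word followed by the variable data.
func EncodeVar(attrs uint32, payload []byte) []byte {
	out := make([]byte, 4+len(payload))
	binary.LittleEndian.PutUint32(out[:4], attrs)
	copy(out[4:], payload)
	return out
}

// DecodeVar splits a raw efivarfs read back into attributes and data.
func DecodeVar(raw []byte) (uint32, []byte, error) {
	if len(raw) < 4 {
		return 0, nil, errors.New("efivar: short read, missing attribute header")
	}
	return binary.LittleEndian.Uint32(raw[:4]), raw[4:], nil
}

// Strings are encoded as a little-endian uint16 length followed by the bytes.
func putString(b []byte, s string) ([]byte, error) {
	if len(s) > 0xFFFF {
		return nil, errors.New("string too long")
	}
	b = append(b, byte(len(s)), byte(len(s)>>8))
	return append(b, s...), nil
}

func getString(b []byte) (string, []byte, error) {
	if len(b) < 2 {
		return "", nil, errors.New("truncated length")
	}
	n := int(binary.LittleEndian.Uint16(b[:2]))
	if b = b[2:]; len(b) < n {
		return "", nil, errors.New("truncated string")
	}
	return string(b[:n]), b[n:], nil
}

// MarshalConfig: version byte, key location, file count, then each file path.
func MarshalConfig(c Config) ([]byte, error) {
	if len(c.SignedFiles) > 0xFFFF {
		return nil, errors.New("too many files")
	}
	b, err := putString([]byte{ConfigVersion}, c.KeyLocation)
	if err != nil {
		return nil, err
	}
	b = append(b, byte(len(c.SignedFiles)), byte(len(c.SignedFiles)>>8))
	for _, f := range c.SignedFiles {
		if b, err = putString(b, f); err != nil {
			return nil, err
		}
	}
	if len(b) > MaxPayload {
		return nil, fmt.Errorf("config is %d bytes, over the %d-byte NVRAM budget", len(b), MaxPayload)
	}
	return b, nil
}

// UnmarshalConfig refuses unknown versions rather than guessing at the layout.
func UnmarshalConfig(b []byte) (Config, error) {
	var c Config
	if len(b) < 1 {
		return c, errors.New("empty payload")
	}
	if b[0] != ConfigVersion {
		return c, fmt.Errorf("unsupported config version %d", b[0])
	}
	var err error
	if c.KeyLocation, b, err = getString(b[1:]); err != nil {
		return c, err
	}
	if len(b) < 2 {
		return c, errors.New("truncated file count")
	}
	n := int(binary.LittleEndian.Uint16(b[:2]))
	b = b[2:]
	for i := 0; i < n; i++ {
		var f string
		if f, b, err = getString(b); err != nil {
			return c, err
		}
		c.SignedFiles = append(c.SignedFiles, f)
	}
	return c, nil
}
```

To actually persist the blob you would write the bytes returned by `EncodeVar` to `VarPath("SbctlConfig", ExampleVendorGUID)` as root, with `NON_VOLATILE|BOOTSERVICE_ACCESS|RUNTIME_ACCESS` (0x7) set so the variable survives reboots and is readable from the OS; the version check on read is what keeps a distro shipping an older sbctl from misreading a newer layout.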
As far as I understand, sbctl configuration isn't standalone but refers to files (kernel, keys) which aren't in NVRAM. If a user, for example, cleans their SSD,
- if the configuration is in NVRAM, it won't work;
- if the configuration was on the SSD, it won't work.
I don't see what is achieved by storing the configuration in NVRAM.
Traditionally, configuration files are stored in /etc, not in NVRAM. So it will be harder for users to clean or copy the configuration files.
Using an EFI var, fwupd is doing something similar, for reference: https://github.com/fwupd/fwupd/blob/204da7a7750d1fa126f3cb913372446821eb6d0b/libfwupdplugin/fu-efivar.h#L13
It's a log for debugging, IIUC: https://github.com/fwupd/fwupd/blob/f86c6add5f154aeea85bf0524eb55d74761d128c/plugins/uefi-capsule/fu-uefi-tool.c#L368