sbctl
:computer: :lock: :key: Secure Boot key manager
A neat trick would be to use `efivarfs` to store sbctl configuration/information and make it persistent across installations or operating systems. Probably a future goal, but an issue to track potential...
systemd v250 will automatically update the bootloader (https://github.com/systemd/systemd/commit/71c8bf28378958a5ab2348e9ec586fbe78c71dfd) which could break booting (as the updated bootloader isn't signed). Another change in v250 (https://github.com/systemd/systemd/commit/12caf7271655e16030e34279b1fb0b29a592f6ad), is that `/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed` will be used over...
Old keys may be needed in case of error.
On some machines enabling UEFI secure boot setup mode is a no-can-do due to company policies or horrible UEFI UIs. Support for using a Microsoft CA signed Shim with a...
Moved ESP from `/boot` to `/efi` and thought I'd quickly reinstall **linux** and **intel-ucode** to recreate the files at `/boot`. The `sbctl generate-bundles -s`, which is executed via pacman hook...
Since the `bundle` command writes the bundle to the file system, why not allow a user to sign the bundle in the same command?
I ran `sbctl create-keys`, which succeeded without errors, but neither .der nor .auth files were generated:

```
archlinux% ls /usr/share/secureboot/keys/*
/usr/share/secureboot/keys/db:
db.key  db.pem

/usr/share/secureboot/keys/KEK:
KEK.key  KEK.pem

/usr/share/secureboot/keys/PK:
PK.key  PK.pem
```

...
A configurable key storage backend (plain files, OpenPGP smartcard, PKCS#11 token/HSM, etc.) would greatly benefit the underlying security model of `sbctl` and would enable integration into larger PKI infrastructures. Relying...
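One shape such a backend abstraction could take, as an added example written for this page (it is not sbctl's code, and `KeyBackend`, `FileBackend`, `SignPayload` and `WriteTestKey` are hypothetical names): callers only ever hold a `crypto.Signer`, so a PKCS#11 or smartcard backend can be dropped in later without the signing path knowing where the private key lives. The on-disk layout `<dir>/<name>/<name>.key` is assumed to mirror sbctl's key directory; the loader itself is not sbctl's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// KeyBackend is the seam a configurable key store needs: the caller only ever
// sees a crypto.Signer. A file backend returns the parsed private key; a
// PKCS#11 or OpenPGP-card backend would return a Signer whose Sign call runs
// inside the token, so the private key never enters this process.
type KeyBackend interface {
	Signer(keyName string) (crypto.Signer, error)
}

// FileBackend loads PKCS#8 PEM keys laid out as <Dir>/<name>/<name>.key.
// The layout is assumed to match sbctl's key directory; the loader is hypothetical.
type FileBackend struct{ Dir string }

func (f FileBackend) Signer(keyName string) (crypto.Signer, error) {
	raw, err := os.ReadFile(filepath.Join(f.Dir, keyName, keyName+".key"))
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, fmt.Errorf("%s: expected a PKCS#8 PRIVATE KEY PEM block", keyName)
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return nil, errors.New("key type does not implement crypto.Signer")
	}
	return signer, nil
}

// SignPayload hashes payload with SHA-256 and signs the digest through the
// backend; the same code path serves a file key and a hardware token.
// With an RSA key, crypto.Signer produces a PKCS#1 v1.5 signature.
func SignPayload(b KeyBackend, keyName string, payload []byte) (sig []byte, pub crypto.PublicKey, err error) {
	signer, err := b.Signer(keyName)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err = signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return nil, nil, err
	}
	return sig, signer.Public(), nil
}

// WriteTestKey creates a throwaway RSA-2048 key in the FileBackend layout
// (RSA because that is what UEFI firmware expects for db certificates).
// It exists only so the example runs offline; real keys come from create-keys.
func WriteTestKey(dir, keyName string) error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Join(dir, keyName), 0o700); err != nil {
		return err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	return os.WriteFile(filepath.Join(dir, keyName, keyName+".key"), pemBytes, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "sbctl-backend")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := WriteTestKey(dir, "db"); err != nil {
		panic(err)
	}
	payload := []byte("constructed EFI binary contents") // constructed sample input
	sig, pub, err := SignPayload(FileBackend{Dir: dir}, "db", payload)
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256(payload)
	err = rsa.VerifyPKCS1v15(pub.(*rsa.PublicKey), crypto.SHA256, digest[:], sig)
	fmt.Println("signature verifies:", err == nil)
}
```

Adding a PKCS#11 backend later means implementing `Signer` over a token session and leaving `SignPayload` untouched; the `.key` file never needs to exist on the host.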
Currently when enrolling keys we don't check whether there are no keys on the system. We just blindly `sbkeysync` and assume it's fine. We should preferably do a check on the...
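A preflight check of the kind this issue asks for, as an added example that is not sbctl's code (`PreflightEnroll` and `readVar` are hypothetical names): it reads `SetupMode` and `PK` from efivarfs, where every variable file carries a 4-byte attribute header before its data, and refuses to proceed unless the firmware is in setup mode and no Platform Key is present. The efivarfs directory is a parameter so the check can be run against a constructed directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// EFI_GLOBAL_VARIABLE GUID: SetupMode, PK, KEK, db and dbx all live under it.
const efiGlobalGUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

// Where the kernel exposes efivarfs on a typical Linux system.
const efivarsDir = "/sys/firmware/efi/efivars"

// readVar returns the data of one EFI variable. efivarfs prefixes every
// variable with a 4-byte attribute word, which is stripped here.
func readVar(dir, name string) ([]byte, error) {
	raw, err := os.ReadFile(filepath.Join(dir, name+"-"+efiGlobalGUID))
	if err != nil {
		return nil, err
	}
	if len(raw) < 4 {
		return nil, fmt.Errorf("%s: efivar shorter than its attribute header (%d bytes)", name, len(raw))
	}
	return raw[4:], nil
}

// PreflightEnroll refuses to enroll when the firmware is not in setup mode or
// already holds a Platform Key. Only then is it safe to write PK/KEK/db.
func PreflightEnroll(dir string) error {
	setup, err := readVar(dir, "SetupMode")
	if err != nil {
		return fmt.Errorf("cannot read SetupMode (no UEFI, or efivarfs not mounted?): %w", err)
	}
	if len(setup) != 1 || setup[0] != 1 {
		return errors.New("firmware is not in setup mode; clear the PK in firmware setup before enrolling")
	}
	// In setup mode the PK file normally does not exist at all; a present,
	// non-empty PK means someone already owns this platform.
	pk, err := readVar(dir, "PK")
	switch {
	case err == nil && len(pk) > 0:
		return errors.New("a Platform Key is already enrolled; refusing to overwrite it")
	case err != nil && !errors.Is(err, os.ErrNotExist):
		return fmt.Errorf("cannot read PK: %w", err)
	}
	return nil
}

func main() {
	if err := PreflightEnroll(efivarsDir); err != nil {
		fmt.Fprintln(os.Stderr, "enroll-keys preflight failed:", err)
		os.Exit(1)
	}
	fmt.Println("setup mode active and no PK present; safe to enroll")
}
```

Run as root on a real machine it reads the live variables; the check deliberately errors out rather than assuming an unreadable `SetupMode` means "empty".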
Right now they have a `.db` extension but they are just JSON files. This can be done in a backward-compatible way (check for `.db` but default to `.json`).