
Migrate to sbkeysync

Open gdamjan opened this issue 4 years ago • 4 comments

https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_sbkeysync

sbkeysync, part of sbsigntools, is a tool to enroll the keys automatically. Alas, it assumes its own directory structure for the keys and certificates, a bit different than what I did with this tool. While this tool creates all the files in /etc/secure-boot, it expects a hierarchy /etc/secureboot/keys/{db,dbx,KEK,PK}.

Feb 01 '21 23:02 gdamjan

Cool idea! As a heads-up, only .auth files need to go to /etc/secureboot/keys/ folder, the tool will complain if you put anything else there... 🤦‍♂️

I just went through getting rid of efitools dependency altogether in favor of tools in sbsigntools, might be useful for you as a reference: https://github.com/maximbaz/arch-secure-boot/commit/485b6cf2d1ebd14d12377f63976f6c7c0d8d91bf

Feb 05 '21 20:02 maximbaz
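The layout change from the opening post, with the `.auth`-only caveat from the comment above, as an added example (not code from this repository or from sbsigntools). It assumes the flat directory holds signed updates named `PK.auth`, `KEK.auth`, `db.auth` and `dbx.auth`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: SRC is a flat directory (e.g. /etc/secure-boot)
# containing <var>.auth files next to keys and certificates.

# stage_keystore SRC DST
# Copy SRC/<var>.auth to DST/<var>/<var>.auth for db, dbx, KEK and PK.
# Keys (*.key) and certificates (*.crt, *.cer, *.esl) are never copied.
# Prints the number of .auth files staged.
stage_keystore() {
    src=$1
    dst=$2
    staged=0
    for var in db dbx KEK PK; do
        # Create every subdirectory so the hierarchy is complete
        # even when a given variable has no update to enroll.
        mkdir -p "$dst/$var" || return 1
        if [ -f "$src/$var.auth" ]; then
            cp "$src/$var.auth" "$dst/$var/$var.auth" || return 1
            staged=$((staged + 1))
        fi
    done
    echo "$staged"
}

# stray_files DST
# List anything in the keystore that is not a .auth file, so it can be
# removed before sbkeysync reads the directory.
stray_files() {
    find "$1" -type f ! -name '*.auth' | sort
}

# Stand-alone use: sh stage.sh /etc/secure-boot /etc/secureboot/keys
# Afterwards, preview enrollment without touching firmware variables:
#   sbkeysync --keystore /etc/secureboot/keys --no-default-keystores --dry-run --verbose
if [ "$#" -eq 2 ]; then
    stage_keystore "$1" "$2" >/dev/null || exit 1
    stray_files "$2"
fi
```
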

Did you test sbkeysync? It didn't work for me in a VM. I still haven't tried it on a real-metal machine.

Feb 09 '21 20:02 gdamjan

Yes, I tested everything end-to-end on my laptop, it works well 👍

Feb 09 '21 20:02 maximbaz

or https://github.com/systemd/systemd/pull/18716

Feb 22 '21 18:02 gdamjan