void-packages sbctl: update

I tested the changes in this PR: yes
I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102 cc maintainer @ericonr

Sep 20 '23 20:09 dkwo

I don't think the hook should run by default.

Sep 20 '23 22:09 Duncaen

Kernels are not necessarily named vmlinuz, it could be vmlinux depending on the architecture.

Sep 20 '23 22:09 Duncaen

I could add a check for the existence of vmlinuz. (Note that efibootmgr also uses vmlinuz, and secure boot is a uefi feature, afaik.) If one installs sbctl, don't they want to sign new kernels? or what is your concern?

Sep 21 '23 15:09 dkwo

You have to first create keys and enroll, some users might want to sign kernel with sbctl and move/rename them instead of modifying the tracked binary.

aarch64 supports efi and the kernel binaries are uncompressed and named vmlinux, the efibootmgr hook is not very good for multiple reasons.

Sep 21 '23 16:09 Duncaen

how about now? it's disabled by default, and it checks existence of vmlinuz

Sep 21 '23 18:09 dkwo

We generally don't test for values of those environment variables and instead check if they are set or not, that makes the code easier and avoids having to define what yes/no/true/false/0/1 is the correct choice.

Not sure why you would only sign vmlinuz kernels and ignore vmlinux.

Sep 21 '23 18:09 Duncaen

[ -z "$SBCTL_SIGN_KERNEL" ] && exit 0
[ -e "boot/vmlinuz-${VERSION}" ] && sign "boot/vmlinuz-${VERSION}"
[ -e "boot/vmlinux-${VERSION}" ] && sign "boot/vmlinux-${VERSION}"

/etc/default/sbctl-kernel-hook:

# SBCTL_SIGN_KERNEL=yes

I guess the set vs yes/no/1/0 is arguable, seems like other hooks tend to check for 1/0, other things like xbps-src and such use the -n/-z style.

Sep 21 '23 18:09 Duncaen

Done, thanks.

Sep 21 '23 20:09 dkwo

added a post-removal hook as well.

Sep 23 '23 21:09 dkwo

can this be merged?

Oct 11 '23 18:10 dkwo

update to 0.12, enable pie, enable checks

Oct 26 '23 22:10 dkwo

ready to merge, imo

Oct 27 '23 20:10 dkwo

patch is merged upstream

Nov 02 '23 14:11 dkwo

updated to 0.13, which includes my patch.

Dec 27 '23 18:12 dkwo

should i just drop the kernel hooks for now, and just do the update?

Jan 16 '24 17:01 dkwo

remove the postrm hook, which does not work
we currently install (and also in my prior pr) /usr/lib/kernel/install.d/91-sbctl.install, but this is arch/systemd specific, so remove it

Jan 16 '24 22:01 dkwo

i realised the program by default writes key material to /usr/share. make it use /etc/secureboot instead, via a go_ldlfag

Jan 25 '24 19:01 dkwo

@Duncaen , anyone: this has several improvements, has been running fine for some time. any chance it can be merged?

Jan 25 '24 19:01 dkwo

i realised the program by default writes key material to /usr/share. make it use /etc/secureboot instead, via a go_ldlfag

Sucks that its in /usr/share, but breaking already existing installs and diverting from the documentation doesn't seem right.

Upstream issue https://github.com/Foxboron/sbctl/issues/57.

Feb 01 '24 00:02 Duncaen

i see your point, and i saw the issue (been there for years). the help function in the sbctl program gets built correctly though, see e.g.

$ sbctl help create-keys
Create a set of secure boot signing keys

Usage:
  sbctl create-keys [flags]

Flags:
  -d, --database-path string   location to create GUID file. defaults to /etc/secureboot (default "/etc/secureboot")
  -e, --export string          export file path. defaults to /etc/secureboot/keys (default "/etc/secureboot/keys")
  -h, --help                   help for create-keys

i got this idea from nix pkgs. would an install/update message be enough to warn the user? otherwise i'll just remove this change for now.

Feb 01 '24 16:02 dkwo

I would probably prefer to not change it now that it has been like this in the repos for 3 years and we don't know what upstream is going to do.

There are 3 scenarios:

Upstream changes it to what we "patched" in, everythink good.
Upstream changes it to something else, users have to manually change again.
Upstream changes it and adds a fallback mechanism, we don't have to do anything.

Feb 01 '24 17:02 Duncaen

Done. I commented out the option and left a comment for future.

Feb 02 '24 22:02 dkwo

I removed the kernel hook, as I prefer to sign the unified kernel image. Also simpler in view of moving kerneks out of /boot. This is now just an update, which i've been using for months with no issues.

Apr 17 '24 19:04 dkwo

0.14 is out, seems to work fine.

May 11 '24 21:05 dkwo

version 15 is out: https://github.com/Foxboron/sbctl/releases/tag/0.15

Jul 31 '24 11:07 Calandracas606

Thanks. I've tested the new version, and it works for me, as well as the migrate subcommand. I'm open to suggestions as for the sbctl.conf file, which I've taken from upstream. I do not create /var/lib/sbctl using make_dirs, as currently the program would complain otherwise and refuse to proceed if that folder is already present.

@Duncaen This version solves the issue with /usr/share, as it finally moves it to /var/lib/sbctl. Let me know if an install message is needed to warn the user.

In general, it may be better to wait a few days until things are more stable, and more people have tested this, so marking as draft.

Jul 31 '24 15:07 dkwo

@dkwo fwiw, the config file is the internal defaults sbctl will use if there is no config file.

It will also merge the internal state with the /etc/sbctl/sbctl.conf file if there is a change. So you don't need to include this in the package.

Jul 31 '24 17:07 Foxboron

@Foxboron Thanks a lot! I removed the conf file, and now the package also creates /var/lib/sbctl as expected.

Aug 01 '24 09:08 dkwo

This has been working fine for me.

Aug 05 '24 08:08 dkwo

0.15.4 is out

Aug 07 '24 03:08 classabbyamp