# sbctl - Secure Boot Manager

[![Build Status](https://github.com/Foxboron/sbctl/workflows/CI/badge.svg)](https://github.com/Foxboron/sbctl/actions)

sbctl intends to be a user-friendly Secure Boot key manager capable of setting
up Secure Boot, offering key management, and keeping track of the files in the
boot chain that need to be signed.

It is written top-to-bottom in [Go](https://golang.org/) using
[go-uefi](https://github.com/Foxboron/go-uefi) for the UEFI API layer and does
not rely on existing Secure Boot tooling. It also aims to provide integration
testing against [tianocore](https://www.tianocore.org/) firmware using
[vmtest](https://github.com/anatol/vmtest).

![](https://pkgbuild.com/~foxboron/sbctl_demo.gif)

## Features

* User-friendly
* Manages Secure Boot keys
* Live enrollment of keys
* Signing database to keep track of files that need to be signed
* Verify the ESP for files missing signatures
* EFI stub generation
* JSON output

## Roadmap to 1.0

* Key rotation
* TPM support
* Hardware token support
* Configuration files
* Automatic boot chain signing using the [Boot Loader Interface](https://systemd.io/BOOT_LOADER_INTERFACE/)

## Dependencies

* util-linux (using `lsblk`)
* binutils (using `objcopy`)
* Go >= 1.16

# Support and development channel

Development discussions and support happen in `#sbctl` on the [libera.chat](https://kiwiirc.com/nextclient/irc.libera.chat/#sbctl) IRC network.

# Usage

```
$ sbctl
Secure Boot Key Manager

Usage:
  sbctl [command]

Available Commands:
  bundle           Bundle the needed files for an EFI stub image
  create-keys      Create a set of secure boot signing keys
  enroll-keys      Enroll the current keys to EFI
  generate-bundles Generate all EFI stub bundles
  help             Help about any command
  list-bundles     List stored bundles
  list-files       List enrolled files
  remove-bundle    Remove bundle from database
  remove-file      Remove file from database
  sign             Sign a file with secure boot keys
  sign-all         Sign all enrolled files with secure boot keys
  status           Show current boot status
  verify           Find and check if files in the ESP are signed or not

Flags:
  -h, --help   help for sbctl
      --json   Output as json

Use "sbctl [command] --help" for more information about a command.
```

## Key creation and enrollment

Enrolling a new Platform Key requires the firmware to be in Setup Mode, which is
entered by clearing the existing keys from the firmware setup menu; `sbctl status`
reports whether that is the case. Once only your own keys are enrolled, any boot
component signed by another vendor's certificate (for example an option ROM
signed by the Microsoft UEFI CA) is no longer trusted, so check what your
hardware needs before leaving Setup Mode.

```
# sbctl status
Installed:   ✘ Sbctl is not installed
Setup Mode:  ✘ Enabled
Secure Boot: ✘ Disabled

# sbctl create-keys
Created Owner UUID a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Creating secure boot keys...✔
Secure boot keys created!

# sbctl enroll-keys
Enrolling keys to EFI variables...✔
Enrolled keys to the EFI variables!

# sbctl status
Installed:   ✔ Sbctl is installed
Owner GUID:  a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Setup Mode:  ✔ Disabled
Secure Boot: ✘ Disabled

// Reboot!

# sbctl status
Installed:   ✔ Sbctl is installed
Owner GUID:  a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Setup Mode:  ✔ Disabled
Secure Boot: ✔ Enabled
```
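The PK, KEK and db variables that enrollment writes hold their certificates as EFI_SIGNATURE_LIST structures, each entry tagged with a SignatureOwner GUID like the owner GUID printed by `status` above (the actual variable write additionally needs the EFI_VARIABLE_AUTHENTICATION_2 wrapper, which is not shown here). The Go program below is an added example, not sbctl's or go-uefi's code: it encodes a self-signed certificate (generated here as a stand-in; the RSA-2048 size, the CN and all function names are choices for this example) into an X.509 signature list with the owner GUID from the output above, and parses it back with the size checks a reader should apply.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// EFI_CERT_X509_GUID (a5c059a1-94e4-4aa7-87b5-ab155c2bf072) in UEFI byte order: first three fields little-endian.
var efiCertX509GUID = [16]byte{
	0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
	0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72,
}

// guidBytes converts a textual GUID, such as the owner GUID that status prints,
// into the byte order used for SignatureOwner in EFI_SIGNATURE_DATA.
func guidBytes(s string) ([16]byte, error) {
	var g [16]byte
	raw, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(raw) != 16 {
		return g, errors.New("malformed GUID")
	}
	copy(g[:], raw)
	for _, f := range [][2]int{{0, 4}, {4, 6}, {6, 8}} { // swap the three little-endian fields
		for i, j := f[0], f[1]-1; i < j; i, j = i+1, j-1 {
			g[i], g[j] = g[j], g[i]
		}
	}
	return g, nil
}

// SignatureList wraps one DER certificate in an EFI_SIGNATURE_LIST, the payload
// format of the PK, KEK and db variables: a 28-byte list header (type GUID and
// three uint32 sizes) followed by EFI_SIGNATURE_DATA (owner GUID, certificate).
func SignatureList(owner [16]byte, certDER []byte) []byte {
	sigSize := uint32(16 + len(certDER))
	var buf bytes.Buffer
	buf.Write(efiCertX509GUID[:])
	binary.Write(&buf, binary.LittleEndian, 28+sigSize) // SignatureListSize
	binary.Write(&buf, binary.LittleEndian, uint32(0))  // SignatureHeaderSize (none for X.509)
	binary.Write(&buf, binary.LittleEndian, sigSize)    // SignatureSize
	buf.Write(owner[:])
	buf.Write(certDER)
	return buf.Bytes()
}

// ParseSignatureList is the inverse, with the size consistency checks a reader
// should apply before trusting the certificate inside.
func ParseSignatureList(esl []byte) (owner [16]byte, cert *x509.Certificate, err error) {
	if len(esl) < 44 || !bytes.Equal(esl[:16], efiCertX509GUID[:]) {
		return owner, nil, errors.New("not an X.509 signature list")
	}
	listSize := binary.LittleEndian.Uint32(esl[16:])
	hdrSize := binary.LittleEndian.Uint32(esl[20:])
	sigSize := binary.LittleEndian.Uint32(esl[24:])
	if hdrSize != 0 || int(listSize) != len(esl) || listSize != 28+sigSize || sigSize <= 16 {
		return owner, nil, errors.New("inconsistent signature list sizes")
	}
	copy(owner[:], esl[28:44])
	cert, err = x509.ParseCertificate(esl[44:])
	return owner, cert, err
}

// newSelfSignedCert makes a throwaway RSA-2048 certificate standing in for a Secure Boot key (constructed here, not sbctl's key material).
func newSelfSignedCert(cn string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	owner, _ := guidBytes("a9fbbdb7-a05f-48d5-b63a-08c5df45ee70") // owner GUID from the status output
	der, err := newSelfSignedCert("example db key")
	if err != nil {
		panic(err)
	}
	got, cert, err := ParseSignatureList(SignatureList(owner, der))
	if err != nil {
		panic(err)
	}
	fmt.Printf("owner %x, certificate CN=%q\n", got, cert.Subject.CommonName)
}
```

The GUID byte-swap is the detail most often got wrong when building these lists by hand: the textual form is big-endian per field, while the on-disk form stores the first three fields little-endian, so an owner GUID written in textual order would not match what the firmware later reports.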

## Signatures

`sign -s` also records the file in the signing database so that `sign-all` and
`verify` pick it up later; `-o` writes the signed image to a separate output
file instead of signing in place, as shown for fwupdx64.efi below.

```
# sbctl verify
Verifying file database and EFI images in /efi...
✘ /boot/vmlinuz-linux is not signed
✘ /efi/EFI/BOOT/BOOTX64.EFI is not signed
✘ /efi/EFI/BOOT/KeyTool-signed.efi is not signed
✘ /efi/EFI/Linux/linux-linux.efi is not signed
✘ /efi/EFI/arch/fwupdx64.efi is not signed
✘ /efi/EFI/systemd/systemd-bootx64.efi is not signed

# sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI
✔ Signed /efi/EFI/BOOT/BOOTX64.EFI...

# sbctl sign -s /efi/EFI/arch/fwupdx64.efi
✔ Signed /efi/EFI/arch/fwupdx64.efi...

# sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
✔ Signed /efi/EFI/systemd/systemd-bootx64.efi...

# sbctl sign -s /usr/lib/fwupd/efi/fwupdx64.efi -o /usr/lib/fwupd/efi/fwupdx64.efi.signed
✔ Signed /usr/lib/fwupd/efi/fwupdx64.efi...

# sbctl verify
Verifying file database and EFI images in /efi...
✔ /usr/lib/fwupd/efi/fwupdx64.efi.signed is signed
✔ /efi/EFI/BOOT/BOOTX64.EFI is signed
✔ /efi/EFI/arch/fwupdx64.efi is signed
✔ /efi/EFI/systemd/systemd-bootx64.efi is signed
✘ /boot/vmlinuz-linux is not signed
✘ /efi/EFI/BOOT/KeyTool-signed.efi is not signed
✘ /efi/EFI/Linux/linux-linux.efi is not signed

# sbctl list-files
/boot/vmlinuz-linux
    Signed:      ✘ Not Signed

/efi/EFI/BOOT/KeyTool-signed.efi
    Signed:      ✘ Not Signed

/efi/EFI/Linux/linux-linux.efi
    Signed:      ✘ Not Signed

/efi/EFI/arch/fwupdx64.efi
    Signed:      ✔ Signed

/efi/EFI/BOOT/BOOTX64.EFI
    Signed:      ✔ Signed

/usr/lib/fwupd/efi/fwupdx64.efi
    Signed:      ✔ Signed
    Output File: /usr/lib/fwupd/efi/fwupdx64.efi.signed

/efi/EFI/systemd/systemd-bootx64.efi
    Signed:      ✔ Signed
```
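An Authenticode signature on a PE/COFF image such as BOOTX64.EFI is stored as a WIN_CERTIFICATE in the Certificate Table, which is data directory entry 4 of the optional header and, unlike the other entries, is addressed by file offset rather than RVA. The Go program below is an added example and not sbctl's implementation: it walks the headers to that entry, checks the WIN_CERTIFICATE header, and exercises the check against a minimal PE32+ image it constructs itself (not a real bootloader; the placeholder payload bytes are not real PKCS#7 DER). Function and constant names are this example's own. It is a presence check only: an image can carry a signature and still be rejected by the firmware if the signer is not in db.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Offsets from the PE/COFF specification.
const (
	eLfanew, coffHeaderSize    = 0x3c, 20
	pe32Magic, pe32Plus        = 0x10b, 0x20b
	numRvaPE32, numRvaPE32Plus = 92, 108 // offset of NumberOfRvaAndSizes in the optional header
	certTableIndex             = 4      // IMAGE_DIRECTORY_ENTRY_SECURITY
	winCertPKCSSignedData      = 0x0002 // WIN_CERTIFICATE.wCertificateType for Authenticode
)

// certTable returns the file offset and size stored in the Certificate Table entry.
func certTable(img []byte) (offset, size uint32, err error) {
	if len(img) < eLfanew+4 || img[0] != 'M' || img[1] != 'Z' {
		return 0, 0, errors.New("not an MZ image")
	}
	peOff := int(binary.LittleEndian.Uint32(img[eLfanew:]))
	opt := peOff + 4 + coffHeaderSize // optional header follows "PE\0\0" and the COFF header
	if opt+2 > len(img) || string(img[peOff:peOff+4]) != "PE\x00\x00" {
		return 0, 0, errors.New("missing or truncated PE signature")
	}
	numRva := opt
	switch binary.LittleEndian.Uint16(img[opt:]) {
	case pe32Magic:
		numRva += numRvaPE32
	case pe32Plus:
		numRva += numRvaPE32Plus
	default:
		return 0, 0, errors.New("unknown optional header magic")
	}
	entry := numRva + 4 + certTableIndex*8 // the directory array follows NumberOfRvaAndSizes
	if entry+8 > len(img) {
		return 0, 0, errors.New("optional header truncated")
	}
	if binary.LittleEndian.Uint32(img[numRva:]) <= certTableIndex {
		return 0, 0, errors.New("image has no Certificate Table entry")
	}
	return binary.LittleEndian.Uint32(img[entry:]), binary.LittleEndian.Uint32(img[entry+4:]), nil
}

// HasAuthenticodeSignature reports whether img carries a WIN_CERTIFICATE of type
// PKCS_SIGNED_DATA. The signature is not cryptographically verified here.
func HasAuthenticodeSignature(img []byte) (bool, error) {
	off, size, err := certTable(img)
	if err != nil || size == 0 {
		return false, err
	}
	end := uint64(off) + uint64(size)
	if size < 8 || end > uint64(len(img)) {
		return false, errors.New("Certificate Table points outside the file")
	}
	wc := img[int(off):int(end)]
	length := binary.LittleEndian.Uint32(wc[0:]) // WIN_CERTIFICATE.dwLength
	if length < 8 || length > size {
		return false, errors.New("WIN_CERTIFICATE length inconsistent with table size")
	}
	return binary.LittleEndian.Uint16(wc[6:]) == winCertPKCSSignedData, nil
}

// BuildSampleImage constructs a minimal PE32+ header (test data made for this
// example, not a real bootloader). If signed is set, a placeholder WIN_CERTIFICATE
// is appended and referenced from the Certificate Table, as a signer would do.
func BuildSampleImage(signed bool) []byte {
	const peOff, optSize = 0x40, 112 + 16*8 // PE32+ fixed fields plus 16 data directories
	img := make([]byte, peOff+4+coffHeaderSize+optSize)
	img[0], img[1] = 'M', 'Z'
	binary.LittleEndian.PutUint32(img[eLfanew:], peOff)
	copy(img[peOff:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[peOff+4:], 0x8664)     // Machine: x86-64
	binary.LittleEndian.PutUint16(img[peOff+4+16:], optSize) // SizeOfOptionalHeader
	opt := peOff + 4 + coffHeaderSize
	binary.LittleEndian.PutUint16(img[opt:], pe32Plus)
	binary.LittleEndian.PutUint32(img[opt+numRvaPE32Plus:], 16)
	if !signed {
		return img
	}
	payload := []byte{0x30, 0x82, 0x00, 0x00} // placeholder bytes, not real PKCS#7 DER
	cert := make([]byte, 8+len(payload))
	binary.LittleEndian.PutUint32(cert[0:], uint32(len(cert))) // dwLength
	binary.LittleEndian.PutUint16(cert[4:], 0x0200)            // wRevision: WIN_CERT_REVISION_2_0
	binary.LittleEndian.PutUint16(cert[6:], winCertPKCSSignedData)
	copy(cert[8:], payload)
	entry := opt + numRvaPE32Plus + 4 + certTableIndex*8
	binary.LittleEndian.PutUint32(img[entry:], uint32(len(img))) // table sits right after the header
	binary.LittleEndian.PutUint32(img[entry+4:], uint32(len(cert)))
	return append(img, cert...)
}

func main() {
	for _, signed := range []bool{true, false} {
		ok, err := HasAuthenticodeSignature(BuildSampleImage(signed))
		fmt.Printf("sample built with signature=%v: signed=%v err=%v\n", signed, ok, err)
	}
}
```

Every bounds check above corresponds to a way a crafted or truncated image can make a naive checker read past the buffer: an e_lfanew beyond the file, a data directory count smaller than five, or a Certificate Table entry whose offset and size point past the end of the image.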

## Generate EFI Stub

Bundling the kernel, initramfs, kernel command line, os-release, splash image
and microcode into a single EFI stub image means the whole boot payload is
covered by one signature. With a separately loaded kernel and initramfs, Secure
Boot verifies only the executables, leaving the initramfs and the command line
unverified.

```
# sbctl bundle -s -i /boot/intel-ucode.img \
    -l /usr/share/systemd/bootctl/splash-arch.bmp \
    -k /boot/vmlinuz-linux \
    -f /boot/initramfs-linux.img \
    /efi/EFI/Linux/linux-linux.efi
Wrote EFI bundle /efi/EFI/Linux/linux-linux.efi

# sbctl list-bundles
Enrolled bundles:

/efi/EFI/Linux/linux-linux.efi
    Signed:           ✔ Signed
    ESP Location:     /efi
    Output:           └─/EFI/Linux/linux-linux.efi
    EFI Stub Image:     └─/usr/lib/systemd/boot/efi/linuxx64.efi.stub
    Splash Image:         ├─/usr/share/systemd/bootctl/splash-arch.bmp
    Cmdline:              ├─/etc/kernel/cmdline
    OS Release:           ├─/usr/lib/os-release
    Kernel Image:         ├─/boot/vmlinuz-linux
    Initramfs Image:      └─/boot/initramfs-linux.img
    Intel Microcode:        └─/boot/intel-ucode.img

# sbctl generate-bundles
Generating EFI bundles....
Wrote EFI bundle /efi/EFI/Linux/linux-linux.efi
```