Updated readme

Signed-off-by: Morten Linderud <morten@linderud.pw>
Morten Linderud 2021-06-13 19:01:08 +02:00
parent 4ba10b9393
commit 0a0dc36030
No known key found for this signature in database
GPG Key ID: E742683BA08CB2FF
1 changed files with 102 additions and 72 deletions

README.md

@ -1,31 +1,48 @@
# sbctl - Secure Boot Manager # sbctl - Secure Boot Manager
[![Build Status](https://github.com/Foxboron/sbctl/workflows/CI/badge.svg)](https://github.com/Foxboron/sbctl/actions) [![Build Status](https://github.com/Foxboron/sbctl/workflows/CI/badge.svg)](https://github.com/Foxboron/sbctl/actions)
The goal of the project is to have one consistent UI to manage secure boot keys. sbctl intends to be a user-friendly secure boot key manager capable of setting
up secure boot, offer key management capabilities, and keep track of files that
needs to be signed in the boot chain.
# Features It is written top-to-bottom in [Golang](https://golang.org/) using
[go-uefi](https://github.com/Foxboron/go-uefi) for the API layer and doesn't
rely on existing secure boot tooling. It also tries to sport some integration
testing towards towards [tianocore](https://www.tianocore.org/) utilizing
[vmtest](https://github.com/anatol/vmtest).
![](https://pkgbuild.com/~foxboron/sbctl_demo.gif)
## Features
* User-friendly
* Manages secure boot keys * Manages secure boot keys
* Live enrollment of secure boot keys * Live enrollment of keys
* Signing database to help keep track of files to sign * Signing database to help keep track of files to sign
* Verify ESP of files missing signatures * Verify ESP of files missing signatures
* EFI stub generation * EFI stub generation
* JSON Output
# Roadmap ## Roadmap to 1.0
* Convert to use [go-uefi](https://github.com/Foxboron/go-uefi) instead of relying on `sbsigntools`
* Key rotation * Key rotation
* Customize keys * TPM Support
* Secure the keys * Hardware Token support
* Configuration Files
* Automatic boot chain signing using the [Boot Loader Interface](https://systemd.io/BOOT_LOADER_INTERFACE/)
## Dependencies
* util-linux (using `lsblk`)
* binutils (using `objcopy`)
* Go >= 1.16
# Support and development channel # Support and development channel
`#sbctl` on the [libera](https://kiwiirc.com/nextclient/irc.libera.chat/#sbctl) IRC network. Development discussions and support happens in `#sbctl` on the [libera.chat](https://kiwiirc.com/nextclient/irc.libera.chat/#sbctl) IRC network.
# Usage # Usage
``` ```
$ sbctl $ sbctl
Secure Boot key manager Secure Boot Key Manager
Usage: Usage:
sbctl [command] sbctl [command]
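Review bot: the new intro paragraph has two typos and a parallelism slip: "files that needs to be signed" should read "need to be signed", "testing towards towards [tianocore]" repeats "towards", and "capable of setting up secure boot, offer key management capabilities, and keep track of files" would read cleanly as "setting up ..., offering ..., and keeping track of ...". On substance, the new Dependencies list (util-linux for `lsblk`, binutils for `objcopy`, Go >= 1.16) no longer mentions `sbsigntools`, which is consistent with dropping the "Convert to use go-uefi instead of relying on `sbsigntools`" roadmap item; since the old "Secure the keys" item is replaced by "TPM Support" and "Hardware Token support", it would help readers to keep one sentence saying the keys are currently stored unprotected on disk until those land.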
@ -47,6 +64,7 @@ Available Commands:
Flags: Flags:
-h, --help help for sbctl -h, --help help for sbctl
--json Output as json
Use "sbctl [command] --help" for more information about a command. Use "sbctl [command] --help" for more information about a command.
``` ```
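Review bot: the new `--json` flag is documented only as "Output as json" in the help text; the Features bullet spells it "JSON Output", so match the capitalisation, and consider adding one example such as `sbctl status --json` to the Usage section, since every other example on the page shows only the human-readable form and the flag is the one a monitoring or CI check would actually use.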
@ -55,71 +73,89 @@ Use "sbctl [command] --help" for more information about a command.
``` ```
# sbctl status # sbctl status
==> WARNING: Setup Mode: Enabled Installed: ✘ Sbctl is not installed
==> WARNING: Secure Boot: Disabled Setup Mode: ✘ Enabled
Secure Boot: ✘ Disabled
# sbctl create-keys # sbctl create-keys
==> Creating secure boot keys... Created Owner UUID a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
-> Using UUID d6e9af79-c6b5-4b43-b893-dbb7e6570142... Creating secure boot keys...✔
==> Signing /usr/share/secureboot/keys/PK/PK.der.esl with /usr/share/secureboot/keys/PK/PK.key... Secure boot keys created!
==> Signing /usr/share/secureboot/keys/KEK/KEK.der.esl with /usr/share/secureboot/keys/PK/PK.key...
==> Signing /usr/share/secureboot/keys/db/db.der.esl with /usr/share/secureboot/keys/KEK/KEK.key...
# sbctl enroll-keys # sbctl enroll-keys
==> Syncing /usr/share/secureboot/keys to EFI variables... Enrolling keys to EFI variables...✔
==> Synced keys! Enrolled keys to the EFI variables!
# sbctl status # sbctl status
==> Setup Mode: Disabled Installed: ✔ Sbctl is installed
==> WARNING: Secure Boot: Disabled Owner GUID: a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Setup Mode: ✔ Disabled
Secure Boot: ✘ Disabled
// Reboot! // Reboot!
# sbctl status # sbctl status
==> Setup Mode: Disabled Installed: ✔ Sbctl is installed
==> Secure Boot: Enabled Owner GUID: a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Setup Mode: ✔ Disabled
Secure Boot: ✔ Enabled
``` ```
## Signatures ## Signatures
``` ```
# sbctl verify # sbctl verify
==> Verifying file database and EFI images in /efi... Verifying file database and EFI images in /efi...
-> WARNING: /boot/vmlinuz-linux is not signed /boot/vmlinuz-linux is not signed
-> WARNING: /efi/EFI/BOOT/BOOTX64.EFI is not signed /efi/EFI/BOOT/BOOTX64.EFI is not signed
-> WARNING: /efi/EFI/BOOT/KeyTool-signed.efi is not signed /efi/EFI/BOOT/KeyTool-signed.efi is not signed
-> WARNING: /efi/EFI/Linux/linux-linux.efi is not signed /efi/EFI/Linux/linux-linux.efi is not signed
-> WARNING: /efi/EFI/arch/fwupdx64.efi is not signed /efi/EFI/arch/fwupdx64.efi is not signed
-> WARNING: /efi/EFI/systemd/systemd-bootx64.efi is not signed /efi/EFI/systemd/systemd-bootx64.efi is not signed
# sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI # sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI
==> Signing /efi/EFI/BOOT/BOOTX64.EFI... ✔ Signed /efi/EFI/BOOT/BOOTX64.EFI...
# sbctl sign -s /efi/EFI/arch/fwupdx64.efi # sbctl sign -s /efi/EFI/arch/fwupdx64.efi
==> Signing /efi/EFI/arch/fwupdx64.efi... ✔ Signed /efi/EFI/arch/fwupdx64.efi...
# sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi # sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
==> Signing /efi/EFI/systemd/systemd-bootx64.efi... ✔ Signed /efi/EFI/systemd/systemd-bootx64.efi...
# sbctl sign -s /usr/lib/fwupd/efi/fwupdx64.efi -o /usr/lib/fwupd/efi/fwupdx64.efi.signed # sbctl sign -s /usr/lib/fwupd/efi/fwupdx64.efi -o /usr/lib/fwupd/efi/fwupdx64.efi.signed
==> Signing /usr/lib/fwupd/efi/fwupdx64.efi... ✔ Signed /usr/lib/fwupd/efi/fwupdx64.efi...
# sbctl verify # sbctl verify
==> Verifying file database and EFI images in /efi... Verifying file database and EFI images in /efi...
-> /usr/lib/fwupd/efi/fwupdx64.efi.signed is signed /usr/lib/fwupd/efi/fwupdx64.efi.signed is signed
-> /efi/EFI/BOOT/BOOTX64.EFI is signed /efi/EFI/BOOT/BOOTX64.EFI is signed
-> /efi/EFI/arch/fwupdx64.efi is signed /efi/EFI/arch/fwupdx64.efi is signed
-> /efi/EFI/systemd/systemd-bootx64.efi is signed /efi/EFI/systemd/systemd-bootx64.efi is signed
-> WARNING: /boot/vmlinuz-linux is not signed /boot/vmlinuz-linux is not signed
-> WARNING: /efi/EFI/BOOT/KeyTool-signed.efi is not signed /efi/EFI/BOOT/KeyTool-signed.efi is not signed
-> WARNING: /efi/EFI/Linux/linux-linux.efi is not signed /efi/EFI/Linux/linux-linux.efi is not signed
# sbctl list-files # sbctl list-files
==> File: /efi/EFI/BOOT/BOOTX64.EFI /boot/vmlinuz-linux
==> File: /efi/EFI/arch/fwupdx64.efi Signed: ✘ Not Signed
==> File: /efi/EFI/systemd/systemd-bootx64.efi
==> File: /efi/vmlinuz-linux /efi/EFI/BOOT/KeyTool-signed.efi
==> File: /usr/lib/fwupd/efi/fwupdx64.efi Signed: ✘ Not Signed
-> Output: /usr/lib/fwupd/efi/fwupdx64.efi.signed
/efi/EFI/Linux/linux-linux.efi
Signed: ✘ Not Signed
/efi/EFI/arch/fwupdx64.efi
Signed: ✔ Signed
/efi/EFI/BOOT/BOOTX64.EFI
Signed: ✔ Signed
/usr/lib/fwupd/efi/fwupdx64.efi
Signed: ✔ Signed
Output File: /usr/lib/fwupd/efi/fwupdx64.efi.signed
/efi/EFI/systemd/systemd-bootx64.efi
Signed: ✔ Signed
``` ```
## Generate EFI Stub ## Generate EFI Stub
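Review bot: the new `create-keys` output drops the key paths the old output printed (`/usr/share/secureboot/keys/PK/PK.key`, `.../KEK/KEK.key`), so after this change nothing in the README tells the reader where the private keys are written or that they must stay readable only by root; the `Owner UUID` line does not replace that information. Add a sentence under Usage naming the key directory and its expected permissions, because possession of `db.key` is enough to sign anything the firmware will boot. Minor: "Sbctl is not installed" / "Sbctl is installed" capitalises the command name unlike the rest of the file, and the `sign` lines end in "..." after a completed action ("✔ Signed /efi/EFI/BOOT/BOOTX64.EFI..."), which reads as still in progress.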
@ -128,32 +164,26 @@ Use "sbctl [command] --help" for more information about a command.
-l /usr/share/systemd/bootctl/splash-arch.bmp \ -l /usr/share/systemd/bootctl/splash-arch.bmp \
-k /boot/vmlinuz-linux \ -k /boot/vmlinuz-linux \
-f /boot/initramfs-linux.img \ -f /boot/initramfs-linux.img \
/boot/EFI/Linux/linux-linux.efi /efi/EFI/Linux/linux-linux.efi
==> Wrote EFI bundle /boot/EFI/Linux/linux-linux.efi Wrote EFI bundle /efi/EFI/Linux/linux-linux.efi
==> Bundle: /boot/EFI/Linux/linux-linux.efi
-> Intel Microcode: /boot/intel-ucode.img
-> Kernel Image: /boot/vmlinuz-linux
-> Initramfs Image: /boot/initramfs-linux.img
-> Cmdline: /proc/cmdline
-> OS Release: /usr/lib/os-release
-> EFI Stub Image: /usr/lib/systemd/boot/efi/linuxx64.efi.stub
-> ESP Location: /efi
-> Splash Image: /usr/share/systemd/bootctl/splash-arch.bmp
-> Output: /boot/EFI/Linux/linux-linux.efi
# sbctl list-bundles # sbctl list-bundles
==> Bundle: /boot/EFI/Linux/linux-linux.efi Enrolled bundles:
-> Intel Microcode: /boot/intel-ucode.img
-> Kernel Image: /boot/vmlinuz-linux /efi/EFI/Linux/linux-linux.efi
-> Initramfs Image: /boot/initramfs-linux.img Signed: ✔ Signed
-> Cmdline: /proc/cmdline ESP Location: /efi
-> OS Release: /usr/lib/os-release Output: └─/EFI/Linux/linux-linux.efi
-> EFI Stub Image: /usr/lib/systemd/boot/efi/linuxx64.efi.stub EFI Stub Image: └─/usr/lib/systemd/boot/efi/linuxx64.efi.stub
-> ESP Location: /efi Splash Image: ├─/usr/share/systemd/bootctl/splash-arch.bmp
-> Splash Image: /usr/share/systemd/bootctl/splash-arch.bmp Cmdline: ├─/etc/kernel/cmdline
-> Output: /boot/EFI/Linux/linux-linux.efi OS Release: ├─/usr/lib/os-release
Kernel Image: ├─/boot/vmlinuz-linux
Initramfs Image: └─/boot/initramfs-linux.img
Intel Microcode: └─/boot/intel-ucode.img
# sbctl generate-bundles # sbctl generate-bundles
==> Generating EFI bundles.... Generating EFI bundles....
==> Wrote EFI bundle /boot/EFI/Linux/linux-linux.efi Wrote EFI bundle /efi/EFI/Linux/linux-linux.efi
``` ```
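Review bot: the `list-bundles` tree shows `Cmdline: ├─/etc/kernel/cmdline` where the removed output used `/proc/cmdline`; the README should say which is the default and note that the cmdline is baked into the bundle at generation time, so editing `/etc/kernel/cmdline` has no effect until `sbctl generate-bundles` is re-run and the new bundle is signed. The tree connectors are also inconsistent: `Output:` and `EFI Stub Image:` both use `└─` in the middle of the list while `├─` follows them, and the list ends with two `└─` entries (`Initramfs Image`, `Intel Microcode`); either use `├─` for every entry but the last or drop the glyphs. The path change from `/boot/EFI/Linux/linux-linux.efi` to `/efi/EFI/Linux/linux-linux.efi` is correct given `ESP Location: /efi`.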