mirror of https://github.com/ericonr/sbctl.git
Updated readme
Signed-off-by: Morten Linderud <morten@linderud.pw>
This commit is contained in:
parent
4ba10b9393
commit
0a0dc36030
174
README.md
|
@ -1,31 +1,48 @@
|
||||||
# sbctl - Secure Boot Manager
|
# sbctl - Secure Boot Manager
|
||||||
[![Build Status](https://github.com/Foxboron/sbctl/workflows/CI/badge.svg)](https://github.com/Foxboron/sbctl/actions)
|
[![Build Status](https://github.com/Foxboron/sbctl/workflows/CI/badge.svg)](https://github.com/Foxboron/sbctl/actions)
|
||||||
|
|
||||||
The goal of the project is to have one consistent UI to manage secure boot keys.
|
sbctl intends to be a user-friendly secure boot key manager capable of setting
|
||||||
|
up secure boot, offer key management capabilities, and keep track of files that
|
||||||
|
needs to be signed in the boot chain.
|
||||||
|
|
||||||
# Features
|
It is written top-to-bottom in [Golang](https://golang.org/) using
|
||||||
|
[go-uefi](https://github.com/Foxboron/go-uefi) for the API layer and doesn't
|
||||||
|
rely on existing secure boot tooling. It also tries to sport some integration
|
||||||
|
testing towards towards [tianocore](https://www.tianocore.org/) utilizing
|
||||||
|
[vmtest](https://github.com/anatol/vmtest).
|
||||||
|
|
||||||
|
![](https://pkgbuild.com/~foxboron/sbctl_demo.gif)
|
||||||
|
|
||||||
|
## Features
|
||||||
|
* User-friendly
|
||||||
* Manages secure boot keys
|
* Manages secure boot keys
|
||||||
* Live enrollment of secure boot keys
|
* Live enrollment of keys
|
||||||
* Signing database to help keep track of files to sign
|
* Signing database to help keep track of files to sign
|
||||||
* Verify ESP of files missing signatures
|
* Verify ESP of files missing signatures
|
||||||
* EFI stub generation
|
* EFI stub generation
|
||||||
|
* JSON Output
|
||||||
|
|
||||||
# Roadmap
|
## Roadmap to 1.0
|
||||||
|
|
||||||
* Convert to use [go-uefi](https://github.com/Foxboron/go-uefi) instead of relying on `sbsigntools`
|
|
||||||
* Key rotation
|
* Key rotation
|
||||||
* Customize keys
|
* TPM Support
|
||||||
* Secure the keys
|
* Hardware Token support
|
||||||
|
* Configuration Files
|
||||||
|
* Automatic boot chain signing using the [Boot Loader Interface](https://systemd.io/BOOT_LOADER_INTERFACE/)
|
||||||
|
|
||||||
|
## Dependencies
|
||||||
|
* util-linux (using `lsblk`)
|
||||||
|
* binutils (using `objcopy`)
|
||||||
|
* Go >= 1.16
|
||||||
|
|
||||||
# Support and development channel
|
# Support and development channel
|
||||||
|
|
||||||
`#sbctl` on the [libera](https://kiwiirc.com/nextclient/irc.libera.chat/#sbctl) IRC network.
|
Development discussions and support happens in `#sbctl` on the [libera.chat](https://kiwiirc.com/nextclient/irc.libera.chat/#sbctl) IRC network.
|
||||||
|
|
||||||
# Usage
|
# Usage
|
||||||
|
|
||||||
```
|
```
|
||||||
$ sbctl
|
$ sbctl
|
||||||
Secure Boot key manager
|
Secure Boot Key Manager
|
||||||
|
|
||||||
Usage:
|
Usage:
|
||||||
sbctl [command]
|
sbctl [command]
|
||||||
|
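Review bot: the new description paragraph has a doubled word and an agreement error: "integration testing towards towards [tianocore]" should read "integration testing towards [tianocore]", and "files that needs to be signed" should read "files that need to be signed". Separately, the heading levels are now mixed: Features, Roadmap to 1.0 and Dependencies were changed to `##`, but "# Support and development channel" and "# Usage" stay at `#`; demote those two to `##` so the document has a single H1 (the project title).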
@ -47,6 +64,7 @@ Available Commands:
|
||||||
|
|
||||||
Flags:
|
Flags:
|
||||||
-h, --help help for sbctl
|
-h, --help help for sbctl
|
||||||
|
--json Output as json
|
||||||
|
|
||||||
Use "sbctl [command] --help" for more information about a command.
|
Use "sbctl [command] --help" for more information about a command.
|
||||||
```
|
```
|
||||||
|
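Review bot: the added flag line `--json Output as json` spells the format in lowercase while the Features entry added in the same commit says "JSON Output"; since this block is pasted CLI help, change the flag description in the CLI source to "Output as JSON" so the README and the binary stay consistent when the block is regenerated.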
@ -55,71 +73,89 @@ Use "sbctl [command] --help" for more information about a command.
|
||||||
|
|
||||||
```
|
```
|
||||||
# sbctl status
|
# sbctl status
|
||||||
==> WARNING: Setup Mode: Enabled
|
Installed: ✘ Sbctl is not installed
|
||||||
==> WARNING: Secure Boot: Disabled
|
Setup Mode: ✘ Enabled
|
||||||
|
Secure Boot: ✘ Disabled
|
||||||
|
|
||||||
# sbctl create-keys
|
# sbctl create-keys
|
||||||
==> Creating secure boot keys...
|
Created Owner UUID a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
|
||||||
-> Using UUID d6e9af79-c6b5-4b43-b893-dbb7e6570142...
|
Creating secure boot keys...✔
|
||||||
==> Signing /usr/share/secureboot/keys/PK/PK.der.esl with /usr/share/secureboot/keys/PK/PK.key...
|
Secure boot keys created!
|
||||||
==> Signing /usr/share/secureboot/keys/KEK/KEK.der.esl with /usr/share/secureboot/keys/PK/PK.key...
|
|
||||||
==> Signing /usr/share/secureboot/keys/db/db.der.esl with /usr/share/secureboot/keys/KEK/KEK.key...
|
|
||||||
|
|
||||||
# sbctl enroll-keys
|
# sbctl enroll-keys
|
||||||
==> Syncing /usr/share/secureboot/keys to EFI variables...
|
Enrolling keys to EFI variables...✔
|
||||||
==> Synced keys!
|
Enrolled keys to the EFI variables!
|
||||||
|
|
||||||
# sbctl status
|
# sbctl status
|
||||||
==> Setup Mode: Disabled
|
Installed: ✔ Sbctl is installed
|
||||||
==> WARNING: Secure Boot: Disabled
|
Owner GUID: a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
|
||||||
|
Setup Mode: ✔ Disabled
|
||||||
|
Secure Boot: ✘ Disabled
|
||||||
|
|
||||||
// Reboot!
|
// Reboot!
|
||||||
# sbctl status
|
# sbctl status
|
||||||
==> Setup Mode: Disabled
|
Installed: ✔ Sbctl is installed
|
||||||
==> Secure Boot: Enabled
|
Owner GUID: a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
|
||||||
|
Setup Mode: ✔ Disabled
|
||||||
|
Secure Boot: ✔ Enabled
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Signatures
|
## Signatures
|
||||||
```
|
```
|
||||||
# sbctl verify
|
# sbctl verify
|
||||||
==> Verifying file database and EFI images in /efi...
|
Verifying file database and EFI images in /efi...
|
||||||
-> WARNING: /boot/vmlinuz-linux is not signed
|
✘ /boot/vmlinuz-linux is not signed
|
||||||
-> WARNING: /efi/EFI/BOOT/BOOTX64.EFI is not signed
|
✘ /efi/EFI/BOOT/BOOTX64.EFI is not signed
|
||||||
-> WARNING: /efi/EFI/BOOT/KeyTool-signed.efi is not signed
|
✘ /efi/EFI/BOOT/KeyTool-signed.efi is not signed
|
||||||
-> WARNING: /efi/EFI/Linux/linux-linux.efi is not signed
|
✘ /efi/EFI/Linux/linux-linux.efi is not signed
|
||||||
-> WARNING: /efi/EFI/arch/fwupdx64.efi is not signed
|
✘ /efi/EFI/arch/fwupdx64.efi is not signed
|
||||||
-> WARNING: /efi/EFI/systemd/systemd-bootx64.efi is not signed
|
✘ /efi/EFI/systemd/systemd-bootx64.efi is not signed
|
||||||
|
|
||||||
# sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI
|
# sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI
|
||||||
==> Signing /efi/EFI/BOOT/BOOTX64.EFI...
|
✔ Signed /efi/EFI/BOOT/BOOTX64.EFI...
|
||||||
|
|
||||||
# sbctl sign -s /efi/EFI/arch/fwupdx64.efi
|
# sbctl sign -s /efi/EFI/arch/fwupdx64.efi
|
||||||
==> Signing /efi/EFI/arch/fwupdx64.efi...
|
✔ Signed /efi/EFI/arch/fwupdx64.efi...
|
||||||
|
|
||||||
# sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
|
# sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
|
||||||
==> Signing /efi/EFI/systemd/systemd-bootx64.efi...
|
✔ Signed /efi/EFI/systemd/systemd-bootx64.efi...
|
||||||
|
|
||||||
# sbctl sign -s /usr/lib/fwupd/efi/fwupdx64.efi -o /usr/lib/fwupd/efi/fwupdx64.efi.signed
|
# sbctl sign -s /usr/lib/fwupd/efi/fwupdx64.efi -o /usr/lib/fwupd/efi/fwupdx64.efi.signed
|
||||||
==> Signing /usr/lib/fwupd/efi/fwupdx64.efi...
|
✔ Signed /usr/lib/fwupd/efi/fwupdx64.efi...
|
||||||
|
|
||||||
# sbctl verify
|
# sbctl verify
|
||||||
==> Verifying file database and EFI images in /efi...
|
Verifying file database and EFI images in /efi...
|
||||||
-> /usr/lib/fwupd/efi/fwupdx64.efi.signed is signed
|
✔ /usr/lib/fwupd/efi/fwupdx64.efi.signed is signed
|
||||||
-> /efi/EFI/BOOT/BOOTX64.EFI is signed
|
✔ /efi/EFI/BOOT/BOOTX64.EFI is signed
|
||||||
-> /efi/EFI/arch/fwupdx64.efi is signed
|
✔ /efi/EFI/arch/fwupdx64.efi is signed
|
||||||
-> /efi/EFI/systemd/systemd-bootx64.efi is signed
|
✔ /efi/EFI/systemd/systemd-bootx64.efi is signed
|
||||||
-> WARNING: /boot/vmlinuz-linux is not signed
|
✘ /boot/vmlinuz-linux is not signed
|
||||||
-> WARNING: /efi/EFI/BOOT/KeyTool-signed.efi is not signed
|
✘ /efi/EFI/BOOT/KeyTool-signed.efi is not signed
|
||||||
-> WARNING: /efi/EFI/Linux/linux-linux.efi is not signed
|
✘ /efi/EFI/Linux/linux-linux.efi is not signed
|
||||||
|
|
||||||
# sbctl list-files
|
# sbctl list-files
|
||||||
==> File: /efi/EFI/BOOT/BOOTX64.EFI
|
/boot/vmlinuz-linux
|
||||||
==> File: /efi/EFI/arch/fwupdx64.efi
|
Signed: ✘ Not Signed
|
||||||
==> File: /efi/EFI/systemd/systemd-bootx64.efi
|
|
||||||
==> File: /efi/vmlinuz-linux
|
/efi/EFI/BOOT/KeyTool-signed.efi
|
||||||
==> File: /usr/lib/fwupd/efi/fwupdx64.efi
|
Signed: ✘ Not Signed
|
||||||
-> Output: /usr/lib/fwupd/efi/fwupdx64.efi.signed
|
|
||||||
|
/efi/EFI/Linux/linux-linux.efi
|
||||||
|
Signed: ✘ Not Signed
|
||||||
|
|
||||||
|
/efi/EFI/arch/fwupdx64.efi
|
||||||
|
Signed: ✔ Signed
|
||||||
|
|
||||||
|
/efi/EFI/BOOT/BOOTX64.EFI
|
||||||
|
Signed: ✔ Signed
|
||||||
|
|
||||||
|
/usr/lib/fwupd/efi/fwupdx64.efi
|
||||||
|
Signed: ✔ Signed
|
||||||
|
Output File: /usr/lib/fwupd/efi/fwupdx64.efi.signed
|
||||||
|
|
||||||
|
/efi/EFI/systemd/systemd-bootx64.efi
|
||||||
|
Signed: ✔ Signed
|
||||||
```
|
```
|
||||||
|
|
||||||
## Generate EFI Stub
|
## Generate EFI Stub
|
||||||
|
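Review bot: the sample output names the same identifier two ways: `sbctl create-keys` prints "Created Owner UUID a9fbbdb7-..." while `sbctl status` prints "Owner GUID: a9fbbdb7-..."; pick one term in the CLI output and hence in this transcript. The README also never says what "Installed: ✘ Sbctl is not installed" checks; in the transcript it flips to "Sbctl is installed" right after `create-keys`, so a one-line explanation of what that status line looks at would help a reader who sees ✘ on a fresh machine. Minor: the `✔ Signed /efi/EFI/BOOT/BOOTX64.EFI...` lines keep a trailing ellipsis on a completed action; "✔ Signed /efi/EFI/BOOT/BOOTX64.EFI" reads better.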
@ -128,32 +164,26 @@ Use "sbctl [command] --help" for more information about a command.
|
||||||
-l /usr/share/systemd/bootctl/splash-arch.bmp \
|
-l /usr/share/systemd/bootctl/splash-arch.bmp \
|
||||||
-k /boot/vmlinuz-linux \
|
-k /boot/vmlinuz-linux \
|
||||||
-f /boot/initramfs-linux.img \
|
-f /boot/initramfs-linux.img \
|
||||||
/boot/EFI/Linux/linux-linux.efi
|
/efi/EFI/Linux/linux-linux.efi
|
||||||
==> Wrote EFI bundle /boot/EFI/Linux/linux-linux.efi
|
Wrote EFI bundle /efi/EFI/Linux/linux-linux.efi
|
||||||
==> Bundle: /boot/EFI/Linux/linux-linux.efi
|
|
||||||
-> Intel Microcode: /boot/intel-ucode.img
|
|
||||||
-> Kernel Image: /boot/vmlinuz-linux
|
|
||||||
-> Initramfs Image: /boot/initramfs-linux.img
|
|
||||||
-> Cmdline: /proc/cmdline
|
|
||||||
-> OS Release: /usr/lib/os-release
|
|
||||||
-> EFI Stub Image: /usr/lib/systemd/boot/efi/linuxx64.efi.stub
|
|
||||||
-> ESP Location: /efi
|
|
||||||
-> Splash Image: /usr/share/systemd/bootctl/splash-arch.bmp
|
|
||||||
-> Output: /boot/EFI/Linux/linux-linux.efi
|
|
||||||
|
|
||||||
# sbctl list-bundles
|
# sbctl list-bundles
|
||||||
==> Bundle: /boot/EFI/Linux/linux-linux.efi
|
Enrolled bundles:
|
||||||
-> Intel Microcode: /boot/intel-ucode.img
|
|
||||||
-> Kernel Image: /boot/vmlinuz-linux
|
/efi/EFI/Linux/linux-linux.efi
|
||||||
-> Initramfs Image: /boot/initramfs-linux.img
|
Signed: ✔ Signed
|
||||||
-> Cmdline: /proc/cmdline
|
ESP Location: /efi
|
||||||
-> OS Release: /usr/lib/os-release
|
Output: └─/EFI/Linux/linux-linux.efi
|
||||||
-> EFI Stub Image: /usr/lib/systemd/boot/efi/linuxx64.efi.stub
|
EFI Stub Image: └─/usr/lib/systemd/boot/efi/linuxx64.efi.stub
|
||||||
-> ESP Location: /efi
|
Splash Image: ├─/usr/share/systemd/bootctl/splash-arch.bmp
|
||||||
-> Splash Image: /usr/share/systemd/bootctl/splash-arch.bmp
|
Cmdline: ├─/etc/kernel/cmdline
|
||||||
-> Output: /boot/EFI/Linux/linux-linux.efi
|
OS Release: ├─/usr/lib/os-release
|
||||||
|
Kernel Image: ├─/boot/vmlinuz-linux
|
||||||
|
Initramfs Image: └─/boot/initramfs-linux.img
|
||||||
|
Intel Microcode: └─/boot/intel-ucode.img
|
||||||
|
|
||||||
|
|
||||||
# sbctl generate-bundles
|
# sbctl generate-bundles
|
||||||
==> Generating EFI bundles....
|
Generating EFI bundles....
|
||||||
==> Wrote EFI bundle /boot/EFI/Linux/linux-linux.efi
|
Wrote EFI bundle /efi/EFI/Linux/linux-linux.efi
|
||||||
```
|
```
|
||||||
|
|
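Review bot: the new `sbctl list-bundles` output shows `Cmdline: ├─/etc/kernel/cmdline` where the old output showed `/proc/cmdline` for a bundle generated with the same `-l`, `-k` and `-f` options; if the default source of the kernel command line changed, the README should say so and tell users to create and maintain /etc/kernel/cmdline, because the command line is embedded in the signed bundle and can only be changed by regenerating and re-signing it. Also, the tree connectors in that listing are inconsistent (`└─` on Output and EFI Stub Image in the middle of the list, `├─` on the entries after them), and "Output: └─/EFI/Linux/linux-linux.efi" is ESP-relative while "Wrote EFI bundle /efi/EFI/Linux/linux-linux.efi" is absolute; either align the connectors or drop them, and use one path style in both commands.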