Érico Nogueira 63876f01d5 Use x/sys/unix for ioctl instead of rolling our own.
Keep FS_* constants which aren't listed in the package, and leave
SetAttr there, even though it's currently not used.

Leave a comment about this implementation not working on 64-bit big
endian systems. Chances of this software being run on such a platform
are very low, since at the moment, to my knowledge, Secure Boot on
64-bit big endian can only happen with aarch64_be, which is quite rare.
2021-04-18 00:38:49 -03:00
.github/workflows Fix lint step in CI. 2020-11-08 15:06:55 -03:00
cmd/sbctl sbctl/bundle: Change default cmdline to /etc/kernel/cmdline 2021-04-05 16:24:19 +02:00
contrib sbctl.hook: Renamed to be ordered last, added more paths 2021-04-14 21:38:08 +02:00
docs Document the generate option of sign-all 2020-11-10 15:32:18 +00:00
.gitignore Create cmd/sbctl, move main.go there. 2020-06-21 16:21:56 -03:00
LICENSE Init 2020-05-03 19:41:09 +02:00
Makefile Makefile: Fixup make before release 2021-02-28 14:08:36 +01:00
README.md Add support channel 2020-12-30 12:19:17 +01:00
bundles.go sbctl/bundle: Change default cmdline to /etc/kernel/cmdline 2021-04-05 16:24:19 +02:00
chattr.go Use x/sys/unix for ioctl instead of rolling our own. 2021-04-18 00:38:49 -03:00
cmds.go Init 2020-05-03 19:41:09 +02:00
database.go Add ReadOrCreateFile utility function. 2021-01-11 00:49:45 -03:00
go.mod Improve error propagation and permission checking. 2021-01-11 00:49:45 -03:00
go.sum sbctl: Fixed up some missing error handling 2021-02-28 14:06:58 +01:00
keys.go keys: sbkeysync can have "Permissiond denide" errors 2021-04-03 12:30:52 +02:00
log.go Improve error propagation and permission checking. 2021-01-11 00:49:45 -03:00
sbctl.go Merge branch 'morten/fix-permission' 2021-04-14 21:51:23 +02:00
util.go sbctl: Check for immutable files before sbkeysync 2021-04-03 12:27:44 +02:00

README.md

sbctl - Secure Boot Manager


The goal of the project is to have one consistent UI to manage secure boot keys.

Features

  • Manages secure boot keys
  • Live enrollment of secure boot keys
  • Signing database to help keep track of files to sign
  • Verify the ESP for files that are missing signatures
  • EFI stub generation

Roadmap

  • Convert to use goefi instead of relying on sbsigntools
  • Key rotation
  • Customize keys
  • Secure the keys

Support and development channel

#sbctl on the freenode IRC network.

Usage

$ sbctl
Secure Boot key manager

Usage:
  sbctl [command]

Available Commands:
  bundle           Bundle the needed files for an EFI stub image
  create-keys      Create a set of secure boot signing keys
  enroll-keys      Enroll the current keys to EFI
  generate-bundles Generate all EFI stub bundles
  help             Help about any command
  list-bundles     List stored bundles
  list-files       List enrolled files
  remove-bundle    Remove bundle from database
  remove-file      Remove file from database
  sign             Sign a file with secure boot keys
  sign-all         Sign all enrolled files with secure boot keys
  status           Show current boot status
  verify           Find and check if files in the ESP are signed or not

Flags:
  -h, --help   help for sbctl

Use "sbctl [command] --help" for more information about a command.

Key creation and enrollment

# sbctl status
==> WARNING: Setup Mode: Enabled
==> WARNING: Secure Boot: Disabled

# sbctl create-keys
==> Creating secure boot keys...
  -> Using UUID d6e9af79-c6b5-4b43-b893-dbb7e6570142...
==> Signing /usr/share/secureboot/keys/PK/PK.der.esl with /usr/share/secureboot/keys/PK/PK.key...
==> Signing /usr/share/secureboot/keys/KEK/KEK.der.esl with /usr/share/secureboot/keys/PK/PK.key...
==> Signing /usr/share/secureboot/keys/db/db.der.esl with /usr/share/secureboot/keys/KEK/KEK.key...

# sbctl enroll-keys
==> Syncing /usr/share/secureboot/keys to EFI variables...
==> Synced keys!

# sbctl status
==> Setup Mode: Disabled
==> WARNING: Secure Boot: Disabled

// Reboot!
# sbctl status
==> Setup Mode: Disabled
==> Secure Boot: Enabled
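
The two lines that `sbctl status` prints come from the firmware's SetupMode and SecureBoot variables, which the Linux kernel exposes as files under /sys/firmware/efi/efivars. The example below is added here and is not sbctl's own code: it decodes the efivarfs layout (a 4-byte little-endian attribute word followed by the variable data, one byte for these two variables) and prints the same warnings. The variable-to-file mapping and the EFI_GLOBAL_VARIABLE GUID are taken from the UEFI specification; the `ReadVar` hook is an assumption made so the decoding can be exercised against constructed bytes on a machine without the variables.

```go
package main

// Added example, not sbctl's code: read SetupMode/SecureBoot from efivarfs
// and report them the way `sbctl status` does.

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Namespace GUID of SetupMode and SecureBoot (EFI_GLOBAL_VARIABLE).
const efiGlobalVariable = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

const efivarsDir = "/sys/firmware/efi/efivars"

// EFI_VARIABLE_RUNTIME_ACCESS: the OS may read the variable after boot.
const attrRuntimeAccess = 0x4

type BootStatus struct {
	SetupMode  bool
	SecureBoot bool
}

// parseBoolVar decodes one efivarfs file body into (attributes, value).
// Layout: 4-byte little-endian attributes, then the variable data.
func parseBoolVar(raw []byte) (attrs uint32, value bool, err error) {
	if len(raw) < 5 {
		return 0, false, fmt.Errorf("efivar too short: %d bytes", len(raw))
	}
	attrs = binary.LittleEndian.Uint32(raw[:4])
	if attrs&attrRuntimeAccess == 0 {
		// Both variables are specified as boot-service + runtime accessible;
		// anything else is not the variable a status check should trust.
		return attrs, false, errors.New("variable lacks EFI_VARIABLE_RUNTIME_ACCESS")
	}
	return attrs, raw[4] == 1, nil
}

// ReadVar sources a variable body by name; assumed hook so the logic can be
// run against constructed bytes without firmware.
type ReadVar func(name string) ([]byte, error)

func readEfivar(name string) ([]byte, error) {
	return os.ReadFile(filepath.Join(efivarsDir, name+"-"+efiGlobalVariable))
}

// Status reads both variables and fails closed on any read or decode error.
func Status(read ReadVar) (BootStatus, error) {
	var st BootStatus
	for _, v := range []struct {
		name string
		dst  *bool
	}{{"SetupMode", &st.SetupMode}, {"SecureBoot", &st.SecureBoot}} {
		raw, err := read(v.name)
		if err != nil {
			return st, fmt.Errorf("read %s: %w", v.name, err)
		}
		_, val, err := parseBoolVar(raw)
		if err != nil {
			return st, fmt.Errorf("parse %s: %w", v.name, err)
		}
		*v.dst = val
	}
	return st, nil
}

// Lines renders the report in the shape `sbctl status` uses.
func (s BootStatus) Lines() []string {
	out := make([]string, 0, 2)
	if s.SetupMode {
		out = append(out, "==> WARNING: Setup Mode: Enabled")
	} else {
		out = append(out, "==> Setup Mode: Disabled")
	}
	if s.SecureBoot {
		out = append(out, "==> Secure Boot: Enabled")
	} else {
		out = append(out, "==> WARNING: Secure Boot: Disabled")
	}
	return out
}

func main() {
	st, err := Status(readEfivar)
	if err != nil {
		fmt.Fprintln(os.Stderr, "status:", err)
		os.Exit(1)
	}
	for _, l := range st.Lines() {
		fmt.Println(l)
	}
}
```

Setup Mode being enabled means the platform key is not yet set and anyone with root can enroll keys, which is why it is reported as a warning even though it is the state you need to be in for `sbctl enroll-keys` to work.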

Signatures

# sbctl verify
==> Verifying file database and EFI images in /efi...
  -> WARNING: /boot/vmlinuz-linux is not signed
  -> WARNING: /efi/EFI/BOOT/BOOTX64.EFI is not signed
  -> WARNING: /efi/EFI/BOOT/KeyTool-signed.efi is not signed
  -> WARNING: /efi/EFI/Linux/linux-linux.efi is not signed
  -> WARNING: /efi/EFI/arch/fwupdx64.efi is not signed
  -> WARNING: /efi/EFI/systemd/systemd-bootx64.efi is not signed

# sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI
==> Signing /efi/EFI/BOOT/BOOTX64.EFI...

# sbctl sign -s /efi/EFI/arch/fwupdx64.efi
==> Signing /efi/EFI/arch/fwupdx64.efi...

# sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
==> Signing /efi/EFI/systemd/systemd-bootx64.efi...

# sbctl sign -s /usr/lib/fwupd/efi/fwupdx64.efi -o /usr/lib/fwupd/efi/fwupdx64.efi.signed
==> Signing /usr/lib/fwupd/efi/fwupdx64.efi...

# sbctl verify
==> Verifying file database and EFI images in /efi...
  -> /usr/lib/fwupd/efi/fwupdx64.efi.signed is signed
  -> /efi/EFI/BOOT/BOOTX64.EFI is signed
  -> /efi/EFI/arch/fwupdx64.efi is signed
  -> /efi/EFI/systemd/systemd-bootx64.efi is signed
  -> WARNING: /boot/vmlinuz-linux is not signed
  -> WARNING: /efi/EFI/BOOT/KeyTool-signed.efi is not signed
  -> WARNING: /efi/EFI/Linux/linux-linux.efi is not signed

# sbctl list-files
==> File: /efi/EFI/BOOT/BOOTX64.EFI
==> File: /efi/EFI/arch/fwupdx64.efi
==> File: /efi/EFI/systemd/systemd-bootx64.efi
==> File: /efi/vmlinuz-linux
==> File: /usr/lib/fwupd/efi/fwupdx64.efi
  -> Output: /usr/lib/fwupd/efi/fwupdx64.efi.signed

Generate EFI Stub

# sbctl bundle -s -i /boot/intel-ucode.img \
      -l /usr/share/systemd/bootctl/splash-arch.bmp \
      -k /boot/vmlinuz-linux \
      -f /boot/initramfs-linux.img \
      /boot/EFI/Linux/linux-linux.efi
==> Wrote EFI bundle /boot/EFI/Linux/linux-linux.efi
==> Bundle: /boot/EFI/Linux/linux-linux.efi
  -> Intel Microcode: /boot/intel-ucode.img
  -> Kernel Image: /boot/vmlinuz-linux
  -> Initramfs Image: /boot/initramfs-linux.img
  -> Cmdline: /proc/cmdline
  -> OS Release: /usr/lib/os-release
  -> EFI Stub Image: /usr/lib/systemd/boot/efi/linuxx64.efi.stub
  -> ESP Location: /efi
  -> Splash Image: /usr/share/systemd/bootctl/splash-arch.bmp
  -> Output: /boot/EFI/Linux/linux-linux.efi

# sbctl list-bundles
==> Bundle: /boot/EFI/Linux/linux-linux.efi
  -> Intel Microcode: /boot/intel-ucode.img
  -> Kernel Image: /boot/vmlinuz-linux
  -> Initramfs Image: /boot/initramfs-linux.img
  -> Cmdline: /proc/cmdline
  -> OS Release: /usr/lib/os-release
  -> EFI Stub Image: /usr/lib/systemd/boot/efi/linuxx64.efi.stub
  -> ESP Location: /efi
  -> Splash Image: /usr/share/systemd/bootctl/splash-arch.bmp
  -> Output: /boot/EFI/Linux/linux-linux.efi

# sbctl generate-bundles
==> Generating EFI bundles....
==> Wrote EFI bundle /boot/EFI/Linux/linux-linux.efi