mirror of https://github.com/ericonr/sbctl.git
195 lines
5.5 KiB
Plaintext
sbctl(8)
========

Name
----
sbctl - Secure Boot manager

Synopsis
--------
'sbctl' <command>

Description
-----------
'sbctl' aims to provide a fully integrated Secure Boot experience: it creates
and enrolls the signing keys, signs EFI binaries, and generates signed bundles
that carry kernel, initramfs and command line in one image.

EFI signing commands
--------------------

**status**::
Shows the current Secure Boot status of the system. It checks whether the
machine was booted through UEFI with Secure Boot enabled, and whether Setup
Mode is active (the firmware state in which keys can be enrolled from the
running system).

**create-keys**::
Creates a set of signing keys used to sign EFI binaries. Currently it
will create the following keys:
* Platform Key
* Key Exchange Key
* Signature Database Key

**enroll-keys**::
Enrolls the created keys into the firmware. It first attempts a live
enrollment with `sbkeysync`, which requires the firmware to be in Setup Mode.

**sign** <FILE>...::
Signs an EFI binary with the created Signature Database key. The file is
first checked for an existing valid signature, so the same binary is not
signed twice.

*-o* 'PATH', *--output* 'PATH';;
Output filename. By default the input file is replaced in place.

*-s*, *--save*;;
Save the file to the signing database, so that *sign-all* re-signs it later.

**sign-all**::
Signs all enrolled EFI binaries.

*-g*, *--generate*;;
Generate all bundles before signing.

**list-files**::
Lists all enrolled EFI binaries.

**remove-file** <FILE>::
Removes the file from the signing database.

**verify**::
Looks for EFI binaries with the mime type application/x-dosexec on the
ESP partition, together with the files in the file database, and checks
whether each has been signed with the Signature Database key.

**help** <FILE>...::
Displays a help message.
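
The check that *status* performs, as an added example that is not sbctl's own
code: a POSIX shell script that reads the SecureBoot and SetupMode variables
through efivarfs. The efivarfs mount point, the state names it prints and the
fixture generator are assumptions of this example.

```shell
#!/bin/sh
# Added example (not sbctl's own code): the check behind a "status"-style
# command. efivarfs exposes each UEFI variable as a file whose first four
# bytes are the variable attributes and the rest is the data; SecureBoot
# and SetupMode (EFI_GLOBAL_VARIABLE namespace) carry a single data byte.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}        # assumed default mount point
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c      # EFI_GLOBAL_VARIABLE GUID

# efivar_byte FILE: first data byte as a decimal number, or "absent".
efivar_byte() {
  if [ -r "$1" ]; then
    od -An -tu1 -j 4 -N 1 "$1" | tr -d ' \n'
  else
    echo absent
  fi
}

# secure_boot_state DIR: "enabled", "setup-mode", "disabled", "not-uefi"
# or "unknown (<sb>/<setup>)" from the two variables found under DIR.
secure_boot_state() {
  [ -d "$1" ] || { echo not-uefi; return 0; }
  sb=$(efivar_byte "$1/SecureBoot-$EFI_GLOBAL")
  setup=$(efivar_byte "$1/SetupMode-$EFI_GLOBAL")
  case "$sb:$setup" in
    1:0) echo enabled ;;          # firmware verifies what it loads
    0:1) echo setup-mode ;;       # no PK: keys can be enrolled from the OS
    0:0) echo disabled ;;         # user mode, but enforcement switched off
    *)   echo "unknown ($sb/$setup)" ;;
  esac
}

# make_fake_efivars DIR SB SETUP: constructed fixture with the efivarfs
# layout (attributes 0x06 = BS|RT, then the data byte), for trying the
# script on a machine that was not booted through UEFI.
make_fake_efivars() {
  mkdir -p "$1"
  { printf '\006\000\000\000'; printf "\\$(printf '%03o' "$2")"; } > "$1/SecureBoot-$EFI_GLOBAL"
  { printf '\006\000\000\000'; printf "\\$(printf '%03o' "$3")"; } > "$1/SetupMode-$EFI_GLOBAL"
}

echo "Secure Boot: $(secure_boot_state "$EFIVARS")"
```

Run it as is on a UEFI machine, or point `EFIVARS` at a directory produced by
`make_fake_efivars` to see the other states. The same two variables are what
*enroll-keys* depends on: enrollment only works in the setup-mode case.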
EFI binary commands
-------------------

**bundle** [FLAGS] <NAME>::
Creates a bundle that should produce EFI binaries. See **BUNDLES**
below for more details.

*-a* 'PATH', *--amducode* 'PATH';;
AMD microcode location.

*-c* 'PATH', *--cmdline* 'PATH';;
Cmdline location. (default "/etc/kernel/cmdline")

*-e* 'PATH', *--efi-stub* 'PATH';;
EFI stub location. (default "/usr/lib/systemd/boot/efi/linuxx64.efi.stub")

*-p* 'PATH', *--esp* 'PATH';;
ESP location. (default "/efi")

*-h*, *--help*;;
Help for bundle.

*-f* 'PATH', *--initramfs* 'PATH';;
Initramfs location. (default "/efi/initramfs-linux.img")

*-i* 'PATH', *--intelucode* 'PATH';;
Intel microcode location.

*-k* 'PATH', *--kernel-img* 'PATH';;
Kernel image location. (default "/efi/vmlinuz-linux")

*-o* 'PATH', *--os-release* 'PATH';;
OS release file location. (default "/usr/lib/os-release")

*-s*, *--save*;;
Save bundle to the database.

*-l* 'PATH', *--splash-img* 'PATH';;
Boot splash image location.

**generate-bundles**::
Regenerates every bundle stored in the bundle database, using the
parameters saved for it.

*-s*, *--sign*;;
Sign all the generated bundles.

**remove-bundle** <NAME>::
Removes the bundle's entry from the bundle database. The generated EFI
binary itself is not deleted.

**list-bundles**::
Lists all registered bundles to generate.

Bundles
-------

Normally, only the kernel is signed with your Secure Boot keys. The
initramfs and the kernel command line are loaded separately and are never
verified, so anyone who can write to the ESP can change either of them
without tripping Secure Boot.

Bundles are EFI executables which pack all three (initramfs, kernel and
cmdline) into a single file which is easy to sign. Avoiding any unsigned
files during boot makes the whole process more tamper-proof.

When a bundle is generated, its configuration is stored into the bundle
database (see **FILES**). Subsequent executions of *sbctl generate-bundles*
will rebuild these bundles, so you don't need to re-specify all parameters
after each system update.

Hint: systemd-boot will automatically show entries for any bundles found in
*esp/EFI/Linux/+++*+++.efi*.
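
The inspection that *verify* performs and the bundle layout described in this
section, as one added example that is not sbctl's own code: a POSIX shell
script that walks an ESP, recognises PE images, reads the Certificate Table
entry that an Authenticode signature occupies, and checks for the sections a
bundle carries. The db.pem path, the output format and the fixture generator
are this example's assumptions; a real signature check against db is delegated
to sbverify(1) when it is installed.

```shell
#!/bin/sh
# Added example, not sbctl's own code. In plain shell it does what the
# "verify" description and the BUNDLES section talk about: find PE/COFF
# images under an ESP (what file(1) calls application/x-dosexec), say
# whether each carries an Authenticode certificate table at all, and
# whether it is a bundle (stub plus .osrel/.cmdline/.linux/.initrd
# sections). Checking a signature against db.pem needs sbverify(1) from
# sbsigntools and is only attempted when that tool is installed.
DB_CERT=${DB_CERT:-/usr/share/secureboot/keys/db/db.pem}   # assumed path

# bytes FILE OFFSET COUNT: decimal byte values, space separated.
bytes() { od -An -tu1 -j "$2" -N "$3" "$1" 2>/dev/null | tr '\n' ' ' | tr -s ' ' | sed 's/^ //;s/ $//'; }
le16() { set -- $(bytes "$1" "$2" 2); [ $# -eq 2 ] || { echo 0; return; }; echo $(( $1 + ($2 << 8) )); }
le32() { set -- $(bytes "$1" "$2" 4); [ $# -eq 4 ] || { echo 0; return; }
         echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) )); }

# pe_offset FILE: offset of the "PE\0\0" signature; fails if not a PE image.
pe_offset() {
  [ "$(bytes "$1" 0 2)" = "77 90" ] || return 1           # "MZ"
  off=$(le32 "$1" 60)                                     # e_lfanew
  [ "$(bytes "$1" "$off" 4)" = "80 69 0 0" ] || return 1  # "PE\0\0"
  echo "$off"
}
is_pe() { pe_offset "$1" >/dev/null; }

# pe_cert_table_size FILE: Size field of data directory entry 4 (Certificate
# Table). 0 means nothing is attached; non-zero only says some signature is
# present, not that it chains to db.
pe_cert_table_size() {
  pe=$(pe_offset "$1") || { echo 0; return 1; }
  opt=$((pe + 24))                                        # optional header
  case $(le16 "$1" "$opt") in
    523) dd=$((opt + 112)) ;;                             # 0x20b PE32+ (x86_64, aarch64)
    267) dd=$((opt + 96)) ;;                              # 0x10b PE32 (ia32)
    *)   echo 0; return 1 ;;
  esac
  le32 "$1" $((dd + 4 * 8 + 4))
}

# pe_sections FILE: section names, one per line.
pe_sections() {
  pe=$(pe_offset "$1") || return 1
  n=$(le16 "$1" $((pe + 6)))                              # NumberOfSections
  optsize=$(le16 "$1" $((pe + 20)))                       # SizeOfOptionalHeader
  sec=$((pe + 24 + optsize)); i=0
  while [ "$i" -lt "$n" ]; do
    dd if="$1" bs=1 skip="$sec" count=8 2>/dev/null | tr -d '\000'; printf '\n'
    sec=$((sec + 40)); i=$((i + 1))
  done
}

# is_bundle FILE: true when kernel, initramfs, cmdline and os-release all
# live inside the image, so the one signature covers everything loaded.
is_bundle() {
  names=$(pe_sections "$1") || return 1
  for s in .linux .initrd .cmdline .osrel; do
    printf '%s\n' "$names" | grep -qxF "$s" || return 1
  done
}

# scan_esp DIR: one line per PE image: signed|UNSIGNED, bundle|plain, path.
scan_esp() {
  find "$1" -type f | sort | while IFS= read -r f; do
    is_pe "$f" || continue
    if [ "$(pe_cert_table_size "$f")" -gt 0 ]; then sig=signed; else sig=UNSIGNED; fi
    if is_bundle "$f"; then kind=bundle; else kind=plain; fi
    echo "$sig $kind $f"
    if [ "$sig" = signed ] && command -v sbverify >/dev/null 2>&1 && [ -r "$DB_CERT" ]; then
      if sbverify --cert "$DB_CERT" "$f" >/dev/null 2>&1; then echo "  verified with $DB_CERT"
      else echo "  NOT signed by $DB_CERT"; fi
    fi
  done
}

# make_fake_pe OUT SIGNED SECTION...: constructed fixture, a PE32+ header
# skeleton (not bootable) so the functions above can run without a real ESP.
zeros() { i=0; while [ "$i" -lt "$1" ]; do printf '\000'; i=$((i + 1)); done; }
make_fake_pe() {
  out=$1; signed=$2; shift 2
  n=$#; certoff=$((328 + 40 * n))                         # headers are 328 bytes, then sections
  {
    printf 'MZ'; zeros 58; printf '\100\000\000\000'      # e_lfanew = 64
    printf 'PE\000\000\144\206'; printf "\\$(printf '%03o' "$n")\000"  # x86_64, NumberOfSections
    zeros 12; printf '\360\000'; zeros 2                  # SizeOfOptionalHeader = 240
    printf '\013\002'; zeros 110; zeros 32                # magic 0x20b, fields, directories 0-3
    if [ "$signed" = 1 ]; then
      printf "\\$(printf '%03o' $((certoff % 256)))\\$(printf '%03o' $((certoff / 256)))\000\000"
      printf '\020\000\000\000'                           # entry 4: offset certoff, size 16
    else zeros 8; fi
    zeros 88                                              # directories 5-15
    for s in "$@"; do printf '%-8s' "$s" | tr ' ' '\000'; zeros 32; done
    zeros 16                                              # stand-in for the certificate blob
  } > "$out"
}
```

`scan_esp /efi` is the intended call on a real system; an image reported as
UNSIGNED or plain is exactly what *sign* and *bundle* exist to fix. The fixture
generator only writes headers, so never copy its output onto a real ESP.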
Notes
-----
All commands that take path arguments convert them into absolute paths when
saving them to the database.

Environment variables
---------------------

**SYSTEMD_ESP_PATH**, **ESP_PATH**::
Defines the EFI system partition (ESP) location. This overrides the
behaviour of **sbctl**, which otherwise queries **lsblk** for the correct
partition. No checks are performed on this path, which can be useful for
testing purposes.

**SBCTL_UNICODE**::
If this value is "0", sbctl replaces the unicode symbols in its output with
equivalent ASCII ones. The default value is assumed to be 1.

Files
-----
**/usr/share/secureboot**::
Default storage directory. The *.key files below are the private keys, so
this directory must be readable by root only.

**/usr/share/secureboot/GUID**::
Owner identification. This is a randomly generated UUID.

**/usr/share/secureboot/files.db**::
Contains a list of EFI binaries to be signed by the generated key.

**/usr/share/secureboot/bundles.db**::
Contains a list of EFI bundles to be generated.

**/usr/share/secureboot/keys/db/db.{auth,der,pem,der.esl,key}**::
Contains the Signature Database key used for signing EFI binaries.

**/usr/share/secureboot/keys/KEK/KEK.{auth,der,pem,der.esl,key}**::
Contains the Key Exchange Key.

**/usr/share/secureboot/keys/PK/PK.{auth,der,pem,der.esl,key}**::
Contains the Platform Key.
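
How keys in this layout can be produced, as an added example that is not
sbctl's own code: a POSIX shell script that uses openssl for the key pairs and
certificates (.key, .pem, .der) and, when efitools is installed,
cert-to-efi-sig-list and sign-efi-sig-list for the .der.esl and .auth files.
Key size, validity period, certificate subjects and the default directory are
this example's assumptions.

```shell
#!/bin/sh
# Added example, not sbctl's own code: generate the PK, KEK and db key pairs
# in the per-key layout listed under FILES (<name>.key, <name>.pem,
# <name>.der) plus the owner GUID file. Key size, validity period and
# certificate subjects are this example's choices, not necessarily sbctl's.
KEYDIR=${KEYDIR:-/usr/share/secureboot/keys}   # assumed to match the FILES section
KEY_BITS=${KEY_BITS:-4096}
KEY_DAYS=${KEY_DAYS:-3650}

# gen_guid: random UUID used as the owner identification (SignatureOwner).
gen_guid() { cat /proc/sys/kernel/random/uuid 2>/dev/null || uuidgen; }

# gen_key BASE NAME CN: self-signed RSA key and certificate (PEM and DER).
gen_key() {
  dir=$1/$2
  mkdir -p "$dir"
  # -nodes writes the private key unencrypted, so the directory must stay root-only
  openssl req -x509 -newkey "rsa:$KEY_BITS" -nodes -sha256 -days "$KEY_DAYS" \
    -subj "/CN=$3/" -keyout "$dir/$2.key" -out "$dir/$2.pem" 2>/dev/null
  openssl x509 -in "$dir/$2.pem" -outform DER -out "$dir/$2.der"
  chmod 0600 "$dir/$2.key"
}

# create_keys BASE: what "create-keys" produces, as far as openssl goes; the
# GUID file lands next to the keys directory, like /usr/share/secureboot/GUID.
create_keys() {
  mkdir -p "$1" && chmod 0700 "$1"
  [ -s "$1/../GUID" ] || gen_guid > "$1/../GUID"
  gen_key "$1" PK  "Platform Key"
  gen_key "$1" KEK "Key Exchange Key"
  gen_key "$1" db  "Signature Database Key"
}

# key_cn BASE NAME: print the certificate's CN, to confirm which key is which.
key_cn() { openssl x509 -in "$1/$2/$2.pem" -noout -subject | sed 's/.*CN *= *//'; }

# to_esl_auth BASE NAME SIGNER: build NAME.der.esl and NAME.auth with
# efitools, if installed. The update for PK is signed by PK itself, KEK by
# PK and db by KEK; that is the chain the firmware checks once it is in
# user mode, while in Setup Mode the unsigned .esl files are enough.
to_esl_auth() {
  if ! command -v cert-to-efi-sig-list >/dev/null 2>&1; then
    echo "efitools not installed, skipping $2.auth"; return 0
  fi
  guid=$(cat "$1/../GUID")
  cert-to-efi-sig-list -g "$guid" "$1/$2/$2.pem" "$1/$2/$2.der.esl"
  sign-efi-sig-list -g "$guid" -k "$1/$3/$3.key" -c "$1/$3/$3.pem" \
    "$2" "$1/$2/$2.der.esl" "$1/$2/$2.auth"
}

# Usage (as root):
#   create_keys "$KEYDIR"
#   to_esl_auth "$KEYDIR" PK PK; to_esl_auth "$KEYDIR" KEK PK; to_esl_auth "$KEYDIR" db KEK
```

The PK is the root of trust for the whole chain: whoever holds PK.key can
replace KEK and db, so it needs at least the same protection as the rest of
the directory, and a backup kept off the machine if the firmware is ever to
leave Setup Mode again.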
See Also
--------
linkman:sbsign[1]
linkman:bootctl[1]

Authors
-------

* Morten Linderud <morten@linderud.pw>