sbctl: initial commit, version 0.13

sbctl/.footprint

@@ -0,0 +1,3 @@
+drwxr-xr-x	root/root	usr/
+drwxr-xr-x	root/root	usr/bin/
+-rwxr-xr-x	root/root	usr/bin/sbctl

sbctl/.signature

@@ -0,0 +1,5 @@
+untrusted comment: verify with /etc/ports/contrib.pub
+RWSagIOpLGJF3yD2LWecPRaY7ntaYGVU6i+lQrc4Zc0XGo1AIkIP2CCFaHNDdQ9dkQqUqG99WXTGCVlxVZ+eQSr+aM4xUhWRcQo=
+SHA256 (Pkgfile) = 27b26f74cd8494301cb2bee0b9be7c49dffdae147cfdb95f5c7722ef27366615
+SHA256 (.footprint) = 7d397ddca2dd96e980381be94b2b110e060f778ead2dedfd1de7a05aeeb8eb8f
+SHA256 (sbctl-0.13.tar.gz) = efe855ea3de3dcaf5bc8974f724983fee0320a47094f6f4fd5f9e34cfa239456

sbctl/Pkgfile

@@ -0,0 +1,28 @@
+# Description: Secure Boot key manager
+# URL: https://github.com/Foxboron/sbctl
+# Maintainer: Tim Biermann, tbier at posteo dot de
+# Depends on: go
+# Optional: asciidoc bash-completion dracut zsh
+
+name=sbctl
+version=0.13
+release=1
+source=(https://github.com/Foxboron/sbctl/releases/download/$version/$name-$version.tar.gz)
+
+build() {
+  cd $name-$version
+
+  prt-get isinst asciidoc || sed -i 's/sbctl completions man/sbctl completions/' Makefile
+  export GOFLAGS="-buildmode=pie -trimpath -modcacherw"
+
+  make sbctl
+  make sbctl PREFIX=$PKG/usr install
+
+  prt-get isinst asciidoc || rm -r $PKG/usr/share/man
+  prt-get isinst bash-completion || rm -r $PKG/usr/share/bash-completion
+  prt-get isinst dracut || rm -r $PKG/usr/lib/
+  prt-get isinst zsh || rm -r $PKG/usr/share/zsh
+
+  rm -r $PKG/usr/share/{fish,licenses}
+  rmdir $PKG/usr/share || true
+}

sbctl/README.md

@@ -0,0 +1,46 @@
+Secure Boot with sbctl
+======================
+
+Oriented along [Unified Extensible Firmware Interface/Secure Boot - ArchWiki](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot)
+
+From a system that did not yet use secure boot:
+
+```
+# sbctl status
+Installed:      ✗ sbctl is not installed
+Setup Mode:     ✓ Disabled
+Secure Boot:    ✗ Disabled
+Vendor Keys:    microsoft
+```
+
+Reboot to BIOS. Enable/execute the following steps:
+
+- Enable Secure Boot
+- Reset Secure Boot to Setup Mode
+
+Reboot to OS. From a root shell, run:
+
+```
+# sbctl status
+Installed:      ✗ sbctl is not installed
+Setup Mode:     ✗ Enabled
+Secure Boot:    ✗ Disabled
+Vendor Keys:    microsoft
+# grub-install --target=x86_64-efi --efi-directory=<your-efi-location> --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
+# sbctl create-keys
+# sbctl enroll-keys -m ## this step might need you to run first: chattr -i /sys/firmware/efi/efivars/*
+# sbctl sign -s <your-efi-location>/EFI/grub/grubx64.efi
+# sbctl sign -s /boot/vmlinuz-6.9.0-rc3
+# grub-mkconfig -o /boot/grub/grub.cfg
+```
+
+Reboot and confirm that your system booted correctly:
+
+```
+# sbctl status
+Installed:      ✓ sbctl is installed
+Owner GUID:     <some-owner-guid>
+Setup Mode:     ✓ Disabled
+Secure Boot:    ✓ Enabled
+Vendor Keys:    microsoft
+```