From 80bbc7148b3ba3877fa19c1769ff03d25dd51b55 Mon Sep 17 00:00:00 2001
From: Tim Biermann
Date: Sun, 14 Apr 2024 18:16:22 +0200
Subject: [PATCH] sbctl: initial commit, version 0.13
---
sbctl/.footprint | 3 +++
sbctl/.signature | 5 +++++
sbctl/Pkgfile | 28 ++++++++++++++++++++++++++++
sbctl/README.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 82 insertions(+)
create mode 100644 sbctl/.footprint
create mode 100644 sbctl/.signature
create mode 100644 sbctl/Pkgfile
create mode 100644 sbctl/README.md
diff --git a/sbctl/.footprint b/sbctl/.footprint
new file mode 100644
index 000000000..edf9aa7f5
--- /dev/null
+++ b/sbctl/.footprint
@@ -0,0 +1,3 @@
+drwxr-xr-x root/root usr/
+drwxr-xr-x root/root usr/bin/
+-rwxr-xr-x root/root usr/bin/sbctl
diff --git a/sbctl/.signature b/sbctl/.signature
new file mode 100644
index 000000000..6af058915
--- /dev/null
+++ b/sbctl/.signature
@@ -0,0 +1,5 @@
+untrusted comment: verify with /etc/ports/contrib.pub
+RWSagIOpLGJF3yD2LWecPRaY7ntaYGVU6i+lQrc4Zc0XGo1AIkIP2CCFaHNDdQ9dkQqUqG99WXTGCVlxVZ+eQSr+aM4xUhWRcQo=
+SHA256 (Pkgfile) = 27b26f74cd8494301cb2bee0b9be7c49dffdae147cfdb95f5c7722ef27366615
+SHA256 (.footprint) = 7d397ddca2dd96e980381be94b2b110e060f778ead2dedfd1de7a05aeeb8eb8f
+SHA256 (sbctl-0.13.tar.gz) = efe855ea3de3dcaf5bc8974f724983fee0320a47094f6f4fd5f9e34cfa239456
diff --git a/sbctl/Pkgfile b/sbctl/Pkgfile
new file mode 100644
index 000000000..20bf255a1
--- /dev/null
+++ b/sbctl/Pkgfile
@@ -0,0 +1,28 @@
+# Description: Secure Boot key manager
+# URL: https://github.com/Foxboron/sbctl
+# Maintainer: Tim Biermann, tbier at posteo dot de
+# Depends on: go
+# Optional: asciidoc bash-completion dracut zsh
+
+name=sbctl
+version=0.13
+release=1
+source=(https://github.com/Foxboron/sbctl/releases/download/$version/$name-$version.tar.gz)
+
+build() {
+ cd $name-$version
+
+ prt-get isinst asciidoc || sed -i 's/sbctl completions man/sbctl completions/' Makefile
+ export GOFLAGS="-buildmode=pie -trimpath -modcacherw"
+
+ make sbctl
+ make sbctl PREFIX=$PKG/usr install
+
+ prt-get isinst asciidoc || rm -r $PKG/usr/share/man
+ prt-get isinst bash-completion || rm -r $PKG/usr/share/bash-completion
+ prt-get isinst dracut || rm -r $PKG/usr/lib/
+ prt-get isinst zsh || rm -r $PKG/usr/share/zsh
+
+ rm -r $PKG/usr/share/{fish,licenses}
+ rmdir $PKG/usr/share || true
+}
diff --git a/sbctl/README.md b/sbctl/README.md
new file mode 100644
index 000000000..c2349b086
--- /dev/null
+++ b/sbctl/README.md
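Review bot: All removal lines at the end of build() expand `$PKG` unquoted and unguarded, so an unset or empty PKG turns `rm -r $PKG/usr/lib/` into a removal of the live `/usr/lib/`; use the `:?` guard, `prt-get isinst dracut || rm -r "${PKG:?}/usr/lib/"`, and apply the same form to the other four `rm -r` lines and the `rmdir`. pkgmk normally exports PKG before sourcing the Pkgfile, so this is defensive rather than a reproducer, but the guard costs nothing. The dracut branch also removes the whole of `usr/lib/` rather than just the directory the dracut module presumably installs into, which would silently drop anything else a future release places under usr/lib; narrowing it to the actual path would be safer. Note that the committed `.footprint` lists only `usr/bin/sbctl`, so it reflects a build with none of the listed optional dependencies present.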
@@ -0,0 +1,46 @@
+Secure Boot with sbctl
+======================
+
+Oriented along [Unified Extensible Firmware Interface/Secure Boot - ArchWiki](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot)
+
+From a system that did not yet use secure boot:
+
+```
+# sbctl status
+Installed: ✗ sbctl is not installed
+Setup Mode: ✓ Disabled
+Secure Boot: ✗ Disabled
+Vendor Keys: microsoft
+```
+
+Reboot to BIOS. Enable/execute the following steps:
+
+- Enable Secure Boot
+- Reset Secure Boot to Setup Mode
+
+Reboot to OS. From a root shell, run:
+
+```
+# sbctl status
+Installed: ✗ sbctl is not installed
+Setup Mode: ✗ Enabled
+Secure Boot: ✗ Disabled
+Vendor Keys: microsoft
+# grub-install --target=x86_64-efi --efi-directory= --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
+# sbctl create-keys
+# sbctl enroll-keys -m ## this step might need you to run first: chattr -i /sys/firmware/efi/efivars/*
+# sbctl sign -s /EFI/grub/grubx64.efi
+# sbctl sign -s /boot/vmlinuz-6.9.0-rc3
+# grub-mkconfig -o /boot/grub/grub.cfg
+```
+
+Reboot and confirm that your system booted correctly:
+
+```
+# sbctl status
+Installed: ✓ sbctl is installed
+Owner GUID:
+Setup Mode: ✓ Disabled
+Secure Boot: ✓ Enabled
+Vendor Keys: microsoft
+```