0.15

@Foxboron Foxboron released this 31 Jul 11:02
· 70 commits to master since this release
0.15
37c0ce9

Deprecation Notice

Caution

The bundle/UKI support in sbctl will be removed next release. Please move to dracut/mkinitcpio/ukify.

Important Changes

Landlock support

sbctl will try to sandbox all commands with landlock.
Landlock is an unprivileged sandbox, similar to OpenBSD pledge, that allows
sbctl to declare ahead of time the directories and files it will read or write.
This feature is enabled by default and can be disabled by setting landlock: false
in the new config file, or by passing the --disable-landlock flag.

The landlock feature is run with "best effort" and will degrade its feature set
on unsupported kernels before turning it off completely.

Please note that any file permission issues might be because of landlock.

Warning

Please try --disable-landlock before reporting bugs.
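The "best effort" probe and degradation step described above, as an added Go example that is not sbctl's own code (the page does not show how sbctl implements it): it queries the kernel's Landlock ABI version with a raw landlock_create_ruleset(2) call and keeps only the file-system access rights that ABI knows, so an old kernel gets a smaller ruleset and a kernel without Landlock gets none. Linux only; the syscall number and right bits are assumed from the kernel's uapi header.

```go
package main

import (
	"runtime"
	"syscall"
)

const (
	sysLandlockCreateRuleset     = 444    // landlock_create_ruleset(2), same number on every Linux arch
	landlockCreateRulesetVersion = 1 << 0 // flag: report the ABI version instead of creating a ruleset
)

const fsAccessABI1 uint64 = 1<<13 - 1 // ABI 1 rights, bits 0-12 (execute, read/write, dir ops, make_*)

var laterRights = map[int]uint64{ // rights added by later ABIs, keyed by the ABI that introduced them
	2: 1 << 13, // LANDLOCK_ACCESS_FS_REFER
	3: 1 << 14, // LANDLOCK_ACCESS_FS_TRUNCATE
	5: 1 << 15, // LANDLOCK_ACCESS_FS_IOCTL_DEV
}

// landlockABI probes the kernel's Landlock ABI; 0 means too old or disabled (sandbox off).
func landlockABI() (int, error) {
	if runtime.GOOS != "linux" {
		return 0, nil
	}
	r, _, errno := syscall.Syscall(sysLandlockCreateRuleset, 0, 0, landlockCreateRulesetVersion)
	switch errno {
	case 0:
		return int(r), nil
	case syscall.ENOSYS, syscall.EOPNOTSUPP:
		return 0, nil
	default:
		return 0, errno
	}
}

// fsAccessForABI is the degradation step: a ruleset that names a right the
// kernel does not know is rejected, so only rights of the detected ABI are handled.
func fsAccessForABI(abi int) uint64 {
	if abi < 1 {
		return 0
	}
	mask := fsAccessABI1
	for since, right := range laterRights {
		if abi >= since {
			mask |= right
		}
	}
	return mask
}
```

A tool that reports EACCES on a file it never declared is usually hitting exactly this ruleset, which is why disabling the sandbox is the first thing to try when triaging a permission error.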

Major changes

Move from /usr/share/secureboot to /var/lib/sbctl and sbctl migrate

Important

Please run sbctl setup --migrate --disable-landlock. See #333

sbctl has moved from using /usr/share/secureboot to /var/lib/sbctl. The
usage of /usr was mostly for legacy reasons, but there wasn't any motivation
to fix this until now.

To help with the migration sbctl migrate has been implemented. It will move
all the files from the old location to /var/lib/sbctl and rename files
accordingly.

Existing sbctl installations should continue to work with a warning message
that they should run sbctl migrate.

Important

For packagers:

The sbctl.DatabasePath variable is used by sbctl internally to denote the "old path" when using sbctl migrate. If you override this from the default /usr location during building, do not remove it when building the new release.

Configuration file and sbctl setup

A new way to set up sbctl has been introduced, along with a declarative
configuration file. The default config file location is /etc/sbctl/sbctl.conf
and it will be read on startup if available. If the file is not present, sbctl
will use default settings.

The new sbctl setup --setup command will do a complete sbctl installation
based on the new configuration file. If the file is not passed through
--config or read from /etc/sbctl/sbctl.conf, it will use the default settings
to create and enroll Secure Boot certificates.

If a configuration file is provided then sbctl will attempt to sign the
default files and save them to the database for future signing.

In the future sbctl setup will provide an interactive setup that will sign the
default boot chain and produce a configuration file.

Example configuration file:

---
landlock: true
keydir: /var/lib/sbctl/keys
guid: /var/lib/sbctl/GUID
files_db: /var/lib/sbctl/files.json
bundles_db: /var/lib/sbctl/bundles.json
files:
- path: /efi/EFI/BOOT/BOOTX64.EFI
  output: /efi/EFI/BOOT/BOOTX64.EFI
- path: /efi/EFI/Linux/arch-linux.efi
  output: /efi/EFI/Linux/arch-linux.efi
- path: /usr/lib/fwupd/efi/fwupdx64.efi
  output: /usr/lib/fwupd/efi/fwupdx64.efi.signed
- path: /usr/lib/systemd/boot/efi/systemd-bootx64.efi
  output: /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
keys:
  pk:
    privkey: /var/lib/sbctl/keys/PK/PK.key
    pubkey: /var/lib/sbctl/keys/PK/PK.pem
    type: file
  kek:
    privkey: /var/lib/sbctl/keys/KEK/KEK.key
    pubkey: /var/lib/sbctl/keys/KEK/KEK.pem
    type: file
  db:
    privkey: /var/lib/sbctl/keys/db/db.key
    pubkey: /var/lib/sbctl/keys/db/db.pem
    type: file

TPM key files

sbctl now supports creation of TPM key files using
go-tpm-keyfiles. These keys are
mostly compatible with how other TPM2 TSS keyfiles are created. This key type
can be used by passing one of several keytype flags to create-keys or
rotate-keys, or by specifying the type in the new configuration file.

The flags for create-keys and rotate-keys are:

  • --keytype - Set keytype for all keys
  • --pk-keytype - Set PK key type
  • --kek-keytype - Set KEK key type
  • --db-keytype - Set db key type

The current x509 and RSA key type used by sbctl is now called file, and the
new TPM key file is called tpm.

Note that only RSA 2048 is supported by most TPMs while the default file type
defaults to RSA 4096. The default key type for sbctl will continue to be
file.

If you wish to rotate to a key hierarchy where PK and KEK are stored as tpm
key files, and db as a file keytype, you can issue the following commands:

λ » sudo sbctl reset
✓ Removed Platform Key!
Use `sbctl enroll-keys` to enroll the Platform Key again.

λ » sudo sbctl rotate-keys --pk-keytype tpm --kek-keytype kek --db-keytype file
Backed up keys to /var/tmp/sbctl/sbctl_backup_keys_1722423218
Creating secure boot keys...✓
Secure boot keys created!
✓ Enrolled new keys into UEFI!
✓ Signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
✓ Signed /efi/EFI/BOOT/BOOTX64.EFI
✓ Signed /efi/EFI/Linux/arch-linux.efi
✓ Signed /usr/lib/fwupd/efi/fwupdx64.efi.signed

Other changes

sbctl debug

To help with debugging efforts sbctl debug has been implemented. It will dump
most of the efivarfs, the configuration, state information and version
information into a tarball which can be uploaded.

Major refactoring

Almost all of the core key handling and key hierarchy code in sbctl has been
reworked to better support different key types. This has led to a great deal of
internal changes and refactoring. Some things might be subtly broken because of
the limited ability to test everything.

However, in the future it will be easier to write unit tests for sbctl, which
will make it more stable in the long run.

Generated list of changes

Full Changelog: 0.14...0.15