
Releases: Foxboron/sbctl

Release: 0.14

08 May 21:01
0.14
b7e1302

Another bugfix release with two new commands

New commands

  • export-enrolled-keys will export all enrolled keys on the system to a directory
  • list-enrolled-keys will list the enrolled keys on the system

New things

The test suite has now been rewritten to use the new vmtest library.

Bugfixes

  • sign-all won't abort when it encounters a file it can't sign.

Packaging changes

  • The kernel-install hook won't try to sign things if there are no signing keys available.
  • The kernel-install hook will now only remove things if they actually did exist on the system.
  • The mkinitcpio hook now only signs the kernel/UKI that was just built instead of every file in the sbctl database.

Generated list of changes

What's Changed

  • 91-sbctl.install: don't sign without signing keys by @ajakk in #188
  • Mention COPR package by @dngray in #274
  • Add openSUSE to Installation in README by @photosheep in #279
  • sign-all don't stop signing if one file does not exist anymore by @jvllmr in #280
  • Update the mkinitcpio post hook to only sign the kernel/UKI which is currently being built instead of all the files in the sbctl database by @into-the-v0id in #285
  • ci.yaml: use github container registry by @pheiduck in #288
  • only remove entries if they are there by @hboetes in #294
  • Add list-enrolled-keys command by @jimmykarily in #296
  • Add Option ROM warning to Usage section of the manpage by @00-kat in #300
  • Run integration using uroot by @jimmykarily in #302
  • Add export-enrolled-keys command by @jimmykarily in #303
  • Update README.md by @hboetes in #305

Full Changelog: 0.13...0.14

Release: 0.13

25 Dec 21:16
0.13
ee7cf4a

This is largely a bugfix release with a couple of changes.

mkinitcpio hook

contrib/mkinitcpio/sbctl now contains a hook for mkinitcpio.

Similar to recent mkinitcpio changes, sbctl will now also sign when dkms modules change.

Fix create-keys flags

--export,-e and --database-path,-d now work properly and no longer overwrite the create-keys variables internally.

Remove erroneous dbx enrollment

The previous release implemented dbx support that did not work as expected; it also failed to enroll keys on clients that had already been set up. The implementation has been removed and will be revisited at a later date.

Full Changelog: 0.12...0.13

Release: 0.12

20 Oct 19:11
0.12
748bc59

Deprecation notice

sbctl bundle might be deprecated in the future. This functionality is better served by ukify from systemd or the UKI support in mkinitcpio or dracut. I don't have any intentions of improving this feature going forward.

If your local initramfs generation tool does not support UKI generation you should write them some patches.

Custom certificates

sbctl now allows you to enroll custom certificates into KEK and db. This can be done by placing certificates into /usr/share/secureboot/keys/custom/KEK/ and /usr/share/secureboot/keys/custom/db then running sbctl enroll-keys -c.

Key export

sbctl now allows keys to be exported as EFI Signature Lists (esl) or EFI Authenticated Variables (auth), which are pre-signed.
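The .esl export above, the db/KEK/PK variables themselves, and what list-enrolled-keys / export-enrolled-keys in 0.14 read all share one layout: a concatenation of EFI_SIGNATURE_LIST records, each holding EFI_SIGNATURE_DATA entries (an owner GUID followed by a DER certificate or a hash). The following Go parser and encoder is an added example written for this page, not sbctl's or go-uefi's code. The GUIDs and field layout come from the UEFI specification; the sample database it builds is constructed test data, and its X509 entry is a placeholder blob, not a real certificate. One caveat if you feed it a file read from /sys/firmware/efi/efivars/: the kernel prefixes the payload with a 4-byte attribute word, so pass data[4:].

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Signature-type GUIDs from the UEFI specification, in text form.
const (
	EFICertSHA256GUID = "c1c41626-504c-4092-aca9-41f936934328"
	EFICertX509GUID   = "a5c059a1-94e4-4aa7-87b5-ab155c2bf072"
)

// EFIGUID is the 16-byte in-variable form: Data1..Data3 little-endian, Data4 as-is.
type EFIGUID [16]byte

// ParseGUID converts the textual form into the in-variable byte order.
func ParseGUID(s string) (EFIGUID, error) {
	var g EFIGUID
	raw, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(raw) != 16 {
		return g, fmt.Errorf("bad GUID %q", s)
	}
	copy(g[:], []byte{raw[3], raw[2], raw[1], raw[0], raw[5], raw[4], raw[7], raw[6]})
	copy(g[8:], raw[8:])
	return g, nil
}

func (g EFIGUID) String() string {
	return fmt.Sprintf("%02x%02x%02x%02x-%02x%02x-%02x%02x-%s-%s",
		g[3], g[2], g[1], g[0], g[5], g[4], g[7], g[6],
		hex.EncodeToString(g[8:10]), hex.EncodeToString(g[10:16]))
}

// Signature is one EFI_SIGNATURE_DATA entry together with its list's type.
type Signature struct {
	Type  EFIGUID // SignatureType of the enclosing EFI_SIGNATURE_LIST
	Owner EFIGUID // SignatureOwner
	Data  []byte  // DER certificate (X509 lists) or raw digest (SHA256 lists)
}

const eslHeaderLen = 16 + 4 + 4 + 4 // SignatureType, ListSize, HeaderSize, SignatureSize

// ParseESL walks a concatenation of EFI_SIGNATURE_LIST records (db/KEK/PK payloads,
// .esl files). Every size field is bounds-checked: the bytes come from firmware or a download.
func ParseESL(buf []byte) ([]Signature, error) {
	var out []Signature
	for len(buf) > 0 {
		if len(buf) < eslHeaderLen {
			return nil, errors.New("truncated EFI_SIGNATURE_LIST header")
		}
		var sigType EFIGUID
		copy(sigType[:], buf[:16])
		listSize := int(binary.LittleEndian.Uint32(buf[16:20]))
		hdrSize := int(binary.LittleEndian.Uint32(buf[20:24]))
		sigSize := int(binary.LittleEndian.Uint32(buf[24:28]))
		if listSize < eslHeaderLen || listSize > len(buf) || hdrSize < 0 || hdrSize > listSize-eslHeaderLen {
			return nil, fmt.Errorf("SignatureListSize %d / SignatureHeaderSize %d out of range", listSize, hdrSize)
		}
		body := buf[eslHeaderLen+hdrSize : listSize]
		if sigSize <= 16 || len(body)%sigSize != 0 { // each entry is owner GUID + data
			return nil, fmt.Errorf("SignatureSize %d does not tile a %d-byte list body", sigSize, len(body))
		}
		for off := 0; off < len(body); off += sigSize {
			entry := body[off : off+sigSize]
			var owner EFIGUID
			copy(owner[:], entry[:16])
			out = append(out, Signature{Type: sigType, Owner: owner, Data: append([]byte(nil), entry[16:]...)})
		}
		buf = buf[listSize:]
	}
	return out, nil
}

// BuildESL encodes equal-length entries into one EFI_SIGNATURE_LIST without a SignatureHeader.
func BuildESL(sigType, owner EFIGUID, entries [][]byte) []byte {
	sigSize := 16 + len(entries[0])
	var b bytes.Buffer
	b.Write(sigType[:])
	binary.Write(&b, binary.LittleEndian, []uint32{uint32(eslHeaderLen + sigSize*len(entries)), 0, uint32(sigSize)})
	for _, e := range entries {
		b.Write(owner[:])
		b.Write(e)
	}
	return b.Bytes()
}

// SampleDB is constructed test data: a SHA256 list with two digests followed by
// an X509 list whose single entry is a placeholder, not a parseable certificate.
func SampleDB() []byte {
	sha256Type, _ := ParseGUID(EFICertSHA256GUID)
	x509Type, _ := ParseGUID(EFICertX509GUID)
	owner, _ := ParseGUID("11111111-2222-3333-4444-555555555555")
	hashes := [][]byte{bytes.Repeat([]byte{0xAA}, 32), bytes.Repeat([]byte{0xBB}, 32)}
	return append(BuildESL(sha256Type, owner, hashes), BuildESL(x509Type, owner, [][]byte{bytes.Repeat([]byte{0x30}, 50)})...)
}
```

An .auth file is the same EFI_SIGNATURE_LIST payload preceded by an EFI_VARIABLE_AUTHENTICATION_2 header (timestamp plus PKCS#7 signature), which is why both export formats carry identical certificate data and only the .auth one can be written straight into a locked-down variable.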

Enrolling default certificates

sbctl can now enroll certificates found in dbxDefault, dbDefault, KEKDefault and PKDefault. These variables contain the machine's default configuration and may hold certificates that would be missing if only the Microsoft certificates were enrolled.

Usage:

# Defaults to "db,KEK"
sbctl enroll-keys --firmware-builtin

# Enroll everything from the vendor
sbctl enroll-keys --firmware-builtin "dbx,db,KEK,PK"

Support for partial key hierarchies

Before this release, sbctl would enroll, reset and rotate the entire key hierarchy when requested. This release adds support for partial key hierarchies, available through the --partial flag of the respective commands.

Full Changelog: 0.11...0.12

Release: 0.11

25 Mar 14:15
0.11
d1817b9

sbctl is a Secure Boot key manager that helps users create and enroll Platform Keys and manage the signing of files.

Firmware Quirks

sbctl now supports a system to detect firmware quirks that might affect the security or functionality of Secure Boot.

The initial revision supports detecting the widely reported MSI Secure Boot quirk.

Please see "MSI has very insecure Secure Boot defaults" for details, and #189 for the feature.

Big thanks to @dawidpotocki for solving the initial issue, the implementation of this new feature in sbctl and the efforts he has put into this :)

Wiki pages

One wiki page for the new firmware quirk system has been added.

Other changes

  • UKIs generated by sbctl now have correct section alignment.

  • enroll-keys with --microsoft will now also enroll the KEK.

  • sbctl now has a filesystem abstraction layer which allows writing proper end-to-end tests of all efivarfs interactions and filesystem interaction.

Full Changelog: 0.10...0.11

Release: 0.10

11 Dec 20:58
0.10
5a0bcb6

sbctl is a Secure Boot key manager that helps users create and enroll Platform Keys and manage the signing of files.

Support for key rotation

sbctl now allows for key rotation through sbctl rotate-keys. This can be used to renew certificates. It is also capable of resigning all signed files.

Wiki pages

A few wiki pages have been added to the project.

Other changes

Language and grammar fixes to the manpages; the Usage section in the man page is now more precise.

There is also now some WIP documentation on how to reset keys in the BIOS menu.

Several crashes have been fixed and error handling has been improved.

Full Changelog: 0.9...0.10

Release: 0.9

28 Apr 20:55
0.9
7fdef0e

Full Changelog: 0.8...0.9

Release: 0.8

18 Dec 16:19
0.8
ae0c311

sbctl is a Secure Boot key manager that helps users create and enroll Platform Keys and manage the signing of files.

Support for vendor certificates

sbctl now allows vendor certificates to be enrolled during enroll-keys. Currently only Microsoft keys are supported, but the foundation for adding other OEM keys has been written. The Microsoft CA can be enrolled with enroll-keys --microsoft. This also works on machines with an already bootstrapped Platform Key, so existing keys do not need to be reset to add the vendor certificates.

Experimental support for the TPM Eventlog

sbctl can also read the TPM event log for Option ROM entries and add their checksums to the signature database, allowlisting those ROM images. This is aimed at people who do not want to enroll the Microsoft certificate authority on their machines. It should be considered experimental.

The TPM event log checksums can be enrolled with enroll-keys --tpm-eventlog; this does not require resetting the Secure Boot keys either.

Option ROM warning

Because sbctl can now read the TPM event log, a warning is shown when someone attempts to enroll keys while an Option ROM is present in the boot chain. This helps prevent accidentally soft-bricking devices and points to guidance on what to do. Hopefully this gives people more confidence in the tooling.

Example output:

$ sbctl enroll-keys
Found OptionROM in the bootchain. This means we should not enroll keys into UEFI without some precautions.

There are three flags that can be used:
    --microsoft: Enrolls the Microsoft OEM certificates into the sinature database.
    --tpm-eventlog: Enroll OpRom checksums into the signature database (experimental!).
    --yes-this-might-brick-my-machine: Ignore this warning and continue regardless.

Please read the FAQ for more information: https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom

Man pages Usage section

A Usage section explaining how to properly set up sbctl on new devices has also been added. Previously people tried to use sbctl by following the example in the README, but that is not really a guide to enrolling keys; it works more as a feature showcase.

Release: 0.7

25 Oct 20:33
0.7
fca627a
Release 0.7

Release: 0.6

13 Jun 22:34
0.6
a43373c

This release features a few major changes for sbctl!

sbsigntools removal

Since this project started a year ago, the goal has been to keep the reliance on sbsigntools a temporary affair while go-uefi was shaping up to replace it. This has taken quite a bit of time, partly due to lack of time and partly because of the need for proper integration testing to ensure the library works as intended.

Over the past month go-uefi got some integration testing, along with some duplicated work in sbctl to have key enrollment and signature validation tested through OVMF and TianoCore. This should help guarantee that signing is not bugged and that any regressions are caught.

Because of this, sbctl now implements all Secure Boot operations through go-uefi and no longer relies on sbsigntools, which hopefully removes some classes of key-enrollment bugs.

cmd/sbctl refactor and json output

The other larger change is an overhaul of the command-line structure in sbctl, which makes it easier to extend and adapt future subcommands. Most of these changes won't be visible to end users, but they allow for some neat usage of --json output along with better error feedback from the program.

sbctl list-files --json should be a lot easier to parse with jq than going through normal string parsing.

Please do note that the json structure might change and not all commands have been covered yet.

User Interface changes

sbctl now sports a new look. The original command-line design dates back to the original efi-roller tool, whose output format was copy-pasted from other bash-based Arch tooling. Arguably it's not really pretty. It also made it hard to format output properly and to reset colors at the appropriate place. The new output should be more in line with existing *ctl tooling and feel modern.

Release: 0.5

30 May 12:41
0.5
10ff8d2
Release 0.5

This release contains a few changes to the documentation of sbctl. The most notable change is to the `GetESP` functionality, which should behave better on systems with more than one EFI partition. The detected ESP can also be overridden with `SYSTEMD_ESP_PATH` or `ESP_PATH`.

Hugo Barrera (3):
      Update man entry for default cmdline
      Update docs/sbctl.8.txt
      Typo

Hugo Osvaldo Barrera (4):
      Extend the documentation a bit
      Refine docs based on feedback
      Typos
      Tweak unconvincing working

Morten Linderud (5):
      bundles: Handle command not found errors
      util: Expand array in print generator
      Updated readme for libera
      sbctl/bundle: Do not default to ESP for fetching kernel and initramfs
      man: Mention environment variables for ESP location

igo95862 (3):
      Remove ioutil
      Improved GetEsp function.
      Add SYSTEMD_ESP_PATH and ESP_PATH environment variables support