Releases: Foxboron/sbctl
Release: 0.14
Another bugfix release with two new commands
New commands
- `export-enrolled-keys` will export all enrolled keys on the system to a directory.
- `list-enrolled-keys` will list the enrolled keys on the system.
New things
The test suite has now been rewritten to use the new vmtest library.
Bugfixes
`sign-all` won't abort when it encounters a file it can't sign, for example a file in the database that no longer exists.
Packaging changes
- The
kernel-install
hook won't try to sign things if there are no signing keys available. - The
kernel-install
hook will now only remove things if they actually did exist on the system. - The
mkinitcpio
hook now only sign the built kernel/UKI instead of all thesbctl
files.
Generated list of changes
What's Changed
- 91-sbctl.install: don't sign without signing keys by @ajakk in #188
- Mention COPR package by @dngray in #274
- Add openSUSE to Installation in README by @photosheep in #279
- sign-all don't stop signing if one file does not exist anymore by @jvllmr in #280
- Update the mkinitcpio post hook to only sign the kernel/UKI which is currently being built instead of all the files in the sbctl database by @into-the-v0id in #285
- ci.yaml: use github container registry by @pheiduck in #288
- only remove entries if they are there by @hboetes in #294
- Add list-enrolled-keys command by @jimmykarily in #296
- Add Option ROM warning to Usage section of the manpage by @00-kat in #300
- Run integration using uroot by @jimmykarily in #302
- Add export-enrolled-keys command by @jimmykarily in #303
- Update README.md by @hboetes in #305
New Contributors
- @ajakk made their first contribution in #188
- @dngray made their first contribution in #274
- @photosheep made their first contribution in #279
- @jvllmr made their first contribution in #280
- @into-the-v0id made their first contribution in #285
- @pheiduck made their first contribution in #288
- @hboetes made their first contribution in #294
- @jimmykarily made their first contribution in #296
- @00-kat made their first contribution in #300
Full Changelog: 0.13...0.14
Release: 0.13
This is largely a bugfix release with a couple of changes.
mkinitcpio hook
`contrib/mkinitcpio/sbctl` now contains a hook for mkinitcpio.
Similar to recent mkinitcpio changes, sbctl will now also sign when dkms modules change.
Fix create-keys flags
`--export,-e` and `--database-path,-d` now work properly and no longer overwrite the `create-keys` variables internally.
Remove erroneous dbx enrollment
The previous release implemented support for dbx that doesn't really work as expected. It would also fail to enroll keys on previously set up clients. The implementation has been removed and will be iterated upon at a later date.
Generated list of changes:
What's Changed
- Update documentation for custom dbx by @Cornelicorn in #253
- Check and return Open errs by @quite in #254
- keys.go: drop the keyUsage bitfield by @dkwo in #255
- Update README.md by @scardracs in #256
- `create-keys` allows for specifying an export directory by @cosmastech in #259
- tests/utils/certs.go: drop keyUsage bitfield by @dkwo in #261
- Update 91-sbctl.install by @cvlc12 in #266
- BUGFIX: f.StringVarP() was clearing the exportPath/databasePath strings by @spillner in #267
- Ignore Setup mode and immutable variables for export by @Cornelicorn in #269
- Fixed typo, removed mention enroll-keys enables Secure Boot automatic… by @tblancher in #270
- Ensure file signing hook is run when initrd is rebuilt by @Joseph-DiGiovanni in #271
New Contributors
- @quite made their first contribution in #254
- @dkwo made their first contribution in #255
- @scardracs made their first contribution in #256
- @cosmastech made their first contribution in #259
- @cvlc12 made their first contribution in #266
- @spillner made their first contribution in #267
- @tblancher made their first contribution in #270
- @Joseph-DiGiovanni made their first contribution in #271
Full Changelog: 0.12...0.13
Release: 0.12
Deprecation notice
`sbctl bundle` might be deprecated in the future. This functionality is better served by `ukify` from systemd or the UKI support in mkinitcpio or dracut. I don't have any intentions of improving this feature going forward.
If your local initramfs generation tool does not support UKI generation you should write them some patches.
Custom certificates
sbctl now allows you to enroll custom certificates into KEK and db. This can be done by placing certificates into `/usr/share/secureboot/keys/custom/KEK/` and `/usr/share/secureboot/keys/custom/db/` and then running `sbctl enroll-keys -c`.
Key export
sbctl now allows keys to be exported as EFI Signature Lists (esl) or EFI Authenticated Variables (auth), which are pre-signed.
Enrolling default certificates
sbctl can now enroll certificates found in `dbxDefault`, `dbDefault`, `KEKDefault` and `PKDefault`. These variables contain the default configuration for the machine and may hold certificates that would be missing when only enrolling the Microsoft certificates.
Usage:
```sh
# Defaults to "db,KEK"
sbctl enroll-keys --firmware-builtin
# Enroll everything from the vendor
sbctl enroll-keys --firmware-builtin "dbx,db,KEK,PK"
```
Support for partial key hierarchies
Before this release sbctl would enroll, reset and rotate the entire key hierarchy when requested. With this release several improvements have been made to support partial key hierarchies. This can be used through the `--partial` flag in the respective commands.
Generated list of changes:
What's Changed
- dmi: Test all used DMI fields by @dawidpotocki in #208
- Add packages section to README by @jloeser in #209
- Allow enrolling custom db and KEK certs by @Cornelicorn in #217
- enroll-keys: implement --export by @Foxboron in #223
- Add support for loading certificates from dbDefault by @Foxboron in #222
- Add asciidoc dependency to README by @flanfly in #227
- feat(enroll-keys): add partial enrollment of keys by @RiSKeD in #231
- Fix typo by @swsnr in #230
- Partial Reset of a hierarchy by @RiSKeD in #232
- Dbx Key Management by @RiSKeD in #236
- Add support for OEM dbx enrollment by @Cornelicorn in #237
- feat(custom-keys): roll out any bytes to the specificed hierarchy by @RiSKeD in #239
- Add append option by @RiSKeD in #244
- fix: Create dest directory when importing keys by @svenschwermer in #246
- fix: don't immediately fail if we can't find default EFI stub by @K900 in #247
New Contributors
- @jloeser made their first contribution in #209
- @Cornelicorn made their first contribution in #217
- @flanfly made their first contribution in #227
- @RiSKeD made their first contribution in #231
- @svenschwermer made their first contribution in #246
- @K900 made their first contribution in #247
Full Changelog: 0.11...0.12
Release: 0.11
sbctl is a Secure Boot key manager that helps users create and enroll Platform Keys and manage signed files.
Firmware Quirks
sbctl now supports a system to detect firmware quirks that might affect the security or functionality of Secure Boot.
The initial revision supports detecting the widely reported MSI Secure Boot quirk.
Please see "MSI has very insecure Secure Boot defaults" for details, and #189 for the feature.
Big thanks to @dawidpotocki for solving the initial issue, the implementation of this new feature in sbctl and the efforts he has put into this :)
Wiki pages
One wiki page for the new firmware quirk system has been added.
Other changes
- UKIs generated by sbctl now have correct section alignment.
- `enroll-keys` with `--microsoft` will now also enroll the KEK.
- sbctl now has a filesystem abstraction layer which allows writing proper end-to-end tests of all `efivarfs` interactions and filesystem interaction.
Generated list of changes:
What's Changed
- pacman: Add 'extramodules' target to hook by @memchr in #191
- Fix POSIX sh comparison by @swsnr in #183
- Update README.md by @vanillajonathan in #193
- Fix arbitrary sizes in UKI generation by @eNV25 in #194
- enroll-keys: Enroll Microsoft KEK along with their other keys by @alois31 in #192
- Always include vendor keys in status output by @swsnr in #205
- status: Warn about firmware quirks by @dawidpotocki in #189
- Add trailing newline to JSON output by @dawidpotocki in #206
New Contributors
- @memchr made their first contribution in #191
- @swsnr made their first contribution in #183
- @vanillajonathan made their first contribution in #193
- @alois31 made their first contribution in #192
- @dawidpotocki made their first contribution in #189
Full Changelog: 0.10...0.11
Release: 0.10
sbctl is a Secure Boot key manager that helps users create and enroll Platform Keys and manage signed files.
Support for key rotation
sbctl now allows for key rotation through `sbctl rotate-keys`. This can be used to renew certificates. It is also capable of re-signing all signed files.
Wiki pages
A few wiki pages have been added to the project.
Other changes
Language and grammar changes to the manpages, and the Usage section in the man-page has become more precise.
There is also now some WIP documentation on how to reset keys in the BIOS menu.
Several crash fixes and improvements to the error handling have also been made.
Full Changelog: 0.9...0.10
Release: 0.9
What's Changed
- Minor typo fix by @pschichtel in #113
- Fix typo in eventlog warning by @mattiabiondi in #120
- Fix minor typo by @cosandr in #124
- read key from private key file by @tpeacock19 in #126
- Fix typo by @potatoattack in #130
- Remove hardcoded architecture in filename by @WhyNotHugo in #133
- Fail `enroll-keys` if any key file does not exist by @WhyNotHugo in #134
- Go needs `git` installed by @WhyNotHugo in #140
- Add convenient aliases for some sub-commands by @eNV25 in #106
- Drop panics by @WhyNotHugo in #141
- Drop unused dependency from test image by @WhyNotHugo in #142
New Contributors
- @pschichtel made their first contribution in #113
- @mattiabiondi made their first contribution in #120
- @cosandr made their first contribution in #124
- @tpeacock19 made their first contribution in #126
- @potatoattack made their first contribution in #130
Full Changelog: 0.8...0.9
Release: 0.8
sbctl is a Secure Boot key manager that helps users create and enroll Platform Keys and manage signed files.
Support for vendor certificates
sbctl now allows one to enroll vendor certificates during `enroll-keys`. Currently only Microsoft keys are supported, but the foundation for adding other OEM keys has been written. One can enroll the Microsoft CA with `enroll-keys --microsoft`. This also works on machines with an already bootstrapped Platform Key, and one does not need to reset their keys to enroll the new vendor keys.
Experimental support for the TPM Eventlog
Similarly, sbctl also supports reading the TPM Eventlog for any Option ROM entries, and these checksums are added to the signature database to allowlist the ROM files. This should help people who do not want to enroll the Microsoft certificate authority on their machines. However, this should be considered experimental.
One can enroll the TPM Eventlog checksums with `enroll-keys --tpm-eventlog`, and one does not need to reset their Secure Boot keys to do so.
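To make the on-disk format concrete, here is an added example in Go (my own code, not sbctl's or go-uefi's) that builds and parses EFI Signature Lists: the `esl` layout that `enroll-keys --export esl` (0.12) and `export-enrolled-keys` (0.14) write out, and the container a db entry for an Option ROM checksum lives in. It encodes a db-like blob holding an X509 list and a SHA256 list, walks it back with every size field checked before slicing, and looks a digest up the way an allowlist entry would be consulted. The two signature-type GUIDs are the standard EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID; everything else is constructed for the example: the function names, the placeholder bytes standing in for a DER certificate, the `oprom-a`/`oprom-b` strings whose hashes stand in for Option ROM digests, and the all-zero SignatureOwner.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// efiGUID is EFI_GUID as stored on disk: first three fields little-endian, last eight bytes as written.
type efiGUID [16]byte

func (g efiGUID) String() string {
	return fmt.Sprintf("%08x-%04x-%04x-%04x-%x", binary.LittleEndian.Uint32(g[:4]), binary.LittleEndian.Uint16(g[4:6]), binary.LittleEndian.Uint16(g[6:8]), binary.BigEndian.Uint16(g[8:10]), g[10:])
}

var (
	// EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072
	CertX509GUID = efiGUID{0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72}
	// EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328
	CertSHA256GUID = efiGUID{0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28}
)

type Signature struct {
	Type  efiGUID // SignatureType of the EFI_SIGNATURE_LIST this entry came from
	Owner efiGUID // SignatureOwner
	Data  []byte  // DER certificate for X509 lists, 32-byte digest for SHA256 lists
}

// BuildESL encodes one EFI_SIGNATURE_LIST. All entries share one SignatureSize, so mixed sizes are rejected.
func BuildESL(sigType, owner efiGUID, payloadSize int, payloads ...[]byte) ([]byte, error) {
	sigSize := 16 + payloadSize // SignatureOwner + SignatureData
	var b bytes.Buffer
	b.Write(sigType[:])
	binary.Write(&b, binary.LittleEndian, []uint32{uint32(28 + len(payloads)*sigSize), 0, uint32(sigSize)}) // SignatureListSize, SignatureHeaderSize (0 for these types), SignatureSize
	for _, p := range payloads {
		if len(p) != payloadSize {
			return nil, errors.New("payloads in one list must all have the declared size")
		}
		b.Write(owner[:])
		b.Write(p)
	}
	return b.Bytes(), nil
}

// ParseESL walks concatenated EFI_SIGNATURE_LISTs (the shape of an exported db), validating every size before slicing.
func ParseESL(data []byte) ([]Signature, error) {
	var sigs []Signature
	for len(data) > 0 {
		if len(data) < 28 {
			return nil, errors.New("truncated EFI_SIGNATURE_LIST header")
		}
		var t efiGUID
		copy(t[:], data[:16])
		listSize := binary.LittleEndian.Uint32(data[16:20])
		hdrSize := binary.LittleEndian.Uint32(data[20:24])
		sigSize := binary.LittleEndian.Uint32(data[24:28])
		if listSize < 28 || uint64(listSize) > uint64(len(data)) || hdrSize > listSize-28 {
			return nil, fmt.Errorf("bad SignatureListSize %d / SignatureHeaderSize %d", listSize, hdrSize)
		}
		body := data[28+hdrSize : listSize]
		if sigSize < 16 || uint64(len(body))%uint64(sigSize) != 0 || (t == CertSHA256GUID && sigSize != 16+sha256.Size) {
			return nil, fmt.Errorf("SignatureSize %d inconsistent with %d body bytes", sigSize, len(body))
		}
		for off := uint32(0); off < uint32(len(body)); off += sigSize {
			var owner efiGUID
			copy(owner[:], body[off:off+16])
			sigs = append(sigs, Signature{Type: t, Owner: owner, Data: append([]byte(nil), body[off+16:off+sigSize]...)})
		}
		data = data[listSize:]
	}
	return sigs, nil
}

// HasDigest looks for a SHA256 entry; in a real db that digest is the PE Authenticode hash, not a hash of the file bytes.
func HasDigest(sigs []Signature, digest [sha256.Size]byte) bool {
	for _, s := range sigs {
		if s.Type == CertSHA256GUID && bytes.Equal(s.Data, digest[:]) {
			return true
		}
	}
	return false
}

// SampleDB is a constructed blob: an X509 list with placeholder bytes in place of a DER certificate, then a SHA256 list with two made-up digests. Sizes are consistent by construction, so the errors are ignored.
func SampleDB() []byte {
	cert := []byte("placeholder, not a real DER certificate")
	certs, _ := BuildESL(CertX509GUID, efiGUID{}, len(cert), cert)
	a, b := sha256.Sum256([]byte("oprom-a")), sha256.Sum256([]byte("oprom-b"))
	hashes, _ := BuildESL(CertSHA256GUID, efiGUID{}, sha256.Size, a[:], b[:])
	return append(certs, hashes...)
}

func main() {
	sigs, err := ParseESL(SampleDB())
	a := sha256.Sum256([]byte("oprom-a"))
	fmt.Printf("%d entries (err=%v); oprom-a allowlisted: %v\n", len(sigs), err, HasDigest(sigs, a))
}
```

A db entry that allowlists an Option ROM carries the Authenticode digest of the PE image, which is also what the firmware measures into the TPM event log for that driver, so `sha256sum` over the ROM file will not produce a matching value. The example is about the container and its bounds checks (a hostile `SignatureListSize` or `SignatureSize` must fail cleanly rather than index past the buffer), not about how that digest is computed.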
Option ROM warning
Because sbctl can now read the TPM Eventlog, a warning has been added when people attempt to enroll keys where we spot an Option ROM. This helps prevent people from accidentally soft-bricking their devices and offers guidance on what to do. Hopefully this gives people more confidence in the tooling.
Example output:
```
$ sbctl enroll-keys
Found OptionROM in the bootchain. This means we should not enroll keys into UEFI without some precautions.
There are three flags that can be used:
    --microsoft: Enrolls the Microsoft OEM certificates into the sinature database.
    --tpm-eventlog: Enroll OpRom checksums into the signature database (experimental!).
    --yes-this-might-brick-my-machine: Ignore this warning and continue regardless.
Please read the FAQ for more information: https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom
```
Man pages Usage section
A usage section explaining how to properly set up sbctl on new devices has also been added. Previously people have tried using sbctl by reading the example README, but it is not really a guide on how to properly enroll keys. It works more as a feature showcase.
Release: 0.7
Release 0.7
Release: 0.6
This release features a few major changes for sbctl!
sbsigntools removal
Since this project started a year ago, the goal was to have the reliance on `sbsigntools` be a temporary affair while `go-uefi` was shaping up to replace it. This has taken quite a bit of time due to lack of time and the need for proper integration testing to ensure the library is working as intended.
Over the past month `go-uefi` got some integration testing done, along with some duplicated work over to sbctl to have key enrollment and signature validation tested through OVMF and tianocore. This ensures that we can hopefully guarantee signing is not bugged and that any regressions are caught.
Because of this, sbctl now implements all Secure Boot operations through `go-uefi` and no longer relies on `sbsigntools`; hopefully this removes some classes of bugs in key enrollment.
cmd/sbctl refactor and json output
The other larger change is an overhaul of the command line structure in sbctl, which makes it easier to extend and adapt future subcommands. A lot of these changes won't be visible to end-users, but it does allow for some neat usage of `--json` output along with better error feedback through the program.
`sbctl list-files --json` should be a lot easier to parse with `jq` than going through normal string parsing.
Please do note that the json structure might change and not all commands have been covered yet.
User Interface changes
sbctl now sports a new look. The original command line design dates back to the original efi-roller tool, which had output format copy-pasted from other bash-based Arch tooling. Arguably it's not really pretty. It also made it hard to properly format and kill off the color at the appropriate place. The new output should be more in line with existing *ctl tooling and feel modern.
Release: 0.5
Release 0.5
This release contains a few changes to the documentation of sbctl. The most notable change is to the `GetESP` functionality, which should behave better on systems with more than one EFI partition. This can also be overridden with `SYSTEMD_ESP_PATH` or `ESP_PATH`.

Hugo Barrera (3):
- Update man entry for default cmdline
- Update docs/sbctl.8.txt
- Typo

Hugo Osvaldo Barrera (4):
- Extend the documentation a bit
- Refine docs based on feedback
- Typos
- Tweak unconvincing working

Morten Linderud (5):
- bundles: Handle command not found errors
- util: Expand array in print generator
- Updated readme for libera
- sbctl/bundle: Do not default to ESP for fetching kernel and initramfs
- man: Mention environment variables for ESP location

igo95862 (3):
- Remove ioutil
- Improved GetEsp function.
- Add SYSTEMD_ESP_PATH and ESP_PATH environment variables support