Comments (1)
It should be possible to enroll a signed empty file, signed by PK, and get us into setup mode. I have tried writing code for this with `goefi` but haven't been able to reproduce this functionality inside qemu with tianocore.
Some export functionality makes sense, as the actual files would probably disappear, and be created on demand, when we move from `sbsigntools` to `goefi`.
Finally, what do you think of moving keys across devices? Should it be a supported thing, or should users just manually copy the /usr/share/secureboot folder?
Not sure. If we want better secured keys, say we add yubikey support, I wonder if it's better to have `sbctl.conf` and allow people to point at keystores at will. Then `sbctl` can just do its due diligence and ensure we know we have the enrolled keys in the keystore.