ERROR: Couldn't sync keys about sbctl HOT 12 CLOSED

Can you clear the current secure boot keys in the firmware and try again?

from sbctl.

from sbctl.

Okay, so what I did was - boot the livecd, bootctl --esp-path=/boot install, disable secure boot, finally boot into arch (not livecd), then do the rest of the instructions in the readme (signatures, generate efi stub), enable secure boot again, and then it won't let me boot, says /EFI/Linux/linux-linux.efi not trusted or something

from sbctl.

Okay, I've figured it out. I had to sign /boot/EFI/Linux/linux-linux.efi too, I did not at first because it was created after the Signatures step. Now it works!

from sbctl.

Awesome :) Is there any instructions that should be made clearer? I have contemplated making a webpage with better documentation for sbctl and goefi.

from sbctl.

Dunno, tbh. But one thing for certain is that all $'s should be substituted with #'s, because It doesn't work without root

from sbctl.

Oh, btw, I assume it's not safe to store the keys in /usr/share/secureboot on an unencrypted partition? I use systemd-homed, and only my home folder is encrypted. Where do I put the keys?

from sbctl.

Dunno, tbh. But one thing for certain is that all $'s should be substituted with #'s, because It doesn't work without root

Good point.

Oh, btw, I assume it's not safe to store the keys in /usr/share/secureboot on an unencrypted partition? I use systemd-homed, and only my home folder is encrypted. Where do I put the keys?

You are correct. There isn't support for secure storage for the keys yet. I want to try have some support for yubikeys, and potentially some key encryption.

I want to write support for a config file, but haven't gotten that far yet. It would allow you to have other storage locations.

from sbctl.

hey Morten! i know i'm supposed to create a new issue, but i'm sorry i just don't know where to begin
please take a look at https://www.reddit.com/r/archlinux/comments/hx7tar/failed_to_boot_after_upgrading_to_5710/

tldr: kernel can't find modules after upgrade to 5.7.10, it's still looking at the modules/5.7.9 directory, and even when i downgraded to 5.7.8, it still looked at modules/5.7.9.

i think this has to do with sbctl

from sbctl.

Reboot your computer. Look at the output from uname -r and pacman -Q linux.

from sbctl.

this is very weird

p.s. uname -r shows 5.7.9 in both cases (before and after upgrade). pacman -Q linux not sure, before upgrade it's 5.7.9

from sbctl.

Did you reboot?

from sbctl.