Comments (14)
Can you `rm` the bundles and type `sbctl sign-all -g`? Also what version is this?
from sbctl.
root@soji ~# pacman -Qi sbctl-git
Name : sbctl-git
Version : r60.g2b09a8e-1
Description : Secure Boot key manager
Architecture : x86_64
URL : https://github.com/Foxboron/sbctl
Licenses : MIT
Groups : None
Provides : None
Depends On : sbsigntools
Optional Deps : None
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 5,84 MiB
Packager : Unknown Packager
Build Date : Fr 31 Jul 2020 14:42:54 CEST
Install Date : Di 04 Aug 2020 08:25:57 CEST
Install Reason : Explicitly installed
Install Script : No
Validated By : SHA-256 Sum
root@soji ~# rm /efi/EFI/Linux/linux-linux.efi
root@soji ~# rm /efi/EFI/Linux/linux-arch-zen.efi
root@soji ~# sbctl sign-all -g
==> Generating EFI bundles....
==> Wrote EFI bundle /efi/EFI/Linux/linux-arch-zen.efi
==> Wrote EFI bundle /efi/EFI/Linux/linux-linux.efi
==> /efi/EFI/BOOT/BOOTX64.EFI has been signed...
==> /efi/EFI/systemd/systemd-bootx64.efi has been signed...
==> /usr/lib/fwupd/efi/fwupdx64.efi has been signed...
root@soji ~# sbctl verify
==> Verifying file database and EFI images in /efi...
-> /usr/lib/fwupd/efi/fwupdx64.efi.signed is signed
-> /efi/EFI/BOOT/BOOTX64.EFI is signed
-> /efi/EFI/systemd/systemd-bootx64.efi is signed
-> WARNING: /efi/EFI/Linux/linux-arch-zen.efi is not signed
-> WARNING: /efi/EFI/Linux/linux-linux.efi is not signed
-> /efi/vmlinuz-linux-lts is signed
from sbctl.
Managed to reproduce the issue now :) Thanks!
from sbctl.
Glad that I could help! I must admit I was a little bit afraid of configuring and using Secure Boot, but this tool makes it really easy 👍
I also had to `chattr -i` some files, similar to #25.
from sbctl.
Evidently, I forgot that bundles do not get added to the files database; this probably isn't super intuitive? We generate the bundles with `-g`, but they need to be added to the files database before `sign-all` finds them.
I wonder if it's a better logic to always sign stored bundles, or add them implicitly to the files database.
from sbctl.
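As an added check for the situation in the thread above, where `sbctl verify` still reports the bundles written by `sign-all -g` as unsigned because they were never added to the files database: a small POSIX shell script (my own, not sbctl's code) that parses `sbctl verify` output and fails when anything under a chosen directory is unsigned. The sample output is constructed from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not sbctl's own code: parse `sbctl verify` output and fail
# when any EFI image under a chosen directory is still reported unsigned.
# This catches the silent case from the thread: `sign-all -g` writes the
# bundles but does not sign them because they are missing from files.db.

# Constructed sample, shaped like the `sbctl verify` output in the thread.
SAMPLE_VERIFY_OUTPUT='==> Verifying file database and EFI images in /efi...
-> /usr/lib/fwupd/efi/fwupdx64.efi.signed is signed
-> /efi/EFI/BOOT/BOOTX64.EFI is signed
-> /efi/EFI/systemd/systemd-bootx64.efi is signed
-> WARNING: /efi/EFI/Linux/linux-arch-zen.efi is not signed
-> WARNING: /efi/EFI/Linux/linux-linux.efi is not signed
-> /efi/vmlinuz-linux-lts is signed'

# Print every path that verify flagged as "is not signed", one per line.
unsigned_paths() {
    printf '%s\n' "$1" | sed -n 's/^-> WARNING: \(.*\) is not signed$/\1/p'
}

# Count the unsigned paths that live under directory $2 (no trailing slash).
count_unsigned_under() {
    unsigned_paths "$1" | awk -v d="$2/" 'index($0, d) == 1 { n++ } END { print n + 0 }'
}

# Exit status 0 when nothing under $2 is unsigned, 1 otherwise. The pipeline
# above always succeeds, so this is safe to call under `set -e`.
check_dir_signed() {
    [ "$(count_unsigned_under "$1" "$2")" -eq 0 ]
}

# Stand-alone run against the constructed sample. On a real system, feed
# "$(sbctl verify 2>&1)" instead of SAMPLE_VERIFY_OUTPUT.
if check_dir_signed "$SAMPLE_VERIFY_OUTPUT" /efi/EFI/Linux; then
    echo "all bundles under /efi/EFI/Linux are signed"
else
    echo "unsigned bundles under /efi/EFI/Linux:" >&2
    unsigned_paths "$SAMPLE_VERIFY_OUTPUT" | sed 's/^/  /' >&2
fi
```

Run it from a pacman or mkinitcpio post-hook after `sbctl sign-all -g` so an unsigned bundle fails the hook instead of being discovered at the next boot.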
Is there any reason to not simply iterate over `files.db` and `bundles.db` on `sign-all`? Since it's not called `sign-all-files` or similar.
from sbctl.
I guess I thought it would be better if they are logically separate systems, instead of intertwined. It's interesting when you forget the behaviour you implemented yourself :) I'll write some code to try to figure out a better approach on this.
from sbctl.
@ericonr need an opinion.
Should we implicitly have the `bundles` database signed, or should we keep this separate and rather document this? What if we add a switch to auto-add the bundle to the files database?
I don't really feel like duplicating the logic, even if it doesn't seem like much. Can add a switch to `remove-bundle` to ensure it gets removed from the files database as well.
from sbctl.
Just stumbled over this nice little piece of software today, but this issue confused me as well.
I spotted a lonely, unused flag called `sign` in `generateBundlesCmd()` and took the liberty to give it some purpose and make it actually sign the bundles after creation. ;)
This presents us with an easy solution:
Thanks to the `sign` flag, the bundles are only signed optionally on creation, which is good. We could of course introduce another flag, however in the situation where someone calls `sign-all --generate`, I think it's fair to assume that he/she also wants the generated bundles to be signed, considering the very name of that command. So whenever we call `GenerateAllBundles` from `signAllCmd`, we just pass `true` along with it, and that does the trick.
I'll create a PR for this in a moment.
from sbctl.
@Foxboron it seems I had missed your mention, for which I am very sorry!
It appears this has been solved :)
from sbctl.
No problem :) But if you had any opinion do share them. We can still change stuff
from sbctl.
Having taken a look at it, I think it would make sense to add an option for `sbctl bundle ...` to sign files, perhaps? And if the option to sign the file and save it is selected, the file should be added to the database. I don't think `generate-bundles` should save anything to the files database.
It would make the `-s` flag rather messy, since it'd have different meanings in `bundle` and `generate-bundle`. I think I would remove the short option from `generate-bundle` as well. It might be more consistent to only have sign be a long option with `--sign`.
Haven't looked into how the impl would work.
from sbctl.
`generate-bundles` doesn't save anything to the files database currently. It just assumes you want to sign everything when `-s` is present.
But you are being a bit unclear which databases you are referring to :D There are two of them!
from sbctl.
I meant the files (not bundles) database in all instances.
from sbctl.