Comments (4)
There are a few solutions I want to implement:
- Embed Microsoft CA we can append
- Scan for the default vendor certificates in db and append.
- Parse the TPM2 eventlog for checksums of OpROM binaries we should append.

This has mostly been improving the APIs for dealing with signature lists and databases in go-uefi.
from sbctl.
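The three items above all come down to reading and appending to EFI signature databases, so here is an added example of what that looks like at the byte level. It is not sbctl's or go-uefi's own code: it is a stand-alone parser and writer for the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout from the UEFI specification, plus an `AppendEntry` helper that merges same-sized entries (such as SHA-256 OpROM hashes) into an existing list and gives each X.509 certificate its own list, as the format requires. The owner GUID, the "certificate" bytes and the OpROM image are constructed placeholders; only the two signature-type GUIDs are real specification values.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// GUID is an EFI_GUID in its on-disk layout: the first three fields are
// little-endian, the remaining eight bytes are stored as-is.
type GUID [16]byte

// String renders the mixed-endian layout in the usual textual form.
func (g GUID) String() string {
	return fmt.Sprintf("%08x-%04x-%04x-%04x-%x",
		binary.LittleEndian.Uint32(g[0:4]), binary.LittleEndian.Uint16(g[4:6]),
		binary.LittleEndian.Uint16(g[6:8]), binary.BigEndian.Uint16(g[8:10]), g[10:16])
}

// MustGUID converts the textual form back into the on-disk layout.
func MustGUID(s string) GUID {
	raw, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(raw) != 16 {
		panic("bad GUID literal: " + s)
	}
	var g GUID
	binary.LittleEndian.PutUint32(g[0:4], binary.BigEndian.Uint32(raw[0:4]))
	binary.LittleEndian.PutUint16(g[4:6], binary.BigEndian.Uint16(raw[4:6]))
	binary.LittleEndian.PutUint16(g[6:8], binary.BigEndian.Uint16(raw[6:8]))
	copy(g[8:], raw[8:])
	return g
}

var (
	CertX509   = MustGUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072") // EFI_CERT_X509_GUID
	CertSHA256 = MustGUID("c1c41626-504c-4092-aca9-41f936934328") // EFI_CERT_SHA256_GUID
)

const listHeaderSize = 28 // SignatureType GUID + three uint32 size fields

// SignatureData is one EFI_SIGNATURE_DATA: owner GUID followed by the payload.
type SignatureData struct {
	Owner GUID
	Data  []byte
}

// SignatureList is one EFI_SIGNATURE_LIST; every entry has the same size.
type SignatureList struct {
	Type          GUID
	Header        []byte // SignatureHeader; empty for X.509 and SHA-256 lists
	SignatureSize uint32 // bytes per entry, including the 16-byte owner GUID
	Entries       []SignatureData
}

// ParseSignatureLists decodes a db/dbx/KEK variable body, rejecting
// truncated or inconsistent size fields instead of reading past the buffer.
func ParseSignatureLists(b []byte) ([]SignatureList, error) {
	var lists []SignatureList
	for len(b) > 0 {
		if len(b) < listHeaderSize {
			return nil, errors.New("truncated EFI_SIGNATURE_LIST header")
		}
		var sl SignatureList
		copy(sl.Type[:], b[0:16])
		listSize := binary.LittleEndian.Uint32(b[16:20])
		hdrSize := binary.LittleEndian.Uint32(b[20:24])
		sl.SignatureSize = binary.LittleEndian.Uint32(b[24:28])
		if listSize < listHeaderSize || uint64(listSize) > uint64(len(b)) {
			return nil, fmt.Errorf("SignatureListSize %d out of range", listSize)
		}
		body := b[listHeaderSize:listSize]
		if uint64(hdrSize) > uint64(len(body)) {
			return nil, fmt.Errorf("SignatureHeaderSize %d exceeds list", hdrSize)
		}
		sl.Header = append([]byte(nil), body[:hdrSize]...)
		entries := body[hdrSize:]
		if sl.SignatureSize < 16 || len(entries)%int(sl.SignatureSize) != 0 {
			return nil, fmt.Errorf("SignatureSize %d does not tile %d bytes", sl.SignatureSize, len(entries))
		}
		for off := 0; off < len(entries); off += int(sl.SignatureSize) {
			var sd SignatureData
			copy(sd.Owner[:], entries[off:off+16])
			sd.Data = append([]byte(nil), entries[off+16:off+int(sl.SignatureSize)]...)
			sl.Entries = append(sl.Entries, sd)
		}
		lists = append(lists, sl)
		b = b[listSize:]
	}
	return lists, nil
}

// Marshal serialises one list back into the on-disk layout.
func (sl SignatureList) Marshal() []byte {
	var buf bytes.Buffer
	buf.Write(sl.Type[:])
	listSize := listHeaderSize + len(sl.Header) + len(sl.Entries)*int(sl.SignatureSize)
	binary.Write(&buf, binary.LittleEndian, uint32(listSize))
	binary.Write(&buf, binary.LittleEndian, uint32(len(sl.Header)))
	binary.Write(&buf, binary.LittleEndian, sl.SignatureSize)
	buf.Write(sl.Header)
	for _, e := range sl.Entries {
		buf.Write(e.Owner[:])
		buf.Write(e.Data)
	}
	return buf.Bytes()
}

// MarshalLists concatenates lists into a complete variable body.
func MarshalLists(lists []SignatureList) []byte {
	var out []byte
	for _, sl := range lists {
		out = append(out, sl.Marshal()...)
	}
	return out
}

// AppendEntry adds one signature, skipping exact duplicates. Same-type,
// same-size entries join an existing header-less list; anything else
// (e.g. a certificate of a different length) gets a new list.
func AppendEntry(lists []SignatureList, sigType, owner GUID, data []byte) []SignatureList {
	size := uint32(16 + len(data))
	for i := range lists {
		if lists[i].Type != sigType || lists[i].SignatureSize != size || len(lists[i].Header) != 0 {
			continue
		}
		for _, e := range lists[i].Entries {
			if bytes.Equal(e.Data, data) {
				return lists // already enrolled
			}
		}
		lists[i].Entries = append(lists[i].Entries, SignatureData{Owner: owner, Data: data})
		return lists
	}
	return append(lists, SignatureList{Type: sigType, SignatureSize: size,
		Entries: []SignatureData{{Owner: owner, Data: data}}})
}

// BuildSampleDB constructs a db with one placeholder X.509 entry and the
// SHA-256 of a placeholder OpROM image (both constructed, not real data).
func BuildSampleDB() []byte {
	owner := MustGUID("00000000-0000-0000-0000-000000000001") // constructed owner GUID
	var db []SignatureList
	db = AppendEntry(db, CertX509, owner, []byte("constructed placeholder, not a real DER certificate"))
	oprom := sha256.Sum256([]byte("constructed OpROM image bytes"))
	db = AppendEntry(db, CertSHA256, owner, oprom[:])
	return MarshalLists(db)
}

func main() {
	lists, err := ParseSignatureLists(BuildSampleDB())
	if err != nil {
		panic(err)
	}
	for _, sl := range lists {
		fmt.Printf("type=%s entries=%d sigsize=%d\n", sl.Type, len(sl.Entries), sl.SignatureSize)
	}
}
```

The size checks in `ParseSignatureLists` are the part worth keeping when reading a real variable: a firmware or a tool that writes a list whose `SignatureListSize` overshoots the buffer, or whose entries do not tile evenly, should produce an error rather than a silently misaligned database. Writing the result back to efivarfs additionally needs the EFI_VARIABLE_AUTHENTICATION_2 wrapper and a signature by the KEK or PK, which this example leaves out.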
This. Right now my options are
- disable secure boot completely
- avoid sbctl and go the complicated route with one other app
- use sbctl but need to have CSM active, because the graphics firmware is Microsoft signed and will of course fail with only my own keys in place.
I have implemented support in the master branch for enrolling Microsoft signing certs. This needs to be explicitly done, but it's a nice start. This also sports a reset option so you can re-enroll keys with secure boot enabled.
This is partially based on work by @zaolin :)<3

```
λ sbctl master» sudo ./sbctl enroll-keys
‼ File is immutable: /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
‼ File is immutable: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
You need to chattr -i files in efivarfs
λ sbctl master» sudo chattr -i /sys/firmware/efi/efivars/{db,KEK}*
λ sbctl master» sudo ./sbctl enroll-keys
Enrolling keys to EFI variables...
✓ Enrolled keys to the EFI variables!
λ sbctl master» sudo ./sbctl status
Installed:   ✓ sbctl is installed
Owner GUID:  a7b893cc-949d-408c-b5cc-6e7d0370fdb6
Setup Mode:  ✓ Disabled
Secure Boot: ✗ Disabled
λ sbctl master» sudo ./sbctl reset
✓ Removed Platform Key!
Use `sbctl enroll-keys` to enroll the Platform Key again.
λ sbctl master» sudo ./sbctl enroll-keys --microsoft
Enrolling keys to EFI variables...
With vendor keys from Microsoft...
✓ Enrolled keys to the EFI variables!
λ sbctl master» sudo ./sbctl status
Installed:   ✓ sbctl is installed
Owner GUID:  a7b893cc-949d-408c-b5cc-6e7d0370fdb6
Setup Mode:  ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
```
Implemented with 4713d98