Implement sbctl.conf about sbctl HOT 7 CLOSED

@beroal the keys can be chmod'd to be readable only by root (as sbctl does).

This change (ea325ca) is not in the latest tag! So only people running from Git master have this.

But this can be be fixed easily like this:

# find /usr/share/secureboot/keys -type f -exec "chmod" "400" "{}" \;

from sbctl.

Hello. Shouldn't only .key files be set to chmod 400?
PEM certs are used for verifying files signatures and it should be allowed to be performed by user?

from sbctl.

Currently I have toyed with the idea of utilizing toml for this. I have also mocked up an example config.

[keys]
keysize = 4096

[keys.PK]
backend = "hw"

[keys.KEK]
backend = "files"

[keys.db]
backend = "files"

[backend.files]
type = "directory"
path = "/usr/share/secureboot"

[backend.hw]
type = "yubikey"
cardid = "fasdfasd"

from sbctl.

Hi. Is this configuration file already used? If yes, where it resides in the file system?

/usr/share/secureboot is readable by all users of the computer and isn't encrypted. I believe that keys should be secret. I want to change this path to a more secure place.

from sbctl.

@beroal It's not been implemented yet. Using current secure boot tooling without full disk encryption is a bit useless until HSM or TPM support is implemented.

from sbctl.

Even with full disk encryption, /usr/share/secureboot is readable by all users.

from sbctl.

@beroal the keys can be chmod'd to be readable only by root (as sbctl does).

from sbctl.