Comments (7)
@beroal the keys can be chmod'd to be readable only by root (as sbctl does).
This change (ea325ca) is not in the latest tag! So only people running from Git master have this.
But this can be fixed easily like this:
# find /usr/share/secureboot/keys -type f -exec "chmod" "400" "{}" \;
Hello. Shouldn't only .key files be set to chmod 400?
PEM certs are used for verifying file signatures, and that should be allowed to be performed by a user?
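The split the two comments above discuss (private keys root-only, certificates readable so users can verify signatures), applied and checked by a small POSIX shell script. This is an added example, not sbctl's code or a command from the thread; it assumes private keys are stored as *.key and certificates as *.pem under the directory passed as the argument.

```shell
#!/bin/sh
# Added example (not from sbctl or the thread): apply and verify a split
# permission scheme on a Secure Boot key directory. Assumed layout: *.key
# holds private keys, *.pem holds certificates (as discussed in the thread).
set -eu

# Private keys: readable by root only (0400). Certificates: world-readable
# (0644), since they are only needed to verify signatures. Directories must
# be traversable (0755) or users could not reach the certificates at all.
harden_keydir() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # Ownership change only succeeds as root; ignore failure when run as a user.
    chown -R root:root "$dir" 2>/dev/null || true
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -name '*.key' -exec chmod 400 {} +
    find "$dir" -type f -name '*.pem' -exec chmod 644 {} +
}

# Report every path that deviates from the scheme; returns 1 if any is found.
# Useful as a periodic check, since a package upgrade may reset the modes.
check_keydir() {
    dir=$1
    bad=$(find "$dir" -type f -name '*.key' ! -perm 400 ; \
          find "$dir" -type f -name '*.pem' ! -perm 644 ; \
          find "$dir" -type d ! -perm 755)
    if [ -n "$bad" ]; then
        printf 'wrong permissions on:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}
```

Run as root against the real key directory; as an unprivileged user the ownership step is skipped and only the modes change.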
Currently I have toyed with the idea of utilizing toml for this. I have also mocked up an example config.
[keys]
keysize = 4096
[keys.PK]
backend = "hw"
[keys.KEK]
backend = "files"
[keys.db]
backend = "files"
[backend.files]
type = "directory"
path = "/usr/share/secureboot"
[backend.hw]
type = "yubikey"
cardid = "fasdfasd"
Hi. Is this configuration file already used? If yes, where does it reside in the file system?
/usr/share/secureboot is readable by all users of the computer and isn't encrypted. I believe that keys should be secret. I want to change this path to a more secure place.
@beroal It's not been implemented yet. Using current secure boot tooling without full disk encryption is a bit useless until HSM or TPM support is implemented.
Even with full disk encryption, /usr/share/secureboot is readable by all users.