0.16

Changelog

• Updated go-uefi dependency
• Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is present
• Fixed a bug where sbctl would abort if the TPM eventlog contains the same byte multiple times
• Fixed a landlock bug where enroll-keys --export did not work
• Fixed a bug where an ESP mounted to multiple paths would not be detected
• Exporting keys without efivars present work again
• sbctl sign will now use the saved output path if the signed file is enrolled
• enroll-keys --append will now work without --force.

Generated list of changes

What's Changed

• sbctl.8: fix typo in the man page by @acuteenvy in #350
• Allow exporting keys without efivars present and update CI staticcheck by @Cornelicorn in #363
• Morten/fix signing by @Foxboron in #360
• fix esp detection with multiple mountpoints and failing udev info by @Foxboron in #358
• Read output file path from db if output not specified by @bkrochta in #377
• fix: allow -a/--append without force by @tippfehlr in #378
• quirks: Add MS-7D70 as unaffected by @matteodev8 in #382
• add usr/share/**/.efi to paths for pacman hook by @nebrassy in #385
• build.yml: bump actions/upload-artifact@v4 by @pheiduck in #388
• enroll-keys: if --export, add CWD to RWDirs by @ZLima12 in #389
• gitignore: add generated man pages in section 5. by @ZLima12 in #390

New Contributors

• @acuteenvy made their first contribution in #350
• @bkrochta made their first contribution in #377
• @tippfehlr made their first contribution in #378
• @matteodev8 made their first contribution in #382
• @nebrassy made their first contribution in #385
• @ZLima12 made their first contribution in #389

Full Changelog: 0.15.4...0.16

0.15.4

Final landlock fixup, everything should be fine now.

• Fixed an issue where sign-all did not report a non-zero exit code when something failed
• Fixed and issue where we couldn't write to a file with landlock
• Fixed an issue where --json would print the human readable output and the json
• Fixes landlock for UKI/bundles by disabling the sandbox feature
• Some doc fixups that mentioned /usr/share/

Generated list of changes

What's Changed

• 91-sbctl.install: Unconditionally remove file from database by @chenxiaolong in #341
• sbctl: Fix human readable output being printed when using --json by @chenxiaolong in #342
• Ensure landlock works for signing entries by @Foxboron in #344

New Contributors

• @chenxiaolong made their first contribution in #341

Full Changelog: 0.15.3...0.15.4

0.15.3

Third time is the charm!

• Fixed a mistake where the db_additions setting in sbctl.conf was not wired up to sbctl setup.
• Relaxed the check for an existing install in sbctl setup form looking after /var/lib/sbctl to check for /var/lib/sbctl/keys.
• Fixed a bug where dmi information was not read for quirk detection when landlock was enabled.
• Fixed a bug where sbctl create-keys did not have access to /var/lib under landlock.
• Fixed a bug where sbctl setup didn't have access to /usr/share.

Bugfix release 0.15.2

What's better than one bugfix release? Two bugfix releases!

• Fixed a bug where sbctl setup aborts early because /var/lib/sbctl already exists.

Full Changelog: 0.15.1...0.15.2

Bugfix release 0.15.1

• Fixed an issue where sbctl migrate did not work without --disable-landlock.

• Fixed an issue where bundles.db would be written to files.json deleting list of files.

Full Changelog: 0.15...0.15.1

0.15

Deprecation Notice

Caution

The bundle/UKI support in sbctl will be removed next release. Please move to dracut/mkinitcpio/ukify.

Important Changes

Landlock support

sbctl will try to sandbox all commands with landlock.
Landlock is a unpriviledged sandbox, similar to OpenBSD pledge, that allows
sbctl to declare the directories and files we are reading/writing a head. This
feature is enabled by default and can be disabled by setting landlock: false
in the new config file, or by passing --disable-landlock flag.

The landlock feature is run with "best effort" and will degrade it's feature set
on unsupported kernels before turning it off completely.

Please note that any file permission issues might be because of landlock.

Warning

Please try --disable-landlock before reporting bugs.

Major changes

Move from /usr/share/secureboot to /var/lib/sbctl and sbctl migrate

Important

Please run sbctl setup --migrate --disable-landlock. See #333

sbctl has moved from using /usr/share/secureboot to /var/lib/sbctl. The
useage of /usr was mostly for legacy reasons but there wasn't any motivation
to fix this until now.

To help with the migration sbctl migrate has been implemented. It will move
all the files from the old location to /var/lib/sbctl and rename files
accordingly.

Existing sbctl installations should continue to work with a warning message
that they should run sbctl migrate.

Important

For packagers:

The sbctl.DatabasePath variable is used by sbctl internally to denote the "old path" when using sbctl migrate. If you override this from the default /usr location during building do not remove it when building the new release.

Configuration file and sbctl setup

A new way to setup sbctl has been introduced, along with a declarative
configuration file . The default config file location is /etc/sbctl/sbctl.conf
and will be read on startup if available. If the file is not present sbctl
will use default settings.

The new sbctl setup --setup commnd will do a complete sbctl installation
based off on the new configuration file. If the file is not passed through
--config or read from /etc/sbctl/sbctl.conf it will use the default settings
to create and enroll Secure Boot certificates.

If a configuration file is provided then sbctl will attempt to sign the
default files and save them to the database for future signing.

In the future sbctl setup will provide an interactive setup that will sign the
default boot chain and produce a configuration file.

Example configuration file:

---
landlock: true
keydir: /var/lib/sbctl/keys
guid: /var/lib/sbctl/GUID
files_db: /var/lib/sbctl/files.json
bundles_db: /var/lib/sbctl/bundles.json
files:
- path: /efi/EFI/BOOT/BOOTX64.EFI
  output: /efi/EFI/BOOT/BOOTX64.EFI
- path: /efi/EFI/Linux/arch-linux.efi
  output: /efi/EFI/Linux/arch-linux.efi
- path: /usr/lib/fwupd/efi/fwupdx64.efi
  output: /usr/lib/fwupd/efi/fwupdx64.efi.signed
- path: /usr/lib/systemd/boot/efi/systemd-bootx64.efi
  output: /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
keys:
  pk:
    privkey: /var/lib/sbctl/keys/PK/PK.key
    pubkey: /var/lib/sbctl/keys/PK/PK.pem
    type: file
  kek:
    privkey: /var/lib/sbctl/keys/KEK/KEK.key
    pubkey: /var/lib/sbctl/keys/KEK/KEK.pem
    type: file
  db:
    privkey: /var/lib/sbctl/keys/db/db.key
    pubkey: /var/lib/sbctl/keys/db/db.pem
    type: file

TPM key files

sbctl now support creation of TPM key files using
go-tpm-keyfiles. These keys are
mostly compatible with how other TPM2 TSS keyfiles are created. This key type
can be used by passing on of several keytype flags to create-keys or
rotate-keys, or by specifying the type in the new configuration file.

The flags for create-keys and rotate-keys are

• --keytype - Set keytype for all keys
• --pk-keytype - Set PK key type
• --kek-keytype - Set KEK key type
• --db-keytype - Set db key type

The current x509 and RSA key type used by sbctl is now called file, and the
new TPM key file is called tpm.

Note that only RSA 2048 is supported by most TPMs while the default file type
defaults to RSA 4096. The default key type for sbctl will continue to be
file.

If you wish to rotate to a key hierarchy where PK and KEK are stored as tpm
key file, and db as a file keytype you can issue the following commands:

λ » sudo sbctl reset
✓ Removed Platform Key!
Use `sbctl enroll-keys` to enroll the Platform Key again.

λ » sudo sbctl rotate-keys --pk-keytype tpm --kek-keytype kek --db-keytype file
Backed up keys to /var/tmp/sbctl/sbctl_backup_keys_1722423218
Creating secure boot keys...✓
Secure boot keys created!
✓ Enrolled new keys into UEFI!
✓ Signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
✓ Signed /efi/EFI/BOOT/BOOTX64.EFI
✓ Signed /efi/EFI/Linux/arch-linux.efi
✓ Signed /usr/lib/fwupd/efi/fwupdx64.efi.signed

Other changes

sbctl debug

To help with debugging efforts sbctl debug has been implemented. It will dump
most of the efivarfs, the configuration, state information and version
information into a tarball which can be uploaded.

Major refactoring

Almost all of the core key handling and key hierarchy code in sbctl has been
reworked to better support different key types. This has lead to a great deal of
internal changes and refactoring. Some stuff might be subtly broken because of
limited ability to test everything.

However in the future it will be easier to create unit-tests for sbctl that
will make it more stable in the long run.

Generated list of changes

What's Changed

• nit(91-sbctl.install): consistent syntax for tests by @MithicSpirit in #310
• Update the mkinitcpio post hook to return 0 when no keys are found by @punoko in #312
• fix: close file by @testwill in #313
• [mkinitcpio] do not add to database by @bseibold in #315
• Rework sbctl backend by @Foxboron in #323
• contrib: support trailing commas in sbctl setup output by @behrmann in #328
• Implement sbctl setup by @Foxboron in #329
• sbctl: implement landlock sandboxing by @Foxboron in #330
• Implment sbctl debug command by @Foxboron in #331
• Implement TPM key files by @Foxboron in #332

New Contributors

• @MithicSpirit made their first contribution in #310
• @punoko made their first contribution in #312
• @testwill made their first contribution in #313
• @bseibold made their first contribution in #315
• @behrmann made their first contribution in #328

Full Changelog: 0.14...0.15

Release: 0.14

Another bugfix release with two new commands

New commands

• export-enrolled-keys will export all enrolled keys on the system to a directory
• list-enrolled-keys will list the enrolled keys on the system

New things

The test suite has now been rewritten to use the new vmtest library.

Bugfixes

• sign-all won't abort when it encounters a file it can't sign.

Packaging changes

• The kernel-install hook won't try to sign things if there are no signing keys available.
• The kernel-install hook will now only remove things if they actually did exist on the system.
• The mkinitcpio hook now only sign the built kernel/UKI instead of all the sbctl files.

Generated list of changes

What's Changed

• 91-sbctl.install: don't sign without signing keys by @ajakk in #188
• Mention COPR package by @dngray in #274
• Add openSUSE to Installation in README by @photosheep in #279
• sign-all don't stop signing if one file does not exist anymore by @jvllmr in #280
• Update the mkinitcpio post hook to only sign the kernel/UKI which is currently being built instead of all the files in the sbctl database by @into-the-v0id in #285
• ci.yaml: use github container registry by @pheiduck in #288
• only remove entries if they are there by @hboetes in #294
• Add list-enrolled-keys command by @jimmykarily in #296
• Add Option ROM warning to Usage section of the manpage by @00-kat in #300
• Run integration using uroot by @jimmykarily in #302
• Add export-enrolled-keys command by @jimmykarily in #303
• Update README.md by @hboetes in #305

New Contributors

• @ajakk made their first contribution in #188
• @dngray made their first contribution in #274
• @photosheep made their first contribution in #279
• @jvllmr made their first contribution in #280
• @into-the-v0id made their first contribution in #285
• @pheiduck made their first contribution in #288
• @hboetes made their first contribution in #294
• @jimmykarily made their first contribution in #296
• @00-kat made their first contribution in #300

Full Changelog: 0.13...0.14

Release: 0.13

This is largely a bugfix release with a couple of changes.

mkinitcpio hook

contrib/mkinitcpio/sbctl now contains a hook for mkinitcpio.

Similar to recent mkinitcpio changes, sbctl will now also sign when dkms modules change.

Fix create-keys flags

--export,-e and --database-path,-d now works properly and doesn't overwrite the create-keys variables internally.

remove erronous dbx enrollment

Previous release implemented support for dbx that doesn't really work as expected. It would also fail to enroll keys for previously setup clients. Implementation has been removed and will be iterated upon at a later date.

Generated list of changes:

What's Changed

• Update documentation for custom dbx by @Cornelicorn in #253
• Check and return Open errs by @quite in #254
• keys.go: drop the keyUsage bitfield by @dkwo in #255
• Update README.md by @scardracs in #256
• create-keys allows for specifying an export directory by @cosmastech in #259
• tests/utils/certs.go: drop keyUsage bitfield by @dkwo in #261
• Update 91-sbctl.install by @cvlc12 in #266
• BUGFIX: f.StringVarP() was clearing the exportPath/databasePath strings by @spillner in #267
• Ignore Setup mode and immutable variables for export by @Cornelicorn in #269
• Fixed typo, removed mention enroll-keys enables Secure Boot automatic… by @tblancher in #270
• Ensure file signing hook is run when initrd is rebuilt by @Joseph-DiGiovanni in #271

New Contributors

• @quite made their first contribution in #254
• @dkwo made their first contribution in #255
• @scardracs made their first contribution in #256
• @cosmastech made their first contribution in #259
• @cvlc12 made their first contribution in #266
• @spillner made their first contribution in #267
• @tblancher made their first contribution in #270
• @Joseph-DiGiovanni made their first contribution in #271

Full Changelog: 0.12...0.13

Release: 0.12

Deprecation notice

sbctl bundle might be deprecated in the future. This functionality is better served by ukify from systemd or the UKI support in mkinitcpio or dracut. I don't have any intentions of improving this feature going forward.

If your local initramfs generation tool does not support UKI generation you should write them some patches.

Custom certificates

sbctl now allows you to enroll custom certificates into KEK and db. This can be done by placing certificates into /usr/share/secureboot/keys/custom/KEK/ and /usr/share/secureboot/keys/custom/db then running sbctl enroll-keys -c.

Key export

sbctl now allows keys to be exported as EFI Signature Lists (esl) or EFI Authenticated Variables (auth), which are pre-signed.

Enrolling default certificates

sbctl can now enroll certificates found in dbxDefault, dbDefault, KEKDefault and PKDefault. These variables contains the default configuration for the machine and might have certificates that might be missing when only enrolling the microsoft certificates.

Usage:

// Defaults to "db,KEK"
sbctl enroll-keys --firmware-builtin

// Enroll everything from the vendor
sbctl enroll-keys --firmware-builtin "dbx,db,KEK,PK"

Support for partial key hierarchies

Before this release sbctl would enroll, reset and rotate the entire key hierarchy when requested. With this release several improvements have been made to have the ability to support partial key hierarchies. This can be used through the --partial flag in their respective commands.

Generated list of changes:

What's Changed

• dmi: Test all used DMI fields by @dawidpotocki in #208
• Add packages section to README by @jloeser in #209
• Allow enrolling custom db and KEK certs by @Cornelicorn in #217
• enroll-keys: implement --export by @Foxboron in #223
• Add support for loading certificates from dbDefault by @Foxboron in #222
• Add asciidoc dependency to README by @flanfly in #227
• feat(enroll-keys): add partial enrollment of keys by @RiSKeD in #231
• Fix typo by @swsnr in #230
• Partial Reset of a hierarchy by @RiSKeD in #232
• Dbx Key Management by @RiSKeD in #236
• Add support for OEM dbx enrollment by @Cornelicorn in #237
• feat(custom-keys): roll out any bytes to the specificed hierarchy by @RiSKeD in #239
• Add append option by @RiSKeD in #244
• fix: Create dest directory when importing keys by @svenschwermer in #246
• fix: don't immediately fail if we can't find default EFI stub by @K900 in #247

New Contributors

• @jloeser made their first contribution in #209
• @Cornelicorn made their first contribution in #217
• @flanfly made their first contribution in #227
• @RiSKeD made their first contribution in #231
• @svenschwermer made their first contribution in #246
• @K900 made their first contribution in #247

Full Changelog: 0.11...0.12

Release: 0.11

sbctl is a Secure Boot key manager that helps users create and enroll Platform Keys and managing signing files.

Firmware Quirks

sbctl now supports a system to detect firmware quirks that might affect the security or functionality of Secure Boot.

The initial revision supports detecting the widely reported MSI Secure Boot quirk.

Please see "MSI has very insecure Secure Boot defaults" for details, and #189 for the feature.

Big thanks to @dawidpotocki for solving the initial issue, the implementation of this new feature in sbctl and the
efforts he has put into this :)

Wiki pages

One wiki page for the new firmware quirk system has been added.

• F0001

Other changes

• UKIs generated by sbctl now has correct section alignment.

• enroll-keys with --microsoft will now also enroll the KEK.

• sbctl now has a filesystem abstraction layer which allows writing proper end-to-end tests of all efivarfs interactions and filesystem interaction.

Full Changelog: 0.10...0.11

Generated list of changes:

What's Changed

• pacman: Add 'extramodules' target to hook by @memchr in #191
• Fix POSIX sh comparison by @swsnr in #183
• Update README.md by @vanillajonathan in #193
• Fix arbitrary sizes in UKI generation by @eNV25 in #194
• enroll-keys: Enroll Microsoft KEK along with their other keys by @alois31 in #192
• Always include vendor keys in status output by @swsnr in #205
• status: Warn about firmware quirks by @dawidpotocki in #189
• Add trailing newline to JSON output by @dawidpotocki in #206

New Contributors

• @memchr made their first contribution in #191
• @swsnr made their first contribution in #183
• @vanillajonathan made their first contribution in #193
• @alois31 made their first contribution in #192
• @dawidpotocki made their first contribution in #189

Full Changelog: 0.10...0.11