Releases: Foxboron/sbctl
Release: 0.10
sbctl is a Secure Boot key manager that helps users create and enroll Platform Keys and manage the signing of files.
Support for key rotation
sbctl now allows for key rotation through `sbctl rotate-keys`. This can be used to renew certificates. It is also capable of resigning all signed files.
Wiki pages
A few wiki pages have been added to the project.
Other changes
Language and grammar changes to the manpages, and the Usage section in the man-page has become more precise.
There is also now some WIP documentation on how to reset keys in the BIOS menu.
There have also been several crash fixes and improvements to the error handling.
Full Changelog: 0.9...0.10
Release: 0.9
What's Changed
- Minor typo fix by @pschichtel in #113
- Fix typo in eventlog warning by @mattiabiondi in #120
- Fix minor typo by @cosandr in #124
- read key from private key file by @tpeacock19 in #126
- Fix typo by @potatoattack in #130
- Remove hardcoded architecture in filename by @WhyNotHugo in #133
- Fail `enroll-keys` if any key file does not exist by @WhyNotHugo in #134
- Go needs `git` installed by @WhyNotHugo in #140
- Add convenient aliases for some sub-commands by @eNV25 in #106
- Drop panics by @WhyNotHugo in #141
- Drop unused dependency from test image by @WhyNotHugo in #142
New Contributors
- @pschichtel made their first contribution in #113
- @mattiabiondi made their first contribution in #120
- @cosandr made their first contribution in #124
- @tpeacock19 made their first contribution in #126
- @potatoattack made their first contribution in #130
Full Changelog: 0.8...0.9
Release: 0.8
sbctl is a Secure Boot key manager that helps users create and enroll Platform Keys and manage the signing of files.
Support for vendor certificates
sbctl now allows one to enroll vendor certificates during `enroll-keys`. Currently only Microsoft keys are supported, but the foundation for adding other OEM keys has been written. One can enroll the Microsoft CA with `enroll-keys --microsoft`. This also works on machines with an already bootstrapped Platform Key, and one does not need to reset their keys to enroll the new vendor keys.
Experimental support for the TPM Eventlog
Similarly, sbctl also supports reading the TPM Eventlog for any Option ROM entries, and we add these checksums to the signature database to allowlist the ROM files. This should help people who do not want to enroll the Microsoft certificate authority on their machines. However, this should be considered experimental.
One can enroll the TPM Eventlog checksums with `enroll-keys --tpm-eventlog`, and one does not need to reset their secure boot keys to do so.
Option ROM warning
Because sbctl can now read the TPM Eventlog, a warning has been added when people attempt to enroll keys where we spot an Option ROM. This helps prevent people from accidentally soft-bricking their devices and offers guidance on what to do. Hopefully this gives people more confidence in the tooling.
Example output:
$ sbctl enroll-keys
Found OptionROM in the bootchain. This means we should not enroll keys into UEFI without some precautions.
There are three flags that can be used:
--microsoft: Enrolls the Microsoft OEM certificates into the sinature database.
--tpm-eventlog: Enroll OpRom checksums into the signature database (experimental!).
--yes-this-might-brick-my-machine: Ignore this warning and continue regardless.
Please read the FAQ for more information: https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom
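As an added example (not sbctl's or go-uefi's own code), here is a parser for the TPM 2.0 event log that pulls out the Option ROM checksums that `--tpm-eventlog` and the Option ROM warning above are about; it follows the TCG PC Client Platform Firmware Profile layout and assumes Option ROMs appear as EV_EFI_BOOT_SERVICES_DRIVER events in PCR 2. The sample log bytes are constructed inline.

```python
import struct

# Event types from the TCG PC Client Platform Firmware Profile; Option ROMs are
# measured into PCR 2 as EV_EFI_BOOT_SERVICES_DRIVER events (assumption stated above).
EV_NO_ACTION, EV_EFI_BOOT_SERVICES_DRIVER = 0x00000003, 0x80000004
TPM_ALG_SHA1, TPM_ALG_SHA256 = 0x0004, 0x000B

def parse_event_log(log: bytes):
    """Yield (pcr, event_type, {alg_id: digest}) for each TCG_PCR_EVENT2 entry."""
    # Entry 0 uses the legacy SHA-1 layout and carries the Spec ID event; its
    # digest-size table is needed to walk the crypto-agile entries after it.
    etype, size = struct.unpack_from("<4xI20xI", log, 0)
    data = log[32:32 + size]
    if etype != EV_NO_ACTION or not data.startswith(b"Spec ID Event03"):
        raise ValueError("not a TCG 2.0 event log")
    (n_algs,) = struct.unpack_from("<I", data, 24)
    sizes = dict(struct.unpack_from("<HH", data, 28 + 4 * i) for i in range(n_algs))
    off = 32 + size
    while off < len(log):
        pcr, etype, count = struct.unpack_from("<III", log, off)
        off, digests = off + 12, {}
        for _ in range(count):
            (alg,) = struct.unpack_from("<H", log, off)
            digests[alg] = log[off + 2:off + 2 + sizes[alg]]
            off += 2 + sizes[alg]
        (size,) = struct.unpack_from("<I", log, off)
        off += 4 + size  # skip the event data; only the digests matter here
        yield pcr, etype, digests

def option_rom_digests(log: bytes) -> list:
    """SHA-256 hex digests of Option ROM entries, i.e. what would be allow-listed in db."""
    return [d[TPM_ALG_SHA256].hex() for _, t, d in parse_event_log(log)
            if t == EV_EFI_BOOT_SERVICES_DRIVER and TPM_ALG_SHA256 in d]

def _spec_id_event() -> bytes:
    # Constructed Spec ID event advertising SHA-1 (20 bytes) and SHA-256 (32 bytes).
    data = (b"Spec ID Event03\0" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 2)
            + struct.pack("<HHHH", TPM_ALG_SHA1, 20, TPM_ALG_SHA256, 32) + b"\0")
    return struct.pack("<II20sI", 0, EV_NO_ACTION, b"\0" * 20, len(data)) + data

def _event2(pcr: int, etype: int, sha256: bytes, data: bytes = b"") -> bytes:
    # Constructed crypto-agile entry carrying one SHA-1 and one SHA-256 digest.
    return (struct.pack("<III", pcr, etype, 2) + struct.pack("<H", TPM_ALG_SHA1) + b"\x11" * 20
            + struct.pack("<H", TPM_ALG_SHA256) + sha256 + struct.pack("<I", len(data)) + data)

# Constructed sample log: firmware blob (0x80000008), one Option ROM in PCR 2,
# then a boot loader (EV_EFI_BOOT_SERVICES_APPLICATION, 0x80000003) in PCR 4.
SAMPLE_LOG = (_spec_id_event() + _event2(0, 0x80000008, b"\xaa" * 32)
              + _event2(2, EV_EFI_BOOT_SERVICES_DRIVER, b"\xbb" * 32, b"oprom")
              + _event2(4, 0x80000003, b"\xcc" * 32))
```

On a live system the kernel exposes the same log at /sys/kernel/security/tpm0/binary_bios_measurements; a non-empty result is the situation in which the warning above fires and one of the three flags is required.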
Man pages Usage section
A usage section explaining how to properly set up sbctl on new devices has also been added. Previously people have tried using sbctl by reading the example in the README, but that is not really a guide on how to properly enroll keys; it works more as a feature showcase.
Release: 0.7
Release 0.7
Release: 0.6
This release features a few major changes for sbctl!
sbsigntools removal
Since this project started a year ago, the goal was to have the reliance on sbsigntools be a temporary affair while go-uefi was shaping up to replace it. This has taken quite a while, due to limited time and the need for proper integration testing to ensure the library works as intended.
Over the past month go-uefi got some integration testing done, along with some duplicated work over in sbctl to have key enrollment and signature validation tested through OVMF and tianocore. This should ensure that signing is not bugged and that any regressions are caught.
Because of this, sbctl now implements all secure boot operations through go-uefi and no longer relies on sbsigntools; hopefully this removes some classes of bugs in key enrollment.
cmd/sbctl refactor and JSON output
The other larger change is an overhaul of the command line structure in sbctl, which makes it easier to extend and add future sub-commands. A lot of these changes won't be visible to end-users, but it does allow for some neat usage of `--json` output along with better error feedback through the program.
`sbctl list-files --json` should be a lot easier to parse with jq than going through normal string parsing.
Please do note that the JSON structure might change and not all commands have been covered yet.
User Interface changes
sbctl now sports a new look. The original command line design dates back to the original efi-roller tool, which had output format copy-pasted from other bash-based Arch tooling. Arguably it's not really pretty. It also made it hard to properly format and kill off the color at the appropriate place. The new output should be more in line with existing *ctl tooling and feel modern.
Release: 0.5
Release 0.5
This release contains a few changes to the documentation of sbctl. The most notable change is to the `GetESP` functionality, which should behave better on systems with more than one EFI partition. This can also be overridden with `SYSTEMD_ESP_PATH` or `ESP_PATH`.
Hugo Barrera (3):
- Update man entry for default cmdline
- Update docs/sbctl.8.txt
- Typo
Hugo Osvaldo Barrera (4):
- Extend the documentation a bit
- Refine docs based on feedback
- Typos
- Tweak unconvincing wording
Morten Linderud (5):
- bundles: Handle command not found errors
- util: Expand array in print generator
- Updated readme for libera
- sbctl/bundle: Do not default to ESP for fetching kernel and initramfs
- man: Mention environment variables for ESP location
igo95862 (3):
- Remove ioutil
- Improved GetEsp function.
- Add SYSTEMD_ESP_PATH and ESP_PATH environment variables support
Release: 0.4
Release 0.4
Morten Linderud (2):
- Updated srcinfo
- sbctl: Inverted bool broke key enrollment
igo95862 (3):
- Directly pass arguments to subprocesses instead of args splitting
- Use argument list for objcopy instead of split by whitespace
- Redirect objcopy stderr to parent stderr
Érico Nogueira (1):
- Use x/sys/unix for ioctl instead of rolling our own.
Release: 0.3
Release 0.3
This is mostly just a quick bugfix release. The x509 cert change adds an expiry date of 5 years, but shouldn't matter too much in the immediate future. The bug is that sbctl gets confused if the PK file in efivarfs does not exist, since we are checking whether it is immutable.
Morten Linderud (3):
- sbctl: Create valid x509 certs for the kernel
- sbctl: IsImmutable should return false if the file does not exist
- Fixed sbctl hooks in PKGBUILD
Release: 0.2
Release 0.2
This release mostly fixes UX issues and improves the error handling of the underlying commands. The major change has been moving from /proc/cmdline as the default cmdline file to /etc/kernel/cmdline, which should be better suited for this task.
Morten Linderud (13):
- sbctl: Added missing format argument
- sbctl: Microcode won't always be passed
- cmd/sbctl: proper exit if we fail creating bundle
- cmd/sbctl: Typo in err
- sbctl: Check for immutable files before sbkeysync
- keys: sbkeysync can have "Permissiond denide" errors
- sbctl: Check for permission denied. Use errors package
- sbctl/bundle: Change default cmdline to /etc/kernel/cmdline
- sbctl.hook: Renamed to be ordered last, added more paths
Release: 0.1
Release 0.1 First release of sbctl 🎉 Thanks to Érico Nogueira Rolim for sticking with this project :) (Proper release notes when they make sense. I swear)