add sbctl + systemd-cryptenroll
All checks were successful
ci/woodpecker/push/validate_schema Pipeline was successful
This commit is contained in:
parent 064dc6c5d3
commit c85814db1a
4 changed files with 221 additions and 14 deletions
57
technology/linux/sbctl.md
Normal file
@ -0,0 +1,57 @@
---
obj: application
repo: https://github.com/Foxboron/sbctl
rev: 2024-12-16
---
# sbctl (Secure Boot Manager)
sbctl intends to be a user-friendly secure boot key manager capable of setting up secure boot, offer key management capabilities, and keep track of files that needs to be signed in the boot chain.
## Usage
Install the necessary packages:
```sh
pacman -S sbctl sbsigntools
```
Check that Secure Boot "Setup Mode" is "Enabled" in UEFI:
```sh
sbctl status
```
Create your own signing keys:
```sh
sbctl create-keys
```
Sign the systemd bootloader:
```sh
sbctl sign -s \
-o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed \
/usr/lib/systemd/boot/efi/systemd-bootx64.efi
```
Enroll your custom keys:
```sh
sbctl enroll-keys
# Enroll and include Microsoft Keys
sbctl enroll-keys --microsoft
```
Sign EFI files:
```sh
sbctl sign -s /boot/EFI/Linux/arch-linux.efi
sbctl sign -s /boot/EFI/Linux/arch-linux-fallback.efi
sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
sbctl sign -s /efi/EFI/Boot/bootx64.efi
```
Verify signature of EFI files:
```sh
sbctl verify
```
Resign everything:
```sh
sbctl sign-all
```
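Review bot: the enroll step (the `sbctl enroll-keys` block under "Enroll your custom keys:") needs a sentence on when `--microsoft` is required: enrolling only your own keys leaves the firmware unable to verify Option ROMs (discrete GPUs, some NICs and storage controllers) that carry only a Microsoft UEFI CA signature, which on affected machines means no display or no boot once Secure Boot is enforced, so the plain `sbctl enroll-keys` form should be presented as the exception rather than the default. It would also help to close the procedure with a post-reboot `sbctl status` so the reader can confirm that Setup Mode is now disabled and Secure Boot reports enabled, i.e. that the enrolled keys are actually being enforced.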