sbctl is a Secure Boot key manager that helps users create and enroll Platform Keys and manage file signing.
Firmware Quirks
sbctl now supports a system to detect firmware quirks that might affect the security or functionality of Secure Boot.
The initial revision supports detecting the widely reported MSI Secure Boot quirk.
Please see "MSI has very insecure Secure Boot defaults" for details, and #189 for the feature.
Big thanks to @dawidpotocki for solving the initial issue, the implementation of this new feature in sbctl and the
efforts he has put into this :)
Wiki pages
One wiki page for the new firmware quirk system has been added.
Other changes
- UKIs generated by sbctl now have correct section alignment.
- enroll-keys with --microsoft will now also enroll the KEK.
- sbctl now has a filesystem abstraction layer which allows writing proper end-to-end tests of all efivarfs interactions and filesystem interaction.
Full Changelog: 0.10...0.11
Generated list of changes:
What's Changed
- pacman: Add 'extramodules' target to hook by @memchr in #191
- Fix POSIX sh comparison by @swsnr in #183
- Update README.md by @vanillajonathan in #193
- Fix arbitrary sizes in UKI generation by @eNV25 in #194
- enroll-keys: Enroll Microsoft KEK along with their other keys by @alois31 in #192
- Always include vendor keys in status output by @swsnr in #205
- status: Warn about firmware quirks by @dawidpotocki in #189
- Add trailing newline to JSON output by @dawidpotocki in #206
New Contributors
- @memchr made their first contribution in #191
- @swsnr made their first contribution in #183
- @vanillajonathan made their first contribution in #193
- @alois31 made their first contribution in #192
- @dawidpotocki made their first contribution in #189