Deprecation notice
sbctl bundle might be deprecated in the future. This functionality is better served by ukify from systemd or the UKI support in mkinitcpio or dracut. I don't have any intentions of improving this feature going forward.
If your local initramfs generation tool does not support UKI generation you should write them some patches.
Custom certificates
sbctl now allows you to enroll custom certificates into KEK and db. This can be done by placing certificates into /usr/share/secureboot/keys/custom/KEK/ and /usr/share/secureboot/keys/custom/db and then running sbctl enroll-keys -c.
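Before enrolling anything staged in those directories it is worth confirming what is actually there: that each file is a certificate, whether it is a CA certificate, and when it expires. The Go program below is an added example and not part of sbctl; it uses only the directory layout given above. These notes do not say which file names or encodings (PEM or DER) sbctl's own loader accepts, so this inspector reads both and is not a reproduction of sbctl's loader. The sample tree it can generate (WriteSampleTree) is constructed from throwaway self-signed certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Layout from the release notes: one subdirectory per hierarchy under this root.
const customKeyRoot = "/usr/share/secureboot/keys/custom"

var customHierarchies = []string{"KEK", "db"}

// CertInfo is what a reviewer wants to know about a staged certificate before it is enrolled.
type CertInfo struct {
	Hierarchy, File, Subject string
	NotAfter                 time.Time
	IsCA, Expired            bool
}

// parseCert accepts a PEM "CERTIFICATE" block or raw DER (assumption: sbctl's accepted encodings are not stated here).
func parseCert(raw []byte) (*x509.Certificate, error) {
	if block, _ := pem.Decode(raw); block != nil {
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		raw = block.Bytes
	}
	return x509.ParseCertificate(raw)
}

// InspectCustomDir reads root/KEK and root/db and reports every certificate found. A missing
// hierarchy directory is skipped (staging only db is legitimate); an unparsable file is an error.
func InspectCustomDir(root string, now time.Time) ([]CertInfo, error) {
	var out []CertInfo
	for _, h := range customHierarchies {
		entries, err := os.ReadDir(filepath.Join(root, h))
		if os.IsNotExist(err) {
			continue
		} else if err != nil {
			return nil, err
		}
		for _, e := range entries {
			if e.IsDir() {
				continue
			}
			path := filepath.Join(root, h, e.Name())
			raw, err := os.ReadFile(path)
			if err != nil {
				return nil, err
			}
			cert, err := parseCert(raw)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", path, err)
			}
			out = append(out, CertInfo{Hierarchy: h, File: path, Subject: cert.Subject.String(),
				NotAfter: cert.NotAfter, IsCA: cert.IsCA, Expired: now.After(cert.NotAfter)})
		}
	}
	return out, nil
}

// WriteSampleTree creates a constructed tree under dir with one self-signed CA certificate per
// hierarchy, so the inspector has something to read without touching the real key directory.
func WriteSampleTree(dir string) error {
	for _, h := range customHierarchies {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed " + h + " CA"},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		if err != nil {
			return err
		}
		if err := os.MkdirAll(filepath.Join(dir, h), 0o755); err != nil {
			return err
		}
		pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
		if err := os.WriteFile(filepath.Join(dir, h, "custom.pem"), pemBytes, 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root := customKeyRoot
	if len(os.Args) > 1 { // pass a directory to inspect a staging copy instead of the live tree
		root = os.Args[1]
	}
	infos, err := InspectCustomDir(root, time.Now())
	if err != nil {
		log.Fatal(err)
	}
	for _, c := range infos {
		fmt.Printf("%-3s %s  %s  expires=%s  ca=%t  expired=%t\n", c.Hierarchy, filepath.Base(c.File),
			c.Subject, c.NotAfter.Format("2006-01-02"), c.IsCA, c.Expired)
	}
}
```

Run it as root against the live directory, or pass a staging copy as the first argument. A certificate destined for KEK that is not a CA, or one that has already expired, is worth a second look before sbctl enroll-keys -c writes it into firmware, where undoing a mistake means another enrollment cycle.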
Key export
sbctl now allows keys to be exported as EFI Signature Lists (esl) or EFI Authenticated Variables (auth), which are pre-signed.
Enrolling default certificates
sbctl can now enroll certificates found in dbxDefault, dbDefault, KEKDefault and PKDefault. These variables contain the default configuration for the machine and may hold certificates that would be missing when only the Microsoft certificates are enrolled.
Usage:
```shell
# Defaults to "db,KEK"
sbctl enroll-keys --firmware-builtin
# Enroll everything from the vendor
sbctl enroll-keys --firmware-builtin "dbx,db,KEK,PK"
```
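Both the esl export above and the *Default variables that --firmware-builtin reads are EFI_SIGNATURE_LIST data, so it pays to be able to see exactly which certificates and hashes such a blob holds before it goes into db or KEK. The Go program below is an added example, not sbctl's code. It assumes an exported esl file is the raw concatenation of EFI_SIGNATURE_LIST structures as the UEFI specification defines them, and that a variable read from efivarfs (for instance /sys/firmware/efi/efivars/dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c) carries the kernel's 4-byte attribute word in front of that data. The data it parses by default is constructed: the X.509 entry holds placeholder bytes rather than a real certificate.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"log"
)

// GUID holds an EFI_GUID as laid out on disk: three little-endian fields, then eight raw bytes.
type GUID [16]byte

func (g GUID) String() string {
	return fmt.Sprintf("%08x-%04x-%04x-%04x-%012x", binary.LittleEndian.Uint32(g[0:4]),
		binary.LittleEndian.Uint16(g[4:6]), binary.LittleEndian.Uint16(g[6:8]), binary.BigEndian.Uint16(g[8:10]), g[10:16])
}

// Signature types from the UEFI specification, in on-disk byte order.
var CertX509GUID = GUID{0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72}   // EFI_CERT_X509_GUID
var CertSHA256GUID = GUID{0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28} // EFI_CERT_SHA256_GUID

// Signature is one EFI_SIGNATURE_DATA entry plus the SignatureType of the list it came from.
type Signature struct {
	Type, Owner GUID
	Data        []byte
}

const eslHeaderSize = 28 // SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)

// ParseESL walks concatenated EFI_SIGNATURE_LIST structures and returns every entry. Each size
// field is bounds-checked first, so a truncated or malformed blob yields an error, not a panic.
func ParseESL(buf []byte) ([]Signature, error) {
	var out []Signature
	for len(buf) > 0 {
		if len(buf) < eslHeaderSize {
			return nil, errors.New("truncated EFI_SIGNATURE_LIST header")
		}
		var typ GUID
		copy(typ[:], buf[:16])
		listSize := int(binary.LittleEndian.Uint32(buf[16:20]))
		hdrSize := int(binary.LittleEndian.Uint32(buf[20:24]))
		sigSize := int(binary.LittleEndian.Uint32(buf[24:28]))
		if listSize < eslHeaderSize || listSize > len(buf) || hdrSize < 0 || hdrSize > listSize-eslHeaderSize ||
			sigSize <= 16 || (listSize-eslHeaderSize-hdrSize)%sigSize != 0 {
			return nil, fmt.Errorf("inconsistent sizes (list %d, header %d, signature %d) in %s list", listSize, hdrSize, sigSize, typ)
		}
		for sigs := buf[eslHeaderSize+hdrSize : listSize]; len(sigs) > 0; sigs = sigs[sigSize:] {
			var owner GUID
			copy(owner[:], sigs[:16])
			out = append(out, Signature{Type: typ, Owner: owner, Data: append([]byte(nil), sigs[16:sigSize]...)})
		}
		buf = buf[listSize:]
	}
	return out, nil
}

// ParseEfivar strips the 4-byte attribute word efivarfs prepends to a variable and parses the rest.
func ParseEfivar(buf []byte) (attrs uint32, sigs []Signature, err error) {
	if len(buf) < 4 {
		return 0, nil, errors.New("efivarfs blob shorter than its attribute word")
	}
	sigs, err = ParseESL(buf[4:])
	return binary.LittleEndian.Uint32(buf[:4]), sigs, err
}

// BuildESL serialises one EFI_SIGNATURE_LIST with no signature header. All entries must have the
// same length, because the format carries a single SignatureSize per list.
func BuildESL(typ, owner GUID, entries [][]byte) ([]byte, error) {
	if len(entries) == 0 {
		return nil, errors.New("a signature list needs at least one entry")
	}
	sigSize := 16 + len(entries[0])
	var b bytes.Buffer
	b.Write(typ[:])
	for _, v := range []uint32{uint32(eslHeaderSize + len(entries)*sigSize), 0, uint32(sigSize)} {
		binary.Write(&b, binary.LittleEndian, v)
	}
	for _, e := range entries {
		if 16+len(e) != sigSize {
			return nil, errors.New("entries in one list must all have the same size")
		}
		b.Write(owner[:])
		b.Write(e)
	}
	return b.Bytes(), nil
}

// SampleESL is constructed data: an X.509 list with placeholder bytes (not a real certificate),
// followed by a SHA-256 hash list with two digests, under a made-up SignatureOwner GUID.
func SampleESL() []byte {
	owner := GUID{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
	x509List, _ := BuildESL(CertX509GUID, owner, [][]byte{[]byte("constructed-placeholder-der")})
	hashList, _ := BuildESL(CertSHA256GUID, owner, [][]byte{bytes.Repeat([]byte{0x01}, 32), bytes.Repeat([]byte{0x02}, 32)})
	return append(x509List, hashList...)
}

func main() {
	sigs, err := ParseESL(SampleESL()) // swap in the bytes of an exported file to inspect a real one
	if err != nil {
		log.Fatal(err)
	}
	for i, s := range sigs {
		fmt.Printf("%d: type=%s owner=%s %d bytes\n", i, s.Type, s.Owner, len(s.Data))
	}
}
```

ParseESL is deliberately strict: firmware consumes these blobs with far less error handling than a userland program has, so a list whose sizes do not add up should be rejected here rather than enrolled. For an X.509 entry, the Data field is the DER certificate and can be handed to crypto/x509 to print its subject; for a SHA-256 entry it is the 32-byte image digest.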
Support for partial key hierarchies
Before this release sbctl would enroll, reset and rotate the entire key hierarchy when requested. With this release several improvements have been made to support partial key hierarchies. This can be used through the --partial flag in the respective commands.
Generated list of changes:
What's Changed
- dmi: Test all used DMI fields by @dawidpotocki in #208
- Add packages section to README by @jloeser in #209
- Allow enrolling custom db and KEK certs by @Cornelicorn in #217
- enroll-keys: implement --export by @Foxboron in #223
- Add support for loading certificates from dbDefault by @Foxboron in #222
- Add asciidoc dependency to README by @flanfly in #227
- feat(enroll-keys): add partial enrollment of keys by @RiSKeD in #231
- Fix typo by @swsnr in #230
- Partial Reset of a hierarchy by @RiSKeD in #232
- Dbx Key Management by @RiSKeD in #236
- Add support for OEM dbx enrollment by @Cornelicorn in #237
- feat(custom-keys): roll out any bytes to the specified hierarchy by @RiSKeD in #239
- Add append option by @RiSKeD in #244
- fix: Create dest directory when importing keys by @svenschwermer in #246
- fix: don't immediately fail if we can't find default EFI stub by @K900 in #247
New Contributors
- @jloeser made their first contribution in #209
- @Cornelicorn made their first contribution in #217
- @flanfly made their first contribution in #227
- @RiSKeD made their first contribution in #231
- @svenschwermer made their first contribution in #246
- @K900 made their first contribution in #247
Full Changelog: 0.11...0.12