## Deprecation Notice

> [!CAUTION]
> The bundle/UKI support in `sbctl` will be removed next release. Please move to dracut/mkinitcpio/ukify.
## Important Changes

### Landlock support

`sbctl` will try to sandbox all commands with Landlock.

Landlock is an unprivileged sandbox, similar to OpenBSD pledge, that allows `sbctl` to declare ahead of time the directories and files it reads and writes. This feature is enabled by default and can be disabled by setting `landlock: false` in the new config file, or by passing the `--disable-landlock` flag.

The Landlock feature runs with "best effort" and will degrade its feature set on unsupported kernels before turning it off completely.

Please note that any file permission issues might be caused by Landlock.

> [!WARNING]
> Please try `--disable-landlock` before reporting bugs.
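As an added example (not sbctl's own code): the "best effort" behaviour described above, written in plain Go with raw syscalls. It probes the kernel's Landlock ABI version, drops the file-system rights that ABI does not know (the kernel rejects unknown bits with `EINVAL`), and turns the sandbox off entirely when Landlock is absent, so the command still runs. The syscall number and the rights bit values are those from `<linux/landlock.h>`; the wanted-rights mask in `main` is chosen for the example.

```go
// Added example, not sbctl's code: best-effort Landlock setup with raw syscalls.
// Linux-only; the numbers below come from <linux/landlock.h>.
package main

import (
	"fmt"
	"syscall"
	"unsafe"
)

const (
	sysLandlockCreateRuleset     = 444    // same number on every architecture
	landlockCreateRulesetVersion = 1 << 0 // flag: report the ABI version instead of creating a ruleset
)

// File-system access rights, grouped by the ABI version that introduced them.
const (
	accessFSV1       uint64 = 1<<13 - 1 // EXECUTE .. MAKE_SYM (ABI 1)
	accessFSRefer    uint64 = 1 << 13   // ABI 2
	accessFSTruncate uint64 = 1 << 14   // ABI 3
	accessFSIoctlDev uint64 = 1 << 15   // ABI 5 (ABI 4 only added network rights)
)

// landlockABIVersion asks the kernel which Landlock ABI it implements.
// ENOSYS means the kernel predates Landlock, EOPNOTSUPP means it is built but not
// enabled in the LSM list; in both cases the sandbox cannot be used at all.
func landlockABIVersion() (int, error) {
	v, _, errno := syscall.Syscall(sysLandlockCreateRuleset, 0, 0, landlockCreateRulesetVersion)
	if errno != 0 {
		return 0, fmt.Errorf("landlock unavailable: %w", errno)
	}
	return int(v), nil
}

// supportedFSAccess returns every file-system right the given ABI understands.
// Handling a right the kernel does not know fails with EINVAL, so a best-effort
// sandbox has to intersect its wish list with this set.
func supportedFSAccess(abi int) uint64 {
	if abi < 1 {
		return 0
	}
	mask := accessFSV1
	if abi >= 2 {
		mask |= accessFSRefer
	}
	if abi >= 3 {
		mask |= accessFSTruncate
	}
	if abi >= 5 {
		mask |= accessFSIoctlDev
	}
	return mask
}

// rulesetAttr mirrors the first field of struct landlock_ruleset_attr; passing only
// this ABI 1 prefix together with its size is accepted by every kernel that has Landlock.
type rulesetAttr struct {
	handledAccessFS uint64
}

// Ruleset records what best effort achieved: the ABI found, the rights actually
// handled, and the ruleset fd (-1 when the sandbox is disabled).
type Ruleset struct {
	ABI     int
	Handled uint64
	FD      int
	Enabled bool
}

// bestEffortRuleset degrades as the release notes describe: rights unknown to an
// older ABI are dropped, and the sandbox is switched off entirely when Landlock
// is missing, so the calling command still runs.
func bestEffortRuleset(wanted uint64) (Ruleset, error) {
	abi, err := landlockABIVersion()
	if err != nil {
		return Ruleset{FD: -1}, nil // no Landlock: run unsandboxed
	}
	attr := rulesetAttr{handledAccessFS: wanted & supportedFSAccess(abi)}
	fd, _, errno := syscall.Syscall(sysLandlockCreateRuleset,
		uintptr(unsafe.Pointer(&attr)), unsafe.Sizeof(attr), 0)
	if errno != 0 {
		return Ruleset{ABI: abi, FD: -1}, fmt.Errorf("landlock_create_ruleset: %w", errno)
	}
	return Ruleset{ABI: abi, Handled: attr.handledAccessFS, FD: int(fd), Enabled: true}, nil
}

func main() {
	// Ask for everything a new kernel offers; older kernels get the subset they know.
	wanted := accessFSV1 | accessFSRefer | accessFSTruncate | accessFSIoctlDev
	rs, err := bestEffortRuleset(wanted)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if !rs.Enabled {
		fmt.Println("landlock unavailable, sandbox disabled")
		return
	}
	defer syscall.Close(rs.FD)
	fmt.Printf("landlock ABI %d: handling %#x of wanted %#x\n", rs.ABI, rs.Handled, wanted)
}
```

The ruleset fd is only the point where degradation happens; enforcing it still takes one `landlock_add_rule` per allowed path and `landlock_restrict_self` after `PR_SET_NO_NEW_PRIVS`, and a Go program must apply that restriction on every OS thread, not just the one that made the call. That is also why a permission error in a sandboxed command points at the rule set first, which is what the warning above is about.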
## Major changes

### Move from `/usr/share/secureboot` to `/var/lib/sbctl` and `sbctl migrate`

> [!IMPORTANT]
> Please run `sbctl setup --migrate --disable-landlock`. See #333

`sbctl` has moved from using `/usr/share/secureboot` to `/var/lib/sbctl`. The usage of `/usr` was mostly for legacy reasons, but there wasn't any motivation to fix this until now.

To help with the migration, `sbctl migrate` has been implemented. It will move all the files from the old location to `/var/lib/sbctl` and rename files accordingly.

Existing `sbctl` installations should continue to work, with a warning message that they should run `sbctl migrate`.

> [!IMPORTANT]
> For packagers:
> The `sbctl.DatabasePath` variable is used by `sbctl` internally to denote the "old path" when using `sbctl migrate`. If you override this from the default `/usr` location during building, do not remove it when building the new release.
### Configuration file and `sbctl setup`

A new way to set up `sbctl` has been introduced, along with a declarative configuration file. The default config file location is `/etc/sbctl/sbctl.conf`, which is read on startup if available. If the file is not present, `sbctl` will use default settings.

The new `sbctl setup --setup` command will do a complete `sbctl` installation based on the new configuration file. If the file is not passed through `--config` or read from `/etc/sbctl/sbctl.conf`, it will use the default settings to create and enroll Secure Boot certificates.

If a configuration file is provided, then `sbctl` will attempt to sign the default files and save them to the database for future signing.

In the future `sbctl setup` will provide an interactive setup that will sign the default boot chain and produce a configuration file.
Example configuration file:

```yaml
---
landlock: true
keydir: /var/lib/sbctl/keys
guid: /var/lib/sbctl/GUID
files_db: /var/lib/sbctl/files.json
bundles_db: /var/lib/sbctl/bundles.json
files:
  - path: /efi/EFI/BOOT/BOOTX64.EFI
    output: /efi/EFI/BOOT/BOOTX64.EFI
  - path: /efi/EFI/Linux/arch-linux.efi
    output: /efi/EFI/Linux/arch-linux.efi
  - path: /usr/lib/fwupd/efi/fwupdx64.efi
    output: /usr/lib/fwupd/efi/fwupdx64.efi.signed
  - path: /usr/lib/systemd/boot/efi/systemd-bootx64.efi
    output: /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
keys:
  pk:
    privkey: /var/lib/sbctl/keys/PK/PK.key
    pubkey: /var/lib/sbctl/keys/PK/PK.pem
    type: file
  kek:
    privkey: /var/lib/sbctl/keys/KEK/KEK.key
    pubkey: /var/lib/sbctl/keys/KEK/KEK.pem
    type: file
  db:
    privkey: /var/lib/sbctl/keys/db/db.key
    pubkey: /var/lib/sbctl/keys/db/db.pem
    type: file
```
### TPM key files

`sbctl` now supports creation of TPM key files using `go-tpm-keyfiles`. These keys are mostly compatible with how other TPM2 TSS keyfiles are created. This key type can be used by passing one of several keytype flags to `create-keys` or `rotate-keys`, or by specifying the type in the new configuration file.

The flags for `create-keys` and `rotate-keys` are:

- `--keytype` - Set keytype for all keys
- `--pk-keytype` - Set PK key type
- `--kek-keytype` - Set KEK key type
- `--db-keytype` - Set db key type

The current x509 and RSA key type used by `sbctl` is now called `file`, and the new TPM key file is called `tpm`.

Note that only RSA 2048 is supported by most TPMs, while the default `file` type defaults to RSA 4098. The default key type for `sbctl` will continue to be `file`.

If you wish to rotate to a key hierarchy where PK and KEK are stored as `tpm` key files, and `db` as a `file` keytype, you can issue the following commands:
```
λ » sudo sbctl reset
✓ Removed Platform Key!
Use `sbctl enroll-keys` to enroll the Platform Key again.
λ » sudo sbctl rotate-keys --pk-keytype tpm --kek-keytype kek --db-keytype file
Backed up keys to /var/tmp/sbctl/sbctl_backup_keys_1722423218
Creating secure boot keys...✓
Secure boot keys created!
✓ Enrolled new keys into UEFI!
✓ Signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
✓ Signed /efi/EFI/BOOT/BOOTX64.EFI
✓ Signed /efi/EFI/Linux/arch-linux.efi
✓ Signed /usr/lib/fwupd/efi/fwupdx64.efi.signed
```
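As an added example (not sbctl's code) covering the configuration file and the key types: creating the PK, KEK and db keys as the `file` key type, in the directory layout the example configuration above points at (`<keydir>/PK/PK.key` and `PK.pem`, and so on). Assumptions made for the example: the RSA modulus per key type (2048 for `tpm`, the size the TPM note says most TPMs support, and 4096 for `file`), a self-signed CA certificate whose common name is the key name with a ten-year lifetime, and PKCS#8 for the private key file. TPM-backed keys need a TPM and are not shown.

```go
// Added example, not sbctl's code: create the PK, KEK and db keys as "file" keys
// in the layout the example sbctl.conf uses (<keydir>/<NAME>/<NAME>.key and .pem).
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// rsaBitsFor picks the modulus size by key type: most TPMs only support RSA 2048,
// while file keys are assumed here to use RSA 4096.
func rsaBitsFor(keyType string) (int, error) {
	switch keyType {
	case "tpm":
		return 2048, nil
	case "file":
		return 4096, nil
	}
	return 0, fmt.Errorf("unknown key type %q", keyType)
}

// createFileKey generates an RSA key, self-signs a CA certificate for it (the
// subject is assumed to be the key name) and writes <keydir>/<name>/<name>.key
// (PKCS#8, mode 0600) plus <keydir>/<name>/<name>.pem. It returns the certificate.
func createFileKey(keydir, name string, bits int) (*x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0), // assumed lifetime
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	dir := filepath.Join(keydir, name)
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(filepath.Join(dir, name+".key"), keyPEM, 0o600); err != nil {
		return nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(filepath.Join(dir, name+".pem"), certPEM, 0o644); err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// createHierarchy creates the three keys of the hierarchy with one modulus size.
func createHierarchy(keydir string, bits int) (map[string]*x509.Certificate, error) {
	certs := map[string]*x509.Certificate{}
	for _, name := range []string{"PK", "KEK", "db"} {
		c, err := createFileKey(keydir, name, bits)
		if err != nil {
			return nil, err
		}
		certs[name] = c
	}
	return certs, nil
}

// loadCert reads a .pem file back, e.g. to check what was written.
func loadCert(path string) (*x509.Certificate, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("%s: no CERTIFICATE block", path)
	}
	return x509.ParseCertificate(block.Bytes)
}

func main() {
	keydir, err := os.MkdirTemp("", "sbctl-keys-") // scratch dir instead of /var/lib/sbctl/keys
	if err != nil {
		fmt.Println(err)
		return
	}
	bits, _ := rsaBitsFor("file")
	if _, err := createHierarchy(keydir, bits); err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("wrote %d-bit PK, KEK and db file keys under %s\n", bits, keydir)
}
```

The private key is written with mode 0600 inside a 0700 directory; with the release's Landlock sandbox in place, this `keydir` is one of the write locations a command would have to declare up front.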
## Other changes

### `sbctl debug`

To help with debugging efforts, `sbctl debug` has been implemented. It will dump most of the `efivarfs`, the configuration, state information and version information into a tarball which can be uploaded.
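As an added example (not sbctl's code): a minimal support-bundle writer in the spirit of `sbctl debug`. It tars up every readable variable in efivarfs, the configuration file and a version string, and tolerates a missing efivarfs or config file rather than failing. The mount point, entry names and version string are assumptions for the example; in efivarfs every variable file starts with a 4-byte attribute word before the value, which the bundle keeps as-is.

```go
// Added example, not sbctl's code: a minimal support bundle in the spirit of
// `sbctl debug`: efivarfs variables, the config file and a version string in a tar.gz.
package main

import (
	"archive/tar"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"time"
)

// Assumed defaults; the functions take them as parameters so they can point elsewhere.
const (
	defaultEfivars = "/sys/firmware/efi/efivars"
	defaultConfig  = "/etc/sbctl/sbctl.conf"
)

// addEntry stores one regular file in the archive.
func addEntry(tw *tar.Writer, name string, content []byte) error {
	hdr := &tar.Header{Typeflag: tar.TypeReg, Name: name, Mode: 0o600,
		Size: int64(len(content)), ModTime: time.Now()}
	if err := tw.WriteHeader(hdr); err != nil {
		return err
	}
	_, err := tw.Write(content)
	return err
}

// writeDebugBundle writes a gzip'd tar to out with version.txt, the config (when it
// exists) and every readable efivarfs variable under efivars/. Each variable file
// starts with the 4-byte attribute word efivarfs prepends, which is kept as-is.
// A missing efivarfs (no UEFI, or not mounted) still yields a bundle.
func writeDebugBundle(out io.Writer, efivars, configPath, version string) ([]string, error) {
	gz := gzip.NewWriter(out)
	tw := tar.NewWriter(gz)
	var names []string
	add := func(name string, content []byte) error {
		names = append(names, name)
		return addEntry(tw, name, content)
	}
	if err := add("version.txt", []byte(version+"\n")); err != nil {
		return nil, err
	}
	cfg, err := os.ReadFile(configPath)
	if err == nil {
		if err := add("sbctl.conf", cfg); err != nil {
			return nil, err
		}
	} else if !os.IsNotExist(err) {
		return nil, err
	}
	entries, err := os.ReadDir(efivars) // already sorted by name
	if err != nil && !os.IsNotExist(err) {
		return nil, err
	}
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		data, err := os.ReadFile(filepath.Join(efivars, e.Name()))
		if err != nil {
			continue // some variables refuse reads; skip them rather than abort
		}
		if err := add("efivars/"+e.Name(), data); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return names, gz.Close()
}

// listBundle returns name -> size for every entry, to verify a bundle.
func listBundle(r io.Reader) (map[string]int64, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	sizes := map[string]int64{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return sizes, nil
		}
		if err != nil {
			return nil, err
		}
		sizes[hdr.Name] = hdr.Size
	}
}

func main() {
	f, err := os.CreateTemp("", "sbctl-debug-*.tar.gz")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer f.Close()
	names, err := writeDebugBundle(f, defaultEfivars, defaultConfig, "sbctl 0.15 (example)")
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("wrote %s with %d entries\n", f.Name(), len(names))
}
```

Before uploading a bundle like this anywhere, it is worth listing its entries: efivarfs can hold vendor variables beyond the Secure Boot ones, and a reviewer wants to know exactly what left the machine.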
### Major refactoring

Almost all of the core key handling and key hierarchy code in `sbctl` has been reworked to better support different key types. This has led to a great deal of internal changes and refactoring. Some things might be subtly broken because of the limited ability to test everything.

However, in the future it will be easier to create unit tests for `sbctl`, which will make it more stable in the long run.
## Generated list of changes

### What's Changed

- nit(91-sbctl.install): consistent syntax for tests by @MithicSpirit in #310
- Update the mkinitcpio post hook to return 0 when no keys are found by @punoko in #312
- fix: close file by @testwill in #313
- [mkinitcpio] do not add to database by @bseibold in #315
- Rework sbctl backend by @Foxboron in #323
- contrib: support trailing commas in sbctl setup output by @behrmann in #328
- Implement sbctl setup by @Foxboron in #329
- sbctl: implement landlock sandboxing by @Foxboron in #330
- Implment sbctl debug command by @Foxboron in #331
- Implement TPM key files by @Foxboron in #332

### New Contributors

- @MithicSpirit made their first contribution in #310
- @punoko made their first contribution in #312
- @testwill made their first contribution in #313
- @bseibold made their first contribution in #315
- @behrmann made their first contribution in #328

**Full Changelog**: 0.14...0.15