sbctl is a Secure Boot key manager that helps users create and enroll Platform Keys and manage the files that need to be signed.
Support for vendor certificates
sbctl now allows one to enroll vendor certificates during enroll-keys. Currently only Microsoft keys are supported, but the foundation for adding other OEM keys has been written. One can enroll the Microsoft CA with enroll-keys --microsoft. This also works on machines with an already bootstrapped Platform Key, so one does not need to reset their keys to enroll the new vendor keys. Keep in mind that enrolling the Microsoft certificates means the firmware will trust anything Microsoft has signed, including third-party Option ROMs and Windows boot loaders.
Experimental support for the TPM Eventlog
Similarly, sbctl also supports reading the TPM Eventlog for any Option ROM entries, and adds their checksums to the signature database (db) to allowlist the ROM images. This should help people who do not want to enroll the Microsoft certificate authority on their machines. However, this should be considered experimental. One can enroll the TPM Eventlog checksums with enroll-keys --tpm-eventlog, and one does not need to reset their Secure Boot keys to do so. Because this allowlists the hash of the exact ROM image, a firmware or ROM update changes the hash and the new checksum has to be enrolled again.
Option ROM warning
Because sbctl can now read the TPM Eventlog, a warning has been added when people attempt to enroll keys and an Option ROM is found in the boot chain. Option ROMs (for example on discrete graphics cards) are typically signed by Microsoft, so enrolling only your own keys can leave the firmware refusing to run them, which may cost you video output before the OS loads. The warning helps prevent people from accidentally soft-bricking their devices and offers guidance on what to do. Hopefully this gives people more confidence in the tooling.
Example output:
$ sbctl enroll-keys
Found OptionROM in the bootchain. This means we should not enroll keys into UEFI without some precautions.
There are three flags that can be used:
--microsoft: Enrolls the Microsoft OEM certificates into the signature database.
--tpm-eventlog: Enroll OpRom checksums into the signature database (experimental!).
--yes-this-might-brick-my-machine: Ignore this warning and continue regardless.
Please read the FAQ for more information: https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom
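To make the event-log based allowlisting and the Option ROM check above concrete, here is an added example written for this page; it is not sbctl's own code and does not reproduce its internals. It parses a crypto-agile (TPM 2.0) event log, collects the digests of events of type EV_EFI_BOOT_SERVICES_DRIVER (the type under which firmware measures Option ROMs and other UEFI drivers into PCR2), packs them into an EFI_SIGNATURE_LIST of EFI_CERT_SHA256_GUID entries, which is the layout a hash allowlist has inside db, and models the three-flag decision of the warning. The sample log at the bottom is constructed; the function names, the enroll_plan policy and the event-log path are assumptions, and sbctl's real filter and output format may differ.

```python
"""Added example (not sbctl's code): parse a TCG 2.0 crypto-agile TPM event
log, collect the digests of Option ROMs / UEFI drivers, and pack them as a
SHA-256 hash allowlist (EFI_SIGNATURE_LIST) for the db variable."""
import hashlib
import struct
import sys
import uuid

# Event types from the TCG PC Client Platform Firmware Profile specification.
EV_NO_ACTION = 0x00000003
EV_EFI_VARIABLE_DRIVER_CONFIG = 0x80000001
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000002
EV_EFI_BOOT_SERVICES_DRIVER = 0x80000003  # Option ROMs and other UEFI drivers (PCR2)
TPM_ALG_SHA1, TPM_ALG_SHA256 = 0x0004, 0x000B
DEFAULT_DIGEST_SIZES = {TPM_ALG_SHA1: 20, TPM_ALG_SHA256: 32}
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EVENTLOG_PATH = "/sys/kernel/security/tpm0/binary_bios_measurements"  # usual Linux location


def parse_event_log(log: bytes):
    """Return a list of (pcr, event_type, {alg_id: digest}, event_data).

    The first record is a TCG_EfiSpecIDEvent in the legacy SHA-1 layout; it
    declares the digest algorithms that every following TCG_PCR_EVENT2 carries.
    """
    _, ev_type = struct.unpack_from("<II", log, 0)
    if ev_type != EV_NO_ACTION or log[32:47] != b"Spec ID Event03":
        raise ValueError("not a crypto-agile (TPM 2.0) event log")
    # pcr(4) type(4) sha1(20) event_size(4), then the spec-ID event body at 32
    spec_size = struct.unpack_from("<I", log, 28)[0]
    spec = log[32:32 + spec_size]
    n_algs = struct.unpack_from("<I", spec, 24)[0]
    sizes = dict(struct.unpack_from("<HH", spec, 28 + 4 * i) for i in range(n_algs))
    off, events = 32 + spec_size, []
    while off < len(log):
        pcr, ev_type, n_digests = struct.unpack_from("<III", log, off)
        off += 12
        digests = {}
        for _ in range(n_digests):
            alg = struct.unpack_from("<H", log, off)[0]
            size = sizes.get(alg, DEFAULT_DIGEST_SIZES.get(alg))
            if size is None:
                raise ValueError(f"unknown digest algorithm {alg:#06x}")
            digests[alg] = log[off + 2:off + 2 + size]
            off += 2 + size
        data_size = struct.unpack_from("<I", log, off)[0]
        events.append((pcr, ev_type, digests, log[off + 4:off + 4 + data_size]))
        off += 4 + data_size
    return events


def option_rom_digests(events):
    """SHA-256 digests of everything measured as EV_EFI_BOOT_SERVICES_DRIVER."""
    return [d[TPM_ALG_SHA256] for _, t, d, _ in events
            if t == EV_EFI_BOOT_SERVICES_DRIVER and TPM_ALG_SHA256 in d]


def sha256_signature_list(digests, owner=uuid.UUID(int=0)):
    """Pack digests into one EFI_SIGNATURE_LIST of EFI_CERT_SHA256_GUID entries,
    i.e. the layout a hash (rather than certificate) allowlist has inside db."""
    entries = b"".join(owner.bytes_le + d for d in digests)  # one EFI_SIGNATURE_DATA each
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", 28 + len(entries), 0, 16 + 32)  # ListSize, HeaderSize, SignatureSize
    return header + entries


def enroll_plan(events, microsoft=False, tpm_eventlog=False, force=False):
    """Assumed policy modelling the enroll-keys warning: with Option ROMs in the
    log, refuse to enroll unless one of the three flags was given."""
    extras = []
    if microsoft:
        extras.append("microsoft-certs")
    if tpm_eventlog:
        extras.append("oprom-hashes")
    if option_rom_digests(events) and not extras and not force:
        return "refuse"
    return "enroll" + "".join("+" + e for e in extras)


def _pcr_event2(pcr, ev_type, payload: bytes, data: bytes) -> bytes:
    """One TCG_PCR_EVENT2 carrying a single SHA-256 digest of `payload`."""
    digest = hashlib.sha256(payload).digest()
    return (struct.pack("<III", pcr, ev_type, 1) + struct.pack("<H", TPM_ALG_SHA256)
            + digest + struct.pack("<I", len(data)) + data)


# Constructed sample log: spec-ID header (SHA-256 only), Secure Boot variable
# config in PCR7, one Option ROM in PCR2 and the boot loader in PCR4.
OPTION_ROM_IMAGE = b"constructed GPU option ROM image"  # stand-in for the PE/COFF bytes
SAMPLE_LOG = (
    struct.pack("<II", 0, EV_NO_ACTION) + b"\0" * 20 + struct.pack("<I", 33)
    + b"Spec ID Event03\0" + struct.pack("<IBBBB", 0, 0, 2, 0, 2)  # class, v2.0, errata, uintn
    + struct.pack("<I", 1) + struct.pack("<HH", TPM_ALG_SHA256, 32) + b"\0"  # vendorInfoSize=0
    + _pcr_event2(7, EV_EFI_VARIABLE_DRIVER_CONFIG, b"SecureBoot=1", b"SecureBoot")
    + _pcr_event2(2, EV_EFI_BOOT_SERVICES_DRIVER, OPTION_ROM_IMAGE, b"PciRoot(0x0)/Pci(0x1,0x0)")
    + _pcr_event2(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"bootx64.efi", b"\\EFI\\BOOT\\BOOTX64.EFI")
)

if __name__ == "__main__":
    log = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    evs = parse_event_log(log)
    roms = option_rom_digests(evs)
    for d in roms:
        print("Option ROM sha256:", d.hex())
    print("db allowlist bytes:", len(sha256_signature_list(roms)))
    print("enroll-keys plan:", enroll_plan(evs))
```

Run it without arguments to use the constructed log, or point it at EVENTLOG_PATH on a real machine (reading that file needs root). The signature list is built with an all-zero SignatureOwner GUID; a real tool would use its own owner GUID and would then sign the list with the KEK before writing it to db.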
Man pages Usage section
A usage section explaining how to properly set up sbctl on new devices has also been added to the man page. Previously people have tried to use sbctl by reading the examples in the README, but that is not really a guide on how to properly enroll keys; it works more as a feature showcase.