0.18

Important

Binary builds are broken in the CI because of the new pcsclite dependency with cgo. Work in progress to fix.

Support for yubikey

sbctl now supports a yubikey backend for signing keys. This can be controlled through the usual --keytype, --pk-keytype, --kek-keytype and --db-keytype flags with sbctl create-keys.

Please note that sbctl does not carry any infrastructure to do interactive prompts. Any PINs needs to be passed through with the SBCTL_YUBIKEY_PIN environment variable.

Changelog

• Fixed a bug where sbctl verify would choke on any non-PE executables.
• sbctl sign -s will not save files before checking if we can sign them.
• Misc dependency updates

Generated list of changes

What's Changed

• Initial yubikey backend keytype support by @tomis007 in #418
• CI: missing libpcsclite pkg by @pheiduck in #445

New Contributors

• @tomis007 made their first contribution in #418

Full Changelog: 0.17...0.18

0.17

Changelog

Small release to ensure sbctl comes preloaded with the new 2023 Microsoft certificates.

• Ensure we don't wrongly compare input/output files when signing
• Added --json supprt to sbctl verify
• Ensure sbctl setup with no arguments returns a helpful output
• Import latest Microsoft keys for KEK and db databases
• Ensure we print the path of the file when encountering an invalid PE file
• Misc fixups in tests
• Misc typo fixes in prints

Generated list of changes

What's Changed

• build.yml: download artifacts using a wildcard by @pheiduck in #392
• Fix input/output file comparison when signing by @bkrochta in #393
• sbctl setup migrate: fix typo by @TheConner in #396
• Verified JSON support by @cybik in #402
• fix: print an error on setup without args by @acuteenvy in #412
• various fixes by @pheiduck in #419
• Typo fix by @stmille in #430
• certs: import 2023 Microsoft keys by @K900 in #432

New Contributors

• @TheConner made their first contribution in #396
• @cybik made their first contribution in #402
• @stmille made their first contribution in #430

Full Changelog: 0.16...0.17

0.16

Changelog

• Updated go-uefi dependency
• Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is present
• Fixed a bug where sbctl would abort if the TPM eventlog contains the same byte multiple times
• Fixed a landlock bug where enroll-keys --export did not work
• Fixed a bug where an ESP mounted to multiple paths would not be detected
• Exporting keys without efivars present work again
• sbctl sign will now use the saved output path if the signed file is enrolled
• enroll-keys --append will now work without --force.

Generated list of changes

What's Changed

• sbctl.8: fix typo in the man page by @acuteenvy in #350
• Allow exporting keys without efivars present and update CI staticcheck by @Cornelicorn in #363
• Morten/fix signing by @Foxboron in #360
• fix esp detection with multiple mountpoints and failing udev info by @Foxboron in #358
• Read output file path from db if output not specified by @bkrochta in #377
• fix: allow -a/--append without force by @tippfehlr in #378
• quirks: Add MS-7D70 as unaffected by @matteodev8 in #382
• add usr/share/**/.efi to paths for pacman hook by @nebrassy in #385
• build.yml: bump actions/upload-artifact@v4 by @pheiduck in #388
• enroll-keys: if --export, add CWD to RWDirs by @ZLima12 in #389
• gitignore: add generated man pages in section 5. by @ZLima12 in #390

New Contributors

• @acuteenvy made their first contribution in #350
• @bkrochta made their first contribution in #377
• @tippfehlr made their first contribution in #378
• @matteodev8 made their first contribution in #382
• @nebrassy made their first contribution in #385
• @ZLima12 made their first contribution in #389

Full Changelog: 0.15.4...0.16

0.15.4

Final landlock fixup, everything should be fine now.

• Fixed an issue where sign-all did not report a non-zero exit code when something failed
• Fixed and issue where we couldn't write to a file with landlock
• Fixed an issue where --json would print the human readable output and the json
• Fixes landlock for UKI/bundles by disabling the sandbox feature
• Some doc fixups that mentioned /usr/share/

Generated list of changes

What's Changed

• 91-sbctl.install: Unconditionally remove file from database by @chenxiaolong in #341
• sbctl: Fix human readable output being printed when using --json by @chenxiaolong in #342
• Ensure landlock works for signing entries by @Foxboron in #344

New Contributors

• @chenxiaolong made their first contribution in #341

Full Changelog: 0.15.3...0.15.4

0.15.3

Third time is the charm!

• Fixed a mistake where the db_additions setting in sbctl.conf was not wired up to sbctl setup.
• Relaxed the check for an existing install in sbctl setup form looking after /var/lib/sbctl to check for /var/lib/sbctl/keys.
• Fixed a bug where dmi information was not read for quirk detection when landlock was enabled.
• Fixed a bug where sbctl create-keys did not have access to /var/lib under landlock.
• Fixed a bug where sbctl setup didn't have access to /usr/share.

Bugfix release 0.15.2

What's better than one bugfix release? Two bugfix releases!

• Fixed a bug where sbctl setup aborts early because /var/lib/sbctl already exists.

Full Changelog: 0.15.1...0.15.2

Bugfix release 0.15.1

• Fixed an issue where sbctl migrate did not work without --disable-landlock.

• Fixed an issue where bundles.db would be written to files.json deleting list of files.

Full Changelog: 0.15...0.15.1

0.15

Deprecation Notice

Caution

The bundle/UKI support in sbctl will be removed next release. Please move to dracut/mkinitcpio/ukify.

Important Changes

Landlock support

sbctl will try to sandbox all commands with landlock.
Landlock is a unpriviledged sandbox, similar to OpenBSD pledge, that allows
sbctl to declare the directories and files we are reading/writing a head. This
feature is enabled by default and can be disabled by setting landlock: false
in the new config file, or by passing --disable-landlock flag.

The landlock feature is run with "best effort" and will degrade it's feature set
on unsupported kernels before turning it off completely.

Please note that any file permission issues might be because of landlock.

Warning

Please try --disable-landlock before reporting bugs.

Major changes

Move from /usr/share/secureboot to /var/lib/sbctl and sbctl migrate

Important

Please run sbctl setup --migrate --disable-landlock. See #333

sbctl has moved from using /usr/share/secureboot to /var/lib/sbctl. The
useage of /usr was mostly for legacy reasons but there wasn't any motivation
to fix this until now.

To help with the migration sbctl migrate has been implemented. It will move
all the files from the old location to /var/lib/sbctl and rename files
accordingly.

Existing sbctl installations should continue to work with a warning message
that they should run sbctl migrate.

Important

For packagers:

The sbctl.DatabasePath variable is used by sbctl internally to denote the "old path" when using sbctl migrate. If you override this from the default /usr location during building do not remove it when building the new release.

Configuration file and sbctl setup

A new way to setup sbctl has been introduced, along with a declarative
configuration file . The default config file location is /etc/sbctl/sbctl.conf
and will be read on startup if available. If the file is not present sbctl
will use default settings.

The new sbctl setup --setup commnd will do a complete sbctl installation
based off on the new configuration file. If the file is not passed through
--config or read from /etc/sbctl/sbctl.conf it will use the default settings
to create and enroll Secure Boot certificates.

If a configuration file is provided then sbctl will attempt to sign the
default files and save them to the database for future signing.

In the future sbctl setup will provide an interactive setup that will sign the
default boot chain and produce a configuration file.

Example configuration file:

---
landlock: true
keydir: /var/lib/sbctl/keys
guid: /var/lib/sbctl/GUID
files_db: /var/lib/sbctl/files.json
bundles_db: /var/lib/sbctl/bundles.json
files:
- path: /efi/EFI/BOOT/BOOTX64.EFI
  output: /efi/EFI/BOOT/BOOTX64.EFI
- path: /efi/EFI/Linux/arch-linux.efi
  output: /efi/EFI/Linux/arch-linux.efi
- path: /usr/lib/fwupd/efi/fwupdx64.efi
  output: /usr/lib/fwupd/efi/fwupdx64.efi.signed
- path: /usr/lib/systemd/boot/efi/systemd-bootx64.efi
  output: /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
keys:
  pk:
    privkey: /var/lib/sbctl/keys/PK/PK.key
    pubkey: /var/lib/sbctl/keys/PK/PK.pem
    type: file
  kek:
    privkey: /var/lib/sbctl/keys/KEK/KEK.key
    pubkey: /var/lib/sbctl/keys/KEK/KEK.pem
    type: file
  db:
    privkey: /var/lib/sbctl/keys/db/db.key
    pubkey: /var/lib/sbctl/keys/db/db.pem
    type: file

TPM key files

sbctl now support creation of TPM key files using
go-tpm-keyfiles. These keys are
mostly compatible with how other TPM2 TSS keyfiles are created. This key type
can be used by passing on of several keytype flags to create-keys or
rotate-keys, or by specifying the type in the new configuration file.

The flags for create-keys and rotate-keys are

• --keytype - Set keytype for all keys
• --pk-keytype - Set PK key type
• --kek-keytype - Set KEK key type
• --db-keytype - Set db key type

The current x509 and RSA key type used by sbctl is now called file, and the
new TPM key file is called tpm.

Note that only RSA 2048 is supported by most TPMs while the default file type
defaults to RSA 4096. The default key type for sbctl will continue to be
file.

If you wish to rotate to a key hierarchy where PK and KEK are stored as tpm
key file, and db as a file keytype you can issue the following commands:

λ » sudo sbctl reset
✓ Removed Platform Key!
Use `sbctl enroll-keys` to enroll the Platform Key again.

λ » sudo sbctl rotate-keys --pk-keytype tpm --kek-keytype kek --db-keytype file
Backed up keys to /var/tmp/sbctl/sbctl_backup_keys_1722423218
Creating secure boot keys...✓
Secure boot keys created!
✓ Enrolled new keys into UEFI!
✓ Signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
✓ Signed /efi/EFI/BOOT/BOOTX64.EFI
✓ Signed /efi/EFI/Linux/arch-linux.efi
✓ Signed /usr/lib/fwupd/efi/fwupdx64.efi.signed

Other changes

sbctl debug

To help with debugging efforts sbctl debug has been implemented. It will dump
most of the efivarfs, the configuration, state information and version
information into a tarball which can be uploaded.

Major refactoring

Almost all of the core key handling and key hierarchy code in sbctl has been
reworked to better support different key types. This has lead to a great deal of
internal changes and refactoring. Some stuff might be subtly broken because of
limited ability to test everything.

However in the future it will be easier to create unit-tests for sbctl that
will make it more stable in the long run.

Generated list of changes

What's Changed

• nit(91-sbctl.install): consistent syntax for tests by @MithicSpirit in #310
• Update the mkinitcpio post hook to return 0 when no keys are found by @punoko in #312
• fix: close file by @testwill in #313
• [mkinitcpio] do not add to database by @bseibold in #315
• Rework sbctl backend by @Foxboron in #323
• contrib: support trailing commas in sbctl setup output by @behrmann in #328
• Implement sbctl setup by @Foxboron in #329
• sbctl: implement landlock sandboxing by @Foxboron in #330
• Implment sbctl debug command by @Foxboron in #331
• Implement TPM key files by @Foxboron in #332

New Contributors

• @MithicSpirit made their first contribution in #310
• @punoko made their first contribution in #312
• @testwill made their first contribution in #313
• @bseibold made their first contribution in #315
• @behrmann made their first contribution in #328

Full Changelog: 0.14...0.15

Release: 0.14

Another bugfix release with two new commands

New commands

• export-enrolled-keys will export all enrolled keys on the system to a directory
• list-enrolled-keys will list the enrolled keys on the system

New things

The test suite has now been rewritten to use the new vmtest library.

Bugfixes

• sign-all won't abort when it encounters a file it can't sign.

Packaging changes

• The kernel-install hook won't try to sign things if there are no signing keys available.
• The kernel-install hook will now only remove things if they actually did exist on the system.
• The mkinitcpio hook now only sign the built kernel/UKI instead of all the sbctl files.

Generated list of changes

What's Changed

• 91-sbctl.install: don't sign without signing keys by @ajakk in #188
• Mention COPR package by @dngray in #274
• Add openSUSE to Installation in README by @photosheep in #279
• sign-all don't stop signing if one file does not exist anymore by @jvllmr in #280
• Update the mkinitcpio post hook to only sign the kernel/UKI which is currently being built instead of all the files in the sbctl database by @into-the-v0id in #285
• ci.yaml: use github container registry by @pheiduck in #288
• only remove entries if they are there by @hboetes in #294
• Add list-enrolled-keys command by @jimmykarily in #296
• Add Option ROM warning to Usage section of the manpage by @00-kat in #300
• Run integration using uroot by @jimmykarily in #302
• Add export-enrolled-keys command by @jimmykarily in #303
• Update README.md by @hboetes in #305

New Contributors

• @ajakk made their first contribution in #188
• @dngray made their first contribution in #274
• @photosheep made their first contribution in #279
• @jvllmr made their first contribution in #280
• @into-the-v0id made their first contribution in #285
• @pheiduck made their first contribution in #288
• @hboetes made their first contribution in #294
• @jimmykarily made their first contribution in #296
• @00-kat made their first contribution in #300

Full Changelog: 0.13...0.14

Release: 0.13

This is largely a bugfix release with a couple of changes.

mkinitcpio hook

contrib/mkinitcpio/sbctl now contains a hook for mkinitcpio.

Similar to recent mkinitcpio changes, sbctl will now also sign when dkms modules change.

Fix create-keys flags

--export,-e and --database-path,-d now works properly and doesn't overwrite the create-keys variables internally.

remove erronous dbx enrollment

Previous release implemented support for dbx that doesn't really work as expected. It would also fail to enroll keys for previously setup clients. Implementation has been removed and will be iterated upon at a later date.

Generated list of changes:

What's Changed

• Update documentation for custom dbx by @Cornelicorn in #253
• Check and return Open errs by @quite in #254
• keys.go: drop the keyUsage bitfield by @dkwo in #255
• Update README.md by @scardracs in #256
• create-keys allows for specifying an export directory by @cosmastech in #259
• tests/utils/certs.go: drop keyUsage bitfield by @dkwo in #261
• Update 91-sbctl.install by @cvlc12 in #266
• BUGFIX: f.StringVarP() was clearing the exportPath/databasePath strings by @spillner in #267
• Ignore Setup mode and immutable variables for export by @Cornelicorn in #269
• Fixed typo, removed mention enroll-keys enables Secure Boot automatic… by @tblancher in #270
• Ensure file signing hook is run when initrd is rebuilt by @Joseph-DiGiovanni in #271

New Contributors

• @quite made their first contribution in #254
• @dkwo made their first contribution in #255
• @scardracs made their first contribution in #256
• @cosmastech made their first contribution in #259
• @cvlc12 made their first contribution in #266
• @spillner made their first contribution in #267
• @tblancher made their first contribution in #270
• @Joseph-DiGiovanni made their first contribution in #271

Full Changelog: 0.12...0.13