Foxboron / sbctl

:computer: :lock: :key: Secure Boot key manager
MIT License

Ensure file signing hook is run when initrd is rebuilt #271

Closed Joseph-DiGiovanni closed 6 months ago

Joseph-DiGiovanni commented 6 months ago

Initrd is rebuilt when a DKMS module or firmware package is installed or updated as of these commits to mkinitcpio: https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/aff81712789b9f2c1664fe1cfb5c1ecdbc5c993b https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/3576b03d29420ccd1913eaa18c7f8950e7de3103

Without this change, images created by mkinitcpio will not be automatically signed for secure boot in the events mentioned above.

agowa commented 6 months ago

How about also adding an initcpio hook? That way it is almost guaranteed to call sbctl every time the kernel gets rebuilt, regardless of what triggered it (or if the user triggered it themselves and forgot that they have to sign the kernel too, *not me*).

Also see #218

Foxboron commented 6 months ago

At that point I'd rather just deprecate the pacman hook and replace with kernel-install or mkinitcpio hooks.

agowa commented 6 months ago

It doesn't hurt to have it. I kinda like having the "double protection" of two independent hooks making sure that the image is really signed. But yeah, the pacman one is then basically completely useless...

Joseph-DiGiovanni commented 6 months ago

I agree the mkinitcpio post hook is the way to go. However, I think the best solution is to just keep the sign-all command from the pacman hook rather than the hook making assumptions of what files should be signed.

This should close #263 and #218.

Foxboron commented 6 months ago

Actually, I realized this would be a bad idea, maybe.

We do sign more than just the initrd. Namely things like sd-boot and fwupdmgr. And I'm not sure if signing those as part of a post-hook in mkinitcpio makes sense?

Joseph-DiGiovanni commented 6 months ago

Good point. So we should keep both. For the sake of not breaking anything we should keep it as is with the exception of the usr/lib/initcpio/* target and my other additions. It will attempt to sign twice most of the time but this is preferable to not signing at all.

agowa commented 6 months ago

> And I'm not sure if signing those as part of a post-hook in mkinitcpio makes sense?

It doesn't hurt and sbctl noops already if these files are already signed.

I'd still say it is better to have a potentially useless pacman hook in addition to the initcpio one than to risk a non-bootable system because of unforeseen circumstances....
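A defensive sketch of the mkinitcpio post hook discussed in this thread, as an added example and not sbctl's shipped hook: it runs `sbctl sign-all -g` after an image rebuild and then parses `sbctl verify` so the hook fails loudly if any tracked file is still unsigned. The verify line format ("<path> is signed" / "<path> is not signed"), the hook file name `sbctl-resign`, and the `/usr/lib/initcpio/post/` directory are assumptions to check against your mkinitcpio and sbctl versions.

```shell
#!/bin/sh
# Added example (not sbctl's own hook): re-sign everything sbctl tracks after
# mkinitcpio rebuilds an image, then refuse to pass silently if anything is
# still unsigned. Install as /usr/lib/initcpio/post/sbctl-resign (assumed
# post-hook directory) and make it executable.

# Print the paths that `sbctl verify` reports as unsigned, one per line.
# Assumes each report line ends in "<path> is signed" or "<path> is not signed".
unsigned_from_verify() {
    # $1: captured output of `sbctl verify`
    printf '%s\n' "$1" | sed -n 's|^[^/]*\(/[^ ]*\) is not signed.*$|\1|p'
}

# Sign, then verify. Returns 0 if every tracked file is signed, 1 if any file
# is still unsigned, 2 if sbctl is unavailable or sign-all itself fails.
sign_and_check() {
    if ! command -v sbctl >/dev/null 2>&1; then
        echo "sbctl: not installed, skipping Secure Boot signing" >&2
        return 2
    fi
    # sign-all is idempotent: files that are already signed are a no-op,
    # so running this in addition to the pacman hook is harmless.
    if ! sbctl sign-all -g; then
        echo "sbctl sign-all failed" >&2
        return 2
    fi
    report="$(sbctl verify 2>&1)" || true
    unsigned="$(unsigned_from_verify "$report")"
    if [ -n "$unsigned" ]; then
        echo "ERROR: files still unsigned after initrd rebuild:" >&2
        printf '%s\n' "$unsigned" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Only act when executed under the installed hook name, so the file can also
# be sourced for testing without touching the system.
case "${0##*/}" in
    sbctl-resign) sign_and_check ;;
esac
```

A non-zero exit from the hook shows up in the mkinitcpio run, which is the point: a rebuild that leaves an unsigned image should never look like a clean run.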

Foxboron commented 6 months ago

Thanks!