Closed realk1ko closed 3 years ago
I’ve submitted a PR fixing this issue. Do take a look, thanks :)
@sharadhr I've taken a look at your PR and added two comments. One might be worth checking, the other is just a question out of curiosity.
Also thank you a ton for your effort. :-)
Hi, sorry for the delay.
Previously I held off implementing this because it appeared that /usr/lib/fwupd/efi/fwupdx64.efi needs to be signed. But doing this would break the on-disk integrity of the fwupd package. Also I assumed that a Pacman hook was still needed to install fwupd to ESP.
Now I see that fwupd can install itself and supports having a separate /usr/lib/fwupd/efi/fwupdx64.efi.signed file. This is better (although the location still isn't ideal) and could be implemented.
However, observe that sbupdate is only tangentially related to this task. It's actually sufficient to have a Pacman hook that runs on fwupd update and calls sbsign directly.
What could be done in sbupdate is adding a manual signing mode to sign one file. Then the above hook would call sbupdate -s instead of sbsign. The hook itself can also be part of sbupdate.
I plan to implement this in a few days.
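The hook-plus-sbsign approach described in the comment above, as an added example that is not part of this thread or of the sbupdate project: a function that writes a pacman hook triggered by fwupd installs/upgrades and a small helper the hook runs, which signs fwupdx64.efi into the separate fwupdx64.efi.signed file so the packaged binary stays unmodified. The key/cert paths under /etc/efi-keys, the hook name, and the helper location under /usr/local/bin are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not sbupdate code. Generates a pacman hook that re-signs
# fwupd's EFI binary after each fwupd install/upgrade.
# Assumptions (not stated in the thread): Secure Boot signing key and cert
# are /etc/efi-keys/db.key and /etc/efi-keys/db.crt; the hook goes to
# /etc/pacman.d/hooks and the helper to /usr/local/bin.

# write_fwupd_sign_hook ROOT
#   Writes ROOT/etc/pacman.d/hooks/95-fwupd-sbsign.hook and
#   ROOT/usr/local/bin/fwupd-sbsign. ROOT="" targets the live system (run as root).
write_fwupd_sign_hook() {
    root="$1"
    hook_dir="$root/etc/pacman.d/hooks"
    bin_dir="$root/usr/local/bin"
    mkdir -p "$hook_dir" "$bin_dir"

    # Helper invoked by the hook. It writes only the .signed file fwupd looks
    # for, so the package-owned fwupdx64.efi keeps its recorded checksum and
    # 'pacman -Qkk fwupd' still passes. All paths are fixed on purpose so a
    # modified PATH or environment cannot redirect which key or binary is used.
    cat > "$bin_dir/fwupd-sbsign" <<'EOF'
#!/bin/sh
set -eu
KEY=/etc/efi-keys/db.key
CERT=/etc/efi-keys/db.crt
IN=/usr/lib/fwupd/efi/fwupdx64.efi
OUT=/usr/lib/fwupd/efi/fwupdx64.efi.signed
[ -r "$IN" ] || { echo "fwupd-sbsign: $IN not found" >&2; exit 1; }
sbsign --key "$KEY" --cert "$CERT" --output "$OUT" "$IN"
# Check the signature against the cert before reporting success, so a bad
# key/cert pair is caught at install time rather than at the next boot.
sbverify --cert "$CERT" "$OUT"
EOF
    chmod 0755 "$bin_dir/fwupd-sbsign"

    # Package-type trigger: fires whenever the fwupd package is installed or
    # upgraded, after the transaction has placed the new fwupdx64.efi on disk.
    cat > "$hook_dir/95-fwupd-sbsign.hook" <<'EOF'
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = fwupd

[Action]
Description = Signing fwupd EFI binary for Secure Boot...
When = PostTransaction
Exec = /usr/local/bin/fwupd-sbsign
EOF
}

# Usage (as root, on the live system):  write_fwupd_sign_hook ""
# Then reinstall fwupd once so the hook produces the initial .signed file.
```

Using Type = Package rather than a Type = Path trigger keeps the hook tied to the fwupd package itself, which is the event the comment describes; the helper deliberately fails loudly if the unsigned binary is missing instead of silently leaving a stale .signed file in place.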
@andreyv what's the benefit of calling sbupdate instead of sbsign directly in a hook? Maybe it's better to keep things simple.
Added experimental support for fwupd signing in b51ba62f6522d0c2c70ddd3b5e2254a245e58bf0.
In the end I couldn't think of a concise way to generalize this feature in the main script, so I just implemented this functionality in the hook itself for now.
From reading fwupd source, I see that it should pick up the updated executable file automatically, so I didn't implement any daemon reloads currently.
@Maryse47 It's borderline, but it should be better not to repeat sbsign arguments in the hook. Anyway, if instead of "fwupd" it was "<some popular bootloader>", then I think sbupdate should support signing it.
Implemented in b51ba62f6522d0c2c70ddd3b5e2254a245e58bf0.
It would be nice to have sbupdate automatically sign the fwupd EFI loaders, instead of having to write a custom pacman hook that takes that over.
Additional info can be checked here: https://wiki.archlinux.org/index.php/Fwupd#Secure_Boot