andreyv / sbupdate

Generate and sign kernel images for UEFI Secure Boot on Arch Linux
GNU General Public License v3.0
225 stars, 20 forks

Feature Request: Sign fwupd EFI Loader #14

Closed realk1ko closed 3 years ago

realk1ko commented 5 years ago

It would be nice to have sbupdate automatically sign the fwupd EFI loaders, instead of having to write a custom pacman hook that takes that over.

Additional info can be checked here: https://wiki.archlinux.org/index.php/Fwupd#Secure_Boot

sharadhr commented 4 years ago

I’ve submitted a PR fixing this issue. Do take a look, thanks :)

realk1ko commented 4 years ago

@sharadhr I've taken a look at your PR and added two comments. One might be worth checking, the other is just a question out of curiosity.

Also thank you a ton for your effort. :-)

andreyv commented 4 years ago

Hi, sorry for the delay.

Previously I held off implementing this because it appeared that /usr/lib/fwupd/efi/fwupdx64.efi needs to be signed. But doing this would break the on-disk integrity of the fwupd package. Also I assumed that a Pacman hook was still needed to install fwupd to ESP.

Now I see that fwupd can install itself and supports having a separate /usr/lib/fwupd/efi/fwupdx64.efi.signed file. This is better (although the location still isn't ideal) and could be implemented.

However, observe that sbupdate is only tangentially related to this task. It's actually sufficient to have a Pacman hook that runs on fwupd update and calls sbsign directly.

What could be done in sbupdate is adding a manual signing mode to sign one file. Then the above hook would call sbupdate -s instead of sbsign. The hook itself can also be part of sbupdate.

I plan to implement this in a few days.
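
As an added illustration of the approach described in this comment (a Pacman hook that fires on fwupd updates and calls sbsign to produce the `.signed` file fwupd looks for), here is a self-contained hook script. It is example code written for this thread, not sbupdate's own hook or the implementation in the referenced commit; the key and certificate paths, the script location `/usr/local/bin/sign-fwupd.sh`, and the `--run` argument are assumptions. The script signs into a temporary file and verifies it with `sbverify` before moving it into place, so a failed signing never leaves a truncated `fwupdx64.efi.signed` behind, and it never touches the package-owned unsigned binary.

```shell
#!/bin/bash
# Example hook script (not part of sbupdate). Signs the fwupd EFI loader
# into the separate .signed file that fwupd picks up, leaving the
# package-owned /usr/lib/fwupd/efi/fwupdx64.efi untouched.
set -eu

# Path from the thread; key/cert locations are assumptions for this example.
FWUPD_EFI="${FWUPD_EFI:-/usr/lib/fwupd/efi/fwupdx64.efi}"
SB_KEY="${SB_KEY:-/etc/efi-keys/db.key}"
SB_CERT="${SB_CERT:-/etc/efi-keys/db.crt}"

# Derive the .signed path fwupd looks for next to the unsigned binary.
signed_path() {
    printf '%s.signed\n' "$1"
}

# Sign $1 into $1.signed. Writes to a temp file and verifies it first, so
# a failed sbsign never replaces a good .signed file with a broken one.
# Returns 0 on success, 1 otherwise.
sign_fwupd_efi() {
    local src="$1" dst tmp
    dst="$(signed_path "$src")"
    if [ ! -f "$src" ]; then
        echo "sign_fwupd_efi: $src not found, nothing to sign" >&2
        return 1
    fi
    tmp="$(mktemp "${dst}.XXXXXX")"
    if sbsign --key "$SB_KEY" --cert "$SB_CERT" --output "$tmp" "$src" \
       && sbverify --cert "$SB_CERT" "$tmp" >/dev/null; then
        mv -f "$tmp" "$dst"
        echo "sign_fwupd_efi: wrote $dst"
        return 0
    fi
    rm -f "$tmp"
    echo "sign_fwupd_efi: signing or verification of $src failed" >&2
    return 1
}

# The Pacman hook that triggers this script after every fwupd install or
# upgrade (hypothetical file /etc/pacman.d/hooks/90-fwupd-sign.hook).
pacman_hook_text() {
    cat <<'EOF'
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = fwupd

[Action]
Description = Signing fwupd EFI loader for Secure Boot...
When = PostTransaction
Exec = /usr/local/bin/sign-fwupd.sh --run
EOF
}

# Only perform the signing when invoked as the hook's Exec; sourcing the
# file (for testing or reuse of the functions) does nothing.
if [ "${1:-}" = "--run" ]; then
    sign_fwupd_efi "$FWUPD_EFI"
fi
```

Install the script as the hook's `Exec` target and drop the printed hook text into `/etc/pacman.d/hooks/`; because `Type = Package` with `Target = fwupd` matches the package rather than a path, the hook also runs when the loader is updated without its path changing.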

Maryse47 commented 4 years ago

@andreyv what's the benefit of calling sbupdate instead of sbsign directly in a hook? Maybe it's better to keep things simple.

andreyv commented 3 years ago

Added experimental support for fwupd signing in b51ba62f6522d0c2c70ddd3b5e2254a245e58bf0.

In the end I couldn't think of a concise way to generalize this feature in the main script, so I just implemented this functionality in the hook itself for now.

From reading fwupd source, I see that it should pick up the updated executable file automatically, so I didn't implement any daemon reloads currently.

@Maryse47 It's borderline, but it should be better not to repeat sbsign arguments in the hook. Anyway, if instead of "fwupd" it was "<some popular bootloader>", then I think sbupdate should support signing it.

andreyv commented 3 years ago

Implemented in b51ba62f6522d0c2c70ddd3b5e2254a245e58bf0.