archlinux / archinstall

Arch Linux installer - guided, templates etc.
GNU General Public License v3.0

Secure Boot - Would it be possible to support? #102

Closed Torxed closed 3 years ago

Torxed commented 3 years ago

Outlining and researching how and if we can incorporate secure boot as a HOOK that's persistent during upgrades etc. I would like to add security-increasing options if possible where it doesn't break anything. Here is an example:

/etc/pacman.d/hooks/99-secureboot.hook

# Re-sign the kernel and systemd-boot binaries whenever the packages that
# ship them are installed or upgraded, so Secure Boot keeps accepting them.
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = linux
Target = systemd

[Action]
Description = Signing Kernel for SecureBoot
When = PostTransaction
# For every vmlinuz-* / systemd* file under /boot, sign it in place with the
# Secure Boot db key unless sbverify already reports a signature on it.
# Note: db.key and db.crt are given here as relative paths; a pacman hook has
# no guaranteed working directory, so they should be absolute paths to the
# enrolled db key pair.
Exec = /usr/bin/sh -c "/usr/bin/find /boot/ -type f \( -name 'vmlinuz-*' -o -name 'systemd*' \) -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null | /usr/bin/grep -q \"signature certificates\"; then /usr/bin/sbsign --key db.key --cert db.crt --output {} {}; fi' \;"
Depends = sbsigntools
Depends = findutils
Depends = grep

Secure boot has not been supported since 2016 on the install medium, but there are AUR packages that do enable secure boot as a hook for builds and upgrades.

There are a few requirements for me to consider this feature:
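
The hook above relies on `sbverify --list` to decide whether a file under /boot already carries a signature. As an added example (not code from this issue or from archinstall), the same "is there an embedded signature?" check can be made offline by reading the PE Certificate Table (the security data directory) of the kernel or systemd-boot image; the function names `authenticode_entries`, `is_signed` and `build_sample_pe` are assumed, and `build_sample_pe` constructs a header-only sample image so the parser can be exercised without a real /boot. Unlike `sbverify`, this only detects that a signature is present; it does not validate it against the enrolled db certificate.

```python
import struct

SECURITY_DIR = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY (file offset, not RVA)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 2  # Authenticode PKCS#7 SignedData

def authenticode_entries(pe):
    """Return [(revision, cert_type, length), ...] per WIN_CERTIFICATE; [] = unsigned."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    opt = e_lfanew + 24                     # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+ (x86_64 UEFI binaries are PE32+)
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs_off = opt + (108 if magic == 0x20B else 92)
    dirs_off = n_dirs_off + 4               # data directories follow NumberOfRvaAndSizes
    if struct.unpack_from("<I", pe, n_dirs_off)[0] <= SECURITY_DIR:
        return []                           # image declares no security directory at all
    off, size = struct.unpack_from("<II", pe, dirs_off + 8 * SECURITY_DIR)
    if off == 0 or size == 0:
        return []                           # directory slot present but empty: unsigned
    end = off + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    entries = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("truncated WIN_CERTIFICATE entry")
        entries.append((revision, cert_type, length))
        off += (length + 7) & ~7            # entries are 8-byte aligned
    return entries

def is_signed(pe):
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in authenticode_entries(pe))

def build_sample_pe(cert_blobs=()):
    """Constructed sample: header-only PE32+ image (not bootable) with blobs appended as WIN_CERTIFICATEs."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                  # e_lfanew -> offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)    # SizeOfOptionalHeader = 240
    opt = bytearray(struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16) + bytes(128))
    table = b""
    for blob in cert_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)                   # pad to 8 bytes like sbsign
    if table:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 64 + 24 + 240, len(table))
    return dos + b"PE\0\0" + coff + bytes(opt) + table
```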

grazzolini commented 3 years ago

This approach depends on using your own keys for secure boot. While it's a good idea to ditch Microsoft keys with your own, this has the potential to break dual boot setups, because the Microsoft bootloader requires the MS certs to be at least on secure boot's DB (the efistub binary can have multiple signatures). I would recommend staying away from SB on archinstall if we can avoid that.

Torxed commented 3 years ago

This approach depends on using your own keys for secure boot. While it's a good idea to ditch Microsoft keys with your own, this has the potential to break dual boot setups, because the Microsoft bootloader requires the MS certs to be at least on secure boot's DB (the efistub binary can have multiple signatures). I would recommend staying away from SB on archinstall if we can avoid that.

That sounds familiar. I will go on yours and others' recommendations here as I have no knowledge myself on manual secure boot configuration (other than what RedHat and others have done). Perhaps this can be parked as an "Addon" alternative in a separate repo (like some of the other ideas) :)

grazzolini commented 3 years ago

Red Hat uses shim, as far as I know. That's the standard way of getting secure boot on Linux with MS keys. Of course, it would be lovely if we can get SB automated with archinstall, but, in my opinion, this is a messy subject, which would be better handled as a plugin or addon, and not as part of the core lib.

Torxed commented 3 years ago

Will implement this as a plugin in the future. The core code will not contain secure boot unless the future of Linux and signing keys becomes a standardized thing and easily supported with for instance systemd-bootctl or something.