Open gdamjan opened 3 years ago
Cool idea! As a heads-up, only .auth files need to go to /etc/secureboot/keys/ folder, the tool will complain if you put anything else there... 🤦♂️
I just went through getting rid of efitools dependency altogether in favor of tools in sbsigntools, might be useful for you as a reference: https://github.com/maximbaz/arch-secure-boot/commit/485b6cf2d1ebd14d12377f63976f6c7c0d8d91bf
Did you test sbkeysync? It didn't work for me in a VM. I still haven't tried it on a real-metal machine.
Yes, I tested everything end-to-end on my laptop, it works well 👍
https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_sbkeysync
sbkeysync, part of sbsigntools, is a tool to enroll the keys automatically. Alas, it assumes its own directory structure for the keys and certificates, a bit different than what I did with this tool. While this tool creates all the files in /etc/secure-boot, it expects a hierarchy /etc/secureboot/keys/{db,dbx,KEK,PK}
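Added example, not part of the original thread or of the project's code: a shell sketch that stages .auth files into the db/dbx/KEK/PK hierarchy described above and flags anything in the keystore that is not a .auth file. The source file names (PK.auth, KEK.auth, db.auth, dbx.auth) and the function names are assumptions; the thread does not state them.

```shell
#!/bin/sh
# Added example: lay out signed variable updates the way sbkeysync expects.
# Assumption: SRC holds PK.auth, KEK.auth, db.auth and optionally dbx.auth
# (these file names are hypothetical, not taken from the thread).

VARS="db dbx KEK PK"

# stage_keystore SRC DST
# Creates DST/{db,dbx,KEK,PK} and copies SRC/<var>.auth into DST/<var>/.
# PK, KEK and db are required; dbx is optional. Returns 1 on a missing file.
stage_keystore() {
    src=$1
    dst=$2
    for var in $VARS; do
        mkdir -p "$dst/$var" || return 1
        if [ -f "$src/$var.auth" ]; then
            cp "$src/$var.auth" "$dst/$var/$var.auth" || return 1
        elif [ "$var" != dbx ]; then
            echo "missing $src/$var.auth" >&2
            return 1
        fi
    done
}

# audit_keystore DST
# Lists every regular file under DST that is not a .auth file (for example a
# private key or certificate copied by mistake). Returns 1 if any are found.
audit_keystore() {
    stray=$(find "$1" -type f ! -name '*.auth')
    if [ -n "$stray" ]; then
        printf 'not a .auth file:\n%s\n' "$stray" >&2
        return 1
    fi
    return 0
}

# preview_enroll DST
# Shows what sbkeysync would write, without touching firmware variables.
preview_enroll() {
    sbkeysync --no-default-keystores --keystore "$1" --dry-run --verbose
}

# Typical use, with the paths named in the thread:
#   stage_keystore /etc/secure-boot /etc/secureboot/keys &&
#   audit_keystore /etc/secureboot/keys &&
#   preview_enroll /etc/secureboot/keys
```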