Open komachi opened 3 years ago
Oh, and this one: https://github.com/Foxboron/sbctl
Bootstrapping should be covered with sbkeysync. sbctl looks nice, but I am trying to avoid deps outside of Debian as well as I can.
For DKMS signing there is the `sign_tool=` option in `/etc/dkms/framework.conf`, which should run something like `/lib/modules/"$1"/build/scripts/sign-file sha512 /root/mok.priv /root/mok.der "$2"`, so DKMS modules can be automatically signed on install.
For kernel upgrades we can install a custom postinst hook, something like this. I also found sicherboot for inspiration; it doubles sbkeysync in some features, but shows how to sign an EFI kernel image.
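A `sign_tool` script of the kind described above, added here as an example (not code from this issue, from DKMS, or from the linked projects). DKMS invokes it as `sign_tool <kernel-version> <module-path>`; the MOK key/certificate paths are assumed, and the kernel version used below is a made-up sample.

```shell
#!/bin/sh
# Hypothetical DKMS sign_tool: signs a freshly built module with the MOK key
# and checks that the signature really landed before reporting success.
set -u

MOK_KEY="${MOK_KEY:-/root/mok.priv}"    # assumed path; keep it mode 0600
MOK_CERT="${MOK_CERT:-/root/mok.der}"   # assumed path; DER cert enrolled via mokutil
HASH_ALGO="${HASH_ALGO:-sha512}"
# Trailer that the kernel's sign-file appends after the signature block (28 bytes).
SIG_MARKER='~Module signature appended~'

# Path of the sign-file helper shipped with the headers of kernel $1.
sign_file_path() {
    printf '%s\n' "/lib/modules/$1/build/scripts/sign-file"
}

# Return 0 if the module already carries an appended signature.
is_signed() {
    tail -c 28 "$1" 2>/dev/null | grep -q "$SIG_MARKER"
}

# Sign one module; refuse to run with a missing helper, key, cert or module.
sign_module() {
    kver=$1; module=$2
    signfile=$(sign_file_path "$kver")
    [ -x "$signfile" ] || { echo "no sign-file for kernel $kver" >&2; return 1; }
    [ -r "$MOK_KEY" ] && [ -r "$MOK_CERT" ] || { echo "MOK key/cert missing" >&2; return 1; }
    [ -r "$module" ] || { echo "module not readable: $module" >&2; return 1; }
    if is_signed "$module"; then
        echo "already signed: $module" >&2
        return 0
    fi
    "$signfile" "$HASH_ALGO" "$MOK_KEY" "$MOK_CERT" "$module" || return 1
    # A module that ends up unsigned is rejected at load time under Secure Boot,
    # so fail loudly here rather than let dkms report a successful install.
    is_signed "$module" || { echo "signing failed: $module" >&2; return 1; }
}

# Only act when invoked by DKMS with <kernel-version> <module-path>.
if [ "$#" -eq 2 ]; then
    sign_module "$1" "$2"
fi
```

Point `sign_tool=` in `/etc/dkms/framework.conf` at this file to have every DKMS build go through it.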
> Bootstrapping should be covered with sbkeysync
Interesting find! Had no idea it exists... Which is probably unsurprising given it's available only in unstable.
Are you planning to wrap SB-related steps into some sort of automated or guided workflow? Ansible playbook, shell script, etc.
Yes, this requires sbsigntool from unstable; hope it gets backported soon. It doesn't depend on anything besides libc, libssl, and libuuid, so this could be installed on bullseye without breaking much even if it doesn't get backported.
Yes, I plan to manage SB with Ansible. There is a (not tested and unused for now) draft for moving to systemd-boot in `roles/boot_manager`, so this will be updated to support Secure Boot.
With deploying your own keys and signing everything with your own keys, including DKMS modules.