chenxiaolong/secure-boot
Project ID: 55247
Description
[2023-11-12 Update]: This repo is deprecated because I have switched to using systemd-ukify for generating UKIs. Because sbctl is very useful on its own, I will continue to package it in a separate repo. Folks who currently use this repo should expect things to continue to work, though no further updates will be provided and repos for Fedora 40+ will not be created.
This repo contains two packages:
sbctl
- A command line application for creating and enrolling UEFI secure boot keys and signing UEFI executables.
dracut-config-efistub
- A kernel install hook and dracut configuration for creating UKIs (unified kernel images).
Installation Instructions
sbctl
Follow the upstream instructions for information on how to create and enroll UEFI secure boot keys.
When a file signing configuration is saved to sbctl's database with -s, e.g.:
sbctl sign -s /usr/lib/systemd/boot/efi/systemd-bootx64.efi
then the file will be re-signed when the EFI executable is updated due to a package update. This is done via an RPM file trigger, which runs when an .efi file in /boot, /efi, /usr/lib, or /usr/libexec is updated.
dracut-config-efistub
Once installed, dracut will create/remove UKI images in <ESP>/EFI/Linux/ when a kernel package is installed/updated/removed. This is done by adding a new kernel install hook that executes dracut --uefi (as opposed to the plain old dracut command used for generating initramfs images). This package does not replace the default dracut behavior. This means both initramfs and UKI images will be generated when the kernel is updated.
Note: It is necessary to manually create /etc/kernel/cmdline with the desired kernel command line (e.g. with the contents of /proc/cmdline on the running system) or else the UKIs will not be bootable. After that file is updated, run:
sudo dracut -vf --uefi --regenerate-all
to regenerate the UKIs. If sbctl is also installed, run:
sudo sbctl sign-all
to sign the newly generated UKIs.
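The steps in the note above as one script, added here as an example (it is not part of the original project): it seeds /etc/kernel/cmdline from /proc/cmdline, dropping the BOOT_IMAGE= and initrd= parameters that a boot loader adds for the current boot entry, then runs the page's dracut and sbctl commands. The function names, the --apply switch and the closing sbctl verify check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): seed /etc/kernel/cmdline from the
# running system, then regenerate and sign the UKIs with the page's commands.

# Print the command line in $1 without the parameters a boot loader injects for
# the current boot entry (GRUB's BOOT_IMAGE=, systemd-boot's initrd=).
filter_cmdline() (
    set -f                      # no glob expansion while word-splitting $1
    out=""
    for arg in $1; do
        case "$arg" in
            BOOT_IMAGE=*|initrd=*) continue ;;
        esac
        out="${out:+$out }$arg"
    done
    printf '%s\n' "$out"
)

# Write the filtered contents of file $1 to file $2. Refuses to overwrite an
# existing $2 and refuses to write an empty command line.
write_cmdline() {
    src=$1 dst=$2
    if [ -e "$dst" ]; then
        echo "$dst already exists, leaving it alone" >&2
        return 1
    fi
    line=$(filter_cmdline "$(cat "$src")")
    if [ -z "$line" ]; then
        echo "no usable parameters in $src" >&2
        return 1
    fi
    printf '%s\n' "$line" > "$dst"
}

# Run as root with --apply to perform the steps on the live system.
if [ "${1:-}" = "--apply" ]; then
    write_cmdline /proc/cmdline /etc/kernel/cmdline || exit 1
    dracut -vf --uefi --regenerate-all
    if command -v sbctl >/dev/null 2>&1; then
        sbctl sign-all
        sbctl verify            # lists files on the ESP and whether each is signed
    fi
fi
```

Without --apply the script only defines the functions, so the generated command line can be reviewed before anything is written.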
Active Releases
The following unofficial repositories are provided as-is by the owner of this project. Contact the owner directly for bugs or issues (i.e. not Bugzilla).
Release | Architectures | Repo Download |
---|---|---|
Fedora 39 | x86_64 (114)* | Fedora 39 (0 downloads) |
* Total number of downloaded packages.