chenxiaolong/secure-boot

Project ID: 55247

Description

[2023-11-12 Update]: This repo is deprecated because I have switched to using systemd-ukify for generating UKIs. Because sbctl is very useful on its own, I will continue to package it in a separate repo. Folks who currently use this repo should expect things to continue to work, though no further updates will be provided and repos for Fedora 40+ will not be created.

This repo contains two packages:

  • sbctl - A command line application for creating and enrolling UEFI secure boot keys and signing UEFI executables.
  • dracut-config-efistub - A kernel install hook and dracut configuration for creating a UKI (unified kernel image) images.

Installation Instructions

sbctl

Follow the upstream instructions for information on how to create and enroll UEFI secure boot keys.

When a file signing configuration is saved to sbctl's database with -s, eg.:

sbctl sign -s /usr/lib/systemd/boot/efi/systemd-bootx64.efi

then the file will be resigned when the EFI executable is updated due to a package update. This is done via an RPM file trigger, which runs when an .efi file in /boot, /efi, /usr/lib, or /usr/libexec is updated.

dracut-config-efistub

Once installed, dracut will create/remove UKI images in <ESP>/EFI/Linux/ when a kernel package is installed/updated/removed. This is done by adding a new kernel install hook that executes dracut --uefi (as opposed to the plain old dracut command used for generating initramfs images). This package does not replace the default dracut behavior. This means both initramfs and UKI images will be generated when the kernel is updated.

Note: It is necessary to manually create /etc/kernel/cmdline with the desired kernel command line (eg. with the contents of /proc/cmdline on the running system) or else the UKIs will not be bootable. After that file is updated, run:

sudo dracut -vf --uefi --regenerate-all

to regenerate the UKIs. If sbctl is also installed, run:

sudo sbctl sign-all

to sign the newly generated UKIs.

Active Releases

The following unofficial repositories are provided as-is by owner of this project. Contact the owner directly for bugs or issues (IE: not bugzilla).

Release Architectures Repo Download
Fedora 39 x86_64 (112)* Fedora 39 (82 downloads)

* Total number of downloaded packages.