Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sbctl for openSUSE:Factory checked in at 2024-01-03 12:27:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sbctl (Old) and /work/SRC/openSUSE:Factory/.sbctl.new.28375 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sbctl" Wed Jan 3 12:27:17 2024 rev:2 rq:1135886 version:0.13 Changes: -------- --- /work/SRC/openSUSE:Factory/sbctl/sbctl.changes 2023-11-22 18:54:57.460344740 +0100 +++ /work/SRC/openSUSE:Factory/.sbctl.new.28375/sbctl.changes 2024-01-03 12:27:21.064656156 +0100 @@ -1,0 +2,26 @@ +Wed Dec 27 08:21:25 UTC 2023 - Joshua Smith <[email protected]> + +- Update to version 0.13: + * --export,-e and --database-path,-d now work properly and don't + overwrite the create-keys variables internally + * remove erronous dbx enrollment. Previous release implemented + support for dbx that doesn't really work as expected. It + would also fail to enroll keys for previously setup clients. + Implementation has been removed and will be iterated upon at a + later date. + * make: fix github artifact upload + * Change shebang + * Ensure file signing hook is run when initrd is rebuilt + * Fixed typo, removed mention enroll-keys enables Secure Boot + automatically + * Ignore Setup mode and immutable variables for export + * Specify file origin + always print signing message + * tests/utils/certs.go: drop keyUsage bitfield + * update manpage docs + * allow specifying keys and GUID paths + * Update README.md + * keys.go: drop the keyUsage bitfield + * Check and return Open errs + * Update documentation for custom dbx + +------------------------------------------------------------------- Old: ---- sbctl-0.12.tar.gz New: ---- sbctl-0.13.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sbctl.spec ++++++ --- /var/tmp/diff_new_pack.JnrHGn/_old 2024-01-03 12:27:22.056692383 +0100 +++ /var/tmp/diff_new_pack.JnrHGn/_new 2024-01-03 12:27:22.060692529 +0100 @@ -17,7 +17,7 @@ Name: sbctl -Version: 0.12 +Version: 0.13 Release: 0 Summary: Secure Boot key manager License: MIT ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.JnrHGn/_old 2024-01-03 12:27:22.096693843 +0100 +++ /var/tmp/diff_new_pack.JnrHGn/_new 2024-01-03 12:27:22.100693990 +0100 @@ -1,7 +1,7 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/Foxboron/sbctl.git</param> - <param name="changesrevision">748bc59d24a4d14087d8d92431606c5fb57afeb0</param> + <param name="changesrevision">ee7cf4a33c6fb3be8f192641420d8c4234f7ae31</param> </service> </servicedata> (No newline at EOF) ++++++ sbctl-0.12.tar.gz -> sbctl-0.13.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/Makefile new/sbctl-0.13/Makefile --- old/sbctl-0.12/Makefile 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/Makefile 2023-12-23 23:02:48.000000000 +0100 @@ -45,7 +45,7 @@ mkdir -p releases git archive --prefix=${PROGNM}-${TAG}/ -o releases/${PROGNM}-${TAG}.tar.gz ${TAG}; gpg --detach-sign -o releases/${PROGNM}-${TAG}.tar.gz.sig releases/${PROGNM}-${TAG}.tar.gz - hub release create -m "Release: ${TAG}" -a releases/${PROGNM}-${TAG}.tar.gz.sig -a releases/${PROGNM}-${TAG}.tar.gz ${TAG} + gh release upload ${TAG} releases/${PROGNM}-${TAG}.tar.gz.sig releases/${PROGNM}-${TAG}.tar.gz ${TAG} .PHONY: push-aur push-aur: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/README.md new/sbctl-0.13/README.md --- old/sbctl-0.12/README.md 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/README.md 2023-12-23 23:02:48.000000000 +0100 @@ -57,12 +57,17 @@ For Arch Linux: ``` -$ pacman -S sbctl +# pacman -S sbctl ``` For Alpine Linux: ``` -$ apk add sbctl +# apk add sbctl +``` + +For Gentoo Linux: +``` +# emerge --ask app-crypt/sbctl ``` You can find a updated list of [sbctl packages on diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/certs/builtin.go new/sbctl-0.13/certs/builtin.go --- old/sbctl-0.12/certs/builtin.go 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/certs/builtin.go 2023-12-23 23:02:48.000000000 +0100 @@ -13,7 +13,6 @@ var ( efiGlobalGuid = util.EFIGUID{0x8be4df61, 0x93ca, 0x11d2, [8]uint8{0xaa, 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c}} defaultSignatureDatabaseNames = map[string]string{ - "dbx": "dbxDefault", "db": "dbDefault", "KEK": "KEKDefault", "PK": "PKDefault", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/cmd/sbctl/create-keys.go new/sbctl-0.13/cmd/sbctl/create-keys.go --- old/sbctl-0.12/cmd/sbctl/create-keys.go 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/cmd/sbctl/create-keys.go 2023-12-23 23:02:48.000000000 +0100 @@ -8,21 +8,26 @@ "github.com/spf13/cobra" ) +var ( + exportPath string = sbctl.KeysPath + databasePath string = sbctl.DatabasePath +) + var createKeysCmd = &cobra.Command{ Use: "create-keys", Short: "Create a set of secure boot signing keys", RunE: func(cmd *cobra.Command, args []string) error { - if err := sbctl.CreateDirectory(sbctl.KeysPath); err != nil { + if err := sbctl.CreateDirectory(exportPath); err != nil { return err } - uuid, err := sbctl.CreateGUID(sbctl.DatabasePath) + uuid, err := sbctl.CreateGUID(databasePath) if err != nil { return err } logging.Print("Created Owner UUID %s\n", uuid) - if !sbctl.CheckIfKeysInitialized(sbctl.KeysPath) { + if !sbctl.CheckIfKeysInitialized(exportPath) { logging.Print("Creating secure boot keys...") - err := sbctl.InitializeSecureBootKeys(sbctl.KeysPath) + err := sbctl.InitializeSecureBootKeys(exportPath) if err != nil { logging.NotOk("") return fmt.Errorf("couldn't initialize secure boot: %w", err) @@ -36,7 +41,15 @@ }, } +func createKeysCmdFlags(cmd *cobra.Command) { + f := cmd.Flags() + f.StringVarP(&exportPath, "export", "e", sbctl.KeysPath, "export file path. defaults to "+sbctl.KeysPath) + f.StringVarP(&databasePath, "database-path", "d", sbctl.DatabasePath, "location to create GUID file. defaults to "+sbctl.DatabasePath) +} + func init() { + createKeysCmdFlags(createKeysCmd) + CliCommands = append(CliCommands, cliCommand{ Cmd: createKeysCmd, }) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/cmd/sbctl/enroll-keys.go new/sbctl-0.13/cmd/sbctl/enroll-keys.go --- old/sbctl-0.12/cmd/sbctl/enroll-keys.go 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/cmd/sbctl/enroll-keys.go 2023-12-23 23:02:48.000000000 +0100 @@ -51,7 +51,7 @@ var ( systemEventlog = "/sys/kernel/security/tpm0/binary_bios_measurements" enrollKeysCmdOptions = EnrollKeysCmdOptions{ - Partial: stringset.StringSet{Allowed: []string{"PK", "KEK", "db", "dbx"}}, + Partial: stringset.StringSet{Allowed: []string{"PK", "KEK", "db"}}, Export: stringset.StringSet{Allowed: []string{"esl", "auth"}}, } enrollKeysCmd = &cobra.Command{ @@ -90,19 +90,12 @@ return err } - dbxPem, err := fs.ReadFile(filepath.Join(keydir, "dbx", "dbx.pem")) - if err != nil { - return err - } - // Create the signature databases - var sigdb, sigdbx, sigkek, sigpk *signature.SignatureDatabase + var sigdb, sigkek, sigpk *signature.SignatureDatabase if !enrollKeysCmdOptions.Append { sigdb = signature.NewSignatureDatabase() - sigdbx = signature.NewSignatureDatabase() - sigkek = signature.NewSignatureDatabase() sigpk = signature.NewSignatureDatabase() @@ -113,11 +106,6 @@ return err } - sigdbx, err = efi.Getdbx() - if err != nil { - return err - } - sigkek, err = efi.GetKEK() if err != nil { return err @@ -133,10 +121,6 @@ return err } - if err = sigdbx.Append(signature.CERT_X509_GUID, guid, dbxPem); err != nil { - return err - } - if err = sigkek.Append(signature.CERT_X509_GUID, guid, KEKPem); err != nil { return err } @@ -168,13 +152,6 @@ } sigdb.AppendDatabase(oemSigDb) - // dbx - oemSigDbx, err := certs.GetOEMCerts(oem, "dbx") - if err != nil { - return fmt.Errorf("could not enroll db keys: %w", err) - } - sigdbx.AppendDatabase(oemSigDbx) - // KEK oemSigKEK, err := certs.GetOEMCerts(oem, "KEK") if err != nil { @@ -193,13 +170,6 @@ } sigdb.AppendDatabase(customSigDb) - // dbx - customSigDbx, err := certs.GetCustomCerts(keydir, "dbx") - if err != nil { - return fmt.Errorf("could not enroll custom dbx keys: %w", err) - } - sigdbx.AppendDatabase(customSigDbx) - // KEK customSigKEK, err := certs.GetCustomCerts(keydir, "KEK") if err != nil { @@ -217,8 +187,6 @@ switch cert { case "db": sigdb.AppendDatabase(builtinSigDb) - case "dbx": - sigdbx.AppendDatabase(builtinSigDb) case "KEK": sigkek.AppendDatabase(builtinSigDb) case "PK": @@ -236,11 +204,6 @@ return err } - sigdbx, err := sbctl.SignDatabase(sigdbx, KEKKey, KEKPem, "dbx") - if err != nil { - return err - } - sigkek, err := sbctl.SignDatabase(sigkek, PKKey, PKPem, "KEK") if err != nil { return err @@ -252,9 +215,6 @@ if err := fs.WriteFile("db.auth", sigdb, 0o644); err != nil { return err } - if err := fs.WriteFile("dbx.auth", sigdbx, 0o644); err != nil { - return err - } if err := fs.WriteFile("KEK.auth", sigkek, 0o644); err != nil { return err } @@ -266,9 +226,6 @@ if err := fs.WriteFile("db.esl", sigdb.Bytes(), 0o644); err != nil { return err } - if err := fs.WriteFile("dbx.esl", sigdbx.Bytes(), 0o644); err != nil { - return err - } if err := fs.WriteFile("KEK.esl", sigkek.Bytes(), 0o644); err != nil { return err } @@ -285,10 +242,6 @@ if err := sbctl.Enroll(sigdb, KEKKey, KEKPem, value); err != nil { return err } - case "dbx": - if err := sbctl.Enroll(sigdbx, KEKKey, KEKPem, value); err != nil { - return err - } case "KEK": if err := sbctl.Enroll(sigkek, PKKey, PKPem, value); err != nil { return err @@ -307,9 +260,6 @@ if err := sbctl.Enroll(sigdb, KEKKey, KEKPem, "db"); err != nil { return err } - if err := sbctl.Enroll(sigdbx, KEKKey, KEKPem, "dbx"); err != nil { - return err - } if err := sbctl.Enroll(sigkek, PKKey, PKPem, "KEK"); err != nil { return err } @@ -322,7 +272,7 @@ func RunEnrollKeys(cmd *cobra.Command, args []string) error { // SetupMode is not necessarily required on a partial enrollment - if !efi.GetSetupMode() && enrollKeysCmdOptions.Partial.Value == "" { + if !efi.GetSetupMode() && enrollKeysCmdOptions.Partial.Value == "" && enrollKeysCmdOptions.Export.Value == "" { return ErrSetupModeDisabled } @@ -359,7 +309,7 @@ if len(enrollKeysCmdOptions.BuiltinFirmwareCerts) >= 1 { oems = append(oems, "firmware-builtin") } - if !enrollKeysCmdOptions.IgnoreImmutable { + if !enrollKeysCmdOptions.IgnoreImmutable && enrollKeysCmdOptions.Export.Value == "" { if err := sbctl.CheckImmutable(); err != nil { return err } @@ -401,8 +351,6 @@ switch hierarchy { case "db": fallthrough - case "dbx": - fallthrough case "KEK": fallthrough case "PK": diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/cmd/sbctl/import-keys.go new/sbctl-0.13/cmd/sbctl/import-keys.go --- old/sbctl-0.12/cmd/sbctl/import-keys.go 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/cmd/sbctl/import-keys.go 2023-12-23 23:02:48.000000000 +0100 @@ -18,8 +18,6 @@ Force bool DbCert string DbKey string - DbxCert string - DbxKey string KEKCert string KEKKey string PKCert string @@ -58,8 +56,6 @@ "KEK/KEK.pem", "db/db.key", "db/db.pem", - "dbx/dbx.key", - "dbx/dbx.pem", } dir, err := filepath.Abs(dir) if err != nil { @@ -90,7 +86,6 @@ Cert string }{ {"db", importKeysCmdOptions.DbKey, importKeysCmdOptions.DbCert}, - {"dbx", importKeysCmdOptions.DbxKey, importKeysCmdOptions.DbxCert}, {"KEK", importKeysCmdOptions.KEKKey, importKeysCmdOptions.KEKCert}, {"PK", importKeysCmdOptions.PKKey, importKeysCmdOptions.PKCert}, } @@ -142,8 +137,6 @@ f := cmd.Flags() f.StringVarP(&importKeysCmdOptions.DbCert, "db-cert", "", "", "Database (db) certificate") f.StringVarP(&importKeysCmdOptions.DbKey, "db-key", "", "", "Database (db) key") - f.StringVarP(&importKeysCmdOptions.DbxCert, "dbx-cert", "", "", "Forbidden Database (dbx) certificate") - f.StringVarP(&importKeysCmdOptions.DbxKey, "dbx-key", "", "", "Forbidden Database (dbx) key") f.StringVarP(&importKeysCmdOptions.KEKCert, "kek-cert", "", "", "Key Exchange Key (KEK) certificate") f.StringVarP(&importKeysCmdOptions.KEKKey, "kek-key", "", "", "Key Exchange Key (KEK) key") f.StringVarP(&importKeysCmdOptions.PKCert, "pk-cert", "", "", "Platform Key (PK) certificate") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/cmd/sbctl/reset.go new/sbctl-0.13/cmd/sbctl/reset.go --- old/sbctl-0.12/cmd/sbctl/reset.go 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/cmd/sbctl/reset.go 2023-12-23 23:02:48.000000000 +0100 @@ -24,7 +24,7 @@ var ( resetCmdOpts = resetCmdOptions{ - Partial: stringset.StringSet{Allowed: []string{"PK", "KEK", "db", "dbx"}}, + Partial: stringset.StringSet{Allowed: []string{"PK", "KEK", "db"}}, } resetCmd = &cobra.Command{ Use: "reset", @@ -53,10 +53,6 @@ if err := resetDB(paths...); err != nil { return err } - case "dbx": - if err := resetDBX(paths...); err != nil { - return err - } case "KEK": if err := resetKEK(paths...); err != nil { return err @@ -85,19 +81,6 @@ return nil } -func resetDBX(certPaths ...string) error { - KEKKey := filepath.Join(sbctl.KeysPath, "KEK", "KEK.key") - KEKPem := filepath.Join(sbctl.KeysPath, "KEK", "KEK.pem") - - if err := resetDatabase(KEKKey, KEKPem, "dbx", certPaths...); err != nil { - return err - } - - logging.Ok("Removed Fobidden Signature Database!") - logging.Println("Use `sbctl enroll-keys` to enroll the Forbidden Signature Database again.") - return nil -} - func resetKEK(certPaths ...string) error { PKKey := filepath.Join(sbctl.KeysPath, "PK", "PK.key") PKPem := filepath.Join(sbctl.KeysPath, "PK", "PK.pem") @@ -146,8 +129,6 @@ switch efivar { case "db": db, err = efi.Getdb() - case "dbx": - db, err = efi.Getdbx() case "KEK": db, err = efi.GetKEK() case "PK": diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/cmd/sbctl/rotate-keys.go new/sbctl-0.13/cmd/sbctl/rotate-keys.go --- old/sbctl-0.12/cmd/sbctl/rotate-keys.go 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/cmd/sbctl/rotate-keys.go 2023-12-23 23:02:48.000000000 +0100 @@ -26,7 +26,7 @@ var ( rotateKeysCmdOptions = RotateKeysCmdOptions{ - Partial: stringset.StringSet{Allowed: []string{hierarchy.PK.String(), hierarchy.KEK.String(), hierarchy.Db.String(), hierarchy.Dbx.String()}}, + Partial: stringset.StringSet{Allowed: []string{hierarchy.PK.String(), hierarchy.KEK.String(), hierarchy.Db.String()}}, } rotateKeysCmd = &cobra.Command{ Use: "rotate-keys", @@ -44,7 +44,6 @@ PK *KeyCertPair KEK *KeyCertPair Db *KeyCertPair - Dbx *KeyCertPair } func ReadKeysFromDir(src string) (*Keys, error) { @@ -66,10 +65,6 @@ return &k, err } - k.Dbx, err = ReadPair(src, hierarchy.Dbx) - if err != nil { - return &k, err - } return &k, err } @@ -105,8 +100,6 @@ sl, err = efi.GetKEK() case hierarchy.Db: sl, err = efi.Getdb() - case hierarchy.Dbx: - sl, err = efi.Getdbx() } if err != nil { @@ -208,10 +201,6 @@ return fmt.Errorf("could not rotate db: %v", err) } - if err := rotateCerts(hierarchy.Dbx, oldKeys.Dbx.Cert, newKeys.Dbx.Cert, newKeys.KEK); err != nil { - return fmt.Errorf("could not rotate db: %v", err) - } - logging.Ok("Enrolled new keys into UEFI!") if err := SignAll(); err != nil { @@ -267,13 +256,6 @@ importKeyDst = sbctl.DBKey importCertDst = sbctl.DBCert - case hierarchy.Dbx.String(): - if err := rotateCerts(hierarchy.Dbx, oldKeys.Dbx.Cert, newCert, oldKeys.KEK); err != nil { - return fmt.Errorf("could not rotate dbx: %v", err) - } - - importKeyDst = sbctl.DBXKey - importCertDst = sbctl.DBXCert } logging.Ok("Enrolled new key of hierarchy %s into UEFI!", hiera) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/contrib/kernel-install/91-sbctl.install new/sbctl-0.13/contrib/kernel-install/91-sbctl.install --- old/sbctl-0.12/contrib/kernel-install/91-sbctl.install 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/contrib/kernel-install/91-sbctl.install 2023-12-23 23:02:48.000000000 +0100 @@ -1,8 +1,10 @@ #!/bin/sh +# This file is part of sbctl. COMMAND="$1" KERNEL_VERSION="$2" ENTRY_DIR_ABS="$3" +# shellcheck disable=SC2034 # Unused variables left for readability KERNEL_IMAGE="$4" IMAGE_FILE="$ENTRY_DIR_ABS/linux" @@ -25,13 +27,12 @@ case "$COMMAND" in add) - [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && - printf 'Signing kernel %s\n' "$IMAGE_FILE" + printf 'sbctl: Signing kernel %s\n' "$IMAGE_FILE" sbctl sign -s "$IMAGE_FILE" 1>/dev/null ;; remove) [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && - printf 'Removing kernel %s from signing database\n' "$IMAGE_FILE" + printf 'sbctl: Removing kernel %s from signing database\n' "$IMAGE_FILE" sbctl remove-file "$IMAGE_FILE" 1>/dev/null ;; esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/contrib/mkinitcpio/sbctl new/sbctl-0.13/contrib/mkinitcpio/sbctl --- old/sbctl-0.12/contrib/mkinitcpio/sbctl 1970-01-01 01:00:00.000000000 +0100 +++ new/sbctl-0.13/contrib/mkinitcpio/sbctl 2023-12-23 23:02:48.000000000 +0100 @@ -0,0 +1,3 @@ +#!/usr/bin/bash +echo "Signing EFI binaries..." +/usr/bin/sbctl sign-all -g diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/contrib/pacman/ZZ-sbctl.hook new/sbctl-0.13/contrib/pacman/ZZ-sbctl.hook --- old/sbctl-0.12/contrib/pacman/ZZ-sbctl.hook 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/contrib/pacman/ZZ-sbctl.hook 2023-12-23 23:02:48.000000000 +0100 @@ -7,7 +7,6 @@ Target = efi/* Target = usr/lib/modules/*/vmlinuz Target = usr/lib/modules/*/extramodules/* -Target = usr/lib/initcpio/* Target = usr/lib/**/efi/*.efi* [Action] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/docs/sbctl.8.txt new/sbctl-0.13/docs/sbctl.8.txt --- old/sbctl-0.12/docs/sbctl.8.txt 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/docs/sbctl.8.txt 2023-12-23 23:02:48.000000000 +0100 @@ -29,12 +29,21 @@ Creates a set of signing keys used to sign EFI binaries. Currently, it will create the following keys: * Platform Key - * Key Exchange key + * Key Exchange Key * Signature Database Key + *-e*, *--export*;; + The directory to persist the exported keys. + + Default: "/usr/share/secureboot/keys/" + + *-d*, *--database-path*;; + Path to save the GUID file when generating keys. + + Default: "/usr/share/secureboot/" + **enroll-keys**:: - Enrolls the creates key into the EFI variables. This puts the computer - out of SetupMode and enables Secure Boot. + Enrolls the created key into the EFI variables. Note that some devices have hardware firmware that is signed and validated when Secure Boot is enabled. Failing to validate this firmware @@ -54,8 +63,9 @@ This feature is experimental *-c*, *--custom*;; - Enroll custom KEK and db certificates from "/usr/share/secureboot/keys/custom/KEK/" - and "/usr/share/secureboot/keys/custom/db/", respectively. + Enroll custom KEK and db certificates from "/usr/share/secureboot/keys/custom/KEK/", + "/usr/share/secureboot/keys/custom/db/", + respectively. *-f*, *--firmware-builtin*;; Enroll signatures from dbDefault, KEKDefault or PKDefault. This @@ -88,7 +98,7 @@ *-p*, *--partial*;; Enroll keys only for the hierarchy specified. - Valid values are: db, dbx, KEK, PK. + Valid values are: db, KEK, PK. *--custom-bytes*;; Enroll a custom bytefile provided by its path to the efivar specified by partial. @@ -157,7 +167,7 @@ *-p*, *--partial*;; Reset keys only for the hierarchy specified. - Valid values are: db, dbx, KEK, PK. + Valid values are: db, KEK, PK. **rotate-keys**:: Rotate the secure boot keys and replace them with newly generated keys. @@ -170,7 +180,7 @@ *-p*, *--partial*;; Rotate keys only for the hierarchy specified. - Valid values are: db, dbx, KEK, PK. + Valid values are: db, KEK, PK. *-k*, *--key-file*;; Key file to be appended for the specified hierarchy. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/keys.go new/sbctl-0.13/keys.go --- old/sbctl-0.12/keys.go 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/keys.go 2023-12-23 23:02:48.000000000 +0100 @@ -35,8 +35,6 @@ KEKCert = filepath.Join(KeysPath, "KEK", "KEK.pem") DBKey = filepath.Join(KeysPath, "db", "db.key") DBCert = filepath.Join(KeysPath, "db", "db.pem") - DBXKey = filepath.Join(KeysPath, "dbx", "dbx.key") - DBXCert = filepath.Join(KeysPath, "dbx", "dbx.pem") DBPath = filepath.Join(DatabasePath, "files.db") GUIDPath = filepath.Join(DatabasePath, "GUID") @@ -59,7 +57,6 @@ SignatureAlgorithm: x509.SHA256WithRSA, NotBefore: time.Now(), NotAfter: time.Now().AddDate(5, 0, 0), - KeyUsage: x509.KeyUsageDigitalSignature, Subject: pkix.Name{ Country: []string{name}, CommonName: name, @@ -242,10 +239,10 @@ Key: "db", Description: "Database Key", }, - { - Key: "dbx", - Description: "Forbidden Database Key", - }, + // { + // Key: "dbx", + // Description: "Forbidden Database Key", + // }, } // Check if we have already intialized keys in the given output directory diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/sbctl.go new/sbctl-0.13/sbctl.go --- old/sbctl-0.12/sbctl.go 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/sbctl.go 2023-12-23 23:02:48.000000000 +0100 @@ -171,10 +171,16 @@ return nil, err } - one, _ := fs.Fs.Open(microcode) + one, err := fs.Fs.Open(microcode) + if err != nil { + return nil, err + } defer one.Close() - two, _ := fs.Fs.Open(initramfs) + two, err := fs.Fs.Open(initramfs) + if err != nil { + return nil, err + } defer two.Close() _, err = io.Copy(tmpFile, one) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/tests/utils/certs.go new/sbctl-0.13/tests/utils/certs.go --- old/sbctl-0.12/tests/utils/certs.go 2023-10-20 20:54:47.000000000 +0200 +++ new/sbctl-0.13/tests/utils/certs.go 2023-12-23 23:02:48.000000000 +0100 @@ -24,7 +24,6 @@ SignatureAlgorithm: x509.SHA256WithRSA, NotBefore: time.Now(), NotAfter: time.Now().AddDate(5, 0, 0), - KeyUsage: x509.KeyUsageDigitalSignature, Subject: pkix.Name{ Country: []string{"Test Suite Key"}, CommonName: "Test Suite", ++++++ vendor.tar.gz ++++++
