What does HackerNews think of sbupdate?

Generate and sign kernel images for UEFI Secure Boot on Arch Linux

Language: Shell

I use sbupdate [0] to build the unified kernel image and to sign it with my keys. It's run by a hook in Arch's package manager whenever the kernel, the initrd or the firmware images change. I saw the other day that systemd recently got a utility to do this, but I've never looked into that. sbupdate has been working fine for me for several years now.

It doesn't store a new key in the UEFI; it signs the new image with the key that the UEFI already knows about.

See [1] for the whole setup and [2] for the signing part specifically.

[0] https://github.com/andreyv/sbupdate

[1] https://wiki.archlinux.org/title/Unified_Extensible_Firmware...

[2] https://wiki.archlinux.org/title/Unified_Extensible_Firmware...
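As an added illustration of the "signs the new image" step described in the comment above (this is not code from the page or from sbupdate itself): a Python check that parses the Certificate Table directory of a PE/EFI image to tell whether an Authenticode signature is attached at all, with a constructed minimal PE32+ stub as sample input. It only reports presence and bounds; validating the signature against the key enrolled in the firmware's db is a separate step.

```python
import struct

def build_sample_pe(cert_table_size: int) -> bytes:
    """Constructed, non-bootable PE32+ stub (x86-64) whose only purpose is to
    carry a Certificate Table entry of the given size (0 = unsigned image)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt = bytearray(240)                     # PE32+ optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)    # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    cert_off = 0x400 if cert_table_size else 0
    # Directory index 4 = Certificate Table; its "VirtualAddress" is a file offset.
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, cert_table_size)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    img = dos + b"PE\0\0" + coff + bytes(opt)
    # Pad so a non-zero certificate table actually lies inside the file.
    return img.ljust(0x400, b"\x00") + b"\x00" * cert_table_size

def authenticode_cert_table(data: bytes):
    """Return (file_offset, size) of the Certificate Table, or None if the image
    carries no signature entry. Raises ValueError on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:        # PE32+: NumberOfRvaAndSizes at 108, directories at 112
        n_dirs_off, dirs_off = 108, 112
    elif magic == 0x10B:      # PE32: NumberOfRvaAndSizes at 92, directories at 96
        n_dirs_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = struct.unpack_from("<I", data, opt + n_dirs_off)
    if n_dirs <= 4 or dirs_off + 5 * 8 > size_opt:
        return None                                  # no Certificate Table entry present
    off, size = struct.unpack_from("<II", data, opt + dirs_off + 4 * 8)
    if size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table points outside the file")
    return off, size

def is_signed(data: bytes) -> bool:
    """True when the image has a non-empty, in-bounds Certificate Table."""
    return authenticode_cert_table(data) is not None
```

Pointing `authenticode_cert_table` at a real `.efi` read from the ESP is the post-hook sanity check: an unsigned image returns None and will be refused by Secure Boot, regardless of which keys are enrolled.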

If it's signed with Secure Boot keys, it's no different from loading a signed GRUB image. GRUB would also need to be unencrypted to work.

As for signing kernel: https://github.com/andreyv/sbupdate

For modern setups that support UEFI, GRUB is unnecessary as you can boot Linux kernel directly as EFI executable.

If one cares about Secure Boot then this package automates everything: https://github.com/andreyv/sbupdate (it's set up only once and works later without supervision).

No problem.

If I may suggest something: if you have TPM version 2, use SHA-256 everywhere. And you can expand the PCR list to cover more stuff. I'm using PCRs 0 to 8 (or 9? Can't check now) so any hardware configuration change is apparent during boot.

Another useful package is sbupdate [0] that not only signs the kernel for Secure Boot but additionally makes it possible to boot the kernel directly from the UEFI firmware, bypassing the need for a bootloader (be it GRUB or systemd-boot). Once set up it just works!

[0]: https://github.com/andreyv/sbupdate

That's basically what sbupdate [0] for Arch does; it allows you to set your own bitmap for the boot logo (after the vendor logo, of course).

Another benefit of sbupdate (besides Secure Boot) is that it allows running the Linux kernel directly as a UEFI executable, no GRUB or systemd-boot needed!

[0]: https://github.com/andreyv/sbupdate