
Release: 0.12

@Foxboron Foxboron released this 20 Oct 19:11
0.12
748bc59

Deprecation notice

sbctl bundle might be deprecated in the future. This functionality is better served by ukify from systemd or the UKI support in mkinitcpio or dracut. I don't have any intention of improving this feature going forward.

If your local initramfs generation tool does not support UKI generation you should write them some patches.

Custom certificates

sbctl now allows you to enroll custom certificates into KEK and db. This can be done by placing certificates into /usr/share/secureboot/keys/custom/KEK/ and /usr/share/secureboot/keys/custom/db/ and then running sbctl enroll-keys -c.

Key export

sbctl now allows keys to be exported as EFI Signature Lists (esl) or EFI Authenticated Variables (auth), which are pre-signed.
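As an added example (not sbctl's own code), a small Python parser for the EFI Signature List format that the esl export produces, so an exported file can be checked for the expected signature type, owner GUID and certificate payload before it is enrolled. EFI_CERT_X509_GUID is the UEFI signature-type GUID for X.509 certificates; the sample owner GUID and certificate bytes are constructed placeholders, not real key material.

```python
import struct
import uuid

# Signature-type GUID for X.509 certificates, defined in the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

HEADER_LEN = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def parse_esl(data: bytes) -> list:
    """Walk concatenated EFI_SIGNATURE_LISTs and return one dict per signature entry."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])  # EFI_GUID is stored little-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        body, end = off + HEADER_LEN + hdr_size, off + list_size
        # Every entry is SignatureOwner(16) + SignatureData, so the body must divide evenly.
        if sig_size < 16 or (end - body) % sig_size != 0:
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        while body < end:
            entries.append({
                "type": sig_type,
                "owner": uuid.UUID(bytes_le=data[body:body + 16]),
                "data": data[body + 16:body + sig_size],
            })
            body += sig_size
        off = end
    return entries


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, blobs: list) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; all entries in a list share one SignatureSize."""
    if not blobs or any(len(b) != len(blobs[0]) for b in blobs):
        raise ValueError("a list needs at least one entry and all entries must be equal size")
    body = b"".join(owner.bytes_le + b for b in blobs)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, 16 + len(blobs[0])) + body


# Constructed sample: placeholder owner GUID and a fake certificate blob, not real key material.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT = b"\x30\x82\x00\x10" + b"\xaa" * 16
SAMPLE_ESL = build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT])

if __name__ == "__main__":
    for e in parse_esl(SAMPLE_ESL):
        print("type=%s owner=%s data=%d bytes" % (e["type"], e["owner"], len(e["data"])))
```

To inspect a real export, read the .esl file into bytes and pass it to parse_esl; each entry's data field is the DER certificate.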

Enrolling default certificates

sbctl can now enroll certificates found in dbxDefault, dbDefault, KEKDefault and PKDefault. These variables contain the machine's default configuration and may hold certificates that would be missing if only the Microsoft certificates were enrolled.

Usage:

# Defaults to "db,KEK"
sbctl enroll-keys --firmware-builtin

# Enroll everything from the vendor
sbctl enroll-keys --firmware-builtin "dbx,db,KEK,PK"

Support for partial key hierarchies

Before this release sbctl would enroll, reset and rotate the entire key hierarchy when requested. This release adds support for partial key hierarchies, available through the --partial flag of the respective commands.

Generated list of changes:

Full Changelog: 0.11...0.12