For example one that will allow you to enter sb setup mode, clear EFI keys, but not offer a way to enroll new ones from the firmware setup UI. While simultaneously making the EFI KeyTool fail enrollment with a cryptic error message. :)
The Arch wiki also adds some additional warnings that you may want to check into. For instance, my Thinkpad with an Nvidia GPU will be bricked if I use the normal API to load secure boot keys, because on boot certain firmware is executed before the setup utility, which means that if that firmware fails verification, the entire laptop becomes unbootable. The workaround (load keys through the UEFI setup utility instead of any other tools) doesn't let me get rid of the manufacturer keys and take full control, unfortunately. I'll keep Lenovo's choices here in mind next time I buy a laptop.
Thanks to updates to sbctl, you can create keys with `sbctl create-keys` rather than typing out complex openssl commands. sbctl's `enroll-keys` should also make the key enrollment procedure easier.
Your distro probably also comes with an optional package manager hook so you don't need to repeat the sign commands every time your bootloader updates.
I mean, reading Rod Smiths post is what originally made me write secure boot tooling many years ago. I didn't understand why it had to be soooo complicated.
If you read the original `efi-roller` project I started out with you'll see it's largely just a wrapper around the stuff in Rod Smiths book, that was later refined by actually implementing a proper library in Go and tooling on top.
I just don't want people to think that now, a decade later, you still need to mess with shell scripts calling openssl commands to get secure boot to work.
My laptop is out of warranty and I'm not interested in starting a legal battle should the firmware bug persist and soft brick the motherboard, so I'm not going to try it.
Anyone here made it work? If UEFI can do it, what is the bootloader for?
You can use `efibootmgr` to insert the `vmlinuz` binary as a boot entry. But honestly, you are better off using a proper bootloader as it makes things a lot simpler for you to manage.
The UEFI bootloader menu is mediocre if you are lucky, terrible in most cases.
But on a typical boot it works just fine either way.
Bootloaders and boot managers take away a lot of the management, which is welcome with many UEFI screens. You have some, like HP's, that will let you browse to an EFI file and/or manually manage custom entries, basically removing the need for a bootloader in most cases, and then there are the ones like my MSI board that will corrupt their own configuration if you call efibootmgr too many times and that hide any custom boot defintions from the management UI so you have to use the Linux command line to set the preference right.
Whether you need one is up to you to decide. Most distros default to using a bootloader because that's what users expect, but there's no strict requirement for using bootloaders if you don't want Grub or rEFInd or systemd-boot on your system. However, if you want to do things like "edit the kernel parameters once every now and then", a bootloader is probably the way to go for most people.
When you're building an embedded Linux application that will only boot kernels signed by your company, I don't see the need for a bootloader, though.
sylware•6mo ago
...