How to Manage Secure Boot with sbctl (with examples)
- Linux
- December 17, 2024
sbctl is a command-line tool designed to simplify the management of Secure Boot keys. Secure Boot is a UEFI firmware feature: the firmware refuses to execute any boot-stage binary (boot loader, EFI-stub kernel, option ROM) unless it carries a signature that chains to a certificate in the firmware's signature database (db) and is not listed in the forbidden database (dbx). This stops an unauthorized operating system or bootkit from being loaded before the OS has any chance to defend itself. sbctl provides a user-friendly interface to create, enroll, and manage Secure Boot keys on Linux systems; it has to run as root, since it reads and writes UEFI variables and files on the EFI system partition.
Use case 1: Show the current secure boot status
Code:
sbctl status
Motivation: Understanding whether secure boot is enabled and functioning correctly is critical for system security. Checking the current status allows users to confirm that their system is protected by secure boot and to identify any issues that might arise from incorrect configurations.
Explanation:
The sbctl status command doesn't require any additional arguments. It reads the UEFI variables the firmware exposes and reports whether Secure Boot is enabled, whether the firmware is in Setup Mode (no Platform Key enrolled yet, so key variables can be written), and whether sbctl's own keys and any vendor keys are present. Check it before enroll-keys, since enrollment only works in Setup Mode, and again afterwards to confirm the firmware actually left Setup Mode.
Example output:
Secure Boot: Enabled
Setup Mode: Disabled
Platform Key: Present
Signature databases:
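As an added example (not part of this article or of sbctl), the following POSIX shell script reads the same firmware state directly from efivarfs, which is what sbctl status summarises and what a provisioning script wants when it must not continue to enroll-keys unless the firmware really is in Setup Mode. The variable names and the GUID are the UEFI specification's EFI_GLOBAL_VARIABLE ones and the mount point /sys/firmware/efi/efivars is the standard Linux location; the function names and the live argument are this example's own.

```shell
#!/bin/sh
# Added example, not sbctl code: read the raw UEFI variables behind
# `sbctl status`. Every efivarfs file is 4 bytes of attribute flags followed
# by the variable data; SecureBoot and SetupMode are a single UINT8 each.
set -eu

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
EFIVARS=/sys/firmware/efi/efivars

# efi_flag FILE: print the first data byte (0 or 1) of a boolean efivar,
# skipping the 4-byte attribute header. Prints "absent" if FILE is missing,
# which is what a BIOS/CSM boot or an unmounted efivarfs looks like.
efi_flag() {
    file=$1
    if [ ! -r "$file" ]; then
        printf 'absent\n'
        return 0
    fi
    od -An -tu1 -j4 -N1 "$file" | tr -d ' \n'
    printf '\n'
}

# secure_boot_state [DIR]: classify the firmware from SecureBoot/SetupMode.
# Prints one of: enforcing, setup-mode, disabled, not-uefi, unknown.
# DIR defaults to the live efivarfs; tests point it at a constructed directory.
secure_boot_state() {
    dir=${1:-$EFIVARS}
    sb=$(efi_flag "$dir/SecureBoot-$EFI_GLOBAL_GUID")
    sm=$(efi_flag "$dir/SetupMode-$EFI_GLOBAL_GUID")
    case "$sb:$sm" in
        absent:*) printf 'not-uefi\n' ;;
        *:1)      printf 'setup-mode\n' ;;  # no PK: enroll-keys can proceed
        1:0)      printf 'enforcing\n' ;;   # user mode, Secure Boot enabled
        0:0)      printf 'disabled\n' ;;    # PK present, enforcement off
        *)        printf 'unknown\n' ;;
    esac
}

# Only query the live system when asked; otherwise just define the functions.
if [ "${1:-}" = "live" ]; then
    printf 'SecureBoot: %s\n' "$(efi_flag "$EFIVARS/SecureBoot-$EFI_GLOBAL_GUID")"
    printf 'SetupMode:  %s\n' "$(efi_flag "$EFIVARS/SetupMode-$EFI_GLOBAL_GUID")"
    printf 'State:      %s\n' "$(secure_boot_state)"
fi
```

Run it as sh status.sh live on the target machine; a provisioning script can gate sbctl enroll-keys on secure_boot_state printing setup-mode rather than parsing sbctl's human-readable output.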
Use case 2: Create custom secure boot keys
Code:
sbctl create-keys
Motivation: Creating custom secure boot keys is essential for users who want to manage their own keys rather than relying on third-party certificates. This can enhance system security by ensuring that only trusted binaries can execute on the system, tailored to specific needs and configurations.
Explanation:
This command generates the key pairs and certificates required for Secure Boot. By default they are stored under /var/lib/sbctl, with a private key and a matching certificate for each of the three roles: the Platform Key (PK), which controls who may change the KEK; the Key Exchange Key (KEK), which authorizes updates to db and dbx; and the signature database key (db), the one that actually signs boot loaders and kernels. Treat these private keys, db.key above all, as root-of-trust secrets: anyone who can read db.key can sign a binary the firmware will boot, so keep the directory readable by root only and back it up offline rather than on the machine it protects.
Example output:
==> Generating secure boot keys...
-> Created PK: /var/lib/sbctl/keys/PK.key
-> Created KEK: /var/lib/sbctl/keys/KEK.key
-> Created db: /var/lib/sbctl/keys/db.key
Use case 3: Enroll custom secure boot keys and Microsoft’s UEFI vendor certificates
Code:
sbctl enroll-keys --microsoft
Motivation: Enrolling keys is the step where the generated or chosen keys are registered with the firmware. Including Microsoft’s UEFI vendor certificates ensures compatibility with a wide range of software, especially if you plan to run Windows or use software that relies on Microsoft’s signatures.
Explanation:
This command takes the generated custom Secure Boot keys and writes them into the firmware's key store (the PK, KEK and db variables); from then on the firmware trusts binaries signed with your db key. Two preconditions to check first: the firmware must be in Setup Mode, which is normally reached by clearing or deleting the existing keys in the firmware setup menu (sbctl status then shows Setup Mode as enabled), and you must decide whether to keep Microsoft's certificates. The --microsoft flag adds Microsoft's UEFI CA certificates alongside your own, so firmware components signed by Microsoft keep working: the Windows boot manager for dual-boot setups and, more importantly, option ROMs on GPUs, NICs and storage controllers that the firmware runs before any operating system. Enrolling without the flag on hardware whose option ROMs carry Microsoft signatures can leave the firmware unable to initialise those devices, which is why sbctl's own documentation recommends the flag unless you have verified that nothing on the machine depends on those certificates.
Example output:
==> Enrolling custom Secure Boot keys...
-> Secure boot keys enrolled successfully!
-> Microsoft's UEFI vendor certificates added.
Use case 4: Automatically run create-keys and enroll-keys based on the settings in sbctl.conf
Code:
sbctl setup --setup
Motivation: Automation can save time and reduce errors by ensuring that the secure boot setup follows a predefined configuration. This command is useful for users who set up multiple machines and require consistent secure boot environments across them.
Explanation:
The setup command reads /etc/sbctl/sbctl.conf for the key and enrollment settings (for example whether vendor certificates are included). The --setup flag tells it to act on that configuration, creating the keys and enrolling them as specified, so the same configuration file reproduces the same Secure Boot state on every machine it is deployed to.
Example output:
==> Running setup from /etc/sbctl/sbctl.conf...
-> Keys created and enrolled according to configuration.
-> Secure Boot setup completed.
Use case 5: Sign an EFI binary with the created key and save the file to the database
Code:
sbctl sign --save /path/to/efi_binary
Motivation: Signing binaries ensures that they are trusted by Secure Boot, provided that the appropriate keys have been enrolled. Saving the file in the database allows for easy retrieval and management of signed binaries.
Explanation:
sbctl sign signs the file in place with the db key (use -o/--output to write the signed copy somewhere else). The --save option additionally records the file's path in sbctl's file database, so that later runs of sbctl sign-all, and distribution hooks that call it, re-sign the same file after a kernel or boot loader update replaces it. Without --save the signature is one-off and silently lost on the next update, which is the most common reason a previously working machine stops booting with Secure Boot enforcing.
Example output:
==> Signing EFI binary: /path/to/efi_binary
-> Saved signed binary to sbctl database.
Use case 6: Re-sign all the saved files
Code:
sbctl sign-all
Motivation: If keys have changed or updates have been applied that require binaries to be re-signed, this command automatically re-signs all files stored in the sbctl database, ensuring system consistency.
Explanation:
sign-all doesn't require additional arguments: it walks sbctl's file database and re-signs each recorded file with the current db key. Run it after any update that replaces a recorded file; sbctl ships a pacman hook that does this automatically on Arch-based systems, and other distributions can call it from a kernel-install or package hook.
Example output:
==> Re-signing all saved EFI binaries...
-> Binaries re-signed successfully.
Use case 7: Verify that all EFI executables on the EFI system partition have been signed
Code:
sbctl verify
Motivation: Verifying that all EFI executables are signed is a critical security step. It ensures that no unauthorized or unsigned code is allowed to execute, thereby protecting the system from potential compromises during the boot process.
Explanation: This command walks the EFI system partition, together with the files recorded in the sbctl database, and checks each EFI executable for a valid signature made with the enrolled db key, listing which files are signed and which are not. It doesn't require additional input. Run it after every signing pass and after updates: an unsigned boot loader or kernel reported here will be refused by the firmware at the next boot while Secure Boot is enforcing, and catching it now is far cheaper than recovering from an unbootable machine.
Example output:
Verification successful: All EFI binaries are signed and trusted.
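The use cases above (create keys, enroll them, sign what is on the ESP, verify) are one procedure in practice. As an added example that is not sbctl's own code, here is that procedure as a shell script with the checks a practitioner wants: it only feeds sbctl files that really are PE/COFF images (the MZ magic every UEFI executable starts with), records each with --save, refuses to regenerate an existing key set, and finishes with sbctl verify. The ESP path /boot, the key directory /var/lib/sbctl/keys from this article, and the function names are assumptions; the sbctl invocations only run when the script is started with the argument run, so the helper functions can be exercised without touching firmware.

```shell
#!/bin/sh
# Added example, not part of sbctl: end-to-end Secure Boot bootstrap with sbctl.
# Assumptions: ESP mounted at /boot (override with ESP=...), keys under
# /var/lib/sbctl/keys as in the article, sbctl in PATH, running as root.
set -eu

ESP=${ESP:-/boot}
SBCTL_KEYS=/var/lib/sbctl/keys

# is_pe_image FILE: true if FILE starts with the "MZ" DOS header that every
# UEFI (PE/COFF) executable carries. sbctl signs PE images only, so do not
# feed it initramfs archives, loader configs or other files on the ESP.
is_pe_image() {
    [ -f "$1" ] && [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "MZ" ]
}

# sign_targets ESP_DIR: print, one per line, the files a signing pass should
# cover: *.efi / *.EFI under the ESP plus vmlinuz-* kernels (an EFI-stub
# kernel is a PE image too), keeping only those that pass the magic check.
sign_targets() {
    find "$1" -type f \( -iname '*.efi' -o -name 'vmlinuz*' \) 2>/dev/null |
    while IFS= read -r f; do
        if is_pe_image "$f"; then
            printf '%s\n' "$f"
        fi
    done | LC_ALL=C sort
}

# bootstrap_secure_boot: the article's use cases 1, 2, 3, 5 and 7 in order.
# enroll-keys must run while the firmware is in Setup Mode (clear the existing
# keys in the firmware setup menu first); expect sbctl to fail otherwise.
bootstrap_secure_boot() {
    command -v sbctl >/dev/null 2>&1 || { echo 'sbctl not found in PATH' >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo 'must run as root' >&2; return 1; }

    sbctl status

    # Never overwrite an existing key set: regenerating keys after enrollment
    # leaves the firmware trusting a db key you no longer hold.
    if [ -d "$SBCTL_KEYS" ]; then
        echo "keys already present in $SBCTL_KEYS, not regenerating" >&2
    else
        sbctl create-keys
    fi

    # Keep Microsoft's certificates: option ROMs and the Windows boot manager
    # are signed by them, and dropping them can leave devices uninitialised.
    sbctl enroll-keys --microsoft

    # Sign every PE image on the ESP and record it (--save) so that
    # `sbctl sign-all` re-signs it after future kernel/boot loader updates.
    sign_targets "$ESP" | while IFS= read -r f; do
        sbctl sign --save "$f"
    done

    sbctl verify
}

# Only touch the firmware when explicitly asked; sourcing the file or running
# it without "run" just defines the functions above.
if [ "${1:-}" = "run" ]; then
    bootstrap_secure_boot
fi
```

Invoke it as sh sbctl-bootstrap.sh run from a root shell after the firmware has been put into Setup Mode; sh sbctl-bootstrap.sh on its own is safe and lets you call sign_targets "$ESP" interactively to preview what would be signed.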
Conclusion:
The sbctl tool provides a streamlined and efficient means of managing Secure Boot settings and keys on Linux systems. From generating custom keys to verifying that all executables are correctly signed, sbctl enhances your system's security posture with user-friendly commands and comprehensive functionality. It's an essential tool for anyone managing UEFI Secure Boot, ensuring that only trusted software is allowed to execute right from the boot process.