How to Manage Secure Boot with sbctl (with examples)

How to Manage Secure Boot with sbctl (with examples)

sbctl is a command-line tool designed to simplify the management of secure boot keys. Secure Boot is a feature of the latest UEFI firmware that ensures only signed, trusted software can be executed during the boot process. This prevents unauthorized operating systems or malicious programs from running. sbctl provides a user-friendly interface to create, enroll, and manage secure boot keys on Linux systems, playing a crucial role in maintaining system security.

Use case 1: Show the current secure boot status

Code:

sbctl status

Motivation: Understanding whether secure boot is enabled and functioning correctly is critical for system security. Checking the current status allows users to confirm that their system is protected by secure boot and to identify any issues that might arise from incorrect configurations.

Explanation: The sbctl status command doesn’t require any additional arguments. Executing this command fetches and displays the current status of secure boot on the system, including whether it is enabled or disabled and any associated key information.

Example output:

Secure Boot: Enabled
Setup Mode: Disabled
Platform Key: Present
Signature databases: 

Use case 2: Create custom secure boot keys

Code:

sbctl create-keys

Motivation: Creating custom secure boot keys is essential for users who want to manage their own keys rather than relying on third-party certificates. This can enhance system security by ensuring that only trusted binaries can execute on the system, tailored to specific needs and configurations.

Explanation: This command generates a set of keys required for secure boot. By default, the keys are stored in /var/lib/sbctl. The keys include the Platform Key (PK), the Key Exchange Key (KEK), and the Signature Database (db). These keys are crucial for setting up secure boot to control what software is trusted to run on the system.

Example output:

==> Generating secure boot keys...
-> Created PK: /var/lib/sbctl/keys/PK.key
-> Created KEK: /var/lib/sbctl/keys/KEK.key
-> Created db: /var/lib/sbctl/keys/db.key

Use case 3: Enroll custom secure boot keys and Microsoft’s UEFI vendor certificates

Code:

sbctl enroll-keys --microsoft

Motivation: Enrolling keys is the step where the generated or chosen keys are registered with the firmware. Including Microsoft’s UEFI vendor certificates ensures compatibility with a wide range of software, especially if you plan to run Windows or use software that relies on Microsoft’s signatures.

Explanation: This command takes the generated custom secure boot keys and enrolls them in the system’s UEFI firmware, allowing the system to boot using these keys. The --microsoft flag specifically includes Microsoft’s vendor certificates, which ensures that other widely-used software and drivers continue to work correctly.

Example output:

==> Enrolling custom Secure Boot keys...
-> Secure boot keys enrolled successfully!
-> Microsoft's UEFI vendor certificates added.

Use case 4: Automatically run create-keys and enroll-keys based on the settings in sbctl.conf

Code:

sbctl setup --setup

Motivation: Automation can save time and reduce errors by ensuring that the secure boot setup follows a predefined configuration. This command is useful for users who set up multiple machines and require consistent secure boot environments across them.

Explanation: The setup command scans the /etc/sbctl/sbctl.conf file for instructions on how to create and enroll keys automatically. The --setup flag indicates that the command should execute these actions to create and register keys as specified.

Example output:

==> Running setup from /etc/sbctl/sbctl.conf...
-> Keys created and enrolled according to configuration.
-> Secure Boot setup completed.

Use case 5: Sign an EFI binary with the created key and save the file to the database

Code:

sbctl sign --save /path/to/efi_binary

Motivation: Signing binaries ensures that they are trusted by Secure Boot, provided that the appropriate keys have been enrolled. Saving the file in the database allows for easy retrieval and management of signed binaries.

Explanation: In this command, --save is an option that saves the signed EFI binary to the sbctl database at a specified path. This database helps keep track of all signed binaries, making it easier to manage and re-sign them if needed.

Example output:

==> Signing EFI binary: /path/to/efi_binary
-> Saved signed binary to sbctl database.

Use case 6: Re-sign all the saved files

Code:

sbctl sign-all

Motivation: If keys have changed or updates have been applied that require binaries to be re-signed, this command automatically re-signs all files stored in the sbctl database, ensuring system consistency.

Explanation: sign-all doesn’t require additional arguments as it automatically processes all stored files in the sbctl database, applying the current signing keys to each one.

Example output:

==> Re-signing all saved EFI binaries...
-> Binaries re-signed successfully.

Use case 7: Verify that all EFI executables on the EFI system partition have been signed

Code:

sbctl verify

Motivation: Verifying that all EFI executables are signed is a critical security step. It ensures that no unauthorized or unsigned code is allowed to execute, thereby protecting the system from potential compromises during the boot process.

Explanation: This command scans the EFI system partition to check each executable for a valid signature that matches registered secure boot keys. It doesn’t require additional input as it performs a comprehensive check against all discovered EFI binaries.

Example output:

Verification successful: All EFI binaries are signed and trusted.

Conclusion:

The sbctl tool provides a streamlined and efficient means of managing secure boot settings and keys on Linux systems. From generating custom keys to verifying that all executables are correctly signed, sbctl enhances your system’s security posture with user-friendly commands and comprehensive functionality. It’s an essential tool for anyone managing UEFI secure boot, ensuring that only trusted software is allowed to execute right from the boot process.

Related Posts

How to Use the Command 'doctl kubernetes cluster' (with examples)

How to Use the Command 'doctl kubernetes cluster' (with examples)

doctl kubernetes cluster is a command-line interface utility for managing Kubernetes clusters on DigitalOcean.

Read More
How to Use the Command 'rake' (with examples)

How to Use the Command 'rake' (with examples)

Rake is a powerful command-line tool for automating tasks in Ruby projects.

Read More
Using 'xgettext' for Localization (with Examples)

Using 'xgettext' for Localization (with Examples)

xgettext is a valuable command-line tool primarily used in software internationalization and localization.

Read More