{"id":13395919,"url":"https://github.com/andreyv/sbupdate","last_synced_at":"2025-03-13T22:31:14.784Z","repository":{"id":10527995,"uuid":"66061834","full_name":"andreyv/sbupdate","owner":"andreyv","description":"Generate and sign kernel images for UEFI Secure Boot on Arch Linux","archived":true,"fork":false,"pushed_at":"2023-08-02T18:10:15.000Z","size":114,"stargazers_count":227,"open_issues_count":7,"forks_count":20,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-07-31T18:16:00.859Z","etag":null,"topics":["secure-boot","uefi"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andreyv.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-08-19T07:21:54.000Z","updated_at":"2024-07-13T02:01:49.000Z","dependencies_parsed_at":"2024-01-18T10:16:02.663Z","dependency_job_id":"1fc0b784-80df-427f-b5f4-51f722589660","html_url":"https://github.com/andreyv/sbupdate","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreyv%2Fsbupdate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreyv%2Fsbupdate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreyv%2Fsbupdate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreyv%2Fsbupdate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andreyv","download_url":"https://codeload.github.com/andreyv/sbupdate/tar.gz/refs/h
eads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":221417248,"owners_count":16816841,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["secure-boot","uefi"],"created_at":"2024-07-30T18:00:35.570Z","updated_at":"2024-10-25T10:30:59.030Z","avatar_url":"https://github.com/andreyv.png","language":"Shell","funding_links":[],"categories":["Tools"],"sub_categories":[],"readme":"# sbupdate\n\n![](https://github.com/andreyv/sbupdate/workflows/CI/badge.svg)\n\nThis tool allows you to sign Arch Linux kernels using your own Secure Boot keys.\n\n## Installation\n\nYou should be familiar with the process of creating, installing and using\ncustom Secure Boot keys. See:\n* https://wiki.archlinux.org/index.php/Secure_Boot\n* https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html\n\nAfter you have generated your custom keys, proceed with setup:\n* Install [sbupdate-git](https://aur.archlinux.org/packages/sbupdate-git/) from AUR\n* Place your custom keys in `/etc/efi-keys`\n* Configure `/etc/sbupdate.conf` (see [Configuration](#configuration))\n* Run `sudo sbupdate` for first-time image generation\n\nFor each installed Arch kernel, a signed UEFI image will be generated, by default\nin `/boot/EFI/Arch/\u003cNAME\u003e-signed.efi`. Multiple images can be generated with\nadvanced configuration. 
Now you can [add these images](#direct-booting-vs-boot-manager)\nto your UEFI firmware or boot manager configuration.\n\nAfter the initial setup, signed images will be (re)generated automatically when\nyou install or update kernels using Pacman.\n\nNote that the kernel command line, initramfs and boot splash will be embedded in\nthe signed UEFI image.\n\n## Configuration\n\nEdit the file `/etc/sbupdate.conf`. Set your default kernel command line\nin the `CMDLINE_DEFAULT` variable. If the file `/etc/kernel/cmdline` exists,\nit is read into `CMDLINE_DEFAULT` automatically.\n\nThe following optional settings are available:\n* Command line, initramfs[\u003csup\u003e†\u003c/sup\u003e](#ucode) and output name for each kernel\n  config (each kernel can have multiple configs)\n* A list of additional boot files to sign\n* Locations of the key, ESP and output directories\n* Boot splash image\n\n\u003ca name=\"ucode\"\u003e💡 _Hint_:\u003c/a\u003e Intel and AMD microcode updates are handled\nautomatically.\n\n💡 _Hint_: Disable boot splash to keep the UEFI boot logo. Conversely, to keep\nthe boot splash image during boot, add the `quiet video=efifb:nobgrt`\nparameters to the kernel command line.\n\n## Direct booting vs. boot manager\n\nThe generated images are UEFI executables and can be directly booted by UEFI\nfirmware. Therefore, a separate boot manager such as systemd-boot is technically\nnot required. This is similar to Linux [EFISTUB](https://wiki.archlinux.org/index.php/EFISTUB).\n\nBooting directly from firmware is arguably more secure, but may also be harder\nto set up and use. See [Using UEFI directly](https://wiki.archlinux.org/index.php/EFISTUB#Using_UEFI_directly)\nin the above article, with the exception that the kernel command line does not\nneed to be specified in this case.\n\n---\n\nAlternatively, you can use a boot manager. In this case you need to add the generated UEFI\nimages to the boot manager configuration. 
For systemd-boot, the basic entry\nformat is\n\n    title Arch Linux \u003cNAME\u003e\n    efi   /EFI/Arch/\u003cNAME\u003e-signed.efi\n\nYou also need to sign your boot manager's own UEFI executables with your\ncustom keys. For systemd-boot, this is handled automatically on update. For\nfirst-time setup, run\n\n```shell\necho /usr/lib/systemd/boot/efi/systemd-boot*.efi | sudo sbupdate -f\nsudo bootctl update\n```\n\nFor other boot managers, add the corresponding ESP executables to the `EXTRA_SIGN`\narray in `/etc/sbupdate.conf` and re-run the tool if needed. You should\nremember to run the tool every time you update your boot manager's files.\n\n⚠️ **Note**: When booting with Secure Boot disabled, options passed from an EFI shell\n(_even empty_) may override the built-in command line in the combined image, and\nthe boot may fail. See [#4](https://github.com/andreyv/sbupdate/issues/4).\n\n\n## ESP mount point\n\nTypically the [ESP](https://wiki.archlinux.org/title/EFI_system_partition) is\nmounted on `/boot` and also contains the original, unsigned files such as the\nLinux kernel image and initramfs. These files are susceptible to offline\ntampering.\n\nIt is recommended to mount the ESP on a different directory, such as\n[`/efi`](https://www.freedesktop.org/software/systemd/man/bootctl.html#--esp-path=),\nand keep `/boot` itself on the secure root file system. This way the ESP will only\ncontain signed images, which cannot be tampered with undetected.\n\nSee [Configuration](#configuration) to change the ESP directory.\n\nNote that if you use a boot manager other than systemd-boot, then its files\nstill need to be on the ESP before they are signed. It is customary to sign\nthese files right after they have been installed on the ESP. 
Direct booting is\nrecommended for increased security.\n\n## Related resources\n\n* https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface\n* https://wiki.archlinux.org/index.php/Secure_Boot\n* https://www.rodsbooks.com/efi-bootloaders/index.html\n* https://bentley.link/secureboot/\n* [`mkinitcpio(8)`](https://man.archlinux.org/man/mkinitcpio.8) `--uefi` option\n* [Foxboron/sbctl](https://github.com/Foxboron/sbctl) — Secure Boot Manager\n* [gdamjan/secure-boot](https://github.com/gdamjan/secure-boot)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandreyv%2Fsbupdate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandreyv%2Fsbupdate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandreyv%2Fsbupdate/lists"}