{"id":15039278,"url":"https://github.com/foxboron/sbctl","last_synced_at":"2025-05-14T06:13:26.276Z","repository":{"id":41234498,"uuid":"260986040","full_name":"Foxboron/sbctl","owner":"Foxboron","description":":computer: :lock: :key: Secure Boot key manager","archived":false,"fork":false,"pushed_at":"2025-03-01T14:12:52.000Z","size":18149,"stargazers_count":1610,"open_issues_count":59,"forks_count":91,"subscribers_count":24,"default_branch":"master","last_synced_at":"2025-04-03T17:04:50.722Z","etag":null,"topics":["efi","efi-stub","go","golang","linux","secure-boot","secureboot","signatures","uefi","uefi-secureboot"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Foxboron.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-03T17:40:47.000Z","updated_at":"2025-04-02T12:02:16.000Z","dependencies_parsed_at":"2023-09-26T18:53:18.695Z","dependency_job_id":"97aeeb5f-1796-4ee8-9457-03787eecf4d6","html_url":"https://github.com/Foxboron/sbctl","commit_stats":{"total_commits":362,"total_committers":61,"mean_commits":5.934426229508197,"dds":0.3950276243093923,"last_synced_commit":"64e649b31c8ebb739a082ee6628a071f4555186c"},"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fsbctl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fsbctl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fsbctl/releas
es","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fsbctl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Foxboron","download_url":"https://codeload.github.com/Foxboron/sbctl/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248314079,"owners_count":21082977,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["efi","efi-stub","go","golang","linux","secure-boot","secureboot","signatures","uefi","uefi-secureboot"],"created_at":"2024-09-24T20:42:11.069Z","updated_at":"2025-04-10T23:27:22.010Z","avatar_url":"https://github.com/Foxboron.png","language":"Go","readme":"# sbctl - Secure Boot Manager\n[![Build Status](https://github.com/Foxboron/sbctl/workflows/CI/badge.svg)](https://github.com/Foxboron/sbctl/actions)\n\nsbctl intends to be a user-friendly secure boot key manager capable of setting\nup secure boot, offering key management capabilities, and keeping track of files that\nneed to be signed in the boot chain.\n\nIt is written top-to-bottom in [Golang](https://golang.org/) using\n[go-uefi](https://github.com/Foxboron/go-uefi) for the API layer and doesn't\nrely on existing secure boot tooling. 
It also tries to sport some integration\ntesting towards [tianocore](https://www.tianocore.org/) utilizing\n[vmtest](https://github.com/anatol/vmtest).\n\n![](https://pkgbuild.com/~foxboron/sbctl_demo.gif)\n\n## Features\n* User-friendly\n* Manages secure boot keys\n* Live enrollment of keys\n* Signing database to help keep track of files to sign\n* Verify ESP of files missing signatures\n* EFI stub generation\n* JSON output\n\n## Roadmap to 1.0\n* Key rotation\n* TPM support\n* Hardware token support\n* Configuration Files\n* Automatic boot chain signing using the [Boot Loader Interface](https://systemd.io/BOOT_LOADER_INTERFACE/)\n\n## Dependencies\n* util-linux (using `lsblk`)\n* binutils (using `objcopy`)\n* Go \u003e= 1.20\n* asciidoc (only for building)\n\n# Installation\n\nTo fetch, build and install sbctl from the GitHub source:\n\n```\n$ go install github.com/foxboron/sbctl/cmd/sbctl@latest\n$ $(go env GOPATH)/bin/sbctl\n```\n\nTo install through git:\n\n```\n$ git clone https://github.com/foxboron/sbctl.git\n$ cd sbctl\n$ make\n$ ./sbctl\n```\n\n### Available packages\n\nFor Arch Linux:\n```\n# pacman -S sbctl\n```\n\nFor Alpine Linux:\n```\n# apk add sbctl\n```\n\nFor Gentoo Linux:\n```\n# emerge --ask app-crypt/sbctl\n```\n\nFor openSUSE:\n```\n# zypper install sbctl\n```\n\nFor Fedora Linux (unofficial package):\n```\n# dnf copr enable chenxiaolong/sbctl\n# dnf install sbctl\n```\n\nYou can find an updated list of [sbctl packages on\nRepology](https://repology.org/project/sbctl/versions).\n\nIn addition, sbctl is also available for [Ubuntu\n(unofficial)](https://software.opensuse.org/package/sbctl?search_term=sbctl).\nFollow the `Expert Download` links to find installation instructions according\nto your operating system.\n\n# Support and development channel\n\nDevelopment discussions and support happen in `#sbctl` on the [libera.chat](https://kiwiirc.com/nextclient/irc.libera.chat/#sbctl) IRC network.\n\n# Usage\n\n```\n$ sbctl\nSecure Boot Key 
Manager\n\nUsage:\n  sbctl [command]\n\nAvailable Commands:\n  bundle               Bundle the needed files for an EFI stub image\n  create-keys          Create a set of secure boot signing keys\n  enroll-keys          Enroll the current keys to EFI\n  export-enrolled-keys Export already enrolled keys from the system\n  generate-bundles     Generate all EFI stub bundles\n  help                 Help about any command\n  import-keys          Import keys into sbctl\n  list-bundles         List stored bundles\n  list-enrolled-keys   List enrolled keys on the system\n  list-files           List enrolled files\n  remove-bundle        Remove bundle from database\n  remove-file          Remove file from database\n  reset                Reset Secure Boot Keys\n  rotate-keys          Rotate secure boot keys with new keys.\n  setup                Setup sbctl\n  sign                 Sign a file with secure boot keys\n  sign-all             Sign all enrolled files with secure boot keys\n  status               Show current boot status\n  verify               Find and check if files in the ESP are signed or not\n\nFlags:\n      --config string      Path to configuration file\n      --debug              debug logging\n      --disable-landlock   disable landlock\n  -h, --help               help for sbctl\n      --json               Output as json\n      --quiet              Mute info from logging\n\nUse \"sbctl [command] --help\" for more information about a command.\n```\n\n## Key creation and enrollment\nSee [example enrollment](docs/workflow-example.md) for a workflow with\nscreenshots of real firmware setup menus.\n\n```\n# sbctl status\nInstalled:\t✘ Sbctl is not installed\nSetup Mode:\t✘ Enabled\nSecure Boot:\t✘ Disabled\n\n# sbctl create-keys\nCreated Owner UUID a9fbbdb7-a05f-48d5-b63a-08c5df45ee70\nCreating secure boot keys...✔\nSecure boot keys created!\n\n# sbctl enroll-keys\nEnrolling keys to EFI variables...✔\nEnrolled keys to the EFI variables!\n\n# sbctl 
status\nInstalled:\t✔ Sbctl is installed\nOwner GUID:\ta9fbbdb7-a05f-48d5-b63a-08c5df45ee70\nSetup Mode:\t✔ Disabled\nSecure Boot:\t✘ Disabled\n\n// Reboot and enable secure boot in the bios!\n# sbctl status\nInstalled:\t✔ Sbctl is installed\nOwner GUID:\ta9fbbdb7-a05f-48d5-b63a-08c5df45ee70\nSetup Mode:\t✔ Disabled\nSecure Boot:\t✔ Enabled\n```\n\n\n## Signatures\n```\n# sbctl verify\nVerifying file database and EFI images in /efi...\n✘ /boot/vmlinuz-linux is not signed\n✘ /efi/EFI/BOOT/BOOTX64.EFI is not signed\n✘ /efi/EFI/BOOT/KeyTool-signed.efi is not signed\n✘ /efi/EFI/Linux/linux-linux.efi is not signed\n✘ /efi/EFI/arch/fwupdx64.efi is not signed\n✘ /efi/EFI/systemd/systemd-bootx64.efi is not signed\n\n# sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI\n✔ Signed /efi/EFI/BOOT/BOOTX64.EFI...\n\n# sbctl sign -s /efi/EFI/arch/fwupdx64.efi\n✔ Signed /efi/EFI/arch/fwupdx64.efi...\n\n# sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi\n✔ Signed /efi/EFI/systemd/systemd-bootx64.efi...\n\n# sbctl sign -s /usr/lib/fwupd/efi/fwupdx64.efi -o /usr/lib/fwupd/efi/fwupdx64.efi.signed\n✔ Signed /usr/lib/fwupd/efi/fwupdx64.efi...\n\n# sbctl verify\nVerifying file database and EFI images in /efi...\n✔ /usr/lib/fwupd/efi/fwupdx64.efi.signed is signed\n✔ /efi/EFI/BOOT/BOOTX64.EFI is signed\n✔ /efi/EFI/arch/fwupdx64.efi is signed\n✔ /efi/EFI/systemd/systemd-bootx64.efi is signed\n✘ /boot/vmlinuz-linux is not signed\n✘ /efi/EFI/BOOT/KeyTool-signed.efi is not signed\n✘ /efi/EFI/Linux/linux-linux.efi is not signed\n\n# sbctl list-files\n/boot/vmlinuz-linux\nSigned:\t\t✘ Not Signed\n\n/efi/EFI/BOOT/KeyTool-signed.efi\nSigned:\t\t✘ Not Signed\n\n/efi/EFI/Linux/linux-linux.efi\nSigned:\t\t✘ Not Signed\n\n/efi/EFI/arch/fwupdx64.efi\nSigned:\t\t✔ Signed\n\n/efi/EFI/BOOT/BOOTX64.EFI\nSigned:\t\t✔ Signed\n\n/usr/lib/fwupd/efi/fwupdx64.efi\nSigned:\t\t✔ Signed\nOutput File:\t/usr/lib/fwupd/efi/fwupdx64.efi.signed\n\n/efi/EFI/systemd/systemd-bootx64.efi\nSigned:\t\t✔ Signed\n```\n\n## Generate 
Unified Kernel Images (UKI)\n\n**Note:** It is generally recommended to use the initramfs generator for this.\n`mkinitcpio` and `dracut` support this through their respective `--uki` and\n`--uefi` flags, or the `ukify` tool from `systemd`.\n\nThis feature is considered a second class citizen in `sbctl`.\n\n```\n# sbctl bundle -s -i /boot/intel-ucode.img \\\n      -l /usr/share/systemd/bootctl/splash-arch.bmp \\\n      -k /boot/vmlinuz-linux \\\n      -f /boot/initramfs-linux.img \\\n      /efi/EFI/Linux/linux-linux.efi\nWrote EFI bundle /efi/EFI/Linux/linux-linux.efi\n\n# sbctl list-bundles\nEnrolled bundles:\n\n/efi/EFI/Linux/linux-linux.efi\n\tSigned:\t\t✔ Signed\n\tESP Location:\t/efi\n\tOutput:\t\t└─/EFI/Linux/linux-linux.efi\n\tEFI Stub Image:\t  └─/usr/lib/systemd/boot/efi/linuxx64.efi.stub\n\tSplash Image:\t    ├─/usr/share/systemd/bootctl/splash-arch.bmp\n\tCmdline:\t    ├─/etc/kernel/cmdline\n\tOS Release:\t    ├─/usr/lib/os-release\n\tKernel Image:\t    ├─/boot/vmlinuz-linux\n\tInitramfs Image:    └─/boot/initramfs-linux.img\n\tIntel Microcode:      └─/boot/intel-ucode.img\n\n\n# sbctl generate-bundles\nGenerating EFI bundles....\nWrote EFI bundle /efi/EFI/Linux/linux-linux.efi\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffoxboron%2Fsbctl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffoxboron%2Fsbctl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffoxboron%2Fsbctl/lists"}