Ecosyste.ms: Awesome
https://github.com/ericonr/generate-sb-efi
Automate generation of Secure Boot signed single file kernel images
- Host: GitHub
- URL: https://github.com/ericonr/generate-sb-efi
- Owner: ericonr
- License: mit
- Created: 2019-12-29T03:16:49.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2020-04-06T02:20:15.000Z (almost 5 years ago)
- Last Synced: 2024-11-05T09:53:01.473Z (3 months ago)
- Topics: efi, linux, secure-boot, secureboot, uefi
- Language: Python
- Size: 13.7 KB
- Stars: 4
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Automate generation of Secure Boot signed single file kernel images
[![forthebadge](https://forthebadge.com/images/badges/as-seen-on-tv.svg)](https://forthebadge.com)
[![forthebadge](https://forthebadge.com/images/badges/made-with-python.svg)](https://forthebadge.com)

## Motivation
If you are a user of boot managers like [rEFInd](https://www.rodsbooks.com/refind/), [systemd-boot](https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/), or don't use any boot manager, you might be unable to boot directly from an encrypted partition. Because of this, you might find it necessary to leave your whole `/boot` partition unencrypted.
However, if the UEFI implementation on your device allows you to [register your own Secure Boot keys and sign the kernel with them](https://wiki.archlinux.org/index.php/Secure_Boot#Using_your_own_keys), you can, theoretically, guarantee that the kernel hasn't been tampered with. The issue with this approach, however, is that the initial ramdisk (`initramfs`), the processor microcode and the boot parameters are still prone to tampering, with no easy way to avoid said tampering. One of the slightly complicated ways of fixing this is to create a single EFI bootable image, which combines the kernel, information about the distro, boot parameters and the initial ramdisk into a single file that can then be signed with your own Secure Boot keys.
Unfortunately, this can quickly become a gargantuan task for maintenance, especially when using a distro which has several versions of the kernel installed at the same time. Therefore, automating the generation of these images becomes an interesting project.
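The single-file image described above is the part that is easy to get subtly wrong by hand. The following is an added example, not code from generate-sb-efi, showing the two steps involved: gluing the kernel, `/etc/os-release`, the command line and the initramfs into one PE/COFF image on top of the systemd-boot EFI stub with `objcopy`, then signing the result with `sbsign` using the owner's Secure Boot db key. The stub path, the output file names and the `dry_run` flag are assumptions made for this example; the section names and virtual addresses are the layout the systemd-boot stub expects.

```python
"""Build and sign a single-file (unified) EFI kernel image.

Added example, not part of generate-sb-efi. It assumes binutils `objcopy`
and sbsigntools `sbsign` are installed and that the systemd-boot EFI stub
lives at the path below (an assumption; distros differ).
"""
from __future__ import annotations

import subprocess
from pathlib import Path

# Assumed stub location; adjust for the host distribution.
DEFAULT_STUB = Path("/usr/lib/systemd/boot/efi/linuxx64.efi.stub")

# PE section name -> virtual address the systemd-boot stub looks for.
SECTIONS = {
    ".osrel": 0x20000,
    ".cmdline": 0x30000,
    ".linux": 0x2000000,
    ".initrd": 0x3000000,
}


def concat_initrd(parts, output):
    """Concatenate cpio images (microcode first, then the initramfs) so the
    microcode ends up inside the signed image rather than as a separate,
    unverified file."""
    with open(output, "wb") as out:
        for part in parts:
            out.write(Path(part).read_bytes())
    return Path(output)


def objcopy_argv(kernel, initrd, cmdline_file, osrel, output, stub=DEFAULT_STUB):
    """Return the objcopy argv that adds each piece as a named section."""
    inputs = {
        ".osrel": osrel,
        ".cmdline": cmdline_file,
        ".linux": kernel,
        ".initrd": initrd,
    }
    argv = ["objcopy"]
    for name, vma in SECTIONS.items():
        argv += [
            "--add-section", f"{name}={inputs[name]}",
            "--change-section-vma", f"{name}={vma:#x}",
        ]
    argv += [str(stub), str(output)]
    return argv


def sbsign_argv(key, cert, unsigned, signed):
    """Return the sbsign argv that signs the image with the owner's db key."""
    return ["sbsign", "--key", str(key), "--cert", str(cert),
            "--output", str(signed), str(unsigned)]


def build_signed_image(kernel, initrd, cmdline_file, osrel, key, cert,
                       out_dir, *, stub=DEFAULT_STUB, dry_run=False):
    """Produce linux-unified.efi and linux-signed.efi in out_dir.

    Returns the two argv lists so callers (and tests) can inspect them.
    With dry_run=True nothing is executed and no files are required.
    """
    if not dry_run:
        for p in (kernel, initrd, cmdline_file, osrel, stub, key, cert):
            if not Path(p).is_file():
                raise FileNotFoundError(p)
    unsigned = Path(out_dir) / "linux-unified.efi"   # assumed output name
    signed = Path(out_dir) / "linux-signed.efi"      # assumed output name
    steps = [
        objcopy_argv(kernel, initrd, cmdline_file, osrel, unsigned, stub),
        sbsign_argv(key, cert, unsigned, signed),
    ]
    if not dry_run:
        for argv in steps:
            subprocess.run(argv, check=True)
    return steps


if __name__ == "__main__":
    # Dry run with illustrative paths; prints the commands it would execute.
    for argv in build_signed_image(
        "/boot/vmlinuz-linux", "/boot/initramfs-linux.img",
        "/etc/kernel/cmdline", "/etc/os-release",
        "/etc/secureboot/db.key", "/etc/secureboot/db.crt",
        "/boot/EFI/Linux", dry_run=True,
    ):
        print(" ".join(argv))
```

Because the command line is baked into the `.cmdline` section, a change to boot parameters means regenerating and re-signing the image; that is exactly the maintenance burden the paragraph above describes, and the reason a tool like this one automates the process.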
## Configuration
Currently, configuration is done through the `/etc/generate-sb-efi.conf` file, which contains the configuration for the whole process of generating the signed kernel images. An example can be found inside `res/generate-sb-efi.conf`.
## External libraries
This program currently requires the [click](https://pypi.org/project/click/) library for parsing command line arguments.