Bug#1057873: Working setup for signed UKI images with systemd-boot and sbsign

Matteo Settenvini matteo.settenvini at montecristosoftware.eu
Sat Dec 9 23:25:47 GMT 2023 

For completeness, this is my current diversion for /usr/bin/bootctl:

------------------------------------------------

#!/bin/sh

set -e

# dpkg-divert --divert /usr/bin/bootctl --rename bootctl.real
# mv /usr/bin/bootctl{,.real}

keydir="/usr/share/secureboot/keys/db/"
bl="/usr/lib/systemd/boot/efi/systemd-bootx64.efi"

# if [ "${bl}" -nt "${bl}.signed" ]; then
if [ ! -f "${bl}.signed" -o "${bl}" -nt "${bl}.signed" ]; then
        echo "Signing ${bl} with sbsign"
        sbsign --key "${keydir}/db.key" --cert "${keydir}/db.pem"
"${bl}"
fi

exec /usr/bin/bootctl.real "$@"

------------------------------------------------

As can be deduced, I have the following structure thanks to sbctl, that
is reusable by sbsign:

# find /usr/share/secureboot/
/usr/share/secureboot/
/usr/share/secureboot/keys
/usr/share/secureboot/keys/PK
/usr/share/secureboot/keys/PK/PK.key
/usr/share/secureboot/keys/PK/PK.pem
/usr/share/secureboot/keys/KEK
/usr/share/secureboot/keys/KEK/KEK.key
/usr/share/secureboot/keys/KEK/KEK.pem
/usr/share/secureboot/keys/db
/usr/share/secureboot/keys/db/db.key
/usr/share/secureboot/keys/db/db.pem
/usr/share/secureboot/keys/dbx
/usr/share/secureboot/keys/dbx/dbx.key
/usr/share/secureboot/keys/dbx/dbx.pem
/usr/share/secureboot/GUID
/usr/share/secureboot/files.db
/usr/share/secureboot/bundles.db



I then have /etc/kernel/install.conf:

------------------------------------------------

layout=uki
uki_generator=ukify
initrd_generator=dracut

------------------------------------------------

And in /etc/kernel/uki.conf:

-----------------------------------------------

[UKI]
SecureBootSigningTool=sbsign
SecureBootPrivateKey=/usr/share/secureboot/keys/db/db.key
SecureBootCertificate=/usr/share/secureboot/keys/db/db.pem

-----------------------------------------------

This is enough for me to achieve full secure boot with a ukified image
via dracut. Yay! Next step for me is getting measured boot to work with
the TPM.

While this above is certainly a workable solution, it requires quite a
bit of effort for the non-initiated. 

It would be good if achieving good security in Debian became easier and
easier over time ^_^.

Cheers,
Matteo Settenvini
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20231210/113f02ef/attachment.sig>

More information about the Pkg-systemd-maintainers mailing list