Arch Linux User Repository

@andreyv Thanks for your outstanding work on this project! It was quite useful while it was alive and I am grateful that you took from your personal time to maintain it for almost 7 years 🙏. Given that mkinitcpio is now able to generate UKIs and that there already exist many tools to sign boot images, it sounds like a fairly reasonable decision to retire sbupdate. However, I would only suggest to add a final commit, just to display a deprecation warning to users when they sign an image with sbupdate. Many users might not be aware that the project EOLed just by looking at the PKGBUILD. I only realized it EOLed when I stumbled upon the git repository by accident.

For the records, I switched to mkinitcpio to generate the UKI, and after some hesitancy I opted for sbctl for the signature. Thanks to the archwiki, the process was straightforward. I was initially reluctant to switch to a bloated tool like sbctl, but the key enrollment and image signature processes were so smooth that it eventually earned my vote… Otherwise I would probably have written some manual hooks to sign the UKI with sbsign, which I guess would also have been OK.

@SleepyMario

Is using one of the forks instead an option? Or is that madness.

Is there any properly maintained fork of sbupdate in the wild? I found this one: sbupdate-mkinitcpio (which has a deceptive name IMHO) that switched from pacman hooks to a systemd unit to trigger the signature script.

My personal suggestion would be to refrain from using such fork (unless I'm missing some use case). mkinitcpio can generate the UKI for you, and you can sign it with whatever tools you want (sbsign+some manually written pacman hooks, or sbctl and its shipped hooks). It's not a lot of work.

@mephinet I no longer have the capability to develop the tool, and anyway it's largely obsolete — see https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot for replacements.

@andreyv Thanks for your outstanding work on this project! It was quite useful while it was alive and I am grateful that you took from your personal time to maintain it for almost 7 years 🙏. Given that mkinitcpio is now able to generate UKIs and that there already exist many tools to sign boot images, it sounds like a fairly reasonable decision to retire sbupdate. However, I would only suggest to add a final commit, just to display a deprecation warning to users when they sign an image with sbupdate. Many users might not be aware that the project EOLed just by looking at the PKGBUILD. I only realized it EOLed when I stumbled upon the git repository by accident.

For the records, I switched to mkinitcpio to generate the UKI, and after some hesitancy I opted for sbctl for the signature. Thanks to the archwiki, the process was straightforward. I was initially reluctant to switch to a bloated tool like sbctl, but the key enrollment and image signature processes were so smooth that it eventually earned my vote… Otherwise I would probably have written some manual hooks to sign the UKI with sbsign, which I guess would also have been OK.

@SleepyMario

Is using one of the forks instead an option? Or is that madness.

Is there any properly maintained fork of sbupdate in the wild? I found this one: sbupdate-mkinitcpio (which has a deceptive name IMHO) that switched from pacman hooks to a systemd unit to trigger the signature script.

My personal suggestion would be to refrain from using such fork (unless I'm missing some use case). mkinitcpio can generate the UKI for you, and you can sign it with whatever tools you want (sbsign+some manually written pacman hooks, or sbctl and its shipped hooks). It's not a lot of work.

Is using one of the forks instead an option? Or is that madness.

@eternalfloof for the records: it's not even necessary to change the keys: after running sbctl create-keys once, you're able to import your existing keys with the sbctl enroll command. It might be necessary to convert the existing certificates to the PEM format using openssl x509 -in x.crt -outform pem -out x.pem.

@mephinet I agree. I gave kernel-install a whirl, but it ended up changing my workflow too much to be a simple dropin.

Instead I:

1. Uninstalled sbupdate
2. Went into my BIOS and deleted the secure boot keys & turned secure boot off
3. Installed sbctl, and went through the setup flow to install the sbctl keys
4. created a linux.preset file to have mkinitcpio generate the efi file: https://wiki.archlinux.org/title/Unified_kernel_image#.preset_file
5. ran sbctl sign -s "path/to/efi". Also signed the other files that need signing: /efi/EFI/Arch/fwupdx64.efi /efi/EFI/BOOT/BOOTX64.EFI /efi/EFI/systemd/systemd-bootx64.efi /usr/lib/fwupd/efi/fwupdx64.efi.signed

and that's it. The default pacman hooks for mkinitcpio ensure it runs, and then sbctl installs a hook that calls sbctl sign-all (which signs anything registered with sbctl sign

@eternalfloof after using it for one week, the best setup from my experience is to configure mkinitcpio to generate (only) the UKI. Once you used sbctl sign --save xy.efi once on every .efi file, the hook that comes with sbctl will re-sign the files whenever necessary. No need to create manual hooks. With this setup it was also easy to split /efi and /boot.

If we switch to sbctl is there an existing package to manage creating the unified kernel image and signing it? Or is the best way to manually create our own hooks as suggested https://wiki.archlinux.org/title/Unified_kernel_image#Signing_the_UKIs_for_Secure_Boot

Thanks for the explanation, @andreyv - and for your work! I've enjoyed using sbupdate - and I now switched to sbctl + mkinitcpio.

@mephinet I no longer have the capability to develop the tool, and anyway it's largely obsolete — see https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot for replacements.

Hi @andreyv, I saw that you've set the upstream git repository to state "archived". Could you please elaborate?

@traysh sbupdate does not sign extra files in hook mode (see README for details), so renaming the hook will not help. I intend to add specific support for systemd-boot-update.service later, but for now you can systemctl edit systemd-boot-update.service and add a manual sign command.