Package Details: sbupdate-git 0.r133.1bd9722-2

Git Clone URL: https://aur.archlinux.org/sbupdate-git.git (read-only, click to copy)
Package Base: sbupdate-git
Description: Generate and sign kernel images for UEFI Secure Boot
Upstream URL: https://github.com/andreyv/sbupdate
Keywords: boot uefi
Licenses: GPL3
Conflicts: sbupdate
Provides: sbupdate
Submitter: andreyv
Maintainer: andreyv
Last Packager: andreyv
Votes: 36
Popularity: 0.017222
First Submitted: 2016-08-19 10:22 (UTC)
Last Updated: 2023-08-11 11:32 (UTC)

Pinned Comments

gilbs commented on 2023-09-02 18:05 (UTC) (edited on 2023-09-02 18:37 (UTC) by gilbs)

@andreyv Thanks for your outstanding work on this project! It was quite useful while it was alive and I am grateful that you took from your personal time to maintain it for almost 7 years 🙏. Given that mkinitcpio is now able to generate UKIs and that there already exist many tools to sign boot images, it sounds like a fairly reasonable decision to retire sbupdate. However, I would only suggest to add a final commit, just to display a deprecation warning to users when they sign an image with sbupdate. Many users might not be aware that the project EOLed just by looking at the PKGBUILD. I only realized it EOLed when I stumbled upon the git repository by accident.


For the records, I switched to mkinitcpio to generate the UKI, and after some hesitancy I opted for sbctl for the signature. Thanks to the archwiki, the process was straightforward. I was initially reluctant to switch to a bloated tool like sbctl, but the key enrollment and image signature processes were so smooth that it eventually earned my vote… Otherwise I would probably have written some manual hooks to sign the UKI with sbsign, which I guess would also have been OK.

@SleepyMario

Is using one of the forks instead an option? Or is that madness.

Is there any properly maintained fork of sbupdate in the wild? I found this one: sbupdate-mkinitcpio (which has a deceptive name IMHO) that switched from pacman hooks to a systemd unit to trigger the signature script.

My personal suggestion would be to refrain from using such fork (unless I'm missing some use case). mkinitcpio can generate the UKI for you, and you can sign it with whatever tools you want (sbsign+some manually written pacman hooks, or sbctl and its shipped hooks). It's not a lot of work.

andreyv commented on 2023-08-12 05:44 (UTC)

@mephinet I no longer have the capability to develop the tool, and anyway it's largely obsolete — see https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot for replacements.

Latest Comments

1 2 3 Next › Last »

gilbs commented on 2023-09-02 18:05 (UTC) (edited on 2023-09-02 18:37 (UTC) by gilbs)

@andreyv Thanks for your outstanding work on this project! It was quite useful while it was alive and I am grateful that you took from your personal time to maintain it for almost 7 years 🙏. Given that mkinitcpio is now able to generate UKIs and that there already exist many tools to sign boot images, it sounds like a fairly reasonable decision to retire sbupdate. However, I would only suggest to add a final commit, just to display a deprecation warning to users when they sign an image with sbupdate. Many users might not be aware that the project EOLed just by looking at the PKGBUILD. I only realized it EOLed when I stumbled upon the git repository by accident.


For the records, I switched to mkinitcpio to generate the UKI, and after some hesitancy I opted for sbctl for the signature. Thanks to the archwiki, the process was straightforward. I was initially reluctant to switch to a bloated tool like sbctl, but the key enrollment and image signature processes were so smooth that it eventually earned my vote… Otherwise I would probably have written some manual hooks to sign the UKI with sbsign, which I guess would also have been OK.

@SleepyMario

Is using one of the forks instead an option? Or is that madness.

Is there any properly maintained fork of sbupdate in the wild? I found this one: sbupdate-mkinitcpio (which has a deceptive name IMHO) that switched from pacman hooks to a systemd unit to trigger the signature script.

My personal suggestion would be to refrain from using such fork (unless I'm missing some use case). mkinitcpio can generate the UKI for you, and you can sign it with whatever tools you want (sbsign+some manually written pacman hooks, or sbctl and its shipped hooks). It's not a lot of work.

SleepyMario commented on 2023-08-23 07:50 (UTC)

Is using one of the forks instead an option? Or is that madness.

mephinet commented on 2023-08-20 19:50 (UTC)

@eternalfloof for the records: it's not even necessary to change the keys: after running sbctl create-keys once, you're able to import your existing keys with the sbctl enroll command. It might be necessary to convert the existing certificates to the PEM format using openssl x509 -in x.crt -outform pem -out x.pem.

eternalfloof commented on 2023-08-20 19:30 (UTC) (edited on 2023-08-20 19:31 (UTC) by eternalfloof)

@mephinet I agree. I gave kernel-install a whirl, but it ended up changing my workflow too much to be a simple dropin.

Instead I:

  1. Uninstalled sbupdate
  2. Went into my BIOS and deleted the secure boot keys & turned secure boot off
  3. Installed sbctl, and went through the setup flow to install the sbctl keys
  4. created a linux.preset file to have mkinitcpio generate the efi file: https://wiki.archlinux.org/title/Unified_kernel_image#.preset_file
  5. ran sbctl sign -s "path/to/efi". Also signed the other files that need signing: /efi/EFI/Arch/fwupdx64.efi /efi/EFI/BOOT/BOOTX64.EFI /efi/EFI/systemd/systemd-bootx64.efi /usr/lib/fwupd/efi/fwupdx64.efi.signed

and that's it. The default pacman hooks for mkinitcpio ensure it runs, and then sbctl installs a hook that calls sbctl sign-all (which signs anything registered with sbctl sign

mephinet commented on 2023-08-19 18:36 (UTC)

@eternalfloof after using it for one week, the best setup from my experience is to configure mkinitcpio to generate (only) the UKI. Once you used sbctl sign --save xy.efi once on every .efi file, the hook that comes with sbctl will re-sign the files whenever necessary. No need to create manual hooks. With this setup it was also easy to split /efi and /boot.

eternalfloof commented on 2023-08-19 16:58 (UTC)

If we switch to sbctl is there an existing package to manage creating the unified kernel image and signing it? Or is the best way to manually create our own hooks as suggested https://wiki.archlinux.org/title/Unified_kernel_image#Signing_the_UKIs_for_Secure_Boot

mephinet commented on 2023-08-14 11:11 (UTC)

Thanks for the explanation, @andreyv - and for your work! I've enjoyed using sbupdate - and I now switched to sbctl + mkinitcpio.

andreyv commented on 2023-08-12 05:44 (UTC)

@mephinet I no longer have the capability to develop the tool, and anyway it's largely obsolete — see https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot for replacements.

mephinet commented on 2023-08-11 20:23 (UTC)

Hi @andreyv, I saw that you've set the upstream git repository to state "archived". Could you please elaborate?

andreyv commented on 2022-04-05 18:46 (UTC)

@traysh sbupdate does not sign extra files in hook mode (see README for details), so renaming the hook will not help. I intend to add specific support for systemd-boot-update.service later, but for now you can systemctl edit systemd-boot-update.service and add a manual sign command.