Štěpán Škorpil :skorpil_cz:

1 month ago • •

Štěpán Škorpil :skorpil_cz:
1 month ago • •

After the last update sbctl package stopped signing the efi kernel bundle. 🧐
I don't know why, yet. It builds the efi from vmlinuz and initrd, copies it to efi partition, but doesn't sign it for some reason.
I only found a notice about deprecating the bundling feature in the future.
Well I will have to find another way of uki bundling and signing...

#ArchLinux #sbctl

in reply to Štěpán Škorpil :skorpil_cz:

Dean Wallace :archlinux: 🖖

in reply to Štěpán Škorpil :skorpil_cz: • 1 month ago • •

I just use the mkinitcpio way, bundles and sbctl still signs with the hook it provides.

in reply to Dean Wallace :archlinux: 🖖

Štěpán Škorpil :skorpil_cz:

in reply to Dean Wallace :archlinux: 🖖 • 1 month ago • •

@angrylinus does it mean you have unsigned bundle in efi created by mkinitcpio and second signed bundle created by sbctl? Or can sbctl sign the bundle in place?

@Dean Wallace :archlinux: 🖖

in reply to Štěpán Škorpil :skorpil_cz:

Dean Wallace :archlinux: 🖖

in reply to Štěpán Škorpil :skorpil_cz: • 1 month ago • •

I have mkinitcpio create the bundle and then sdbctl signs it, as I've always had.
usr/lib/initcpio/post/sbctl

This entry was edited (1 month ago)

in reply to Dean Wallace :archlinux: 🖖

Štěpán Škorpil :skorpil_cz:

in reply to Dean Wallace :archlinux: 🖖 • 1 month ago • •

@angrylinus I stopped to look for the reason of why bundles are not signed when I found the notice about future deprecation of the sbctl bundling. I want to solve this in a long term.
I now use the mkinitcpio to create the bundle and sbctl signes these perfectly fine.
Actually I don't know why I used sbctl for bundling at all. Did mkinitcpio add this feature later? Or I didn't find the proper setting in the wiki back then? 🤷‍♂️
Glad it all works again together...

@Dean Wallace :archlinux: 🖖

in reply to Štěpán Škorpil :skorpil_cz:

Dean Wallace :archlinux: 🖖

in reply to Štěpán Škorpil :skorpil_cz: • 1 month ago • •

supported it for well over a year, not sure exactly..

in reply to Dean Wallace :archlinux: 🖖

Štěpán Škorpil :skorpil_cz:

in reply to Dean Wallace :archlinux: 🖖 • 1 month ago • •

@angrylinus Aha, ok That's why. 😄 I have set secure boot 4 years ago and started to use sbctl a bit later. Like 3y ago?
Tools are evolving the good way, it's nice to have it natively in mkinitcpio.

Btw I also have to update the way I am using tpm2 for drive encryption. Back than I had to hack it (and it still works), but now there also should be a native way to set it up.

@Dean Wallace :archlinux: 🖖

in reply to Štěpán Škorpil :skorpil_cz:

Dean Wallace :archlinux: 🖖

in reply to Štěpán Škorpil :skorpil_cz: • 1 month ago • •

gitlab.archlinux.org/archlinux…

I'm relatively new to the SB thing..

[mkinitcpio] Create UEFI executables (9cc35234) · Commits · Arch Linux / Mkinitcpio / mkinitcpio · GitLab

Implement UEFI executable generation in mkinitcpio by utilizing UEFI stubs provided by systemd/gummiboot. This allows us to create a unified boot image we can boot from UEFI with. These are...

^GitLab

This entry was edited (1 month ago)

in reply to Štěpán Škorpil :skorpil_cz:

Morten Linderud

in reply to Štěpán Škorpil :skorpil_cz: • 1 month ago • •

That shouldn't happen. Feel free to make an issue upstream, might be due to landlock.

⇧