From 46227b9917ca136a25a4b5ed35eb695439f1d06b3e4da6ade118541ecb93acb8 Mon Sep 17 00:00:00 2001 From: Jan Loeser Date: Mon, 11 Nov 2024 07:48:00 +0000 Subject: [PATCH 1/5] - Disable tests that fail due to gh/foxboron/sbctl#343 - Update to version 0.16: * Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is present * Fixed a bug where sbctl would abort if the TPM eventlog contains the same byte multiple times * Fixed a landlock bug where enroll-keys --export did not work * Fixed a bug where an ESP mounted to multiple paths would not be detected * Exporting keys without efivars present work again * sbctl sign will now use the saved output path if the signed file is enrolled * enroll-keys --append will now work without --force. - Updates from version 0.15.4: * Fixed an issue where sign-all did not report a non-zero exit code when something failed * Fixed and issue where we couldn't write to a file with landlock * Fixed an issue where --json would print the human readable output and the json * Fixes landlock for UKI/bundles by disabling the sandbox feature * Some doc fixups that mentioned /usr/share/ OBS-URL: https://build.opensuse.org/package/show/utilities/sbctl?expand=0&rev=13 --- .gitattributes | 23 ++++++ .gitignore | 1 + _service | 18 +++++ _servicedata | 6 ++ sbctl-0.14.tar.gz | 3 + sbctl-0.15.3.tar.gz | 3 + sbctl-0.16.tar.gz | 3 + sbctl-rpmlintrc | 2 + sbctl.changes | 193 ++++++++++++++++++++++++++++++++++++++++++++ sbctl.spec | 96 ++++++++++++++++++++++ vendor.tar.gz | 3 + 11 files changed, 351 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 sbctl-0.14.tar.gz create mode 100644 sbctl-0.15.3.tar.gz create mode 100644 sbctl-0.16.tar.gz create mode 100644 sbctl-rpmlintrc create mode 100644 sbctl.changes create mode 100644 sbctl.spec create mode 100644 vendor.tar.gz 
diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..870f6f3 --- /dev/null +++ b/_service @@ -0,0 +1,18 @@ + + + https://github.com/Foxboron/sbctl.git + git + .git + @PARENT_TAG@ + @PARENT_TAG@ + + + sbctl + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..2e049b3 --- /dev/null +++ b/_servicedata @@ -0,0 +1,6 @@ + + + https://github.com/Foxboron/sbctl.git + b7e1302c440f24b24d4cea5bb17aa4b703f46c87 + + \ No newline at end of file diff --git a/sbctl-0.14.tar.gz b/sbctl-0.14.tar.gz new file mode 100644 index 0000000..d752b1a --- /dev/null +++ b/sbctl-0.14.tar.gz 
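Review bot: Nothing in `_service` appears to generate `vendor.tar.gz`: the parameters visible in this tag-stripped listing are a git checkout of `@PARENT_TAG@` with `.git` excluded and a recompress of `*.tar` to `gz`, and `_servicedata` records only the tar_scm revision, so the Go vendor tree that `sbctl.spec` unpacks with `%autosetup -a 1` is produced out-of-band with no recorded link to the checked-out tag. A `go_modules` service, e.g. `<service name="go_modules" mode="manual"/>` after the recompress step, would derive the vendor archive from the same tag and its `go.sum` on every service run, which matters because dependency CVEs (see the xz bump in patch 3/5) are fixed by regenerating exactly this archive. The diffstat for patch 3/5 shows `_service` growing from 18 to 19 lines, so this may already be addressed there; the XML element names are not recoverable from this rendering, so treat the absence as unconfirmed.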
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b1e7b62c66e842113a31ab1c1505886e38475c5f1ee8a5f15f2ab32f25ad3ef4
+size 17935856
diff --git a/sbctl-0.15.3.tar.gz b/sbctl-0.15.3.tar.gz
new file mode 100644
index 0000000..9266e18
--- /dev/null
+++ b/sbctl-0.15.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:af78a78997f903aaa9d275d026e094cc4cbd668254ca320d463232728f91ad5f
+size 17951470
diff --git a/sbctl-0.16.tar.gz b/sbctl-0.16.tar.gz
new file mode 100644
index 0000000..38145c2
--- /dev/null
+++ b/sbctl-0.16.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a33dd99307254b7e51737137798e571898a82387bd61a1ee98520dbdff1ef8e7
+size 17953194
diff --git a/sbctl-rpmlintrc b/sbctl-rpmlintrc
new file mode 100644
index 0000000..7206721
--- /dev/null
+++ b/sbctl-rpmlintrc
@@ -0,0 +1,2 @@
+# providing deb packages from this spec requires the tag to be hard coded
+addFilter("W: hardcoded-packager-tag");
diff --git a/sbctl.changes b/sbctl.changes
new file mode 100644
index 0000000..99ef2b3
--- /dev/null
+++ b/sbctl.changes
@@ -0,0 +1,193 @@ +------------------------------------------------------------------- +Tue Oct 22 03:56:54 UTC 2024 - Joshua Smith + +- Disable tests that fail due to gh/foxboron/sbctl#343 +- Update to version 0.16: + * Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is + present + * Fixed a bug where sbctl would abort if the TPM eventlog + contains the same byte multiple times + * Fixed a landlock bug where enroll-keys --export did not work + * Fixed a bug where an ESP mounted to multiple paths would not be + detected + * Exporting keys without efivars present work again + * sbctl sign will now use the saved output path if the signed + file is enrolled + * enroll-keys --append will now work without --force. +- Updates from version 0.15.4: + * Fixed an issue where sign-all did not report a non-zero exit + code when something failed + * Fixed and issue where we couldn't write to a file with landlock + * Fixed an issue where --json would print the human readable + output and the json + * Fixes landlock for UKI/bundles by disabling the sandbox feature + * Some doc fixups that mentioned /usr/share/ + +------------------------------------------------------------------- +Wed Jul 31 23:55:22 UTC 2024 - Joshua Smith + +- Update to version 0.15.3: + * Fixed a mistake where the db_additions setting in sbctl.conf + was not wired up to sbctl setup. + * Relaxed the check for an existing install in sbctl setup form + looking after /var/lib/sbctl to check for /var/lib/sbctl/keys. + * Fixed a bug where dmi information was not read for quirk + detection when landlock was enabled. + * Fixed a bug where sbctl create-keys did not have access to + /var/lib under landlock. + * Fixed a bug where sbctl setup didn't have access to /usr/share. 
+ +------------------------------------------------------------------- +Wed Jul 31 14:13:47 UTC 2024 - Joshua Smith + +- Added minimum go required version +- Update to version 0.15.2: + * Fixed a bug where sbctl setup aborts early because + /var/lib/sbctl already exists. +- Updates from version 0.15.1: + * Fixed an issue where sbctl migrate did not work without + --disable-landlock. + * Fixed an issue where bundles.db would be written to files.json + deleting list of files. +- Updates from version 0.15: + See the release for full changes. + https://github.com/Foxboron/sbctl/releases/tag/0.15 + * sbctl will try to sandbox all commands with landlock. Landlock + is a unpriviledged sandbox, similar to OpenBSD pledge, that + allows sbctl to declare the directories and files we are + reading/writing a head. This feature is enabled by default and + can be disabled by setting landlock: false in the new config + file, or by passing --disable-landlock flag. + * sbctl has moved from using /usr/share/secureboot to + /var/lib/sbctl. The useage of /usr was mostly for legacy + reasons but there wasn't any motivation to fix this until now. + To help with the migration sbctl migrate has been implemented. + It will move all the files from the old location to + /var/lib/sbctl and rename files accordingly. + * sbctl now support creation of TPM key files using + go-tpm-keyfiles. These keys are mostly compatible with how + other TPM2 TSS keyfiles are created. This key type can be used + by passing on of several keytype flags to create-keys or + rotate-keys, or by specifying the type in the new configuration + file. 
+ +------------------------------------------------------------------- +Thu May 9 15:54:58 UTC 2024 - Joshua Smith + +- Enable tests +- Fix bashism error in 91-sbctl.install by using bash shebang +- Service to use manual instead of deprecated disabled and pattern + cleanup +- Update to version 0.14: + New commands + * export-enrolled-keys will export all enrolled keys on the + system to a directory + * list-enrolled-keys will list the enrolled keys on the system + New Things + * The test suite has now been rewritten to use the new vmtest + library. + Bugfixes + * sign-all won't abort when it encounters a file it can't sign. + * The kernel-install hook won't try to sign things if there are + no signing keys available. + * The kernel-install hook will now only remove things if they + actually did exist on the system. + * The mkinitcpio hook now only sign the built kernel/UKI instead + of all the sbctl files. + +------------------------------------------------------------------- +Wed Dec 27 08:21:25 UTC 2023 - Joshua Smith + +- Update to version 0.13: + * --export,-e and --database-path,-d now work properly and don't + overwrite the create-keys variables internally + * remove erronous dbx enrollment. Previous release implemented + support for dbx that doesn't really work as expected. It + would also fail to enroll keys for previously setup clients. + Implementation has been removed and will be iterated upon at a + later date. 
+ * make: fix github artifact upload + * Change shebang + * Ensure file signing hook is run when initrd is rebuilt + * Fixed typo, removed mention enroll-keys enables Secure Boot + automatically + * Ignore Setup mode and immutable variables for export + * Specify file origin + always print signing message + * tests/utils/certs.go: drop keyUsage bitfield + * update manpage docs + * allow specifying keys and GUID paths + * Update README.md + * keys.go: drop the keyUsage bitfield + * Check and return Open errs + * Update documentation for custom dbx + +------------------------------------------------------------------- +Fri Oct 20 23:32:22 UTC 2023 - Joshua Smith + +- Update to version 0.12: + * sbctl bundle might be depreciated in the future. + * sbctl now allows you to enroll custom certificates into KEK + and db. + * sbctl now allows keys to be exported as EFI Signature Lists + (esl) or EFI Authenticated Variables (auth), which are pre-signed. + * sbctl can now enroll certificates found in dbxDefault, + dbDefault, KEKDefault and PKDefault. + * Before this release sbctl would enroll, reset and rotate the + entire key hierarchy when requested. With this release several + improvements have been made to have the ability to support + partial key hierarchies. This can be used through the --partial + flag in their respective commands. 
+ * add documentation for the extra flags of enroll/rotate/reset + * feat: add option to remove specific certs from db instead of an entire reset + * feat: add append option to enroll-keys + * feat: force key flag + * Add support for OEM dbx enrollment + * feat(dbx): enroll/rotate/reset dbx keys + * feat(rotate): enable partial rotation and providing different sources + * feat(reset): enable partial resets of secureboot keys + * feat(enroll-keys): add partial enrollment of keys + * Implement full support for loading builtin firmware certificates + * Add support for loading certificates from dbDefault + +------------------------------------------------------------------- +Mon Mar 27 07:36:22 UTC 2023 - jan.loeser@posteo.de + +- Update to version 0.11: + * status: Warn about firmware quirks + * Add trailing newline to JSON output + * Improve wording + * Always include vendor keys in status output + * Move a few more functions to afero and fs.Fs + * Remove unused code + * Include fs module + * Implement fs package and remove all direct filesystem calls + * Updated dependencies + * status: Added e2e test + * enroll-keys: remove variable overriding for OEM key enrollment + * updated to go 1.20 + * Fix arbitrary sizes in UKI generation + * Update README.md + * enroll-keys: Enroll Microsoft KEK along with their other keys + * pacman: Add extramodules target to hook + * Fix POSIX sh comparison + * verify: Implement file verification + +------------------------------------------------------------------- +Thu Jan 19 12:29:01 UTC 2023 - Joshua Smith + +- Update to version 0.10: + * go.mod: Properly fetch new library version + * go.mod: update go-uefi and cleanup + * rotate-keys: Implement rotate-keys + * Add support for the uki layout + * Fix typos and some improve grammar a bit + * sbctl.8: Provide more precise setup mode instructions + * enroll-keys: Error if user has Setup Mode disabled + * update manpage to reflect defaults in bundle.go + * Fix crash when ESP is not 
mounted + * main: Always ensure we allow printing before json prints + +------------------------------------------------------------------- +Mon Nov 28 04:07:35 UTC 2022 - Joshua Smith + +- Initial package of sbctl 0.9.0 for openSUSE diff --git a/sbctl.spec b/sbctl.spec new file mode 100644 index 0000000..57b8233 --- /dev/null +++ b/sbctl.spec 
@@ -0,0 +1,96 @@
+#
+# spec file for package sbctl
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: sbctl
+Version: 0.16
+Release: 0
+Summary: Secure Boot key manager
+License: MIT
+Group: System/Boot
+URL: https://github.com/Foxboron/sbctl
+%if "%{_vendor}" == "debbuild"
+# Needed to set Maintainer in output debs
+Packager: Jan Loeser
+%endif
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}-rpmlintrc
+Requires: binutils
+%if 0%{?suse_version}
+Requires: util-linux-systemd
+%endif
+%if 0%{?ubuntu}
+Requires: util-linux
+%endif
+BuildRequires: asciidoc
+BuildRequires: binutils
+%if 0%{?suse_version}
+BuildRequires: go >= 1.22.0
+BuildRequires: golang-packaging
+BuildRequires: pkgconfig(openssl) > 3.0.0
+%endif
+%if 0%{?ubuntu}
+BuildRequires: golang >= 1.22.0
+BuildRequires: libssl-dev > 3.0.0
+%endif
+
+%description
+sbctl intends to be a user-friendly secure boot key manager capable of setting
+up secure boot, offer key management capabilities, and keep track of files that
+needs to be signed in the boot chain.
+
+%prep
+%autosetup -a 1
+
+%build
+# Remove toolchain directive as we can't download it from external and we lack a corresponding
+# macro package for deb (golang-packaging)
+%if 0%{?ubuntu}
+sed -i '/^toolchain.*/d' go.mod
+%endif
+
+# Remove upstream version set.
+sed -i 's|VERSION =.*||' Makefile
+VERSION="%{version}" %make_build all
+
+%install
+%make_install BINDIR="%{_sbindir}" PREFIX="%{_prefix}"
+
+# Fix potential-bashisms rpmlint error by using bash shebang
+sed -i 's|bin/sh|bin/bash|' %{buildroot}%{_prefix}/lib/kernel/install.d/91-sbctl.install
+
+%files
+%doc README.md
+%license LICENSE
+
+%dir %{_prefix}/lib/kernel/
+%dir %{_prefix}/lib/kernel/install.d/
+%dir %{_datadir}/fish/
+%dir %{_datadir}/fish/vendor_completions.d/
+%dir %{_datadir}/zsh/
+%dir %{_datadir}/zsh/site-functions/
+
+%{_prefix}/lib/kernel/install.d/91-sbctl.install
+%{_mandir}/man8/sbctl.8*
+%{_mandir}/man5/sbctl.conf.5*
+%{_datadir}/bash-completion/completions/sbctl
+%{_datadir}/fish/vendor_completions.d/sbctl.fish
+%{_datadir}/zsh/site-functions/_sbctl
+%{_sbindir}/sbctl
+
+%changelog
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..afaf397
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cbf0bc4e94d5c0a0683e156b5cbb4f0b39ad7c7bba3805d9e5c75ef6dc12c712
+size 4885832
-- 
2.51.1
From 07ab3bca7393131f4edd0bdf4826dc37c849ded504e32ac290fbb8a492944185 Mon Sep 17 00:00:00 2001
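Review bot: The shebang fix in `%install`, `sed -i 's|bin/sh|bin/bash|' …/91-sbctl.install`, is unanchored: it rewrites the first `bin/sh` on every line of the hook rather than only line 1, and it succeeds silently when the shebang is something else, which would leave the bashism error in place unnoticed. The hook is executed by kernel-install as root and drives signing with the keys under sbctl's state directory, so the interpreter it ends up with should be deterministic; the script body is not visible here, so whether it contains other `/bin/sh` strings is unverified. Anchor the substitution to the shebang and make a miss fail the build: `hook=%{buildroot}%{_prefix}/lib/kernel/install.d/91-sbctl.install`, `sed -i '1s|^#!/bin/sh$|#!/bin/bash|' "$hook"`, `head -n1 "$hook" | grep -q '^#!/bin/bash$'` (adjust the pattern if upstream's shebang turns out to be `#!/usr/bin/env sh`).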
From: Jan Loeser Date: Mon, 5 May 2025 11:38:27 +0000 Subject: [PATCH 2/5] - Update to version 0.17: * Ensure we don't wrongly compare input/output files when signing * Added --json supprt to sbctl verify * Ensure sbctl setup with no arguments returns a helpful output * Import latest Microsoft keys for KEK and db databases * Ensure we print the path of the file when encountering an invalid PE file * Misc fixups in tests * Misc typo fixes in prints OBS-URL: https://build.opensuse.org/package/show/utilities/sbctl?expand=0&rev=15 --- .gitattributes | 23 +++++ .gitignore | 1 + _service | 18 ++++ _servicedata | 6 ++ sbctl-0.14.tar.gz | 3 + sbctl-0.15.3.tar.gz | 3 + sbctl-0.16.tar.gz | 3 + sbctl-0.17.tar.gz | 3 + sbctl-rpmlintrc | 2 + sbctl.changes | 205 ++++++++++++++++++++++++++++++++++++++++++++ sbctl.spec | 96 +++++++++++++++++++++ vendor.tar.gz | 3 + 12 files changed, 366 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 sbctl-0.14.tar.gz create mode 100644 sbctl-0.15.3.tar.gz create mode 100644 sbctl-0.16.tar.gz create mode 100644 sbctl-0.17.tar.gz create mode 100644 sbctl-rpmlintrc create mode 100644 sbctl.changes create mode 100644 sbctl.spec create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..870f6f3 --- /dev/null +++ b/_service @@ -0,0 +1,18 @@ + + + https://github.com/Foxboron/sbctl.git + git + .git + @PARENT_TAG@ + @PARENT_TAG@ + + + sbctl + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..2e049b3 --- /dev/null +++ b/_servicedata @@ -0,0 +1,6 @@ + + + https://github.com/Foxboron/sbctl.git + b7e1302c440f24b24d4cea5bb17aa4b703f46c87 + + \ No newline at end of file diff --git a/sbctl-0.14.tar.gz b/sbctl-0.14.tar.gz new file mode 100644 index 0000000..d752b1a --- /dev/null +++ b/sbctl-0.14.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b1e7b62c66e842113a31ab1c1505886e38475c5f1ee8a5f15f2ab32f25ad3ef4 +size 17935856 diff --git a/sbctl-0.15.3.tar.gz b/sbctl-0.15.3.tar.gz new file mode 100644 index 0000000..9266e18 
--- /dev/null
+++ b/sbctl-0.15.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:af78a78997f903aaa9d275d026e094cc4cbd668254ca320d463232728f91ad5f
+size 17951470
diff --git a/sbctl-0.16.tar.gz b/sbctl-0.16.tar.gz
new file mode 100644
index 0000000..38145c2
--- /dev/null
+++ b/sbctl-0.16.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a33dd99307254b7e51737137798e571898a82387bd61a1ee98520dbdff1ef8e7
+size 17953194
diff --git a/sbctl-0.17.tar.gz b/sbctl-0.17.tar.gz
new file mode 100644
index 0000000..d8778b2
--- /dev/null
+++ b/sbctl-0.17.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dd4f4d609a203ecc4d37736315377e58949138b3dc9c8d12d8b4b38a2e074e32
+size 17957224
diff --git a/sbctl-rpmlintrc b/sbctl-rpmlintrc
new file mode 100644
index 0000000..7206721
--- /dev/null
+++ b/sbctl-rpmlintrc
@@ -0,0 +1,2 @@
+# providing deb packages from this spec requires the tag to be hard coded
+addFilter("W: hardcoded-packager-tag");
diff --git a/sbctl.changes b/sbctl.changes
new file mode 100644
index 0000000..7372835
--- /dev/null
+++ b/sbctl.changes
@@ -0,0 +1,205 @@ +------------------------------------------------------------------- +Mon May 5 11:24:29 UTC 2025 - Jan Loeser + +- Update to version 0.17: + * Ensure we don't wrongly compare input/output files when signing + * Added --json supprt to sbctl verify + * Ensure sbctl setup with no arguments returns a helpful output + * Import latest Microsoft keys for KEK and db databases + * Ensure we print the path of the file when encountering an invalid PE file + * Misc fixups in tests + * Misc typo fixes in prints + +------------------------------------------------------------------- +Tue Oct 22 03:56:54 UTC 2024 - Joshua Smith + +- Disable tests that fail due to gh/foxboron/sbctl#343 +- Update to version 0.16: + * Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is + present + * Fixed a bug where sbctl would abort if the TPM eventlog + contains the same byte multiple times + * Fixed a landlock bug where enroll-keys --export did not work + * Fixed a bug where an ESP mounted to multiple paths would not be + detected + * Exporting keys without efivars present work again + * sbctl sign will now use the saved output path if the signed + file is enrolled + * enroll-keys --append will now work without --force. +- Updates from version 0.15.4: + * Fixed an issue where sign-all did not report a non-zero exit + code when something failed + * Fixed and issue where we couldn't write to a file with landlock + * Fixed an issue where --json would print the human readable + output and the json + * Fixes landlock for UKI/bundles by disabling the sandbox feature + * Some doc fixups that mentioned /usr/share/ + +------------------------------------------------------------------- +Wed Jul 31 23:55:22 UTC 2024 - Joshua Smith + +- Update to version 0.15.3: + * Fixed a mistake where the db_additions setting in sbctl.conf + was not wired up to sbctl setup. 
+ * Relaxed the check for an existing install in sbctl setup form + looking after /var/lib/sbctl to check for /var/lib/sbctl/keys. + * Fixed a bug where dmi information was not read for quirk + detection when landlock was enabled. + * Fixed a bug where sbctl create-keys did not have access to + /var/lib under landlock. + * Fixed a bug where sbctl setup didn't have access to /usr/share. + +------------------------------------------------------------------- +Wed Jul 31 14:13:47 UTC 2024 - Joshua Smith + +- Added minimum go required version +- Update to version 0.15.2: + * Fixed a bug where sbctl setup aborts early because + /var/lib/sbctl already exists. +- Updates from version 0.15.1: + * Fixed an issue where sbctl migrate did not work without + --disable-landlock. + * Fixed an issue where bundles.db would be written to files.json + deleting list of files. +- Updates from version 0.15: + See the release for full changes. + https://github.com/Foxboron/sbctl/releases/tag/0.15 + * sbctl will try to sandbox all commands with landlock. Landlock + is a unpriviledged sandbox, similar to OpenBSD pledge, that + allows sbctl to declare the directories and files we are + reading/writing a head. This feature is enabled by default and + can be disabled by setting landlock: false in the new config + file, or by passing --disable-landlock flag. + * sbctl has moved from using /usr/share/secureboot to + /var/lib/sbctl. The useage of /usr was mostly for legacy + reasons but there wasn't any motivation to fix this until now. + To help with the migration sbctl migrate has been implemented. + It will move all the files from the old location to + /var/lib/sbctl and rename files accordingly. + * sbctl now support creation of TPM key files using + go-tpm-keyfiles. These keys are mostly compatible with how + other TPM2 TSS keyfiles are created. 
This key type can be used + by passing on of several keytype flags to create-keys or + rotate-keys, or by specifying the type in the new configuration + file. + +------------------------------------------------------------------- +Thu May 9 15:54:58 UTC 2024 - Joshua Smith + +- Enable tests +- Fix bashism error in 91-sbctl.install by using bash shebang +- Service to use manual instead of deprecated disabled and pattern + cleanup +- Update to version 0.14: + New commands + * export-enrolled-keys will export all enrolled keys on the + system to a directory + * list-enrolled-keys will list the enrolled keys on the system + New Things + * The test suite has now been rewritten to use the new vmtest + library. + Bugfixes + * sign-all won't abort when it encounters a file it can't sign. + * The kernel-install hook won't try to sign things if there are + no signing keys available. + * The kernel-install hook will now only remove things if they + actually did exist on the system. + * The mkinitcpio hook now only sign the built kernel/UKI instead + of all the sbctl files. + +------------------------------------------------------------------- +Wed Dec 27 08:21:25 UTC 2023 - Joshua Smith + +- Update to version 0.13: + * --export,-e and --database-path,-d now work properly and don't + overwrite the create-keys variables internally + * remove erronous dbx enrollment. Previous release implemented + support for dbx that doesn't really work as expected. It + would also fail to enroll keys for previously setup clients. + Implementation has been removed and will be iterated upon at a + later date. 
+ * make: fix github artifact upload + * Change shebang + * Ensure file signing hook is run when initrd is rebuilt + * Fixed typo, removed mention enroll-keys enables Secure Boot + automatically + * Ignore Setup mode and immutable variables for export + * Specify file origin + always print signing message + * tests/utils/certs.go: drop keyUsage bitfield + * update manpage docs + * allow specifying keys and GUID paths + * Update README.md + * keys.go: drop the keyUsage bitfield + * Check and return Open errs + * Update documentation for custom dbx + +------------------------------------------------------------------- +Fri Oct 20 23:32:22 UTC 2023 - Joshua Smith + +- Update to version 0.12: + * sbctl bundle might be depreciated in the future. + * sbctl now allows you to enroll custom certificates into KEK + and db. + * sbctl now allows keys to be exported as EFI Signature Lists + (esl) or EFI Authenticated Variables (auth), which are pre-signed. + * sbctl can now enroll certificates found in dbxDefault, + dbDefault, KEKDefault and PKDefault. + * Before this release sbctl would enroll, reset and rotate the + entire key hierarchy when requested. With this release several + improvements have been made to have the ability to support + partial key hierarchies. This can be used through the --partial + flag in their respective commands. 
+ * add documentation for the extra flags of enroll/rotate/reset + * feat: add option to remove specific certs from db instead of an entire reset + * feat: add append option to enroll-keys + * feat: force key flag + * Add support for OEM dbx enrollment + * feat(dbx): enroll/rotate/reset dbx keys + * feat(rotate): enable partial rotation and providing different sources + * feat(reset): enable partial resets of secureboot keys + * feat(enroll-keys): add partial enrollment of keys + * Implement full support for loading builtin firmware certificates + * Add support for loading certificates from dbDefault + +------------------------------------------------------------------- +Mon Mar 27 07:36:22 UTC 2023 - jan.loeser@posteo.de + +- Update to version 0.11: + * status: Warn about firmware quirks + * Add trailing newline to JSON output + * Improve wording + * Always include vendor keys in status output + * Move a few more functions to afero and fs.Fs + * Remove unused code + * Include fs module + * Implement fs package and remove all direct filesystem calls + * Updated dependencies + * status: Added e2e test + * enroll-keys: remove variable overriding for OEM key enrollment + * updated to go 1.20 + * Fix arbitrary sizes in UKI generation + * Update README.md + * enroll-keys: Enroll Microsoft KEK along with their other keys + * pacman: Add extramodules target to hook + * Fix POSIX sh comparison + * verify: Implement file verification + +------------------------------------------------------------------- +Thu Jan 19 12:29:01 UTC 2023 - Joshua Smith + +- Update to version 0.10: + * go.mod: Properly fetch new library version + * go.mod: update go-uefi and cleanup + * rotate-keys: Implement rotate-keys + * Add support for the uki layout + * Fix typos and some improve grammar a bit + * sbctl.8: Provide more precise setup mode instructions + * enroll-keys: Error if user has Setup Mode disabled + * update manpage to reflect defaults in bundle.go + * Fix crash when ESP is not 
mounted + * main: Always ensure we allow printing before json prints + +------------------------------------------------------------------- +Mon Nov 28 04:07:35 UTC 2022 - Joshua Smith + +- Initial package of sbctl 0.9.0 for openSUSE diff --git a/sbctl.spec b/sbctl.spec new file mode 100644 index 0000000..09a4965 --- /dev/null +++ b/sbctl.spec 
@@ -0,0 +1,96 @@
+#
+# spec file for package sbctl
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: sbctl
+Version: 0.17
+Release: 0
+Summary: Secure Boot key manager
+License: MIT
+Group: System/Boot
+URL: https://github.com/Foxboron/sbctl
+%if "%{_vendor}" == "debbuild"
+# Needed to set Maintainer in output debs
+Packager: Jan Loeser
+%endif
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}-rpmlintrc
+Requires: binutils
+%if 0%{?suse_version}
+Requires: util-linux-systemd
+%endif
+%if 0%{?ubuntu}
+Requires: util-linux
+%endif
+BuildRequires: asciidoc
+BuildRequires: binutils
+%if 0%{?suse_version}
+BuildRequires: go >= 1.22.0
+BuildRequires: golang-packaging
+BuildRequires: pkgconfig(openssl) > 3.0.0
+%endif
+%if 0%{?ubuntu}
+BuildRequires: golang >= 1.22.0
+BuildRequires: libssl-dev > 3.0.0
+%endif
+
+%description
+sbctl intends to be a user-friendly secure boot key manager capable of setting
+up secure boot, offer key management capabilities, and keep track of files that
+needs to be signed in the boot chain.
+
+%prep
+%autosetup -a 1
+
+%build
+# Remove toolchain directive as we can't download it from external and we lack a corresponding
+# macro package for deb (golang-packaging)
+%if 0%{?ubuntu}
+sed -i '/^toolchain.*/d' go.mod
+%endif
+
+# Remove upstream version set.
+sed -i 's|VERSION =.*||' Makefile
+VERSION="%{version}" %make_build all
+
+%install
+%make_install BINDIR="%{_sbindir}" PREFIX="%{_prefix}"
+
+# Fix potential-bashisms rpmlint error by using bash shebang
+sed -i 's|bin/sh|bin/bash|' %{buildroot}%{_prefix}/lib/kernel/install.d/91-sbctl.install
+
+%files
+%doc README.md
+%license LICENSE
+
+%dir %{_prefix}/lib/kernel/
+%dir %{_prefix}/lib/kernel/install.d/
+%dir %{_datadir}/fish/
+%dir %{_datadir}/fish/vendor_completions.d/
+%dir %{_datadir}/zsh/
+%dir %{_datadir}/zsh/site-functions/
+
+%{_prefix}/lib/kernel/install.d/91-sbctl.install
+%{_mandir}/man8/sbctl.8*
+%{_mandir}/man5/sbctl.conf.5*
+%{_datadir}/bash-completion/completions/sbctl
+%{_datadir}/fish/vendor_completions.d/sbctl.fish
+%{_datadir}/zsh/site-functions/_sbctl
+%{_sbindir}/sbctl
+
+%changelog
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..bdddbd2
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e450acf9d24a41dc71ed6d2232f36e62506ddcceaf4ba587ea62b1f613240dd9
+size 5177988
-- 2.51.1
From 5c51d31a33175967672fbb951e48536def998d29093bc2bf983ebbee0bad58aa Mon Sep 17 00:00:00 2001
From: Michael Vetter
Date: Mon, 1 Sep 2025 09:40:51 +0000
Subject: [PATCH 3/5] - bsc#1248949 (CVE-2025-58058): Bump xz to 0.5.14
OBS-URL: https://build.opensuse.org/package/show/utilities/sbctl?expand=0&rev=17
---
 .gitattributes | 23 +++++
 .gitignore | 1 +
 _service | 19 +++++
 _servicedata | 6 ++
 sbctl-0.17.tar.gz | 3 +
 sbctl-rpmlintrc | 2 +
 sbctl.changes | 211 ++++++++++++++++++++++++++++++++++++++++++++++
 sbctl.spec | 92 ++++++++++++++++++++
 vendor.tar.gz | 3 +
 9 files changed, 360 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 _service
 create mode 100644 _servicedata
 create mode 100644 sbctl-0.17.tar.gz
 create mode 100644 sbctl-rpmlintrc
 create mode 100644 sbctl.changes
 create mode 100644 sbctl.spec
 create mode 100644 vendor.tar.gz
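Review bot: The bash-shebang fix in `%install`, `sed -i 's|bin/sh|bin/bash|' …/91-sbctl.install`, is unanchored, so it rewrites every `bin/sh` occurrence in the hook rather than only the interpreter line, and it succeeds silently when the pattern no longer matches, which is exactly the case where the bashism workaround quietly stops applying. Anchor it to the first line and make a no-op a build failure: `sed -i '1s|^#!.*/sh$|#!/bin/bash|' "$hook"` followed by `head -n1 "$hook" | grep -q '^#!/bin/bash$' || exit 1` (with `hook` set to the install.d path). The cleaner fix is an upstream patch that removes the bashisms so the hook runs under the POSIX `sh` it declares, but that is outside this spec.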
diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..95e8165 --- /dev/null +++ b/_service @@ -0,0 +1,19 @@ + + + https://github.com/Foxboron/sbctl.git + git + .git + @PARENT_TAG@ + @PARENT_TAG@ + + + sbctl + + + *.tar + gz + + + github.com/ulikunitz/xz=github.com/ulikunitz/xz@v0.5.14 + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..2e049b3 --- /dev/null +++ b/_servicedata @@ -0,0 +1,6 @@ + + + https://github.com/Foxboron/sbctl.git + b7e1302c440f24b24d4cea5bb17aa4b703f46c87 + + \ No newline at end of file diff --git a/sbctl-0.17.tar.gz b/sbctl-0.17.tar.gz new file mode 100644 index 0000000..1c6d40d --- /dev/null +++ b/sbctl-0.17.tar.gz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf1c9d1b1555faed642deda0257905fb65b67ee84a296969aa5fb5b388c67d37
+size 17956488
diff --git a/sbctl-rpmlintrc b/sbctl-rpmlintrc
new file mode 100644
index 0000000..7206721
--- /dev/null
+++ b/sbctl-rpmlintrc
@@ -0,0 +1,2 @@
+# providing deb packages from this spec requires the tag to be hard coded
+addFilter("W: hardcoded-packager-tag");
diff --git a/sbctl.changes b/sbctl.changes
new file mode 100644
index 0000000..7272d69
--- /dev/null
+++ b/sbctl.changes
@@ -0,0 +1,211 @@ +------------------------------------------------------------------- +Mon Sep 1 09:34:54 UTC 2025 - Michael Vetter + +- bsc#1248949 (CVE-2025-58058): + Bump xz to 0.5.14 + +------------------------------------------------------------------- +Mon May 5 11:24:29 UTC 2025 - Jan Loeser + +- Update to version 0.17: + * Ensure we don't wrongly compare input/output files when signing + * Added --json supprt to sbctl verify + * Ensure sbctl setup with no arguments returns a helpful output + * Import latest Microsoft keys for KEK and db databases + * Ensure we print the path of the file when encountering an invalid PE file + * Misc fixups in tests + * Misc typo fixes in prints + +------------------------------------------------------------------- +Tue Oct 22 03:56:54 UTC 2024 - Joshua Smith + +- Disable tests that fail due to gh/foxboron/sbctl#343 +- Update to version 0.16: + * Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is + present + * Fixed a bug where sbctl would abort if the TPM eventlog + contains the same byte multiple times + * Fixed a landlock bug where enroll-keys --export did not work + * Fixed a bug where an ESP mounted to multiple paths would not be + detected + * Exporting keys without efivars present work again + * sbctl sign will now use the saved output path if the signed + file is enrolled + * enroll-keys --append will now work without --force. 
+- Updates from version 0.15.4: + * Fixed an issue where sign-all did not report a non-zero exit + code when something failed + * Fixed and issue where we couldn't write to a file with landlock + * Fixed an issue where --json would print the human readable + output and the json + * Fixes landlock for UKI/bundles by disabling the sandbox feature + * Some doc fixups that mentioned /usr/share/ + +------------------------------------------------------------------- +Wed Jul 31 23:55:22 UTC 2024 - Joshua Smith + +- Update to version 0.15.3: + * Fixed a mistake where the db_additions setting in sbctl.conf + was not wired up to sbctl setup. + * Relaxed the check for an existing install in sbctl setup form + looking after /var/lib/sbctl to check for /var/lib/sbctl/keys. + * Fixed a bug where dmi information was not read for quirk + detection when landlock was enabled. + * Fixed a bug where sbctl create-keys did not have access to + /var/lib under landlock. + * Fixed a bug where sbctl setup didn't have access to /usr/share. + +------------------------------------------------------------------- +Wed Jul 31 14:13:47 UTC 2024 - Joshua Smith + +- Added minimum go required version +- Update to version 0.15.2: + * Fixed a bug where sbctl setup aborts early because + /var/lib/sbctl already exists. +- Updates from version 0.15.1: + * Fixed an issue where sbctl migrate did not work without + --disable-landlock. + * Fixed an issue where bundles.db would be written to files.json + deleting list of files. +- Updates from version 0.15: + See the release for full changes. + https://github.com/Foxboron/sbctl/releases/tag/0.15 + * sbctl will try to sandbox all commands with landlock. Landlock + is a unpriviledged sandbox, similar to OpenBSD pledge, that + allows sbctl to declare the directories and files we are + reading/writing a head. This feature is enabled by default and + can be disabled by setting landlock: false in the new config + file, or by passing --disable-landlock flag. 
+ * sbctl has moved from using /usr/share/secureboot to + /var/lib/sbctl. The useage of /usr was mostly for legacy + reasons but there wasn't any motivation to fix this until now. + To help with the migration sbctl migrate has been implemented. + It will move all the files from the old location to + /var/lib/sbctl and rename files accordingly. + * sbctl now support creation of TPM key files using + go-tpm-keyfiles. These keys are mostly compatible with how + other TPM2 TSS keyfiles are created. This key type can be used + by passing on of several keytype flags to create-keys or + rotate-keys, or by specifying the type in the new configuration + file. + +------------------------------------------------------------------- +Thu May 9 15:54:58 UTC 2024 - Joshua Smith + +- Enable tests +- Fix bashism error in 91-sbctl.install by using bash shebang +- Service to use manual instead of deprecated disabled and pattern + cleanup +- Update to version 0.14: + New commands + * export-enrolled-keys will export all enrolled keys on the + system to a directory + * list-enrolled-keys will list the enrolled keys on the system + New Things + * The test suite has now been rewritten to use the new vmtest + library. + Bugfixes + * sign-all won't abort when it encounters a file it can't sign. + * The kernel-install hook won't try to sign things if there are + no signing keys available. + * The kernel-install hook will now only remove things if they + actually did exist on the system. + * The mkinitcpio hook now only sign the built kernel/UKI instead + of all the sbctl files. + +------------------------------------------------------------------- +Wed Dec 27 08:21:25 UTC 2023 - Joshua Smith + +- Update to version 0.13: + * --export,-e and --database-path,-d now work properly and don't + overwrite the create-keys variables internally + * remove erronous dbx enrollment. Previous release implemented + support for dbx that doesn't really work as expected. 
It + would also fail to enroll keys for previously setup clients. + Implementation has been removed and will be iterated upon at a + later date. + * make: fix github artifact upload + * Change shebang + * Ensure file signing hook is run when initrd is rebuilt + * Fixed typo, removed mention enroll-keys enables Secure Boot + automatically + * Ignore Setup mode and immutable variables for export + * Specify file origin + always print signing message + * tests/utils/certs.go: drop keyUsage bitfield + * update manpage docs + * allow specifying keys and GUID paths + * Update README.md + * keys.go: drop the keyUsage bitfield + * Check and return Open errs + * Update documentation for custom dbx + +------------------------------------------------------------------- +Fri Oct 20 23:32:22 UTC 2023 - Joshua Smith + +- Update to version 0.12: + * sbctl bundle might be depreciated in the future. + * sbctl now allows you to enroll custom certificates into KEK + and db. + * sbctl now allows keys to be exported as EFI Signature Lists + (esl) or EFI Authenticated Variables (auth), which are pre-signed. + * sbctl can now enroll certificates found in dbxDefault, + dbDefault, KEKDefault and PKDefault. + * Before this release sbctl would enroll, reset and rotate the + entire key hierarchy when requested. With this release several + improvements have been made to have the ability to support + partial key hierarchies. This can be used through the --partial + flag in their respective commands. 
+ * add documentation for the extra flags of enroll/rotate/reset + * feat: add option to remove specific certs from db instead of an entire reset + * feat: add append option to enroll-keys + * feat: force key flag + * Add support for OEM dbx enrollment + * feat(dbx): enroll/rotate/reset dbx keys + * feat(rotate): enable partial rotation and providing different sources + * feat(reset): enable partial resets of secureboot keys + * feat(enroll-keys): add partial enrollment of keys + * Implement full support for loading builtin firmware certificates + * Add support for loading certificates from dbDefault + +------------------------------------------------------------------- +Mon Mar 27 07:36:22 UTC 2023 - jan.loeser@posteo.de + +- Update to version 0.11: + * status: Warn about firmware quirks + * Add trailing newline to JSON output + * Improve wording + * Always include vendor keys in status output + * Move a few more functions to afero and fs.Fs + * Remove unused code + * Include fs module + * Implement fs package and remove all direct filesystem calls + * Updated dependencies + * status: Added e2e test + * enroll-keys: remove variable overriding for OEM key enrollment + * updated to go 1.20 + * Fix arbitrary sizes in UKI generation + * Update README.md + * enroll-keys: Enroll Microsoft KEK along with their other keys + * pacman: Add extramodules target to hook + * Fix POSIX sh comparison + * verify: Implement file verification + +------------------------------------------------------------------- +Thu Jan 19 12:29:01 UTC 2023 - Joshua Smith + +- Update to version 0.10: + * go.mod: Properly fetch new library version + * go.mod: update go-uefi and cleanup + * rotate-keys: Implement rotate-keys + * Add support for the uki layout + * Fix typos and some improve grammar a bit + * sbctl.8: Provide more precise setup mode instructions + * enroll-keys: Error if user has Setup Mode disabled + * update manpage to reflect defaults in bundle.go + * Fix crash when ESP is not 
mounted + * main: Always ensure we allow printing before json prints + +------------------------------------------------------------------- +Mon Nov 28 04:07:35 UTC 2022 - Joshua Smith + +- Initial package of sbctl 0.9.0 for openSUSE diff --git a/sbctl.spec b/sbctl.spec new file mode 100644 index 0000000..c868fb9 --- /dev/null +++ b/sbctl.spec 
@@ -0,0 +1,92 @@
+#
+# spec file for package sbctl
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: sbctl
+Version: 0.17
+Release: 0
+Summary: Secure Boot key manager
+License: MIT
+Group: System/Boot
+URL: https://github.com/Foxboron/sbctl
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}-rpmlintrc
+Requires: binutils
+%if 0%{?suse_version}
+Requires: util-linux-systemd
+%endif
+%if 0%{?ubuntu}
+Requires: util-linux
+%endif
+BuildRequires: asciidoc
+BuildRequires: binutils
+%if 0%{?suse_version}
+BuildRequires: go >= 1.22.0
+BuildRequires: golang-packaging
+BuildRequires: pkgconfig(openssl) > 3.0.0
+%endif
+%if 0%{?ubuntu}
+BuildRequires: golang >= 1.22.0
+BuildRequires: libssl-dev > 3.0.0
+%endif
+
+%description
+sbctl intends to be a user-friendly secure boot key manager capable of setting
+up secure boot, offer key management capabilities, and keep track of files that
+needs to be signed in the boot chain.
+
+%prep
+%autosetup -a 1
+
+%build
+# Remove toolchain directive as we can't download it from external and we lack a corresponding
+# macro package for deb (golang-packaging)
+%if 0%{?ubuntu}
+sed -i '/^toolchain.*/d' go.mod
+%endif
+
+# Remove upstream version set.
+sed -i 's|VERSION =.*||' Makefile
+VERSION="%{version}" %make_build all
+
+%install
+%make_install BINDIR="%{_sbindir}" PREFIX="%{_prefix}"
+
+# Fix potential-bashisms rpmlint error by using bash shebang
+sed -i 's|bin/sh|bin/bash|' %{buildroot}%{_prefix}/lib/kernel/install.d/91-sbctl.install
+
+%files
+%doc README.md
+%license LICENSE
+
+%dir %{_prefix}/lib/kernel/
+%dir %{_prefix}/lib/kernel/install.d/
+%dir %{_datadir}/fish/
+%dir %{_datadir}/fish/vendor_completions.d/
+%dir %{_datadir}/zsh/
+%dir %{_datadir}/zsh/site-functions/
+
+%{_prefix}/lib/kernel/install.d/91-sbctl.install
+%{_mandir}/man8/sbctl.8*
+%{_mandir}/man5/sbctl.conf.5*
+%{_datadir}/bash-completion/completions/sbctl
+%{_datadir}/fish/vendor_completions.d/sbctl.fish
+%{_datadir}/zsh/site-functions/_sbctl
+%{_sbindir}/sbctl
+
+%changelog
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..2d1fd4a
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:159c1b127c322dcc0666b3214ac1d658250f0174e2ec9ebb39dbc91a8ce76361
+size 4970021
-- 2.51.1
From 1637564abcb5fc56f0f7ea8e00190822eda107c7c0afc486449ddd447ef837e7 Mon Sep 17 00:00:00 2001
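Review bot: The CVE-2025-58058 remediation exists only as the `_service` module replace (`github.com/ulikunitz/xz@v0.5.14`), and nothing in this spec verifies that the vendor tree actually carries the fixed version, so a regenerated `vendor.tar.gz` or a later version bump that drops that replace line would silently reintroduce the vulnerable module while the changelog still records the fix. Add a guard in `%prep` right after `%autosetup -a 1`: `grep -q 'github.com/ulikunitz/xz.* v0\.5\.14' vendor/modules.txt || { echo 'vendored xz is not at the CVE-2025-58058 fixed version' >&2; exit 1; }` — this assumes the vendor tarball contains the standard `vendor/modules.txt` that `go mod vendor` writes, which I cannot confirm from this hunk. A comment next to `Source1: vendor.tar.gz`, such as `# CVE-2025-58058 (bsc#1248949): xz is pinned to v0.5.14 via the replace in _service`, would also tell the next maintainer doing a version bump that the pin exists and must be kept or re-evaluated.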
From: Jan Loeser Date: Mon, 13 Oct 2025 09:29:00 +0000 Subject: [PATCH 4/5] - Update to version 0.18: * logging: fixup new go vet warning * workflows: add cc for cross compile * workflow: add sudo to apt * workflow: add pcsclite to ci * workflow: try enable cgo * go.mod: update golang.org/x/ dependencies * fix: avoid adding bogus Country attribute to subject DNs * sbctl: only store file if we did actually sign the file * installkernel: add post install hook for Debian's traditional installkernel * CI: missing libpcsclite pkg * workflows: add missing depends and new pattern keyword * Add yubikey example for create keys to the README * Initial yubikey backend keytype support * verify: ensure we pass args in correct order OBS-URL: https://build.opensuse.org/package/show/utilities/sbctl?expand=0&rev=19 --- .gitattributes | 23 +++++ .gitignore | 1 + _service | 19 ++++ _servicedata | 6 ++ sbctl-0.17.tar.gz | 3 + sbctl-0.18.tar.gz | 3 + sbctl-rpmlintrc | 2 + sbctl.changes | 230 ++++++++++++++++++++++++++++++++++++++++++++++ sbctl.spec | 97 +++++++++++++++++++ vendor.tar.gz | 3 + 10 files changed, 387 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 sbctl-0.17.tar.gz create mode 100644 sbctl-0.18.tar.gz create mode 100644 sbctl-rpmlintrc create mode 100644 sbctl.changes create mode 100644 sbctl.spec create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..95e8165 --- /dev/null +++ b/_service @@ -0,0 +1,19 @@ + + + https://github.com/Foxboron/sbctl.git + git + .git + @PARENT_TAG@ + @PARENT_TAG@ + + + sbctl + + + *.tar + gz + + + github.com/ulikunitz/xz=github.com/ulikunitz/xz@v0.5.14 + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..2e049b3 --- /dev/null +++ b/_servicedata @@ -0,0 +1,6 @@ + + + https://github.com/Foxboron/sbctl.git + b7e1302c440f24b24d4cea5bb17aa4b703f46c87 + + \ No newline at end of file diff --git a/sbctl-0.17.tar.gz b/sbctl-0.17.tar.gz new file mode 100644 index 0000000..1c6d40d --- /dev/null +++ b/sbctl-0.17.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf1c9d1b1555faed642deda0257905fb65b67ee84a296969aa5fb5b388c67d37 +size 17956488 
diff --git a/sbctl-0.18.tar.gz b/sbctl-0.18.tar.gz
new file mode 100644
index 0000000..9e5bba1
--- /dev/null
+++ b/sbctl-0.18.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f244890d1676bc9e7761ebbbdc7e94e516b47642ef37efd0b7b60e5223fcaaa5
+size 17960022
diff --git a/sbctl-rpmlintrc b/sbctl-rpmlintrc
new file mode 100644
index 0000000..7206721
--- /dev/null
+++ b/sbctl-rpmlintrc
@@ -0,0 +1,2 @@
+# providing deb packages from this spec requires the tag to be hard coded
+addFilter("W: hardcoded-packager-tag");
diff --git a/sbctl.changes b/sbctl.changes
new file mode 100644
index 0000000..2925645
--- /dev/null
+++ b/sbctl.changes
@@ -0,0 +1,230 @@ +------------------------------------------------------------------- +Mon Oct 13 09:06:05 UTC 2025 - Jan Loeser + +- Update to version 0.18: + * logging: fixup new go vet warning + * workflows: add cc for cross compile + * workflow: add sudo to apt + * workflow: add pcsclite to ci + * workflow: try enable cgo + * go.mod: update golang.org/x/ dependencies + * fix: avoid adding bogus Country attribute to subject DNs + * sbctl: only store file if we did actually sign the file + * installkernel: add post install hook for Debian's traditional installkernel + * CI: missing libpcsclite pkg + * workflows: add missing depends and new pattern keyword + * Add yubikey example for create keys to the README + * Initial yubikey backend keytype support + * verify: ensure we pass args in correct order + +------------------------------------------------------------------- +Mon Sep 1 09:34:54 UTC 2025 - Michael Vetter + +- bsc#1248949 (CVE-2025-58058): + Bump xz to 0.5.14 + +------------------------------------------------------------------- +Mon May 5 11:24:29 UTC 2025 - Jan Loeser + +- Update to version 0.17: + * Ensure we don't wrongly compare input/output files when signing + * Added --json supprt to sbctl verify + * Ensure sbctl setup with no arguments returns a helpful output + * Import latest Microsoft keys for KEK and db databases + * Ensure we print the path of the file when encountering an invalid PE file + * Misc fixups in tests + * Misc typo fixes in prints + +------------------------------------------------------------------- +Tue Oct 22 03:56:54 UTC 2024 - Joshua Smith + +- Disable tests that fail due to gh/foxboron/sbctl#343 +- Update to version 0.16: + * Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is + present + * Fixed a bug where sbctl would abort if the TPM eventlog + contains the same byte multiple times + * Fixed a landlock bug where enroll-keys --export did not work + * Fixed a bug where an ESP mounted to multiple paths would not 
be + detected + * Exporting keys without efivars present work again + * sbctl sign will now use the saved output path if the signed + file is enrolled + * enroll-keys --append will now work without --force. +- Updates from version 0.15.4: + * Fixed an issue where sign-all did not report a non-zero exit + code when something failed + * Fixed and issue where we couldn't write to a file with landlock + * Fixed an issue where --json would print the human readable + output and the json + * Fixes landlock for UKI/bundles by disabling the sandbox feature + * Some doc fixups that mentioned /usr/share/ + +------------------------------------------------------------------- +Wed Jul 31 23:55:22 UTC 2024 - Joshua Smith + +- Update to version 0.15.3: + * Fixed a mistake where the db_additions setting in sbctl.conf + was not wired up to sbctl setup. + * Relaxed the check for an existing install in sbctl setup form + looking after /var/lib/sbctl to check for /var/lib/sbctl/keys. + * Fixed a bug where dmi information was not read for quirk + detection when landlock was enabled. + * Fixed a bug where sbctl create-keys did not have access to + /var/lib under landlock. + * Fixed a bug where sbctl setup didn't have access to /usr/share. + +------------------------------------------------------------------- +Wed Jul 31 14:13:47 UTC 2024 - Joshua Smith + +- Added minimum go required version +- Update to version 0.15.2: + * Fixed a bug where sbctl setup aborts early because + /var/lib/sbctl already exists. +- Updates from version 0.15.1: + * Fixed an issue where sbctl migrate did not work without + --disable-landlock. + * Fixed an issue where bundles.db would be written to files.json + deleting list of files. +- Updates from version 0.15: + See the release for full changes. + https://github.com/Foxboron/sbctl/releases/tag/0.15 + * sbctl will try to sandbox all commands with landlock. 
Landlock + is a unpriviledged sandbox, similar to OpenBSD pledge, that + allows sbctl to declare the directories and files we are + reading/writing a head. This feature is enabled by default and + can be disabled by setting landlock: false in the new config + file, or by passing --disable-landlock flag. + * sbctl has moved from using /usr/share/secureboot to + /var/lib/sbctl. The useage of /usr was mostly for legacy + reasons but there wasn't any motivation to fix this until now. + To help with the migration sbctl migrate has been implemented. + It will move all the files from the old location to + /var/lib/sbctl and rename files accordingly. + * sbctl now support creation of TPM key files using + go-tpm-keyfiles. These keys are mostly compatible with how + other TPM2 TSS keyfiles are created. This key type can be used + by passing on of several keytype flags to create-keys or + rotate-keys, or by specifying the type in the new configuration + file. + +------------------------------------------------------------------- +Thu May 9 15:54:58 UTC 2024 - Joshua Smith + +- Enable tests +- Fix bashism error in 91-sbctl.install by using bash shebang +- Service to use manual instead of deprecated disabled and pattern + cleanup +- Update to version 0.14: + New commands + * export-enrolled-keys will export all enrolled keys on the + system to a directory + * list-enrolled-keys will list the enrolled keys on the system + New Things + * The test suite has now been rewritten to use the new vmtest + library. + Bugfixes + * sign-all won't abort when it encounters a file it can't sign. + * The kernel-install hook won't try to sign things if there are + no signing keys available. + * The kernel-install hook will now only remove things if they + actually did exist on the system. + * The mkinitcpio hook now only sign the built kernel/UKI instead + of all the sbctl files. 
+ +------------------------------------------------------------------- +Wed Dec 27 08:21:25 UTC 2023 - Joshua Smith + +- Update to version 0.13: + * --export,-e and --database-path,-d now work properly and don't + overwrite the create-keys variables internally + * remove erronous dbx enrollment. Previous release implemented + support for dbx that doesn't really work as expected. It + would also fail to enroll keys for previously setup clients. + Implementation has been removed and will be iterated upon at a + later date. + * make: fix github artifact upload + * Change shebang + * Ensure file signing hook is run when initrd is rebuilt + * Fixed typo, removed mention enroll-keys enables Secure Boot + automatically + * Ignore Setup mode and immutable variables for export + * Specify file origin + always print signing message + * tests/utils/certs.go: drop keyUsage bitfield + * update manpage docs + * allow specifying keys and GUID paths + * Update README.md + * keys.go: drop the keyUsage bitfield + * Check and return Open errs + * Update documentation for custom dbx + +------------------------------------------------------------------- +Fri Oct 20 23:32:22 UTC 2023 - Joshua Smith + +- Update to version 0.12: + * sbctl bundle might be depreciated in the future. + * sbctl now allows you to enroll custom certificates into KEK + and db. + * sbctl now allows keys to be exported as EFI Signature Lists + (esl) or EFI Authenticated Variables (auth), which are pre-signed. + * sbctl can now enroll certificates found in dbxDefault, + dbDefault, KEKDefault and PKDefault. + * Before this release sbctl would enroll, reset and rotate the + entire key hierarchy when requested. With this release several + improvements have been made to have the ability to support + partial key hierarchies. This can be used through the --partial + flag in their respective commands. 
+ * add documentation for the extra flags of enroll/rotate/reset + * feat: add option to remove specific certs from db instead of an entire reset + * feat: add append option to enroll-keys + * feat: force key flag + * Add support for OEM dbx enrollment + * feat(dbx): enroll/rotate/reset dbx keys + * feat(rotate): enable partial rotation and providing different sources + * feat(reset): enable partial resets of secureboot keys + * feat(enroll-keys): add partial enrollment of keys + * Implement full support for loading builtin firmware certificates + * Add support for loading certificates from dbDefault + +------------------------------------------------------------------- +Mon Mar 27 07:36:22 UTC 2023 - jan.loeser@posteo.de + +- Update to version 0.11: + * status: Warn about firmware quirks + * Add trailing newline to JSON output + * Improve wording + * Always include vendor keys in status output + * Move a few more functions to afero and fs.Fs + * Remove unused code + * Include fs module + * Implement fs package and remove all direct filesystem calls + * Updated dependencies + * status: Added e2e test + * enroll-keys: remove variable overriding for OEM key enrollment + * updated to go 1.20 + * Fix arbitrary sizes in UKI generation + * Update README.md + * enroll-keys: Enroll Microsoft KEK along with their other keys + * pacman: Add extramodules target to hook + * Fix POSIX sh comparison + * verify: Implement file verification + +------------------------------------------------------------------- +Thu Jan 19 12:29:01 UTC 2023 - Joshua Smith + +- Update to version 0.10: + * go.mod: Properly fetch new library version + * go.mod: update go-uefi and cleanup + * rotate-keys: Implement rotate-keys + * Add support for the uki layout + * Fix typos and some improve grammar a bit + * sbctl.8: Provide more precise setup mode instructions + * enroll-keys: Error if user has Setup Mode disabled + * update manpage to reflect defaults in bundle.go + * Fix crash when ESP is not 
mounted + * main: Always ensure we allow printing before json prints + +------------------------------------------------------------------- +Mon Nov 28 04:07:35 UTC 2022 - Joshua Smith + +- Initial package of sbctl 0.9.0 for openSUSE diff --git a/sbctl.spec b/sbctl.spec new file mode 100644 index 0000000..553f16b --- /dev/null +++ b/sbctl.spec 
@@ -0,0 +1,97 @@
+#
+# spec file for package sbctl
+#
+# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: sbctl
+Version: 0.18
+Release: 0
+Summary: Secure Boot key manager
+License: MIT
+Group: System/Boot
+URL: https://github.com/Foxboron/sbctl
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}-rpmlintrc
+Requires: binutils
+%if 0%{?suse_version}
+Requires: util-linux-systemd
+%endif
+%if 0%{?ubuntu}
+Requires: util-linux
+%endif
+BuildRequires: asciidoc
+BuildRequires: binutils
+%if 0%{?suse_version}
+BuildRequires: go >= 1.22.0
+BuildRequires: golang-packaging
+BuildRequires: pcsc-lite-devel
+BuildRequires: pkgconfig(openssl) > 3.0.0
+%endif
+%if 0%{?ubuntu}
+BuildRequires: golang >= 1.22.0
+BuildRequires: libpcsclite-dev
+BuildRequires: libssl-dev > 3.0.0
+%endif
+
+%description
+sbctl intends to be a user-friendly secure boot key manager capable of setting
+up secure boot, offer key management capabilities, and keep track of files that
+needs to be signed in the boot chain.
+
+%prep
+%autosetup -a 1
+
+%build
+# Remove toolchain directive as we can't download it from external and we lack a corresponding
+# macro package for deb (golang-packaging)
+%if 0%{?ubuntu}
+sed -i '/^toolchain.*/d' go.mod
+%endif
+
+# Remove upstream version set.
+sed -i 's|VERSION =.*||' Makefile
+VERSION="%{version}" %make_build all
+
+%install
+%make_install BINDIR="%{_sbindir}" PREFIX="%{_prefix}"
+
+# Fix potential-bashisms rpmlint error by using bash shebang
+sed -i 's|bin/sh|bin/bash|' %{buildroot}%{_prefix}/lib/kernel/install.d/91-sbctl.install
+
+%files
+%doc README.md
+%license LICENSE
+
+%dir %{_prefix}/lib/kernel/
+%dir %{_prefix}/lib/kernel/install.d/
+%dir %{_prefix}/lib/kernel/postinst.d/
+%dir %{_datadir}/fish/
+%dir %{_datadir}/fish/vendor_completions.d/
+%dir %{_datadir}/zsh/
+%dir %{_datadir}/zsh/site-functions/
+
+%{_prefix}/lib/kernel/install.d/91-sbctl.install
+%{_prefix}/lib/kernel/postinst.d/91-sbctl.install
+%{_mandir}/man8/sbctl.8*
+%{_mandir}/man5/sbctl.conf.5*
+%{_datadir}/bash-completion/completions/sbctl
+%{_datadir}/fish/vendor_completions.d/sbctl.fish
+%{_datadir}/zsh/site-functions/_sbctl
+%{_sbindir}/sbctl
+
+%changelog
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..2533351
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:54914d6d77ce7eb2e2b54f7e2a5df5eae26a1e9c0c391a7f7db7b70480149a60
+size 5336378
--
2.51.1
From f08c042844041d36ea5966884f53032bf9d5a84295eaed797b2b7b2af00d2fb7 Mon Sep 17 00:00:00 2001
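Review bot: The `sed -i 's|bin/sh|bin/bash|'` in `%install` is unanchored, so it rewrites the first `bin/sh` on every line of `91-sbctl.install`, not just the shebang, and does nothing at all if the interpreter line takes a form it does not match; the hook's body is not visible here, so whether other matches exist is an assumption. Pin it to line 1 and make a miss fail the build: `f=%{buildroot}%{_prefix}/lib/kernel/install.d/91-sbctl.install`, `sed -i '1s|^#!.*/bin/sh$|#!/bin/bash|' "$f"`, `head -n1 "$f" | grep -qx '#!/bin/bash'`. `%files` also ships `postinst.d/91-sbctl.install`, which this rewrite never touches; if it is a copy of the same script rather than a symlink, the bashism is still installed there. Since changing the interpreter changes the script's semantics, the comment should also name the upstream issue or commit that lets the workaround be dropped.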
From: Michael Vetter Date: Mon, 17 Nov 2025 10:25:53 +0000 Subject: [PATCH 5/5] bsc#1251399, CVE-2025-47911 and bsc#1251609, CVE-2025-58190 OBS-URL: https://build.opensuse.org/package/show/utilities/sbctl?expand=0&rev=21 --- .gitattributes | 23 +++++ .gitignore | 1 + _service | 20 ++++ _servicedata | 6 ++ sbctl-0.17.tar.gz | 3 + sbctl-0.18.tar.gz | 3 + sbctl-rpmlintrc | 2 + sbctl.changes | 239 ++++++++++++++++++++++++++++++++++++++++++++++ sbctl.spec | 96 +++++++++++++++++++ vendor.tar.gz | 3 + 10 files changed, 396 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 sbctl-0.17.tar.gz create mode 100644 sbctl-0.18.tar.gz create mode 100644 sbctl-rpmlintrc create mode 100644 sbctl.changes create mode 100644 sbctl.spec create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text 
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..3ed56db --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/Foxboron/sbctl.git + git + .git + @PARENT_TAG@ + @PARENT_TAG@ + + + sbctl + + + *.tar + gz + + + github.com/ulikunitz/xz=github.com/ulikunitz/xz@v0.5.14 + golang.org/x/net=golang.org/x/net@v0.46.0 + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..2e049b3 --- /dev/null +++ b/_servicedata @@ -0,0 +1,6 @@ + + + https://github.com/Foxboron/sbctl.git + b7e1302c440f24b24d4cea5bb17aa4b703f46c87 + + \ No newline at end of file diff --git a/sbctl-0.17.tar.gz b/sbctl-0.17.tar.gz new file mode 100644 index 0000000..1c6d40d --- /dev/null +++ b/sbctl-0.17.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf1c9d1b1555faed642deda0257905fb65b67ee84a296969aa5fb5b388c67d37 +size 17956488 diff --git a/sbctl-0.18.tar.gz b/sbctl-0.18.tar.gz new file mode 100644 index 0000000..9e5bba1 --- /dev/null +++ b/sbctl-0.18.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f244890d1676bc9e7761ebbbdc7e94e516b47642ef37efd0b7b60e5223fcaaa5 +size 17960022 diff --git a/sbctl-rpmlintrc b/sbctl-rpmlintrc new file mode 100644 index 0000000..7206721 --- /dev/null +++ b/sbctl-rpmlintrc @@ -0,0 +1,2 @@ +# providing deb packages from this spec requires the tag to be hard coded +addFilter("W: hardcoded-packager-tag"); diff --git a/sbctl.changes b/sbctl.changes new file mode 100644 index 0000000..895b188 --- /dev/null +++ b/sbctl.changes 
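Review bot: The two module overrides at the end of `_service` (`github.com/ulikunitz/xz@v0.5.14`, `golang.org/x/net@v0.46.0`) say nothing about why they exist or when they may go, yet they are re-applied on every regeneration of `vendor.tar.gz`, so once upstream's go.mod moves past these versions they turn into a silent downgrade that would reintroduce whatever later fixes those modules receive. Add an XML comment beside them with the tracking bugs and the exit condition, e.g. `<!-- bsc#1248949/CVE-2025-58058, bsc#1251399/CVE-2025-47911, bsc#1251609/CVE-2025-58190: drop once upstream go.mod requires at least these versions -->`. The element and attribute names are stripped in this rendering, so I cannot tell whether these act as replace directives or as one-off version bumps; the downgrade concern applies to the former.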
@@ -0,0 +1,239 @@ +------------------------------------------------------------------- +Wed Nov 12 07:29:18 UTC 2025 - Fridrich Strba + +- Upgrade the embedded golang.org/x/net to 0.46.0 + * Fixes: bsc#1251399, CVE-2025-47911: various algorithms with + quadratic complexity when parsing HTML documents + * Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption + by 'html.ParseFragment' when processing specially crafted input + +------------------------------------------------------------------- +Mon Oct 13 09:06:05 UTC 2025 - Jan Loeser + +- Update to version 0.18: + * logging: fixup new go vet warning + * workflows: add cc for cross compile + * workflow: add sudo to apt + * workflow: add pcsclite to ci + * workflow: try enable cgo + * go.mod: update golang.org/x/ dependencies + * fix: avoid adding bogus Country attribute to subject DNs + * sbctl: only store file if we did actually sign the file + * installkernel: add post install hook for Debian's traditional installkernel + * CI: missing libpcsclite pkg + * workflows: add missing depends and new pattern keyword + * Add yubikey example for create keys to the README + * Initial yubikey backend keytype support + * verify: ensure we pass args in correct order + +------------------------------------------------------------------- +Mon Sep 1 09:34:54 UTC 2025 - Michael Vetter + +- bsc#1248949 (CVE-2025-58058): + Bump xz to 0.5.14 + +------------------------------------------------------------------- +Mon May 5 11:24:29 UTC 2025 - Jan Loeser + +- Update to version 0.17: + * Ensure we don't wrongly compare input/output files when signing + * Added --json supprt to sbctl verify + * Ensure sbctl setup with no arguments returns a helpful output + * Import latest Microsoft keys for KEK and db databases + * Ensure we print the path of the file when encountering an invalid PE file + * Misc fixups in tests + * Misc typo fixes in prints + +------------------------------------------------------------------- +Tue Oct 22 
03:56:54 UTC 2024 - Joshua Smith + +- Disable tests that fail due to gh/foxboron/sbctl#343 +- Update to version 0.16: + * Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is + present + * Fixed a bug where sbctl would abort if the TPM eventlog + contains the same byte multiple times + * Fixed a landlock bug where enroll-keys --export did not work + * Fixed a bug where an ESP mounted to multiple paths would not be + detected + * Exporting keys without efivars present work again + * sbctl sign will now use the saved output path if the signed + file is enrolled + * enroll-keys --append will now work without --force. +- Updates from version 0.15.4: + * Fixed an issue where sign-all did not report a non-zero exit + code when something failed + * Fixed and issue where we couldn't write to a file with landlock + * Fixed an issue where --json would print the human readable + output and the json + * Fixes landlock for UKI/bundles by disabling the sandbox feature + * Some doc fixups that mentioned /usr/share/ + +------------------------------------------------------------------- +Wed Jul 31 23:55:22 UTC 2024 - Joshua Smith + +- Update to version 0.15.3: + * Fixed a mistake where the db_additions setting in sbctl.conf + was not wired up to sbctl setup. + * Relaxed the check for an existing install in sbctl setup form + looking after /var/lib/sbctl to check for /var/lib/sbctl/keys. + * Fixed a bug where dmi information was not read for quirk + detection when landlock was enabled. + * Fixed a bug where sbctl create-keys did not have access to + /var/lib under landlock. + * Fixed a bug where sbctl setup didn't have access to /usr/share. + +------------------------------------------------------------------- +Wed Jul 31 14:13:47 UTC 2024 - Joshua Smith + +- Added minimum go required version +- Update to version 0.15.2: + * Fixed a bug where sbctl setup aborts early because + /var/lib/sbctl already exists. 
+- Updates from version 0.15.1: + * Fixed an issue where sbctl migrate did not work without + --disable-landlock. + * Fixed an issue where bundles.db would be written to files.json + deleting list of files. +- Updates from version 0.15: + See the release for full changes. + https://github.com/Foxboron/sbctl/releases/tag/0.15 + * sbctl will try to sandbox all commands with landlock. Landlock + is a unpriviledged sandbox, similar to OpenBSD pledge, that + allows sbctl to declare the directories and files we are + reading/writing a head. This feature is enabled by default and + can be disabled by setting landlock: false in the new config + file, or by passing --disable-landlock flag. + * sbctl has moved from using /usr/share/secureboot to + /var/lib/sbctl. The useage of /usr was mostly for legacy + reasons but there wasn't any motivation to fix this until now. + To help with the migration sbctl migrate has been implemented. + It will move all the files from the old location to + /var/lib/sbctl and rename files accordingly. + * sbctl now support creation of TPM key files using + go-tpm-keyfiles. These keys are mostly compatible with how + other TPM2 TSS keyfiles are created. This key type can be used + by passing on of several keytype flags to create-keys or + rotate-keys, or by specifying the type in the new configuration + file. + +------------------------------------------------------------------- +Thu May 9 15:54:58 UTC 2024 - Joshua Smith + +- Enable tests +- Fix bashism error in 91-sbctl.install by using bash shebang +- Service to use manual instead of deprecated disabled and pattern + cleanup +- Update to version 0.14: + New commands + * export-enrolled-keys will export all enrolled keys on the + system to a directory + * list-enrolled-keys will list the enrolled keys on the system + New Things + * The test suite has now been rewritten to use the new vmtest + library. + Bugfixes + * sign-all won't abort when it encounters a file it can't sign. 
+ * The kernel-install hook won't try to sign things if there are + no signing keys available. + * The kernel-install hook will now only remove things if they + actually did exist on the system. + * The mkinitcpio hook now only sign the built kernel/UKI instead + of all the sbctl files. + +------------------------------------------------------------------- +Wed Dec 27 08:21:25 UTC 2023 - Joshua Smith + +- Update to version 0.13: + * --export,-e and --database-path,-d now work properly and don't + overwrite the create-keys variables internally + * remove erronous dbx enrollment. Previous release implemented + support for dbx that doesn't really work as expected. It + would also fail to enroll keys for previously setup clients. + Implementation has been removed and will be iterated upon at a + later date. + * make: fix github artifact upload + * Change shebang + * Ensure file signing hook is run when initrd is rebuilt + * Fixed typo, removed mention enroll-keys enables Secure Boot + automatically + * Ignore Setup mode and immutable variables for export + * Specify file origin + always print signing message + * tests/utils/certs.go: drop keyUsage bitfield + * update manpage docs + * allow specifying keys and GUID paths + * Update README.md + * keys.go: drop the keyUsage bitfield + * Check and return Open errs + * Update documentation for custom dbx + +------------------------------------------------------------------- +Fri Oct 20 23:32:22 UTC 2023 - Joshua Smith + +- Update to version 0.12: + * sbctl bundle might be depreciated in the future. + * sbctl now allows you to enroll custom certificates into KEK + and db. + * sbctl now allows keys to be exported as EFI Signature Lists + (esl) or EFI Authenticated Variables (auth), which are pre-signed. + * sbctl can now enroll certificates found in dbxDefault, + dbDefault, KEKDefault and PKDefault. + * Before this release sbctl would enroll, reset and rotate the + entire key hierarchy when requested. 
With this release several + improvements have been made to have the ability to support + partial key hierarchies. This can be used through the --partial + flag in their respective commands. + * add documentation for the extra flags of enroll/rotate/reset + * feat: add option to remove specific certs from db instead of an entire reset + * feat: add append option to enroll-keys + * feat: force key flag + * Add support for OEM dbx enrollment + * feat(dbx): enroll/rotate/reset dbx keys + * feat(rotate): enable partial rotation and providing different sources + * feat(reset): enable partial resets of secureboot keys + * feat(enroll-keys): add partial enrollment of keys + * Implement full support for loading builtin firmware certificates + * Add support for loading certificates from dbDefault + +------------------------------------------------------------------- +Mon Mar 27 07:36:22 UTC 2023 - jan.loeser@posteo.de + +- Update to version 0.11: + * status: Warn about firmware quirks + * Add trailing newline to JSON output + * Improve wording + * Always include vendor keys in status output + * Move a few more functions to afero and fs.Fs + * Remove unused code + * Include fs module + * Implement fs package and remove all direct filesystem calls + * Updated dependencies + * status: Added e2e test + * enroll-keys: remove variable overriding for OEM key enrollment + * updated to go 1.20 + * Fix arbitrary sizes in UKI generation + * Update README.md + * enroll-keys: Enroll Microsoft KEK along with their other keys + * pacman: Add extramodules target to hook + * Fix POSIX sh comparison + * verify: Implement file verification + +------------------------------------------------------------------- +Thu Jan 19 12:29:01 UTC 2023 - Joshua Smith + +- Update to version 0.10: + * go.mod: Properly fetch new library version + * go.mod: update go-uefi and cleanup + * rotate-keys: Implement rotate-keys + * Add support for the uki layout + * Fix typos and some improve grammar a bit + * 
sbctl.8: Provide more precise setup mode instructions + * enroll-keys: Error if user has Setup Mode disabled + * update manpage to reflect defaults in bundle.go + * Fix crash when ESP is not mounted + * main: Always ensure we allow printing before json prints + +------------------------------------------------------------------- +Mon Nov 28 04:07:35 UTC 2022 - Joshua Smith + +- Initial package of sbctl 0.9.0 for openSUSE diff --git a/sbctl.spec b/sbctl.spec new file mode 100644 index 0000000..de79b3c --- /dev/null +++ b/sbctl.spec 
@@ -0,0 +1,96 @@
+#
+# spec file for package sbctl
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: sbctl
+Version: 0.18
+Release: 0
+Summary: Secure Boot key manager
+License: MIT
+Group: System/Boot
+URL: https://github.com/Foxboron/sbctl
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}-rpmlintrc
+Requires: binutils
+%if 0%{?suse_version}
+Requires: util-linux-systemd
+%endif
+%if 0%{?ubuntu}
+Requires: util-linux
+%endif
+BuildRequires: asciidoc
+BuildRequires: binutils
+%if 0%{?suse_version}
+BuildRequires: go >= 1.22.0
+BuildRequires: golang-packaging
+BuildRequires: pcsc-lite-devel
+BuildRequires: pkgconfig(openssl) > 3.0.0
+%endif
+%if 0%{?ubuntu}
+BuildRequires: golang >= 1.22.0
+BuildRequires: libpcsclite-dev
+BuildRequires: libssl-dev > 3.0.0
+%endif
+
+%description
+sbctl intends to be a user-friendly secure boot key manager capable of setting
+up secure boot, offer key management capabilities, and keep track of files that
+needs to be signed in the boot chain.
+
+%prep
+%autosetup -a 1
+
+%build
+# Remove toolchain directive as we can't download it from external and we lack a corresponding
+# macro package for deb (golang-packaging)
+%if 0%{?ubuntu}
+sed -i '/^toolchain.*/d' go.mod
+%endif
+
+# Remove upstream version set.
+sed -i 's|VERSION =.*||' Makefile
+VERSION="%{version}" %make_build all
+
+%install
+%make_install BINDIR="%{_sbindir}" PREFIX="%{_prefix}"
+
+# Fix potential-bashisms rpmlint error by using bash shebang
+sed -i 's|bin/sh|bin/bash|' %{buildroot}%{_prefix}/lib/kernel/install.d/91-sbctl.install
+
+%files
+%doc README.md
+%license LICENSE
+
+%dir %{_prefix}/lib/kernel/
+%dir %{_prefix}/lib/kernel/install.d/
+%dir %{_prefix}/lib/kernel/postinst.d/
+%dir %{_datadir}/fish/
+%dir %{_datadir}/fish/vendor_completions.d/
+%dir %{_datadir}/zsh/
+%dir %{_datadir}/zsh/site-functions/
+
+%{_prefix}/lib/kernel/install.d/91-sbctl.install
+%{_prefix}/lib/kernel/postinst.d/91-sbctl.install
+%{_mandir}/man8/sbctl.8*
+%{_mandir}/man5/sbctl.conf.5*
+%{_datadir}/bash-completion/completions/sbctl
+%{_datadir}/fish/vendor_completions.d/sbctl.fish
+%{_datadir}/zsh/site-functions/_sbctl
+%{_sbindir}/sbctl
+
+%changelog
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..f70c919
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2fc644ddb2b233faec1f29dd1199748667ff2a50640a8b5107920fef6ca1fa2
+size 5068731
--
2.51.1
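Review bot: Nothing in this spec checks that the regenerated `vendor.tar.gz` really carries the patched modules the changes entry announces (x/net 0.46.0, xz 0.5.14); if the overrides in `_service` are dropped or fail to apply on a later regeneration, the build still succeeds and the CVE fixes silently vanish. Add a guard after `%autosetup -a 1`: `grep -q 'golang.org/x/net v0.46.0' vendor/modules.txt` and `grep -q 'github.com/ulikunitz/xz v0.5.14' vendor/modules.txt`, with a comment naming bsc#1251399/CVE-2025-47911, bsc#1251609/CVE-2025-58190 and bsc#1248949/CVE-2025-58058 so the next updater knows to remove it when upstream's go.mod catches up. This assumes the vendoring step records resolved versions in `vendor/modules.txt` as `go mod vendor` does, which is worth confirming once against the tarball. Separately, `%make_build all VERSION="%{version}"` overrides the Makefile assignment from the command line and would make the preceding `sed -i 's|VERSION =.*||' Makefile` unnecessary.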