Add support for secure boot

[anatol]

Add a way to generate booster-based unified images that get signed with a key. Such final images could be used for machines configured with secure boot.

For the reference here is secure boot implementation from mkinitcpio project:
archlinux/mkinitcpio@f40bb42

[j0057]

It turned out to be pretty easy to do this with sbupdate; it takes care of generating the EFI Unified Kernel Image, with firmware included, and then signing it using sbsign.

This sbupdate.conf takes initrd images in /boot made with mkinitcpio as well as booster for both linux and linux-zen kernels, and puts everything in /efi:

KEY_DIR=/etc/efi-keys
ESP_DIR=/efi
OUT_DIR=
SPLASH=/dev/null
BACKUP=5
CMDLINE_DEFAULT='root=/dev/mapper/crypt_root resume=/dev/mapper/crypt_swap rw'

CONFIGS=(['linux']='archlinux archlinux-fallback archlinux-booster'
         ['linux-zen']='archlinux-zen archlinux-zen-fallback archlinux-zen-booster')

INITRD=(['archlinux']='/boot/initramfs-linux.img'
        ['archlinux-fallback']='/boot/initramfs-linux-fallback.img'
        ['archlinux-booster']='/boot/booster-linux.img'
        ['archlinux-zen']='/boot/initramfs-linux-zen.img'
        ['archlinux-zen-fallback']='/boot/initramfs-linux-zen-fallback.img'
        ['archlinux-zen-booster']='/boot/booster-linux-zen.img')

CMDLINE=(['archlinux-booster']='root=/dev/disk/by-label/luks_root resume=/dev/disk/by-label/luks_swap rw'
         ['archlinux-zen-booster']='root=/dev/disk/by-label/luks_root resume=/dev/disk/by-label/luks_swap rw')

EXTRA_SIGN=('/efi/shellx64-signed.efi')

[anatol]

These are great news @j0057. I like the way this EFI generation decoupled from initramfs generation. Does sbupdate hook take care of ordering i.e. it waits for booster-initrmafs.img generated first and only then EFI binary is built/signed?

Are there any sbupdate equivalents at Arch community repo? If not should sbupdate be moved to [community] so people would be able to use it with less efforts?

[j0057]

I think pacman hooks are run alphabetically, so 90-booster-install.hook and 90-mkinitcpio-install.hook run before 95-sbupdate.hook. All of these trigger when /usr/lib/*/vmlinuz is installed or upgraded.

There is foxboron/sbctl which is already in [community], that also does key management tasks, sbupdate just assumes you generated and enrolled the keys some other way. The hook file is installed as 99-sbctl.hook.

[dkwo]

Has sbctl been successfully used with booster and grub?

[dkwo]

Ok, perhaps it is simpler to just drop grub here..

[c3Ls1US]

I'm against this in favor letting external tools do it instead as currently, sbctl and systemd-ukify are able to create unified kernel images.

For instance, we could just have a shell script similar to regenerate_images that generates the bundle/UKI.

[dkwo]

unified kernel image is considered second class citizen in sbctl. imho it'd be useful if booster could create a unified image, then one can use sbctl or similar to sign it.