sbctl
Manage Secure Boot on Linux systems
TLDR
Show the current secure boot status (enabled or not, Setup Mode or not, and which keys and files sbctl knows about):
    sbctl status
Create custom secure boot keys (by default, everything is stored in /var/lib/sbctl):
    sbctl create-keys
Enroll the custom secure boot keys and Microsoft's UEFI vendor certificates (the firmware must be in Setup Mode):
    sbctl enroll-keys --microsoft
Automatically run create-keys and enroll-keys based on the settings in /etc/sbctl/sbctl.conf:
    sbctl setup --setup
Sign an EFI binary with the created db key and save the file to the database so it can be re-signed later:
    sbctl sign --save <file>
Re-sign all the saved files (for example after a kernel or bootloader update):
    sbctl sign-all
Verify that all EFI executables on the EFI system partition have been signed:
    sbctl verify
SYNOPSIS
sbctl [OPTIONS] COMMAND [ARGUMENTS...]
sbctl status
sbctl create-keys
sbctl enroll-keys [--microsoft]
sbctl sign [--save] <file>
sbctl sign-all
sbctl verify
sbctl list-enrolled-keys
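The whole procedure from the TLDR in one script (firmware-state check, key creation, enrollment, signing, verification), as an added example that is not part of sbctl or its documentation. It assumes efivarfs is mounted at /sys/firmware/efi/efivars, the ESP is mounted at /boot, and that FILES names the bootloader and kernel images on your system (the systemd-boot and vmlinuz-linux paths are placeholders). SBCTL, EFIVARS and FILES are environment overrides introduced here, not sbctl options, so the flow can be rehearsed against a stub before it is run for real as root.

```shell
#!/bin/sh
# Added example; not part of sbctl or its documentation. Runs the TLDR
# procedure end to end with a preflight check on the firmware state that
# 'sbctl status' also reports. Assumptions: efivarfs is mounted at
# /sys/firmware/efi/efivars, the ESP is mounted at /boot, and FILES lists
# the binaries your bootloader and kernel actually live in (edit to taste).
set -eu

SBCTL=${SBCTL:-sbctl}          # overridable so the flow can be exercised with a stub
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE GUID (SecureBoot, SetupMode, PK, KEK)
FILES=${FILES:-"/boot/EFI/systemd/systemd-bootx64.efi /boot/EFI/BOOT/BOOTX64.EFI /boot/vmlinuz-linux"}

# Read a one-byte boolean UEFI variable. efivarfs prefixes the variable data
# with a 4-byte attribute word, so the value is the fifth byte of the file.
# Prints "unknown" when the variable is absent (BIOS boot, efivarfs not mounted).
efivar_bool() {
    f="$EFIVARS/$1-$EFI_GLOBAL"
    if [ -r "$f" ]; then
        od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
    else
        printf 'unknown'
    fi
}

# A Platform Key can only be enrolled while the firmware is in Setup Mode
# (PK cleared in the firmware setup menu). Non-zero exit lets callers bail out.
preflight_enroll() {
    sb=$(efivar_bool SecureBoot)
    sm=$(efivar_bool SetupMode)
    printf 'SecureBoot=%s SetupMode=%s\n' "$sb" "$sm"
    [ "$sm" = 1 ]
}

# The procedure itself. --microsoft keeps Microsoft's UEFI CA in db so that
# firmware-signed option ROMs (discrete GPUs, RAID controllers) still load;
# --save records each file in sbctl's database so 'sbctl sign-all' can
# re-sign it after the next kernel or bootloader update.
enroll_and_sign() {
    if ! preflight_enroll; then
        echo "firmware is not in Setup Mode; clear the PK in firmware setup first" >&2
        return 1
    fi
    "$SBCTL" create-keys
    "$SBCTL" enroll-keys --microsoft
    for f in $FILES; do
        if [ -e "$f" ]; then
            "$SBCTL" sign --save "$f"
        fi
    done
    "$SBCTL" verify
}

case "${1:-}" in
    run) enroll_and_sign ;;           # ./sb-setup.sh run   (as root)
    *)   preflight_enroll || true ;;  # default: only report the firmware state
esac
```

Run it without arguments first: if it prints SetupMode=0, enroll-keys will fail (or, worse, succeed only partially on buggy firmware), so clear the PK in the firmware setup menu and reboot before using `run`. Leaving out `--microsoft` is only safe on hardware with no firmware-signed option ROMs; sbctl itself refuses to enroll a PK without Microsoft's certificates when it detects option ROMs unless you pass `--yes-this-might-brick-my-machine`.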
PARAMETERS
status
Shows whether Secure Boot is enabled, whether the firmware is in Setup Mode, and which keys and files sbctl knows about.
create-keys
Generates a new Secure Boot key hierarchy (Platform Key, Key Exchange Key, Signature Database key) and stores it under /var/lib/sbctl/keys.
enroll-keys
Enrolls the generated keys into the UEFI firmware variables (PK, KEK, db). The firmware must be in Setup Mode, i.e. the existing PK must have been cleared in the firmware setup menu. With --microsoft, Microsoft's UEFI vendor certificates are enrolled alongside your own so that firmware-signed option ROMs (discrete GPUs, storage and network controllers) keep loading.
sign <file>
Signs an EFI binary (bootloader, kernel image, or unified kernel image) with the generated db key. With --save the file is also recorded in sbctl's database so that it can be re-signed later.
sign-all
Re-signs every file recorded in the database; run it after a kernel or bootloader update.
verify
Verifies the signatures of all files recorded in the database and of every EFI binary found on the EFI system partition, reporting any that are unsigned.
list-enrolled-keys
Lists the certificates currently enrolled in the firmware's Secure Boot variables (PK, KEK, db).
help [command]
Displays general help information or specific help for a given sbctl subcommand.
--save
(sign) Record the signed file in the database so that sign-all re-signs it.
--microsoft
(enroll-keys) Also enroll Microsoft's UEFI vendor certificates.
--yes-this-might-brick-my-machine
(enroll-keys) Proceed with enrolling a Platform Key without Microsoft's certificates even though sbctl has detected firmware-signed option ROMs. This is the only override of sbctl's safety checks, and on affected hardware it can leave the machine without a working display or boot device.
--json
Emit machine-readable JSON instead of the human-readable report (status and list commands).
DESCRIPTION
sbctl is a command-line utility that simplifies the management of Secure Boot on Linux systems.
It generates, enrolls and manages a custom Secure Boot key hierarchy (PK, KEK, db), signs EFI binaries such as bootloaders, kernel images and unified kernel images with the db key, and keeps a database of signed files so they can be re-signed after updates.
It is intended for users who want Secure Boot enabled while booting custom kernels, bootloaders or third-party EFI applications that carry no vendor signature: it provides a straightforward way to create signatures the UEFI firmware can verify directly, without going through shim and MOK enrollment.
With custom keys enrolled and only the intended files signed, the firmware refuses to execute any PE image that does not chain to those keys before the operating system loads. This covers only what the firmware itself loads: an initramfs or kernel command line read by the bootloader is not verified unless it is packed into a signed unified kernel image.
sbctl talks to the UEFI firmware through efivarfs to enroll keys and to the file system to sign files, which makes the Secure Boot setup process accessible to a wider range of Linux users.
CAVEATS
Requires UEFI firmware with Secure Boot support. To enroll a custom Platform Key the firmware must be put into Setup Mode (delete the existing PK from the firmware setup menu); sbctl status reports whether Setup Mode is active.
Enrolling custom keys without Microsoft's certificates can leave the machine unable to load firmware-signed option ROMs (discrete GPUs, RAID and network controllers), which on some hardware means no display or no boot device. Use --microsoft unless you have confirmed that no such option ROMs are present.
Incorrect key management, or an unsigned bootloader left behind after a key change, leads to an unbootable system; recovery means disabling Secure Boot or clearing the keys in the firmware setup menu.
The private keys under /var/lib/sbctl/keys let anyone who holds them sign code the firmware will trust; keep the directory root-only and back it up offline.
Requires root privileges to write UEFI variables and to the EFI system partition.
Accesses UEFI variables through efivarfs, the kernel filesystem mounted at /sys/firmware/efi/efivars (it is absent when the system was booted in legacy BIOS mode). sbctl refuses to write variables whose efivarfs files carry the immutable attribute (see chattr(1)); --ignore-immutable skips that check.
KEY HIERARCHY
sbctl manages the standard Secure Boot key hierarchy: Platform Key (PK), Key Exchange Key (KEK), and the Signature Database (db); the firmware also keeps a forbidden-signature database (dbx).
The PK is the machine's root of trust: only updates signed by the PK may replace the KEK, and only updates signed by a KEK may change db or dbx. Enrolling a PK takes the firmware out of Setup Mode, after which every further change to these variables must be such a signed update.
db holds the certificates (and optionally image hashes) that boot components must be signed with; dbx holds revoked certificates and hashes. The firmware accepts a PE image only if its signature chains to a db entry and neither the signing certificate nor the image hash appears in dbx.
FILE SIGNING PROCESS
sbctl signs files in the Authenticode format shared by Windows and UEFI: the signature is a PKCS#7 structure placed in the image's certificate table, which is appended to the PE/COFF file and referenced from the security entry of the optional header's data directory rather than being embedded in the header itself. The signed digest covers the whole image except the checksum field, that directory entry and the certificate table, so a binary can be re-signed or carry more than one signature. sbctl signs with the db key stored under /var/lib/sbctl/keys/db.
When the UEFI firmware loads a PE executable, it computes the same digest, checks dbx for the certificate and the image hash, and then verifies the embedded signature against the certificates in db. If the signature chains to a db entry the executable runs; otherwise the firmware refuses to load it and the boot manager falls through to the next boot entry or reports a Secure Boot violation.
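To see where the signature actually lives, the following added example (not sbctl's code) walks the PE/COFF headers to the certificate table entry and reports whether a file carries one. It only detects presence; whether the signature chains to the enrolled db key is what sbctl verify checks cryptographically. It assumes a little-endian image as built for x86-64 UEFI, and make_sample_pe builds a constructed header-only stub so the check can be run without a real EFI binary.

```shell
#!/bin/sh
# Added example; not sbctl code. Locates the Authenticode certificate table
# in a PE/COFF image, which is where 'sbctl sign' places the signature: data
# directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) of the optional header
# holds a file offset (not an RVA) and a size; the table itself is appended
# after the sections. Assumes a little-endian image as built for x86-64 UEFI.
set -eu

# Unsigned little-endian integer of $2 bytes at byte offset $1 of file $3,
# assembled byte by byte so the host's endianness does not matter.
le_uint() {
    off=$1; n=$2; f=$3; v=0; mul=1
    for b in $(od -An -tu1 -j "$off" -N "$n" "$f"); do
        v=$((v + b * mul))
        mul=$((mul * 256))
    done
    printf '%s' "$v"
}

# Print "<offset> <size>" of the certificate table; "0 0" means no table.
# Returns non-zero if the file is not a PE image we can parse.
pe_cert_table() {
    f=$1
    [ "$(od -An -c -N2 "$f" | tr -d ' \n')" = MZ ] || return 1
    pe=$(le_uint 60 4 "$f")                              # e_lfanew -> "PE\0\0"
    [ "$(le_uint "$pe" 4 "$f")" -eq 17744 ] || return 1  # 0x00004550
    opt=$((pe + 24))                                     # optional header after the 20-byte COFF header
    case $(le_uint "$opt" 2 "$f") in
        267) sec=$((opt + 128)) ;;                       # PE32  (0x10b): directories at 96, entry 4
        523) sec=$((opt + 144)) ;;                       # PE32+ (0x20b): directories at 112, entry 4
        *)   return 1 ;;
    esac
    # NumberOfRvaAndSizes sits just before the directory array; a tiny image
    # may declare fewer than 5 entries, in which case there is no table.
    if [ "$(le_uint $((sec - 36)) 4 "$f")" -lt 5 ]; then
        printf '0 0'; return 0
    fi
    printf '%s %s' "$(le_uint "$sec" 4 "$f")" "$(le_uint $((sec + 4)) 4 "$f")"
}

# Classify a file as signed / unsigned / not-pe. Presence only: whether the
# signature actually chains to the db key is what 'sbctl verify' checks.
efi_signature_state() {
    if t=$(pe_cert_table "$1"); then
        set -- $t
        if [ "$2" -gt 0 ]; then echo signed; else echo unsigned; fi
    else
        echo not-pe
    fi
}

# Write printf-style escaped bytes $3 at offset $2 of file $1 without truncating.
poke() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }
# Four little-endian bytes of $1 as octal escapes for poke.
le4() { printf '\\%03o\\%03o\\%03o\\%03o' $(($1 % 256)) $(($1 / 256 % 256)) $(($1 / 65536 % 256)) $(($1 / 16777216 % 256)); }

# Constructed sample input: a 512-byte stub PE32+ consisting of headers only,
# so the check can be run without a real EFI binary. $2 is the certificate
# table size to record (0 = unsigned, anything else = signed).
make_sample_pe() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    poke "$1" 0   '\115\132'           # "MZ"
    poke "$1" 60  '\200\000\000\000'   # e_lfanew = 0x80
    poke "$1" 128 '\120\105\000\000'   # "PE\0\0"
    poke "$1" 152 '\013\002'           # optional header magic 0x20b (PE32+)
    poke "$1" 260 '\020\000\000\000'   # NumberOfRvaAndSizes = 16
    poke "$1" 296 '\000\002\000\000'   # certificate table file offset = 0x200
    poke "$1" 300 "$(le4 "$2")"        # certificate table size
}

if [ $# -gt 0 ]; then                  # ./pe-sigcheck.sh /boot/EFI/BOOT/BOOTX64.EFI
    efi_signature_state "$1"
else                                   # no argument: demo on the constructed stub
    tmp=$(mktemp)
    make_sample_pe "$tmp" 0
    efi_signature_state "$tmp"
    rm -f "$tmp"
fi
```

Pointing the script at a real bootloader before and after sbctl sign shows the directory entry change from 0 0 to a non-zero offset at the end of the file; the rest of the image is untouched, which is why the digest excludes exactly that entry and the table it points to.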
HISTORY
sbctl is a relatively recent tool that gained traction as Secure Boot became the default on consumer hardware and more Linux users wanted to keep it enabled with their own kernels. Before it, setting up custom keys meant combining several utilities (openssl, efitools' cert-to-efi-sig-list, sign-efi-sig-list and efi-updatevar, sbsign) and tracking the signed files by hand.
Its goal is a single, user-friendly interface for the whole process, particularly on systems using systemd-boot or other minimal bootloaders that do not boot through shim.
SEE ALSO
efibootmgr(8), mokutil(1), sbsign(1), sbverify(1), efivar(1), chattr(1), openssl(1ssl)