Sign systemd-boot executables automatically

From bootctl(1): bootctl install and update will look for a systemd-boot file ending with the ".efi.signed" suffix first, and copy that instead of the normal ".efi" file. This also works with systemd-boot-update.service.
andreyv · May 13, 2022 · 785bcd1 · 785bcd1
1 parent 4fe32db
commit 785bcd1
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 10 deletions.
diff --git a/Makefile b/Makefile
@@ -13,6 +13,6 @@ install:
 	$(INSTALL) -D -m 0644 -t "$(DESTDIR)/etc" sbupdate.conf
 	$(INSTALL) -o root -g root -m 0700 -d "$(DESTDIR)/etc/efi-keys"
 	$(INSTALL) -D -m 0644 -t "$(DESTDIR)/usr/share/libalpm/hooks" \
-      $(addprefix hooks/,95-sbupdate.hook 50-sbupdate-remove.hook 50-fwupd-sign.hook)
+      $(addprefix hooks/,95-sbupdate.hook 50-sbupdate-remove.hook 50-efi-sign.hook)
 	$(INSTALL) -D -m 0644 -t \
       "$(DESTDIR)$(or $(DOCDIR),/usr/share/doc/sbupdate)" README.md
diff --git a/README.md b/README.md
@@ -68,13 +68,17 @@ format is
     efi   /EFI/Arch/<NAME>-signed.efi
 
 You also need to sign your boot manager's own UEFI executables with your
-custom keys. Add corresponding filenames to the `EXTRA_SIGN` array in
-`/etc/sbupdate.conf`, for example (systemd-boot):
+custom keys. For systemd-boot, this is handled automatically on update. For
+first-time setup, run
 
-    EXTRA_SIGN=('/boot/EFI/BOOT/BOOTX64.EFI' '/boot/EFI/systemd/systemd-bootx64.efi')
+```shell
+echo /usr/lib/systemd/boot/efi/systemd-boot*.efi | sudo sbupdate -f
+sudo bootctl update
+```
 
-and re-run the tool if needed. You should remember to run the tool every time
-you update your boot manager's files (e. g., after `sudo bootctl update`).
+For other boot managers, add corresponding ESP executables to the `EXTRA_SIGN`
+array in `/etc/sbupdate.conf` and re-run the tool if needed. You should
+remember to run the tool every time you update your boot manager's files.
 
 ⚠️ **Note**: When booting with Secure Boot disabled, options passed from an EFI shell
 (_even empty_) may override the built-in command line in the combined image, and
@@ -91,9 +95,9 @@ contain signed images which cannot be tampered with.
 
 See [Configuration](#configuration) to change the ESP directory.
 
-Note that if you use a boot manager such as systemd-boot, then its files still
-need to be on the ESP before they are signed. It is customary to sign these
-files right after they have been installed on the ESP. Direct booting is
+Note that if you use a boot manager other than systemd-boot, then its files
+still need to be on the ESP before they are signed. It is customary to sign
+these files right after they have been installed on the ESP. Direct booting is
 recommended for increased security.
 
 ## Related resources

diff --git a/hooks/50-fwupd-sign.hook → hooks/50-efi-sign.hook b/hooks/50-fwupd-sign.hook → hooks/50-efi-sign.hook
@@ -3,9 +3,10 @@ Operation = Install
 Operation = Upgrade
 Type = Path
 Target = usr/lib/fwupd/efi/fwupd*.efi
+Target = usr/lib/systemd/boot/efi/systemd-boot*.efi
 
 [Action]
-Description = Signing fwupd UEFI executable...
+Description = Signing UEFI executables...
 When = PostTransaction
 Exec = /usr/bin/sbupdate -f
 Depends = sbsigntools