Move the kernels somewhere else #114

Closed
opened 2023-02-21 20:06:08 +00:00 by dasJ · 2 comments
dasJ commented 2023-02-21 20:06:08 +00:00 (Migrated from github.com)

Since we don't sign them anymore but still place them where `sbctl` expects them, they get marked as unsigned:

```
Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/nixos-generation-553.efi is signed
✓ /boot/EFI/Linux/nixos-generation-554.efi is signed
✓ /boot/EFI/Linux/nixos-generation-555.efi is signed
✓ /boot/EFI/Linux/nixos-generation-556.efi is signed
✓ /boot/EFI/Linux/nixos-generation-557.efi is signed
✓ /boot/EFI/Linux/nixos-generation-558.efi is signed
✓ /boot/EFI/Linux/nixos-generation-559.efi is signed
✓ /boot/EFI/Linux/nixos-generation-560.efi is signed
✓ /boot/EFI/Linux/nixos-generation-561.efi is signed
✓ /boot/EFI/Linux/nixos-generation-562.efi is signed
✓ /boot/EFI/Linux/nixos-generation-563.efi is signed
✓ /boot/EFI/nixos/fwupdx64.efi is signed
✗ /boot/EFI/nixos/mh3za9ksj2lhpybfvv03ysxb5bwq7gv4-linux-5.15.93-bzImage.efi is not signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
```

We should probably put them where they don't get found by `sbctl` so users aren't alarmed by the red cross in their shells. (cc @blitz we talked about this)

blitz commented 2023-02-23 08:45:41 +00:00 (Migrated from github.com)

This would be very nice from a documentation perspective. @nikstur Do you think this makes sense?

nikstur commented 2023-02-23 21:18:36 +00:00 (Migrated from github.com)

From the man page:

> Looks for EFI binaries with the mime type application/x-dosexec in the ESP partition, and looks at the file database. Checks if they have been signed with the Signature Database Key.

I don't think we can escape `sbctl`. There is ~not much~ nothing we can do about it. sbctl checks if a file on the ESP contains the string `MZ` as the first two bytes and then checks if it is signed. See https://github.com/Foxboron/sbctl/blob/master/cmd/sbctl/verify.go#L34

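As an added illustration of the discovery rule described in the comment above (example code, not sbctl's or lanzaboote's own): it walks an ESP, treats any file whose first two bytes are `MZ` as an EFI binary regardless of directory, and reports whether the PE carries an Authenticode certificate table. The `has_certificate_table`, `scan_esp`, `build_pe` and `demo` names, the certificate-table heuristic and the constructed ESP layout are assumptions; real `sbctl` additionally verifies the signature against the db key, which this does not.

```python
import struct
import tempfile
from pathlib import Path

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode cert table

def has_certificate_table(data: bytes) -> bool:
    """True if the PE's security data directory points at a non-empty table."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    opt_off = pe_off + 4 + 20                                # past the COFF header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt_off + 2:
        return False
    (magic,) = struct.unpack_from("<H", data, opt_off)
    entry = opt_off + (112 if magic == 0x20B else 96) + 8 * SECURITY_DIR_INDEX
    # entry holds (file offset, size); both non-zero means a table is present
    return len(data) >= entry + 8 and 0 not in struct.unpack_from("<II", data, entry)

def scan_esp(root: str) -> dict:
    """Walk the whole ESP like `sbctl verify`: every file starting with "MZ" counts."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as f:
            head = f.read(4096)                              # PE headers sit up front
        if head[:2] == b"MZ":
            verdict = "is signed" if has_certificate_table(head) else "is not signed"
            results[str(path.relative_to(root))] = verdict
    return results

def build_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not bootable), for the demo only."""
    buf = bytearray(0x40 + 4 + 20 + 112 + 16 * 8)
    buf[:2], buf[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x40)                 # e_lfanew
    struct.pack_into("<H", buf, 0x58, 0x20B)                # PE32+ magic
    if signed:                                              # point at a fake cert table
        struct.pack_into("<II", buf, 0x58 + 112 + 32, len(buf), 0x100)
    return bytes(buf)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as esp:               # constructed ESP layout
        for rel, data in {"EFI/nixos/kernel.efi": build_pe(False),
                          "EFI/BOOT/BOOTX64.EFI": build_pe(True),
                          "loader/entries/nixos.conf": b"title NixOS\n"}.items():
            target = Path(esp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_esp(esp)
```

Running `demo()` reports the unsigned kernel even though it lives under `EFI/nixos` rather than `EFI/Linux`, which is the point of the comment: relocating it does not take it out of `sbctl`'s view.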
Reference: raito/lanzaboote#114