Improving the Secure Boot landscape: sbctl & go-uefi

Main Stage,

Taking advantage of Secure Boot should be simple! But convoluted tooling and poor documentation makes this extremely hard for people to navigate viable options, opting them to disable Secure Boot unless they are using the shim provided by larger distributions.

In this talk I'll introduce the tooling improvements I have made in this space. go-uefi which is a userspace library for dealing with efivarfs with high-level abstractions and support for the most common operations towards secure boot on Linux.

Built on-top of this is the secure boot key manager, sbctl. This aims to be a user-friendly way of setting up and interacting with secure boot for the common user. We will take a look at why secure boot is hard to grasp for users, the current challenges facing the existing tools and how sbctl solves these.

Lastly, we will introduce some solutions to deal with the largest hurdle that stands in the way of independent key management: Option ROM.

Resources: