Gardenhouse

Secureboot in Gardenhouse

If given appropriate Secure Boot signing keys, Florist will automatically sign every built UKI, as well as any further EFI executables that are optionally specified.

Setting up Secure Boot

First generate the Secure Boot keys:

root # sbctl create-keys

This will create the keys in /var/lib/sbctl/keys. Florist only cares about the db key and certificate in /var/lib/sbctl/keys/db. They may be copied to a more appropriate location or left where they are.

Florist simply reuses the SECUREBOOT_SIGN_{CERT,KEY} variables from Gentoo, with one main difference:

In Gentoo the paths in these variables are relative to the rootfs, whereas Florist also supports reading the keys from the host. To resolve this, Florist assumes that the paths defined inside profiles/<profile_name>/make.defaults are relative to the host system and paths defined in etc/portage/make.conf

So, to have Florist use the generated keys, set the following variables in the profile's make.defaults:

Config <overlay>/profiles/<profile>/make.defaults Secureboot key configuration
SECUREBOOT_SIGN_CERT="/var/lib/sbctl/keys/db/db.pem"
SECUREBOOT_SIGN_KEY="/var/lib/sbctl/keys/db/db.key"
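Because the paths in the profile's make.defaults are resolved on the host, the usual mistake is pointing them at a db certificate and key that do not belong together, or at files the build user cannot read. The script below is an added example and is not part of Florist or Gardenhouse: it generates a self-signed db key pair with openssl as a stand-in for sbctl create-keys (same db.pem/db.key file names, but the openssl invocation and the 2048-bit size are assumptions, sbctl's own keys are larger), writes the two SECUREBOOT_SIGN_* variables into a make.defaults, and then confirms that the certificate's public key matches the private key before Florist is ever run. The <overlay>/profiles/florist layout under a temporary directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for the Florist Secure Boot setup; not project code.
set -eu

# make_db_keypair DIR: create a self-signed db certificate and key in DIR.
# Stand-in for `sbctl create-keys`, which writes /var/lib/sbctl/keys/db/db.pem
# and db.key; the file names match sbctl, the openssl call is an assumption.
make_db_keypair() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Florist Secure Boot db/" \
        -keyout "$dir/db.key" -out "$dir/db.pem" 2>/dev/null
}

# write_make_defaults FILE CERT KEY: append the host-relative Florist variables
# to a profile make.defaults (creating the profile directory if needed).
write_make_defaults() {
    file=$1 cert=$2 key=$3
    mkdir -p "$(dirname "$file")"
    printf 'SECUREBOOT_SIGN_CERT="%s"\nSECUREBOOT_SIGN_KEY="%s"\n' "$cert" "$key" >> "$file"
}

# check_signing_pair CERT KEY: return 0 if both files are readable and the
# certificate carries the public key that belongs to KEY, 1 otherwise.
# Comparing the PEM-encoded SubjectPublicKeyInfo from both sides catches a
# cert/key mix-up without depending on key type or sbctl being installed.
check_signing_pair() {
    cert=$1 key=$2
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "check_signing_pair: cannot read $cert or $key" >&2
        return 1
    fi
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# verify_profile FILE: read SECUREBOOT_SIGN_{CERT,KEY} from a make.defaults
# (last assignment wins, as in make.conf) and validate them as host paths.
verify_profile() {
    file=$1
    cert=$(sed -n 's/^SECUREBOOT_SIGN_CERT="\(.*\)"$/\1/p' "$file" 2>/dev/null | tail -n 1)
    key=$(sed -n 's/^SECUREBOOT_SIGN_KEY="\(.*\)"$/\1/p' "$file" 2>/dev/null | tail -n 1)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "verify_profile: SECUREBOOT_SIGN_CERT/KEY not set in $file" >&2
        return 1
    fi
    check_signing_pair "$cert" "$key"
}

# Demonstration on a throwaway overlay; paths are constructed for the example.
demo() {
    work=$(mktemp -d)
    keys="$work/keys/db"
    profile="$work/overlay/profiles/florist/make.defaults"
    make_db_keypair "$keys"
    write_make_defaults "$profile" "$keys/db.pem" "$keys/db.key"
    if verify_profile "$profile"; then
        echo "signing pair in $profile is consistent"
    else
        echo "signing pair in $profile is broken" >&2
    fi
    rm -rf "$work"
}

demo
```

Run it on the real profile by pointing verify_profile at <overlay>/profiles/<profile>/make.defaults as the same user that runs Florist; a failure there means either the two files were generated separately (for example db.pem from one sbctl run and db.key from another) or the host-relative path assumption for make.defaults was not respected.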