Gardenhouse

Secureboot in Gardenhouse

If given appropriate secureboot signing keys, Gardenhouse will automatically sign every built UKI, as well as any further EFI executables that are optionally specified.

Setting up secureboot

First generate secureboot keys:

root # sbctl create-keys

This will create keys in /var/lib/sbctl/keys. Gardenhouse only cares about the db key and certificate in /var/lib/sbctl/keys/db. They may be copied to a more appropriate location, or kept where they are.

Gardenhouse simply reuses the SECUREBOOT_SIGN_{CERT,KEY} variables from Gentoo, with one main difference:

In Gentoo the paths in these environment variables are relative to the rootfs, but Gardenhouse also supports reading keys from the host. To distinguish the two cases, Gardenhouse assumes that paths defined inside profiles/<profile_name>/make.defaults are relative to the host system and paths defined in etc/portage/make.conf

So, to have Gardenhouse use the generated keys, set the following variables in the profile's make.defaults:

File profiles/<profile>/make.defaults: Secureboot key configuration
SECUREBOOT_SIGN_CERT="/var/lib/sbctl/keys/db/db.pem"
SECUREBOOT_SIGN_KEY="/var/lib/sbctl/keys/db/db.key"
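As an added example (not part of Gardenhouse or sbctl), here is a POSIX shell check that reads SECUREBOOT_SIGN_CERT and SECUREBOOT_SIGN_KEY from a profile make.defaults, treats them as host paths as described above, and confirms that the certificate and private key actually belong together before a build signs every UKI with them. The function names, and the optional use of openssl and sbverify, are my assumptions.

```shell
#!/bin/sh
# Added example, not Gardenhouse code. Assumes make.defaults paths are
# host-relative (as the page states) and that db.pem/db.key are PEM files.

# Print the value of the last VAR="..." assignment in a make.defaults file.
sb_var() {  # usage: sb_var FILE VAR
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Return 0 if both variables are set and point at readable files on the host.
sb_paths_ok() {  # usage: sb_paths_ok FILE
    cert=$(sb_var "$1" SECUREBOOT_SIGN_CERT)
    key=$(sb_var "$1" SECUREBOOT_SIGN_KEY)
    [ -n "$cert" ] && [ -n "$key" ] || { echo "SECUREBOOT_SIGN_CERT/KEY unset in $1" >&2; return 1; }
    [ -r "$cert" ] || { echo "cert not readable on host: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "key not readable on host: $key" >&2; return 1; }
}

# Return 0 if the certificate's public key matches the private key. A mismatch
# means every signed UKI carries a signature the enrolled db entry rejects.
sb_pair_ok() {  # usage: sb_pair_ok CERT KEY
    command -v openssl >/dev/null 2>&1 || { echo "openssl missing, pair check skipped" >&2; return 0; }
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Optional: confirm a built EFI binary really carries a signature by that cert.
sb_signed_ok() {  # usage: sb_signed_ok CERT EFI_BINARY
    command -v sbverify >/dev/null 2>&1 || { echo "sbverify missing, skipped" >&2; return 0; }
    sbverify --cert "$1" "$2"
}

# Stand-alone use: ./check.sh profiles/<profile>/make.defaults [built.efi]
if [ $# -ge 1 ]; then
    sb_paths_ok "$1" && sb_pair_ok "$cert" "$key" && { [ $# -lt 2 ] || sb_signed_ok "$cert" "$2"; }
fi
```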