#1030845 RFP: sbctl -- Secure Boot Manager

#1030845#5
Date:
2023-02-08 10:32:50 UTC
* Package name    : sbctl
  Version         : 0.10
  Upstream Contact: Morten Linderud <morten@linderud.pw>
* URL             : https://github.com/Foxboron/sbctl/
* License         : MIT
  Programming Lang: Go
  Description     : Secure Boot Manager

sbctl is a user-friendly secure boot key manager capable of setting up
secure boot, offering key management capabilities, and keeping track of files
that need to be signed in the boot chain.

sbctl has a *much* easier to use interface than mokutil (just look at
the screenshots!), but since I am not familiar with Go I hope that
somebody else who is more qualified will package it.

#1030845#10
Date:
2024-01-26 12:45:09 UTC
https://salsa.debian.org/go-team/packages/sbctl
as well as the missing dependency:
https://salsa.debian.org/go-team/packages/golang-github-foxboron-go-uefi

Note that there are two debian/patches for sbctl:
1) First, to use FHS paths, diverging from upstream's locations (which
is non-ideal). Upstream issue #57 is open upstream:
https://github.com/Foxboron/sbctl/issues/57

2) Second, to disable TPM support. It requires a long dependency chain
for Go-Attestation that felt too overwhelming for me. YMMV :)

This package builds and works for me. I'm not up for maintaining it in
the long-run though, so I'm leaving this as an RFP and *not* uploading
it to unstable. Hopefully this initial packaging work is useful to
whoever decides to pick it up.

If anyone else is up for it, I may be available to sponsor the uploads
and/or provide code reviews.

Best,
Faidon

#1030845#15
Date:
2025-02-06 09:59:58 UTC
Hi

I have updated/finished packaging of the go-uefi dependency and uploaded
it to NEW:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095271

I hope to upload 'sbctl' as well eventually, but latest 0.16 release
requires landlock+libcap, see errors below.  I put a pipeline of 'sbctl'
here:

https://salsa.debian.org/jas/sbctl/-/pipelines/

I looked into landlock+libcap but it looked a bit messy: 'libcap2' is in
Debian but without the golang-*-dev package, and maybe this should be a
separate source package if the Go wrapper has little to do with the C
library.  Hopefully I will resume on that or someone else beats me to
it.

/Simon


src/github.com/foxboron/sbctl/config/config.go:11:2: cannot find package "github.com/landlock-lsm/go-landlock/landlock" in any of:
	/usr/lib/go-1.23/src/github.com/landlock-lsm/go-landlock/landlock (from $GOROOT)
	/build/sbctl-0.16/_build/src/github.com/landlock-lsm/go-landlock/landlock (from $GOPATH)
src/github.com/foxboron/sbctl/lsm/lsm.go:10:2: cannot find package "github.com/landlock-lsm/go-landlock/landlock/syscall" in any of:
	/usr/lib/go-1.23/src/github.com/landlock-lsm/go-landlock/landlock/syscall (from $GOROOT)
	/build/sbctl-0.16/_build/src/github.com/landlock-lsm/go-landlock/landlock/syscall (from $GOPATH)

#1030845#20
Date:
2025-02-06 10:54:18 UTC
About libcap2: I also stumbled on this while packaging docker-buildx. I
don't think that adding a new source package makes sense, but their Go
build script seems a bit complicated.

By the way, building the go packages will resolve #1064065 [1].

[1]:
https://sources.debian.org/src/libcap2/1%3A2.66-5/go/Makefile/#L171-L181

#1030845#25
Date:
2025-02-16 14:12:03 UTC
Thank you for finishing up my packaging, uploading it and offering to
maintain it in the long run, much appreciated!

Best,
Faidon

#1030845#30
Date:
2025-02-16 23:28:19 UTC
Faidon Liambotis <paravoid@debian.org> writes:

Thanks for doing most of the work!  I'm happy that I think we are
getting closer to getting libcap's golang packages into Debian right
now, which will allow 'sbctl' to finally be uploaded too.

/Simon

#1030845#35
Date:
2025-06-19 21:48:12 UTC
I've noticed that the package would no longer build with the updated
dependency:

$ dpkg-buildpackage -uc -us -b
dpkg-buildpackage: info: source package sbctl
dpkg-buildpackage: info: source version 0.13-1
dpkg-buildpackage: info: source distribution UNRELEASED
dpkg-buildpackage: info: source changed by Faidon Liambotis
<paravoid@debian.org>
dpkg-buildpackage: info: host architecture arm64
  dpkg-source --before-build .
  debian/rules clean
dh clean --builddirectory=_build --buildsystem=golang --with=golang
    dh_auto_clean -O--builddirectory=_build -O--buildsystem=golang
    debian/rules execute_after_dh_auto_clean
make[1]: Entering directory '/home/erebion/git/sbctl'
make clean
make[2]: Entering directory '/home/erebion/git/sbctl'
rm -f docs/sbctl.8
rm -f sbctl
make[2]: Leaving directory '/home/erebion/git/sbctl'
rm -rf contrib/completions/
make[1]: Leaving directory '/home/erebion/git/sbctl'
    dh_autoreconf_clean -O--builddirectory=_build -O--buildsystem=golang
    dh_clean -O--builddirectory=_build -O--buildsystem=golang
  debian/rules binary
dh binary --builddirectory=_build --buildsystem=golang --with=golang
    dh_update_autotools_config -O--builddirectory=_build
-O--buildsystem=golang
    dh_autoreconf -O--builddirectory=_build -O--buildsystem=golang
    dh_auto_configure -O--builddirectory=_build -O--buildsystem=golang
    dh_auto_build -O--builddirectory=_build -O--buildsystem=golang
         cd _build && go install -trimpath -v -p 8
github.com/foxboron/sbctl github.com/foxboron/sbctl/certs
github.com/foxboron/sbctl/cmd/sbctl github.com/foxboron/sbctl/dmi
github.com/foxboron/sbctl/fs github.com/foxboron/sbctl/hierarchy
github.com/foxboron/sbctl/logging github.com/foxboron/sbctl/quirks
github.com/foxboron/sbctl/stringset
src/github.com/foxboron/sbctl/keys.go:18:2: cannot find package
"github.com/foxboron/go-uefi/efi/pecoff" in any of:
         /usr/lib/go-1.24/src/github.com/foxboron/go-uefi/efi/pecoff
(from $GOROOT)
/home/erebion/git/sbctl/_build/src/github.com/foxboron/go-uefi/efi/pecoff
(from $GOPATH)
src/github.com/foxboron/sbctl/keys.go:19:2: cannot find package
"github.com/foxboron/go-uefi/efi/pkcs7" in any of:
         /usr/lib/go-1.24/src/github.com/foxboron/go-uefi/efi/pkcs7
(from $GOROOT)
/home/erebion/git/sbctl/_build/src/github.com/foxboron/go-uefi/efi/pkcs7
(from $GOPATH)
dh_auto_build: error: cd _build && go install -trimpath -v -p 8
github.com/foxboron/sbctl github.com/foxboron/sbctl/certs
github.com/foxboron/sbctl/cmd/sbctl github.com/foxboron/sbctl/dmi
github.com/foxboron/sbctl/fs github.com/foxboron/sbctl/hierarchy
github.com/foxboron/sbctl/logging github.com/foxboron/sbctl/quirks
github.com/foxboron/sbctl/stringset returned exit code 1
make: *** [debian/rules:10: binary] Error 1
dpkg-buildpackage: error: debian/rules binary subprocess returned exit
status 2

The newer version no longer includes the following folders:

efi/pecoff
efi/pkcs7

It did build fine with
golang-github-foxboron-go-uefi-dev_0.0~git20231219.b6c4a74-1_all.deb,
though. (Which I've built from the Salsa repo before it was uploaded.)

The build process still looks for something which clearly it should no
longer be looking for.

I don't know go, but I thought this might be helpful. Have a nice day. :)

erebion

On Mon, 17 Feb 2025 00:28:19 +0100 Simon Josefsson <simon@josefsson.org>
wrote:
 > Faidon Liambotis <paravoid@debian.org> writes:
 >
 > > On Thu, Feb 06, 2025 at 10:59:58AM +0100, Simon Josefsson wrote:
 > >> I have updated/finished packaging of the go-uefi dependency and uploaded
 > >> it to NEW:
 > >>
 > >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095271
 > >>
 > >> I hope to upload 'sbctl' as well eventually, but latest 0.16 release
 > >> requires landlock+libcap, see errors below.
 > >> here:
 > >
 > > Thank you for finishing up my packaging, uploading it and offering to
 > > maintain it in the long run, much appreciated!
 >
 > Thanks for doing most of the work! I'm happy that I think we are
 > getting closer to getting libcap's golang packages into Debian right
 > now, which will allow 'sbctl' to finally be uploaded too.
 >
 > /Simon

#1030845#40
Date:
2025-10-20 08:42:48 UTC
Hi there.

What is the status of sbctl right now?

I see all the dependencies are in Debian (there is only
golang-github-go-piv-piv-go-dev (>= 2.0) in experimental for now), that's
great, guys!

As I use sbctl myself I've made an update for your package:
1. new upstream version
2. bootctl integration to cover the situation when systemd-boot-efi gets
   updated.
3. New installation auto setup.
4. Use upstream git tags in gbp.

I do not like the current bootctl integration a lot, because it has 2 problems:
* writing signed files to /usr/lib/systemd/boot/efi
* calling bootctl update directly instead of triggering systemd-boot-signed
Both moments could be discussed with systemd maintainers.

Also there is a tests/ dir in the upstream sources that contains plenty of
pre-compiled binaries. Maybe we should exclude them from the sources as I'm not
sure all of them are DFSG-compatible.

Feel free to use my work from https://salsa.debian.org/gq/sbctl
And do not hesitate to contact me if any help is needed.

#1030845#45
Date:
2025-10-20 13:57:14 UTC
Alexander GQ Gerasiov <gq@debian.org> writes:

What are the main changes compared to:

https://salsa.debian.org/go-team/packages/sbctl

?

I'll take a look, but last time we were waiting on dependencies, but if
I managed to get them all into unstable now, let's revisit 'sbctl'
itself!

/Simon

#1030845#50
Date:
2025-10-20 15:48:19 UTC
Alexander GQ Gerasiov <gq@debian.org> writes:

We should try to get that one into unstable, I think yubikey-agent and
golang-github-smallstep-certificates need attention and I've been
working on the latter one recently so this may be fixed by now.

Thank you!  I have merged some of these fixes now, into:

https://salsa.debian.org/go-team/packages/sbctl/

with pipeline here:

https://salsa.debian.org/jas/sbctl/-/pipelines/959775

The failures are mostly because of the experimental dependency.

I didn't merge this, as I can't evaluate it.  What do you think about
having 'sbctl' as a package for the binary only, and a new separate
package 'sbctl-setup' as a package that 'Depends: sbctl' and includes
your postinst/prerm scripts?  That would make me more comfortable, and
allows simpler testing.

Is there some advantage with that?  I thought the Debian practice was to
add a signed upstream/0.18 tag, to have some way to track if upstream is
moving their tags around.

Sure, and having this in 'sbctl-setup' makes things easier to discuss, I
think.

We could try asking upstream to remove them, but we may not succeed.
co-maintain this.

/Simon

#1030845#55
Date:
2025-10-20 15:54:11 UTC
To avoid inventing a new naming scheme, you could have `sbctl-bin`
and `sbctl`. This would match the scheme used by grub and others.

Chris

#1030845#60
Date:
2025-10-20 16:00:35 UTC
Chris Hofstaedtler <zeha@debian.org> writes:

Great suggestion, thank you.  Alas there are some examples of using
*-tools or *-utils or even *-util, I think, but at least your idea is
better than my approach.

Alexander, feel free to push this change if you want, alas I don't have
more time to work on this today.

/Simon

#1030845#65
Date:
2025-10-24 07:37:12 UTC
Hi.  I have uploaded 7ff5b54618a566b450d18023fce48cb649fb691b to NEW
using the 'sbctl' and 'sbctl-bin' naming, to get the NEW processing
started.  I have not dared to test the postinst/prerm 'sbctl' scripts on
my machine, but I also don't think that is critical: we can sort out
bugs in those scripts later on.  Having this in experimental will allow
more people to test it.

https://salsa.debian.org/go-team/packages/sbctl/
https://salsa.debian.org/jas/sbctl/-/pipelines/961822

We can work out how to migrate golang-github-go-piv-piv-go (and then
sbctl) to unstable eventually, the blocker for this is the
'yubikey-agent' package which is stuck on v1.x but sbctl requires v2.x.
If the following upstream bug report doesn't see action, I suppose we
could introduce a golang-github-go-piv-piv-go-v1-dev package to keep
yubikey-agent happy, and let the golang-github-go-piv-piv-go package
move forward and use v2 for upstream source.

https://github.com/FiloSottile/yubikey-agent/issues/161

/Simon