Updated Secure boot section

2023-08-17 10:54:11 +02:00 · 2023-08-17 10:54:11 +02:00 · 579aefa00d
commit 579aefa00d
parent 4f9c1d9728
4 changed files with 9 additions and 110 deletions
--- a/docs/void-desktop-setup/Secure-boot.md
+++ b/docs/void-desktop-setup/Secure-boot.md
@ -1,7 +1,5 @@
 Secure boot is sometimes a necessity when working with a windows dual boot on laptops and also an extra layer of protection for your system.

-### Linux secureboot
-
 For linux to work with secureboot it's necessary to enroll keys using sbctl.

 ```
@ -26,32 +24,10 @@ Then to check if it worked.
 # sbctl verify
 ```

-The kernels will now automatically be signed after an update thanks to the `sbsigntool` package.
+The kernels can automatically be signed after an update thanks to the `sbsigntool` package. Configure it `/etc/default/sbsigntool-kernel-hook` and change the options:
+
+```
+SBSIGN_EFI_KERNEL=1
+```

 > Don't forget to turn on secureboot in your bios!
-
-### Linux Windows dual boot
-
-To obtain secure boot for a device with both linux and windows partitions (dual boot), the `sbctl` package is required. It may be installed with.
-
-```
-# xbps-install -Sy sbctl sbsigntool
-```
-
-Then to create keys, enroll them and sign the executables with it.
-
-```
-# sbctl create-keys
-# sbctl enroll-keys --microsoft
-# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
-# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
-# sbctl sign -s /boot/vmlinuz-<version>
-```
-
-Then to check if it worked.
-
-```
-# sbctl verify
-```
-
-After every linux kernel update the new executables should be signed.
--- a/site/search/search_index.json
+++ b/site/search/search_index.json
--- a/site/sitemap.xml.gz
+++ b/site/sitemap.xml.gz
--- a/site/void-desktop-setup/Secure-boot/index.html
+++ b/site/void-desktop-setup/Secure-boot/index.html
@ -60,11 +60,6 @@
    <label class="md-overlay" for="__drawer"></label>
    <div data-md-component="skip">
      
-        
-        <a href="#linux-secureboot" class="md-skip">
-          Skip to content
-        </a>
-      
    </div>
    <div data-md-component="announce">
      
@ -639,46 +634,10 @@
      
      
      
-        <label class="md-nav__link md-nav__link--active" for="__toc">
-          Secure boot
-          <span class="md-nav__icon md-icon"></span>
-        </label>
-      
      <a href="./" class="md-nav__link md-nav__link--active">
        Secure boot
      </a>
      
-        
-
-<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
-  
-  
-  
-  
-    <label class="md-nav__title" for="__toc">
-      <span class="md-nav__icon md-icon"></span>
-      Table of contents
-    </label>
-    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
-      
-        <li class="md-nav__item">
-  <a href="#linux-secureboot" class="md-nav__link">
-    Linux secureboot
-  </a>
-  
-</li>
-      
-        <li class="md-nav__item">
-  <a href="#linux-windows-dual-boot" class="md-nav__link">
-    Linux Windows dual boot
-  </a>
-  
-</li>
-      
-    </ul>
-  
-</nav>
-      
    </li>
  

@ -1161,28 +1120,6 @@
  
  
  
-    <label class="md-nav__title" for="__toc">
-      <span class="md-nav__icon md-icon"></span>
-      Table of contents
-    </label>
-    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
-      
-        <li class="md-nav__item">
-  <a href="#linux-secureboot" class="md-nav__link">
-    Linux secureboot
-  </a>
-  
-</li>
-      
-        <li class="md-nav__item">
-  <a href="#linux-windows-dual-boot" class="md-nav__link">
-    Linux Windows dual boot
-  </a>
-  
-</li>
-      
-    </ul>
-  
 </nav>
                  </div>
                </div>
@ -1199,7 +1136,6 @@
  <h1>Secure boot</h1>

 <p>Secure boot is sometimes a necessity when working with a windows dual boot on laptops and also an extra layer of protection for your system.</p>
-<h3 id="linux-secureboot">Linux secureboot</h3>
 <p>For linux to work with secureboot it's necessary to enroll keys using sbctl.</p>
 <pre><code>xbps-install -Sy sbctl sbsigntool
 </code></pre>
@ -1214,25 +1150,12 @@
 <p>Then to check if it worked.</p>
 <pre><code># sbctl verify
 </code></pre>
-<p>The kernels will now automatically be signed after an update thanks to the <code>sbsigntool</code> package.</p>
+<p>The kernels can automatically be signed after an update thanks to the <code>sbsigntool</code> package. Configure it <code>/etc/default/sbsigntool-kernel-hook</code> and change the options:</p>
+<pre><code>SBSIGN_EFI_KERNEL=1
+</code></pre>
 <blockquote>
 <p>Don't forget to turn on secureboot in your bios!</p>
 </blockquote>
-<h3 id="linux-windows-dual-boot">Linux Windows dual boot</h3>
-<p>To obtain secure boot for a device with both linux and windows partitions (dual boot), the <code>sbctl</code> package is required. It may be installed with.</p>
-<pre><code># xbps-install -Sy sbctl sbsigntool
-</code></pre>
-<p>Then to create keys, enroll them and sign the executables with it.</p>
-<pre><code># sbctl create-keys
-# sbctl enroll-keys --microsoft
-# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
-# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
-# sbctl sign -s /boot/vmlinuz-&lt;version&gt;
-</code></pre>
-<p>Then to check if it worked.</p>
-<pre><code># sbctl verify
-</code></pre>
-<p>After every linux kernel update the new executables should be signed.</p>