This repository has been archived by the owner on Aug 11, 2023. It is now read-only.

use mkinitcpio to build uefi executables #45

Open
Lunarequest opened this issue Aug 23, 2021 · 9 comments

Comments

@Lunarequest

With this archlinux/mkinitcpio#53 mkinitcpio now has support for building UEFI executables. It would be ideal if sbupdate used this as well.

@Maryse47
Contributor

Note there is no stable mkinitcpio release with aforementioned change to date.

@khaveesh

mkinitcpio v31 has been released with support for building UEFI executables

@andreyv
Owner

andreyv commented Mar 14, 2022

Thanks for the heads-up.

This mkinitcpio feature implements most of what sbupdate does, except the signing process itself. In particular, see the new example.preset, where the user is expected to enable UEFI image generation — this is similar to sbupdate.conf and replaces it.

So there is almost nothing left for sbupdate to do if mkinitcpio is used. Instead, it is reasonable for sbupdate to be an alternative solution and/or for mkinitcpio itself to add support or callbacks for signing.

@Lunarequest
Author

I don't really use Arch anymore, but it would be nice if sbupdate did both: by default it would use mkinitcpio for UEFI image generation, and, should someone wish, it would handle everything internally instead of calling mkinitcpio.

@Maryse47
Contributor

What would be the point of that? Right now you may use sbupdate or mkinitcpio. Using mkinitcpio through sbupdate sounds pretty redundant.

@Lunarequest
Author

> What would be the point of that? Right now you may use sbupdate or mkinitcpio. Using mkinitcpio through sbupdate sounds pretty redundant.

Signing UEFI executables.

@nwildner

> What would be the point of that? Right now you may use sbupdate or mkinitcpio. Using mkinitcpio through sbupdate sounds pretty redundant.

It will be useful to sign your UEFI executables with your own enrolled Secure Boot keys.
Please check this and this one.

As you can see, in the second one I'm using dracut, but it would be nice if mkinitcpio also had a mechanism where you could specify your signing key+cert tuple to sign your binaries as part of a kernel update.

The equivalent configuration for dracut to automate the signing process:

```
uefi_secureboot_cert=/etc/efi-keys/db.crt
uefi_secureboot_key=/etc/efi-keys/db.key
```

Manually signing after mkinitcpio UEFI binary generation is enough with:

```sh
sbsign --key /etc/efi-keys/DB.key --cert /etc/efi-keys/DB.crt --output /efi/BOOT/Arch/linux-signed.efi /efi/BOOT/Arch/linux-signed.efi
```

I'm currently using my own dracut module on my personal laptop, and I'll be willing to test if this become a feature on mkinitcpio :)
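
As an added illustration of the "sign after mkinitcpio has built the image" step discussed in the comment above (example code written for this page; it is not sbupdate's, mkinitcpio's or the commenter's dracut module), the POSIX shell script below signs each UEFI image passed to it with a Secure Boot db key and certificate, verifies the fresh signature with sbverify, and only then replaces the unsigned file, so a failed sbsign run never leaves a half-written image at the boot path. The key and certificate locations (/etc/efi-keys/db.key and db.crt, overridable through SB_KEY and SB_CERT) and the idea of invoking it from a pacman hook after mkinitcpio are assumptions; sbsign and sbverify come from the sbsigntools package.

```shell
#!/bin/sh
# Added example: sign mkinitcpio-built UEFI images with your own enrolled
# Secure Boot db key, then verify before trusting the result.
# Not sbupdate's or mkinitcpio's code; key/cert paths are assumptions.
set -eu

KEY="${SB_KEY:-/etc/efi-keys/db.key}"
CERT="${SB_CERT:-/etc/efi-keys/db.crt}"

# Succeeds if IMAGE already carries a signature that verifies against CERT,
# so repeated runs (e.g. from a pacman hook) do not re-sign needlessly.
is_signed_by_cert() {
    sbverify --cert "$CERT" "$1" >/dev/null 2>&1
}

# Sign IMAGE in place, but atomically: sbsign writes to a temporary file,
# the signature is verified against CERT, and only then is the unsigned
# image replaced. Any failure leaves the original file untouched.
sign_image() {
    image=$1
    tmp="${image}.tmp.$$"
    if is_signed_by_cert "$image"; then
        echo "already signed: $image"
        return 0
    fi
    if ! sbsign --key "$KEY" --cert "$CERT" --output "$tmp" "$image"; then
        rm -f "$tmp"
        echo "sbsign failed, leaving $image untouched" >&2
        return 1
    fi
    if ! sbverify --cert "$CERT" "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo "signature verification failed, leaving $image untouched" >&2
        return 1
    fi
    mv -f "$tmp" "$image"
    echo "signed: $image"
}

# Sign every image named on the command line. Keep going after a failure,
# but exit non-zero at the end so a calling hook surfaces the problem.
sign_all() {
    rc=0
    for img in "$@"; do
        if [ ! -f "$img" ]; then
            echo "missing image: $img" >&2
            rc=1
            continue
        fi
        sign_image "$img" || rc=1
    done
    return $rc
}

# usage: sign-uki.sh /efi/EFI/Linux/arch-linux.efi [more images...]
if [ "$#" -gt 0 ]; then
    sign_all "$@"
fi
```

Unlike the one-liner in the comment, which passes the same path as both input and `--output`, this writes the signed copy next to the original, checks it with sbverify against the same certificate that was enrolled in db, and renames it over the original only after that check passes. Running it from a pacman hook that fires after mkinitcpio regenerates the image gives the "sign as part of a kernel update" behaviour the comment asks for, without sbupdate or mkinitcpio having to know about the keys.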

@Maryse47
Contributor

Well, this issue is for the sbupdate project, not mkinitcpio. The former already does build & sign EFI images for Secure Boot and it doesn't need mkinitcpio or dracut for that. If someone needs signing support in mkinitcpio then perhaps it's best to ask to add it there rather than asking sbupdate to use mkinitcpio, which works around the problem.

@nwildner

> Well, this issue is for the sbupdate project, not mkinitcpio. The former already does build & sign EFI images for Secure Boot and it doesn't need mkinitcpio or dracut for that. If someone needs signing support in mkinitcpio then perhaps it's best to ask to add it there rather than asking sbupdate to use mkinitcpio, which works around the problem.

Indeed, you are right.
I was following the mkinitcpio implementation for Unified EFI Binaries and saw this issue linked. Didn't notice that it had changed repo. My bad....

It should be a feature implemented in mkinitcpio, sure.
