Hello,
first of all, thank you for creating sbctl! It makes Secure Boot on Linux a much more approachable topic! Now about the feature request:
When using sbctl sign -s -o <file>.signed <file> to create an explicit .signed output, sbctl verify only checks whether the .signed file contains a valid signature. It does not detect whether the source EFI binary has changed since the .signed file was created. When *.efi files get updated via system updates (e.g. /usr/lib/systemd/boot/efi/systemd-bootx64.efi or /usr/lib/fwupd/efi/fwupdx64.efi), zz-sbctl.hook triggers sbctl sign-all -g, which updates the .signed output. But when .efi files change outside this loop and the .signed doesn't get updated, I would like sbctl verify to indicate there has been an update.
Environment:
OS: Arch Linux
Package Version: sbctl 0.18-1
Steps to reproduce:
- Copy a valid .efi file, sign it, save the output as .signed, keep track of it in the database:
cd ~/Desktop
sudo cp /usr/lib/systemd/boot/efi/systemd-bootx64.efi ./x64.efi
sudo sbctl sign -s -o x64.efi.signed x64.efi
- Verify:
sudo sbctl verify
Verifying file database and EFI images in /efi...
✓ /home/tolga/Desktop/x64.efi.signed is signed
- Now replace the .efi file with something else, simulating a modification/update/change, and verify again:
sudo cp /usr/lib/fwupd/efi/fwupdx64.efi ./x64.efi
sudo sbctl verify
Verifying file database and EFI images in /efi...
✓ /home/tolga/Desktop/x64.efi.signed is signed
sbctl already records the relationship between an input file and its Output File (for entries which use them):
sudo sbctl list-files
/boot/vmlinuz-linux-lts
Signed: ✓ Signed
/home/tolga/Desktop/x64.efi
Signed: ✓ Signed
Output File: /home/tolga/Desktop/x64.efi.signed
It also looks like sbctl sign-all can decide when an output needs to be regenerated. Entries which contain Output File could be checked by the same logic in sbctl verify, and its output could report something like:
✓ /home/tolga/Desktop/x64.efi.signed is signed, but differs from /home/tolga/Desktop/x64.efi
This is not critical, but it would be a helpful quality-of-life improvement to catch cases where .efi files are modified outside the normal update path (e.g. recovery from a live ISO or .efi file updates which don't trigger zz-sbctl.hook) and notify/warn the user about it.
Thank you for your time! Let me know what you think about it.
Cheers,
Tolga
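The staleness check proposed above, as an added example that is not sbctl's own code: it records the SHA-256 of the source .efi in a sidecar file when the .signed output is produced, compares it later, and can walk the input/Output File pairs in sbctl list-files-style text. The sidecar path "<signed>.src.sha256", the function names, and the "stale/current/untracked" wording are assumptions of this example; the listing format is the one shown in the post, and the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of sbctl. Detects a .signed output whose source .efi
# has changed since signing. Assumes sha256sum (coreutils) or shasum is present;
# the "<signed>.src.sha256" sidecar is this example's own convention.

sha256_of() {
    # Print only the hex digest of the file given as $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

sidecar_for() {
    # Sidecar lives next to the signed output, so it survives source replacement.
    printf '%s.src.sha256\n' "$1"
}

# record_source SRC SIGNED: store SRC's digest next to SIGNED.
# Run this right after "sbctl sign -s -o SIGNED SRC" succeeds.
record_source() {
    src=$1; signed=$2
    sha256_of "$src" > "$(sidecar_for "$signed")"
}

# check_signed SRC SIGNED prints one word and returns a matching code:
#   current   (0) SRC matches the digest recorded when SIGNED was produced
#   stale     (1) SRC differs from it, so SIGNED needs re-signing
#   untracked (2) no digest was ever recorded for SIGNED
check_signed() {
    src=$1; signed=$2
    sidecar=$(sidecar_for "$signed")
    if [ ! -f "$sidecar" ]; then
        printf 'untracked\n'; return 2
    fi
    if [ "$(sha256_of "$src")" = "$(cat "$sidecar")" ]; then
        printf 'current\n'; return 0
    fi
    printf 'stale\n'; return 1
}

# check_listing: read "sbctl list-files"-style text on stdin, pick out every
# entry that has an "Output File:" line, and run check_signed on the pair.
# Output per pair: "<status> <signed> <- <src>". Entries without an Output
# File (e.g. an in-place signed kernel) are skipped.
check_listing() {
    awk '{ sub(/^[ \t]+/, "") }
         /^\// { src = $0 }
         /^Output File:/ { sub(/^Output File:[ \t]*/, ""); print src "\t" $0 }' |
    while IFS="$(printf '\t')" read -r src signed; do
        status=$(check_signed "$src" "$signed") || true
        printf '%s %s <- %s\n' "$status" "$signed" "$src"
    done
}

# Usage when run as a script (no arguments: only define the functions):
#   ./stale-check.sh record  SRC SIGNED
#   ./stale-check.sh check   SRC SIGNED
#   sudo sbctl list-files | ./stale-check.sh listing
case "${1:-}" in
    record)  record_source "$2" "$3" ;;
    check)   check_signed "$2" "$3" ;;
    listing) check_listing ;;
esac
```

Replaying the post's reproduction steps with this in place: run `record` right after `sbctl sign -s -o x64.efi.signed x64.efi`, then after copying fwupdx64.efi over x64.efi, `check` (or `listing` fed from sbctl list-files) reports `stale` for x64.efi.signed while sbctl verify still reports it as signed. Hashing the source rather than comparing mtimes means a restored-from-backup file with an old timestamp is still caught.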