I currently have two machines running Arch Linux with a unified kernel image (UKI), full disk encryption (FDE), and secure boot/TPM2 based unlocking. I would like to create a portable USB stick install (with UKI/FDE/TPM2) that I can use on both of those machines. I am currently struggling to understand how to set up the secure boot (SB) keys.
On the two machines and the USB stick, I create the SB keys and sign the UKI:
sbctl create-keys -e ./ -d ./
sbctl import-keys --directory ./
cp ./GUID /usr/share/secureboot/
sbctl sign -s ${uki}
This is obviously wrong since the machines do not know about the SB keys on the USB stick.
I have been trying to follow the Arch Wiki. First, I turn the SB db keys on MachineA and the USB stick into EFI signature lists:
cert-to-efi-sig-list -g "$(< ./SBKeysMachineA/GUID)" ./SBKeysMachineA/db/db.crt ./SBKeysMachineA/db/db.esl
cert-to-efi-sig-list -g "$(< ./SBKeysUSB/GUID)" ./SBKeysUSB/db/db.crt ./SBKeysUSB/db/db.esl
The Wiki then makes it sound like you sign the EFI signature lists and append the USB key, but I am lost:
sign-efi-sig-list -g "$(< ./SBKeysMachineA/GUID)" -k ./SBKeysMachineA/KEK/KEK.key -c ./SBKeysMachineA/KEK/KEK.pem db ./SBKeysMachineA/db/db.esl ./SBKeysMachineA/db/db.auth
sign-efi-sig-list -a -g "$(< ./SBKeysUSB/GUID)" -k ./SBKeysUSB/KEK/KEK.key -c ./SBKeysMachineA/KEK/KEK.pem db ./SBKeysUSB/db/db.esl ./SBKeysUSB/db/db.auth
It seems like I am appending the USB db EFI signature list to itself, which seems wrong.
Finally, I have been enrolling the SB keys on the two machines with:
sbctl enroll-keys -m
Does that still work with EFI signature lists? If not, how should I enroll the keys?
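As an added illustration (not part of the question or of sbctl/efitools), the script below builds the EFI_SIGNATURE_LIST structures that cert-to-efi-sig-list emits and parses a concatenation of them, which is exactly the layout of the db variable after an append write. It shows that each entry carries its own SignatureOwner GUID, so a second machine's certificate can sit in db next to the first one; what makes the firmware accept such an append is that the resulting .auth is signed by a KEK that firmware already trusts, i.e. the -k private key and -c certificate passed to sign-efi-sig-list must be the same KEK pair. The owner GUIDs and certificate bodies are constructed placeholders, not real keys.

```python
import struct
import uuid

# EFI_CERT_X509_GUID: SignatureType of a list holding DER-encoded X.509 certs
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Constructed sample input standing in for SBKeysMachineA/GUID and SBKeysUSB/GUID
MACHINE_A_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
USB_GUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")


def build_x509_esl(owner_guid: uuid.UUID, der_cert: bytes) -> bytes:
    """Build one EFI_SIGNATURE_LIST with a single X.509 certificate, the same
    layout `cert-to-efi-sig-list -g <GUID> db.crt db.esl` writes."""
    sig_data = owner_guid.bytes_le + der_cert      # EFI_SIGNATURE_DATA
    header_size = 0                                # X.509 lists have no SignatureHeader
    list_size = 28 + header_size + len(sig_data)   # 16-byte GUID + three uint32 fields
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack(
        "<III", list_size, header_size, len(sig_data))
    return header + sig_data


def parse_esls(blob: bytes):
    """Walk concatenated EFI_SIGNATURE_LISTs (the db variable layout) and
    return (owner GUID, cert bytes) for every X.509 entry, rejecting
    truncated or inconsistent headers instead of reading past the buffer."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("bad SignatureListSize/SignatureSize")
        data_off = off + 28 + header_size
        if (off + list_size - data_off) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        while data_off < off + list_size:      # every entry has the same fixed size
            owner = uuid.UUID(bytes_le=blob[data_off:data_off + 16])
            if sig_type == EFI_CERT_X509_GUID:
                entries.append((owner, blob[data_off + 16:data_off + sig_size]))
            data_off += sig_size
        off += list_size
    return entries


def appended_db_owners() -> list:
    """Concatenate MachineA's and the USB stick's db.esl as an append write to
    db would, then list the owner GUIDs the combined variable contains."""
    db = build_x509_esl(MACHINE_A_GUID, b"DER-CERT-MACHINE-A (constructed)")
    db += build_x509_esl(USB_GUID, b"DER-CERT-USB (constructed)")
    return [str(owner) for owner, _ in parse_esls(db)]


if __name__ == "__main__":
    print(appended_db_owners())
```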