scboot is a small set of scripts and configuration to support Secure Boot signing workflows on Debian/Ubuntu systems.
It provides:
- A `scboot` CLI entrypoint.
- Helpers to re-sign GRUB and Linux kernel images using a local signing key.
- APT hooks that automatically run the signing helpers after package operations.
- DKMS framework configuration synchronization for automatic kernel module signing.
- A systemd path/service pair that updates the DKMS configuration when the `scboot` configuration changes.
Runtime dependencies (see the Debian control file):
- bash, coreutils, grep, sed, mawk (or gawk), findutils
- sbsigntool (provides `sbsign`, `sbverify`, `sbattach`)
- grub-common
- shim-scboot
scboot is intended to run with root privileges because it writes to /boot, the EFI system partition, and system configuration paths.
Install the built package (example):
```
sudo apt install ./scboot_*.deb
```
This repository uses a simple Makefile that templates files into `build/` and supports `DESTDIR` installs.
```
make
sudo make install
```
To uninstall:
```
sudo make uninstall
```
Main locations:
- CLI: `/usr/sbin/scboot` (symlink)
- Library/scripts: `/usr/lib/scboot/`
- Helper symlinks: `/usr/libexec/scboot-resign-grub`, `/usr/libexec/scboot-resign-kernel`
- Configuration: `/etc/scboot/scboot.conf`
- APT hooks: `/etc/apt/apt.conf.d/99-apt-secureboot-grub-resign`, `/etc/apt/apt.conf.d/99-apt-secureboot-kernel-resign`
- DKMS framework configuration: `/etc/dkms/framework.conf.d/99-scboot.conf`
- systemd units: `/usr/lib/systemd/system/scboot-reload.service`, `/usr/lib/systemd/system/scboot-reload.path`
The main configuration file is `/etc/scboot/scboot.conf`.
It is a simple `key=value` file. Comment lines starting with `#` or `;` are ignored.
Default configuration template:
```
# ==== Key configuration ====
KEY=/etc/scboot/keys/DB.key
CRT=/etc/scboot/keys/DB.crt
DER=/etc/scboot/keys/DB.der
# ==== GRUB configuration ====
GRUB_SRC=/boot/efi/EFI/ubuntu/grubx64.efi
GRUB_DST=/boot/efi/EFI/scboot/grubx64.efi
GRUB_HASH=/var/lib/scboot/grub.sha256
# ==== Kernel configuration ====
KERNEL_DST_DIR=/boot
KERNEL_HASH_DIR=/var/lib/scboot/kernels
# ==== DKMS configuration file ====
DKMS_CONFIG_FILE=/etc/dkms/framework.conf.d/99-scboot.conf
```
You must provide the signing key and certificate files referenced by `KEY`, `CRT`, and `DER`.
Recommended file permissions (example):
```
sudo chown -R root:root /etc/scboot
sudo chmod 0700 /etc/scboot/keys
sudo chmod 0600 /etc/scboot/keys/*
```
scboot maintains a DKMS framework config file at `/etc/dkms/framework.conf.d/99-scboot.conf`.
The script /usr/lib/scboot/sync-dkms.sh writes the configured key/certificate paths into that file. The systemd unit scboot-reload.path watches /etc/scboot/scboot.conf and triggers scboot-reload.service to run sync-dkms.sh whenever the configuration changes.
Two APT hooks are installed under `/etc/apt/apt.conf.d/`. They run after dpkg operations:
- `scboot-resign-grub` re-signs the configured GRUB EFI binary when it changes.
- `scboot-resign-kernel` re-signs kernel images under `/boot`.
The scripts maintain hash files under `/var/lib/scboot/` to avoid unnecessary re-signing.
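As an added example (not scboot's own code), the two mechanisms described above in one short POSIX shell script: a parser for the `key=value` configuration format with `#`/`;` comment lines, and the hash-file check that lets a helper skip artifacts that have not changed since they were last signed. The config contents, the stand-in `grubx64.efi` and the `demo` function are constructed; the actual `sbsign` call is left out so it runs without keys.

```shell
# Added example, not scboot's own code: parse a scboot.conf-style key=value
# file (comment lines start with '#' or ';') and use a stored SHA-256 to
# decide whether an artifact must be re-signed, like /var/lib/scboot/ hashes.
set -eu

# load_conf FILE: export each KEY=value pair; blank lines and comment lines
# are skipped; keys are restricted to [A-Za-z0-9_] to reject junk input.
load_conf() {
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"         # strip leading blanks
        case "$line" in ''|'#'*|';'*) continue ;; esac
        key="${line%%=*}"; val="${line#*=}"
        key="${key%"${key##*[![:space:]]}"}"             # strip trailing blanks
        case "$key" in
            ''|*[!A-Za-z0-9_]*) echo "bad config line: $line" >&2; return 1 ;;
        esac
        export "$key=$val"
    done < "$1"
}

# needs_resign SRC HASHFILE: exit 0 when SRC's SHA-256 differs from the one
# recorded in HASHFILE (or HASHFILE is absent), 1 when it matches.
needs_resign() {
    cur=$(sha256sum -- "$1" | awk '{print $1}')
    [ -r "$2" ] || return 0
    old=$(awk '{print $1; exit}' "$2")
    [ "$cur" != "$old" ]
}

# record_hash SRC HASHFILE: remember SRC's SHA-256 after a successful signing.
record_hash() {
    mkdir -p -- "$(dirname -- "$2")"
    sha256sum -- "$1" > "$2"
}
# demo: constructed config and a throwaway stand-in for grubx64.efi in a temp
# dir; the real sbsign step is deliberately left out so this runs anywhere.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# key config' 'KEY=/etc/scboot/keys/DB.key' '; a comment' \
        "GRUB_SRC=$d/grubx64.efi" "GRUB_HASH=$d/grub.sha256" > "$d/scboot.conf"
    load_conf "$d/scboot.conf"
    printf 'stand-in EFI image' > "$GRUB_SRC"
    if needs_resign "$GRUB_SRC" "$GRUB_HASH"; then
        echo "would sign $GRUB_SRC with $KEY"; record_hash "$GRUB_SRC" "$GRUB_HASH"
    fi
    needs_resign "$GRUB_SRC" "$GRUB_HASH" || echo "hash matches, skipping"
    rm -rf -- "$d"
}
demo
```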
Show help:
```
scboot --help
```
Show version:
```
scboot --version
```
Manual signing:
```
sudo scboot sign all
sudo scboot sign grub
sudo scboot sign kernel
```
Force re-signing even if artifacts appear unchanged:
```
sudo scboot --force sign all
```
Scripts log primarily to the system journal with the tag `scboot`.
Follow logs:
```
sudo journalctl -t scboot -f
```
Common checks:
- Verify that the `KEY`, `CRT`, and `DER` paths exist and are readable by root.
- Verify that `GRUB_SRC` exists and `GRUB_DST` is on the EFI system partition.
- Verify that `/boot` contains `vmlinuz-*` images.
- Use `--force` to re-sign when debugging.
- `make build` templates files into `build/` using `sed` replacements.
- CI builds a Debian package using `debcrafter` and uploads it via `tea-pkg`.
MIT License. See LICENSE.