First merge, first post!

A small but exciting win to start off this site - my first merged PR to an open source project!

sbctl: update to 0.17. by Lacedaemon · Pull Request #55322 · void-linux/void-packages
  This update adds the Microsoft 2023 Secure Boot Certificates. The current 2011 certificates are set to expire next year.
  Testing the changes: I tested the changes in this PR: briefly
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index e5bf3cadfe0fde..d8de0e25a1bb8b 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,7 +1,7 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.16
-revision=2
+version=0.17
+revision=1
 build_style=go
 build_helper=qemu
 go_import_path="github.com/foxboron/sbctl"
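Review bot: resetting revision to 1 alongside the version bump is the right convention, but nothing in this hunk reflects the stated motivation (the 2023 Microsoft Secure Boot certificates); since those come from upstream 0.17 rather than from any template change, it would help reviewers if the commit message said so explicitly instead of only "update to 0.17".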
@@ -14,7 +14,7 @@ maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=ca6d810b1b6e63318ba34320043e8b95d8b40df6e140f5170c4a673ed0954ee1
+checksum=c42dee85939944fdf8b504b7d891569c6b33c9ea1bdfcfb36d9a5302db375e98
 make_dirs="/var/lib/sbctl 0700 root root"
 export GOFLAGS="-buildmode=pie"
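Review bot: the checksum is the only substantive change in this hunk, and distfiles points at a GitHub-generated archive (`archive/${version}.tar.gz`), so please confirm the new value was computed from a fresh download of that tarball rather than copied from elsewhere; the PR description's "tested briefly" does not say whether the package was rebuilt with this checksum under the unchanged build_style=go / build_helper=qemu setup.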

The need for this came about when it was time to update my multiboot system from Windows 11 23H2 to 24H2 - I wasn't getting it in Windows Update because I had bypassed the Secure Boot checks to accommodate OpenCore and GRUB. Given that the 2011 Microsoft certs were expiring in just a year, it didn't make sense to embark on the project without first gaining access to the 2023 Microsoft certs.

Once the updated sbctl was built and installed, it was a matter of following a combination of these two guides:

  1. Guide: Setting up Secure Boot, by u/quirktheory in r/voidlinux
  2. Enable BIOS Secure Boot with OpenCore, from profzei/Matebook-X-Pro-2018 on GitHub (Latest macOS on Huawei Matebook X Pro 2018)

Once I enabled Secure Boot in BIOS setup, Void Linux/GRUB had one issue: "Verification requested but nobody cares". I must have forgotten to sign something because repeating the process with a fine-tooth comb got it working.

Where I really got stuck was nailing down the right sequence for signing OpenCore for UEFI Secure Boot and signing it for OpenCore vaulting. I kept having to undo the changes during each attempt:

  1. Boot into Linux
  2. # rm -rf /boot/efi/EFI/OC/vault.*
  3. # cp /path/to/downloaded/OC/OpenCore.efi /boot/efi/EFI/OC
  4. In config.plist:
    1. Vault -> Optional
    2. SecureBootModel -> Disabled
  5. Disable Secure Boot in BIOS setup
    1. Otherwise OpenCore would throw "LoadImage: Access Denied"

I also had a non-zero ApECID set for "Full Security", which worked after bless --personalize, but ended up unsetting this while troubleshooting the "LoadImage: Access Denied" issue. Re-running bless without --personalize seems to have helped facilitate that. I may re-enable this in the future, but for now I'll stick with "Medium Security".

The correct procedure ended up being exactly as outlined in OpenCore's Configuration.pdf:

  1. Vault OpenCore with sign.command
    1. Important: ensure all config.plist changes (e.g. Vault > Secure) are made before running sign.command!
  2. Reboot to Linux
  3. Sign OpenCore.efi, OpenRuntime.efi with sbctl

Now all three of my OSes (Win11, macOS, Void Linux) are booting with Secure Boot!

The one caveat left is that while macOS sees OTA updates with RestrictEvents, it will not install them without first disabling UEFI Secure Boot and Apple Secure Boot. Apparently this is a known issue, so I am leaving it for now...