SECUREBOOT.ECLASS
Section: eclass-manpages (5)
Updated: Mar 2025
NAME
secureboot.eclass - A small eclass to sign efi files for Secure Boot
DESCRIPTION
Eclass for packages that install .efi files. A use flag and two user variables allow signing these .efi files for use on systems with Secure Boot enabled. Signing the files during emerge ensures that any tooling that actually installs the bootloaders and kernels to the ESP always uses a signed version. This prevents Secure Boot from accidentally breaking when upgrading the kernel or the bootloader.
Example use
src_install() {
default
secureboot_sign_efi_file in.efi out.efi.signed
}
Or
src_install() {
default
secureboot_auto_sign
}
Some tools will automatically detect and use EFI executables with the .signed suffix. For tools that do not do this, the --in-place argument for secureboot_auto_sign can be used to ensure that the signed version is used.
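The following is an added example, not code from secureboot.eclass or from its author: a POSIX sh model of the two helpers described above, showing the skip-if-already-signed check, the overwrite-when-no-output-file rule, and the .signed-suffix versus --in-place behaviour of auto signing. It assumes SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT name a PEM key and certificate, that sbsign and sbverify come from app-crypt/sbsigntools, and that D is Portage's image directory. The SECUREBOOT_SIGNER variable and its "standin" value are constructed for this example only: they swap sbsign for a copy-and-mark stand-in so the discovery and skip logic can be exercised on a machine without the real tool.

```shell
#!/bin/sh
# Added example, not code from secureboot.eclass. Assumed environment:
# SECUREBOOT_SIGN_KEY / SECUREBOOT_SIGN_CERT (PEM key and certificate),
# sbsign/sbverify from app-crypt/sbsigntools, D = Portage image directory.
# SECUREBOOT_SIGNER=standin (constructed for this example) replaces sbsign
# with a copy-and-mark stand-in so the flow can be run without the tool.

: "${SECUREBOOT_SIGN_KEY:=/etc/portage/secureboot.pem}"
: "${SECUREBOOT_SIGN_CERT:=$SECUREBOOT_SIGN_KEY}"
: "${SECUREBOOT_SIGNER:=sbsign}"

# An EFI executable is a PE/COFF image, and every PE image starts with "MZ".
is_efi_executable() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# True if the file already carries a signature that validates against our
# certificate; sbverify exits non-zero for an unsigned or foreign-signed file.
efi_signed_by_us() {
    if [ "$SECUREBOOT_SIGNER" = standin ]; then
        grep -q 'STANDIN-SIGNATURE' "$1" 2>/dev/null  # marker the stand-in appends
    else
        sbverify --cert "$SECUREBOOT_SIGN_CERT" "$1" >/dev/null 2>&1
    fi
}

# Model of secureboot_sign_efi_file: sign_efi_file <input> [<output>].
# Without an output path the input is overwritten. The signature is written
# to a temporary file first so a failed run never leaves a truncated binary.
sign_efi_file() {
    in=$1
    out=${2:-$1}
    [ -f "$in" ] || { echo "sign_efi_file: no such file: $in" >&2; return 1; }
    if efi_signed_by_us "$in"; then
        echo "already signed with our key, skipping: $in"
        # Design choice here: still produce the requested output file.
        [ "$in" = "$out" ] || cp -- "$in" "$out"
        return 0
    fi
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    if [ "$SECUREBOOT_SIGNER" = standin ]; then
        cp -- "$in" "$tmp" && printf '\nSTANDIN-SIGNATURE\n' >> "$tmp"
    else
        "$SECUREBOOT_SIGNER" --key "$SECUREBOOT_SIGN_KEY" \
            --cert "$SECUREBOOT_SIGN_CERT" --output "$tmp" "$in"
    fi || { rm -f -- "$tmp"; return 1; }
    mv -- "$tmp" "$out"
}

# Model of secureboot_auto_sign: auto_sign [--in-place] [image-dir].
# Every EFI executable under the image directory is signed. By default the
# signed copy gets the .signed suffix; with --in-place the original is
# replaced. Names already ending in .signed are earlier output, not input.
auto_sign() {
    in_place=no
    if [ "${1:-}" = "--in-place" ]; then in_place=yes; shift; fi
    image=${1:-${D:?auto_sign: no image directory given and D is unset}}
    find "$image" -type f ! -name '*.signed' | while IFS= read -r f; do
        is_efi_executable "$f" || continue
        if [ "$in_place" = yes ]; then
            sign_efi_file "$f"
        else
            sign_efi_file "$f" "$f.signed"
        fi
    done
}
```

Discovery keys on the PE magic rather than the file name, so a bootloader installed without a .efi extension is still found, and a second run over an already-signed tree is a no-op because the verify step short-circuits before anything is rewritten.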
SUPPORTED EAPIS
7 8
FUNCTIONS
- secureboot_pkg_setup
- Checks if required user variables are set before starting the build
- secureboot_sign_efi_file <input file> [<output file>]
- Sign a file using sbsign and the requested key/certificate. If the file is already signed with our key then the file is skipped. If no output file is specified the output file will be the same as the input file, i.e. the file will be overwritten.
- secureboot_auto_sign [--in-place]
- Automatically discover and sign efi files in the image directory. By default signed files gain the .signed suffix. If the --in-place argument is given the efi files are replaced with a signed version in place.
ECLASS VARIABLES
- SECUREBOOT_SIGN_KEY (USER VARIABLE)
- Used with USE=secureboot. Should be set to the path of the private key in PEM format to use, or a PKCS#11 URI. If unspecified the following locations are tried in order:
- /etc/portage/secureboot.pem
- /var/lib/sbctl/keys/db/db.{key,pem} (from app-crypt/sbctl)
- the MODULES_SIGN_KEY (and MODULES_SIGN_CERT if set)
- the contents of CONFIG_MODULE_SIG_KEY in the current kernel
If none of these exist, a new key will be generated at /etc/portage/secureboot.pem.
- SECUREBOOT_SIGN_CERT (USER VARIABLE)
- Used with USE=secureboot. Should be set to the path of the public key certificate in PEM format to use. If unspecified the SECUREBOOT_SIGN_KEY is assumed to also contain the certificate belonging to it.
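The key and certificate search order just described, as an added example that is not the eclass's own code. The function prints the key and certificate it would use, or the word "generate" with the path a fresh key would be written to. The optional root prefix and the kernel config path are assumptions introduced here so the order can be checked against a scratch directory; the eclass itself is not documented to take them.

```shell
#!/bin/sh
# Added example, not code from secureboot.eclass: the documented search order
# for SECUREBOOT_SIGN_KEY / SECUREBOOT_SIGN_CERT as a function.
# resolve_secureboot_key [root-prefix] [kernel-config]
#   root-prefix    assumed here so the lookup can run against a scratch tree
#   kernel-config  assumed location of the current kernel's .config
# Prints "<key> <cert>" or "generate <path>" and always returns 0.
resolve_secureboot_key() {
    root=${1:-}
    kconfig=${2:-$root/usr/src/linux/.config}

    # 1. Explicit user variables win; the cert defaults to the key file, which
    #    is the documented meaning of an unset SECUREBOOT_SIGN_CERT.
    if [ -n "${SECUREBOOT_SIGN_KEY:-}" ]; then
        echo "$SECUREBOOT_SIGN_KEY ${SECUREBOOT_SIGN_CERT:-$SECUREBOOT_SIGN_KEY}"
        return 0
    fi

    # 2. A PEM file holding both key and certificate.
    pem=$root/etc/portage/secureboot.pem
    if [ -f "$pem" ]; then
        echo "$pem $pem"
        return 0
    fi

    # 3. The db key pair managed by app-crypt/sbctl (both halves must exist).
    sbctl=$root/var/lib/sbctl/keys/db/db
    if [ -f "$sbctl.key" ] && [ -f "$sbctl.pem" ]; then
        echo "$sbctl.key $sbctl.pem"
        return 0
    fi

    # 4. The kernel module signing key, with its certificate if one is set.
    if [ -n "${MODULES_SIGN_KEY:-}" ]; then
        echo "$MODULES_SIGN_KEY ${MODULES_SIGN_CERT:-$MODULES_SIGN_KEY}"
        return 0
    fi

    # 5. CONFIG_MODULE_SIG_KEY from the current kernel configuration.
    if [ -f "$kconfig" ]; then
        k=$(sed -n 's/^CONFIG_MODULE_SIG_KEY="\(.*\)"$/\1/p' "$kconfig")
        if [ -n "$k" ]; then
            echo "$k $k"
            return 0
        fi
    fi

    # Nothing found: a new key would be generated at the default location.
    echo "generate $pem"
    return 0
}
```

Because the first match wins, a stale /etc/portage/secureboot.pem silently shadows an sbctl-managed key; when the key enrolled in the firmware db changes, check which entry this order actually selects before the next kernel or bootloader emerge.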
AUTHORS
Author: Nowa Ammerlaan <nowa@gentoo.org>
MAINTAINERS
Nowa Ammerlaan <nowa@gentoo.org>
REPORTING BUGS
Please report bugs via https://bugs.gentoo.org/
FILES
secureboot.eclass
SEE ALSO
ebuild(5)
https://gitweb.gentoo.org/repo/gentoo.git/log/eclass/secureboot.eclass
This document was created by man2html, using the manual pages.
Time: 03:27:01 GMT, March 13, 2025