Migrate to sbkeysync

[gdamjan]

https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_sbkeysync

sbkeysync, part of sbsigntools, is a tool to enroll the keys automatically. Alas, it assumes its own directory structure for the keys and certificates a bit different than what I did with this tool. While this tools creates all the files in /etc/secure-boot, it expects a hierarchy /etc/secureboot/keys/{db,dbx,KEK,PK}

[maximbaz]

Cool idea! As a heads-up, only .auth files need to go to /etc/secureboot/keys/ folder, the tool will complain if you put anything else there... 🤦‍♂️

I just went through getting rid of efitools dependency altogether in favor of tools in sbsigntools, might be useful for you as a reference: maximbaz/arch-secure-boot@485b6cf

[gdamjan]

did you test sbkeysync?
it didn't work for me in a VM. I still haven't tried it on a real-metal machine.

[maximbaz]

Yes, I tested everything end-to-end on my laptop, it works well 👍

[gdamjan]

or
systemd/systemd#18716