User Controlled Secure Boot

[jackpot51]

DONE:

• Installing unified kernels (linux, command line, and initramfs in one EFI file) if the configuration option unified_kernel is true
• Signing unified kernel with key in /etc/kernelstub/mok.key and certificate in /etc/kernelstub/mok.crt, if these exist
• Backing up old kernel the same way
• Set up loader.conf file

NEED SUGGESTIONS:

• Better names for systemd-boot entries

OUT OF SCOPE:

• Generation and enrollment of Secure Boot keys. You can try this out by running the following:

sudo openssl req \
    -newkey rsa:4096 \
    -nodes \
    -keyout /etc/kernelstub/mok.key \
    -new \
    -x509 \
    -sha256 \
    -days 3650 \
    -subj "/CN=Machine Owner Key/" \
    -out /etc/kernelstub/mok.crt

See also pop-os/fwupd#9, which signs the fwupd EFI executables with the kernelstub machine owner key.

[n3m0-22]

Unified kernel causes the space used in /boot/efi to almost double.

Before:

Size	Used	Avail	Use%
1020M	258M	763M	26%

After:

Size	Used	Avail	Use%
1020M	513M	508M	51%

This is with a single kernel starting from pop-os_22.04_amd64_nvidia_17.iso

This will cause the entire partition to be filled on any older installs where the default size is 498M.

After fully updating the install there is only a small increase in size after the kernel is updated.

However even though sudo kernelstub -p shows the kernel being updated to 6.2.6 the output of uname -r is 6.0.6-76060006-generic.

kernelstub.Config    : INFO     Looking for configuration...
kernelstub           : INFO     System information: 

    OS:..................Pop!_OS 22.04
    Root partition:....../dev/dm-1
    Root FS UUID:........1bede042-8f55-450a-a516-2045c95d74a4
    ESP Path:............/boot/efi
    ESP Partition:......./dev/nvme0n1p1
    ESP Partition #:.....1
    NVRAM entry #:.......-1
    Boot Variable #:.....0000
    Kernel Boot Options:.quiet loglevel=0 systemd.show_status=false i8042.nomux splash
    Kernel Image Path:.../boot/vmlinuz-6.2.6-76060206-generic
    Initrd Image Path:.../boot/initrd.img-6.2.6-76060206-generic
    Force-overwrite:.....False

kernelstub           : INFO     Configuration details: 

   ESP Location:................../boot/efi
   Management Mode:...............True
   Install Loader configuration:..True
   Unified kernel:................True
   Configuration version:.........4

Depending on the order in which things are installed the boot menu will be different.

Case 1:

1. Fresh install
2. Install the updates from this PR
3. Run sudo kernelstub --unified
4. Update the kernel

From here neither the previous or current entries will boot. Only the entry Pop!_OS will. Booting that entry boots to the previous kernel.

At this point a refresh of the OS will boot into the current 6.2.6 kernel.

Case 2:

1. Fresh install
2. Update the kernel
3. Install the updates from this PR
4. Run sudo kernelstub --unified

From here the entries pop_os-current.conf and pop_os-oldkern.conf work. The others do not.