Is there an easy way to avoid signing the kernel?

[hariganti]

When sbctl is run as a post hook from initramfs or UKI generation, the kernel ends up being passed as a parameter. Because I am making a signed UKI, I don't want the kernel to be signed, but the kernel is not saved in the list of files to be signed (sbctl list-files), so I cannot remove it from there to prevent signing it.

While I believe it should be the responsibility of the generation tool to provide the correct files for signing, I don't think it will be easy to change the behavior of mkinitcpio, but perhaps there's a way to avoid having the kernel be signed by sbctl that I am missing?

[Foxboron]

The mkinitcpio hook should only sign the kernel or the UKI image. Why are you getting two things signed?

[hariganti]

I retain the fallback initramfs image so I can manually boot, if needed, but doing so requires me to disable secure boot, and thus the UEFI admin password. In the first profile, the UKI is the only item that gets signed, but for the second profile (fallback), the kernel is being signed.

I want this to require me to disable secure boot so the kernel can't be manually booted with an untrusted image while secure boot is enabled

[Foxboron]

There is no functionality to support this in mkinitcpio.

[hariganti]

To the best of my knowledge, that is correct, and it is what I am trying to work around.

For example, if ukify is used to generate UKIs, then mkinitcpio attempts to first use the user-configured configuration before falling back to the defaults. I don't think such functionality exists for sbctl (with profiles or configurations), but I wasn't sure if there was a way to have a similar behavior defined.

If a config file exists
  Then ignore the supplied arguments and run the config
Else
  Sign based on the supplied arguments