
Secure Boot

Packages

    pacman -S efitools sbsigntools sbctl

Preparations

Prepare the kernel command line parameters (e.g. for LVM on LUKS):

    echo "cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda1):crypt_lvm root=/dev/mapper/vg0-lv_root resume=/dev/mapper/vg0-lv_swap rw quiet splash add_efi_memmap rootflags=subvol=@" > /etc/kernel/cmdline

Generating keys

Generate your own keys (PK, KEK, db):

    sbctl create-keys

The keys will be stored under /usr/share/secureboot/keys/

Downloading and preparing Microsoft's keys

Download Microsoft's KEK (if desired), convert it to PEM and ESL (with Microsoft's GUID) and place the ESL where the signing step below expects it:

    mkdir -p /efi/keys/KEK /efi/keys/db
    curl -L -o MicCorKEKCA2011_2011-06-24.crt 'https://go.microsoft.com/fwlink/?LinkId=321185'
    openssl x509 -inform DER -outform PEM -in MicCorKEKCA2011_2011-06-24.crt -out MicCorKEKCA2011_2011-06-24.pem
    cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorKEKCA2011_2011-06-24.pem /efi/keys/KEK/MicCorKEKCA2011_2011-06-24.esl

Download Microsoft's db certificates, convert them to PEM and ESL (with Microsoft's GUID) and concatenate them into a single signature list:

    curl -OL https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
    curl -OL https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt

    openssl x509 -inform DER -outform PEM -in MicWinProPCA2011_2011-10-19.crt -out MicWinProPCA2011_2011-10-19.pem
    openssl x509 -inform DER -outform PEM -in MicCorUEFCA2011_2011-06-27.crt -out MicCorUEFCA2011_2011-06-27.pem

    cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicWinProPCA2011_2011-10-19.pem MicWinProPCA2011_2011-10-19.esl
    cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorUEFCA2011_2011-06-27.pem MicCorUEFCA2011_2011-06-27.esl

    cat MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > /efi/keys/db/microsoft_db.esl

Sign Microsoft's KEK with your PK and Microsoft's db certificates with your KEK. Note the append flag -a: it produces an append update, so the Microsoft entries are added to the KEK and db variables instead of replacing the keys you enrolled with sbctl:

    sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
        -k /usr/share/secureboot/keys/PK/PK.key \
        -c /usr/share/secureboot/keys/PK/PK.pem \
        KEK /efi/keys/KEK/MicCorKEKCA2011_2011-06-24.esl /efi/keys/KEK/MicCorKEKCA2011_2011-06-24.auth

    sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
        -k /usr/share/secureboot/keys/KEK/KEK.key \
        -c /usr/share/secureboot/keys/KEK/KEK.pem \
        db /efi/keys/db/microsoft_db.esl /efi/keys/db/microsoft_db.auth
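As an added example (not part of the original page), the following Python builds and parses EFI_SIGNATURE_LIST blobs of the kind cert-to-efi-sig-list writes and the cat above concatenates into microsoft_db.esl, and checks that every entry carries Microsoft's owner GUID. The certificate bytes are constructed stand-ins, not real DER certificates; only the GUIDs and the layout are the real ones.

```python
"""Build and parse EFI_SIGNATURE_LIST (ESL) blobs as written by cert-to-efi-sig-list."""
import struct
import uuid

# Signature type for a DER X.509 certificate (EFI_CERT_X509_GUID from the UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Owner GUID Microsoft uses for its KEK/db entries (the -g value used on this page).
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")


def build_esl(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an ESL, like `cert-to-efi-sig-list -g <owner>`."""
    sig_size = 16 + len(cert_der)            # EFI_SIGNATURE_DATA = owner GUID + data
    list_size = 16 + 4 + 4 + 4 + sig_size    # list header (no SignatureHeader) + one signature
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der  # GUIDs are stored in EFI mixed-endian order


def parse_esl(blob: bytes) -> list:
    """Walk a (possibly concatenated) ESL blob; return one dict per signature list."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if sig_size < 16 or list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError(f"inconsistent sizes in list at offset {off}")
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature area not a multiple of SignatureSize at offset {off}")
        sigs = [{"owner": uuid.UUID(bytes_le=body[i:i + 16]), "data": body[i + 16:i + sig_size]}
                for i in range(0, len(body), sig_size)]
        lists.append({"type": sig_type, "signatures": sigs})
        off += list_size
    return lists


def owners_all_match(lists: list, owner: uuid.UUID) -> bool:
    """True if every signature in every list is tagged with the given owner GUID."""
    return all(s["owner"] == owner for lst in lists for s in lst["signatures"])


# Constructed stand-ins for the two Microsoft db certificates (not real X.509 data).
FAKE_WIN_PRO_PCA = b"\x30\x82\x01\x00" + b"A" * 60
FAKE_UEFI_CA = b"\x30\x82\x02\x00" + b"B" * 80
# Mirrors: cat MicWinProPCA2011.esl MicCorUEFCA2011.esl > microsoft_db.esl
MICROSOFT_DB_ESL = (build_esl(FAKE_WIN_PRO_PCA, MICROSOFT_OWNER_GUID)
                    + build_esl(FAKE_UEFI_CA, MICROSOFT_OWNER_GUID))

if __name__ == "__main__":
    for i, lst in enumerate(parse_esl(MICROSOFT_DB_ESL)):
        for s in lst["signatures"]:
            print(f"list {i}: type={lst['type']} owner={s['owner']} cert_len={len(s['data'])}")
```

Pointing parse_esl at a real microsoft_db.esl shows the same two-list layout, with the owner GUIDs set by -g and the DER certificates in the data field.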
    

Signing the unified kernel image

Before enrolling keys and rebooting we want to sign our unified kernel image, otherwise we won't be able to boot later on.

Automate unifying and resigning kernel images on update

Install sbupdate from the AUR:

    yay -S sbupdate

Edit /etc/sbupdate.conf (CMDLINE_DEFAULT takes the kernel parameters prepared above):

    KEY_DIR="/usr/share/secureboot/keys/db"
    ESP_DIR="/efi"
    CMDLINE_DEFAULT="YOUR KERNEL CMDLINE PARAMETERS"

Create a symlink so that sbupdate finds the db certificate as db.crt:

    ln -s /usr/share/secureboot/keys/db/db.pem /usr/share/secureboot/keys/db/db.crt

Reinstall the kernel to trigger the sbupdate hook:

    pacman -S linux
      

Enroll keys in firmware

Own keys

    sbctl enroll-keys

Microsoft keys

Enroll the .auth files created above via the firmware setup menu or KeyTool.efi.