Secure Boot

Packages

pacman -S efitools sbsigntools sbctl

Preparations

Prepare commandline parameters (e.g. for LVM on LUKS):

echo cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda1):crypt_lvm root=/dev/mapper/vg0-lv_root resume=/dev/mapper/vg0-lv_swap rw quiet splash add_efi_memmap rootflags=subvol=@ > /etc/kernel/cmdline 

Generating keys

Generate keys (PK, KEK, db)

sbctl create-keys

Keys will be stored under /usr/share/secureboot/keys/

Downloading and preparing Microsoft's keys

1. Download Microsoft’s KEK (if desired), and convert to PEM and ESL (with Microsoft’s GUID)

   curl -L -o MicCorKEKCA2011_2011-06-24.crt 'https://go.microsoft.com/fwlink/?LinkId=321185'
   openssl x509 -inform DER -outform PEM -in MicCorKEKCA2011_2011-06-24.crt -out MicCorKEKCA2011_2011-06-24.pem
   cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorKEKCA2011_2011-06-24.pem MicCorKEKCA2011_2011-06-24.esl
   

2. Download Microsoft’s DB certificates, convert to PEM and ESL (with Microsoft’s GUID)

   curl -OL https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
   curl -OL https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
   
   openssl x509 -inform DER -outform PEM -in MicWinProPCA2011_2011-10-19.crt -out MicWinProPCA2011_2011-10-19.pem
   openssl x509 -inform DER -outform PEM -in MicCorUEFCA2011_2011-06-27.crt -out MicCorUEFCA2011_2011-06-27.pem
   
   cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicWinProPCA2011_2011-10-19.pem MicWinProPCA2011_2011-10-19.esl
   cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorUEFCA2011_2011-06-27.pem MicCorUEFCA2011_2011-06-27.esl
   
   mkdir -p /efi/keys/{db,KEK}
   
   cat MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > /efi/keys/db/microsoft_db.esl
   

3. Sign Microsoft’s keys with your PK and KEK respectively. Again, note the use of the append flag -a

   sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
       -k /usr/share/secureboot/keys/PK/PK.key \
       -c /usr/share/secureboot/keys/PK/PK.pem \
       KEK /usr/share/secureboot/keys/KEK/MicCorKEKCA2011_2011-06-24.esl /efi/keys/KEK/MicCorKEKCA2011_2011-06-24.auth
   
   sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
       -k /usr/share/secureboot/keys/KEK/KEK.key \
       -c /usr/share/secureboot/keys/KEK/KEK.pem \
       db /usr/share/secureboot/keys/db/microsoft_db.esl /efi/keys/db/microsoft_db.auth
   

Signing the unified kernel image

Before enrolling keys and rebooting we want to sign our unified kernel image, otherwise we won't be able to boot later on.

Automate unifying and resigning kernel images on update

1. Install sbupdate from AUR

   yay -S sbupdate
   

2. Edit /etc/sbupdate.conf

   KEY_DIR="/usr/share/secureboot/keys/db"
   ESP_DIR="/efi"
   CMDLINE_DEFAULT="YOUR KERNEL CMDLINE PARAMETERS"
   

3. Create symlink for sbupdate db.crt

   ln -s /usr/share/secureboot/keys/db/db.pem /usr/share/secureboot/keys/db/db.crt
   

4. Reinstall kernel to trigger sbupdate hook

   pacman -S linux
   

Enroll keys in firmware

Own keys

sbctl enroll-keys

Microsoft keys

Via Firmware or KeyTool.efi