
Secure Boot

Packages

pacman -S efitools sbsigntools sbctl

Preparations

Prepare the kernel command line parameters (e.g. for LVM on LUKS) and write them to /etc/kernel/cmdline:

echo cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda1):crypt_lvm root=/dev/mapper/vg0-lv_root resume=/dev/mapper/vg0-lv_swap rw quiet splash add_efi_memmap rootflags=subvol=@ > /etc/kernel/cmdline

Generating keys

Generate keys (PK, KEK, db)

sbctl create-keys

Keys will be stored under /usr/share/secureboot/keys/

Downloading and preparing Microsoft's keys

  1. Download Microsoft’s KEK CA certificate (optional; only needed if you want to accept Microsoft-signed KEK updates such as dbx revocation lists), and convert it to PEM and ESL (with Microsoft’s owner GUID)
    curl -L -o MicCorKEKCA2011_2011-06-24.crt 'https://go.microsoft.com/fwlink/?LinkId=321185'
    openssl x509 -inform DER -outform PEM -in MicCorKEKCA2011_2011-06-24.crt -out MicCorKEKCA2011_2011-06-24.pem
    cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorKEKCA2011_2011-06-24.pem MicCorKEKCA2011_2011-06-24.esl
    
  2. Download Microsoft’s DB certificates, convert to PEM and ESL (with Microsoft’s GUID)
    curl -OL https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
    curl -OL https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
    
    openssl x509 -inform DER -outform PEM -in MicWinProPCA2011_2011-10-19.crt -out MicWinProPCA2011_2011-10-19.pem
    openssl x509 -inform DER -outform PEM -in MicCorUEFCA2011_2011-06-27.crt -out MicCorUEFCA2011_2011-06-27.pem
    
    cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicWinProPCA2011_2011-10-19.pem MicWinProPCA2011_2011-10-19.esl
    cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorUEFCA2011_2011-06-27.pem MicCorUEFCA2011_2011-06-27.esl
    
    mkdir -p /efi/keys/{db,KEK}
    
    cat MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > /efi/keys/db/microsoft_db.esl
    
  3. Sign Microsoft’s ESLs with your PK (for the KEK entry) and your KEK (for the db entries). Note the append flag -a: the resulting .auth files add to the existing variable contents instead of replacing your own keys. The KEK ESL was written to the current directory in step 1 and the db ESL to /efi/keys/db in step 2, so reference them there
    sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
        -k /usr/share/secureboot/keys/PK/PK.key \
        -c /usr/share/secureboot/keys/PK/PK.pem \
        KEK MicCorKEKCA2011_2011-06-24.esl /efi/keys/KEK/MicCorKEKCA2011_2011-06-24.auth
    
    sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
        -k /usr/share/secureboot/keys/KEK/KEK.key \
        -c /usr/share/secureboot/keys/KEK/KEK.pem \
        db /efi/keys/db/microsoft_db.esl /efi/keys/db/microsoft_db.auth
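The .esl files built with cert-to-efi-sig-list above, and the microsoft_db.esl produced by concatenating two of them with cat, are EFI_SIGNATURE_LIST structures. As an added example (not part of this page, of efitools or of sbctl), the following Python parser builds two such lists from constructed placeholder certificate bytes, joins them the way cat does, and walks the result back, rejecting truncated or inconsistent input. The structure layout follows the UEFI specification; the FAKE_* DER blobs are made up and are not real certificates.

```python
"""Parse EFI_SIGNATURE_LIST (.esl) blobs like those produced by
cert-to-efi-sig-list and concatenated with cat. Layout per the UEFI spec:
  EFI_SIGNATURE_LIST { SignatureType GUID; SignatureListSize u32;
                       SignatureHeaderSize u32; SignatureSize u32;
                       SignatureHeader[]; EFI_SIGNATURE_DATA Signatures[] }
  EFI_SIGNATURE_DATA { SignatureOwner GUID; SignatureData[] }
GUIDs are stored in the mixed-endian EFI layout (uuid's bytes_le)."""
import struct
import uuid

# Signature type for X.509 certificates (EFI_CERT_X509_GUID from the UEFI spec)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Owner GUID the page passes with -g for Microsoft's certificates
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# Fixed header: SignatureType + the three u32 sizes, little-endian
_ESL_HDR = struct.Struct("<16sIII")

# Constructed placeholder DER blobs standing in for the two Microsoft db
# certificates; they are NOT real certificates, just bytes to wrap.
FAKE_WINPRO_DER = b"\x30\x82\x00\x10" + b"W" * 16
FAKE_UEFCA_DER = b"\x30\x82\x00\x20" + b"U" * 32


def build_x509_esl(owner, der_cert):
    """Build a one-entry X.509 signature list, as cert-to-efi-sig-list -g does."""
    sig_size = 16 + len(der_cert)           # SignatureOwner + certificate bytes
    list_size = _ESL_HDR.size + sig_size    # no SignatureHeader for X.509 lists
    header = _ESL_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + der_cert


def parse_esl(blob):
    """Walk one or more concatenated signature lists and return a list of
    (signature_type, owner, data) tuples. Malformed or truncated input raises
    ValueError so a damaged file is rejected instead of partially accepted."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _ESL_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        type_raw, list_size, hdr_size, sig_size = _ESL_HDR.unpack_from(blob, off)
        if list_size < _ESL_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at %d" % off)
        if sig_size <= 16:
            raise ValueError("SignatureSize must exceed the 16-byte owner GUID")
        body_len = list_size - _ESL_HDR.size - hdr_size
        if body_len % sig_size != 0:
            raise ValueError("signature body not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + _ESL_HDR.size + hdr_size
        end = off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries


def is_well_formed(blob):
    """True if parse_esl accepts the blob without error."""
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False


def build_microsoft_db_esl():
    """Mimic 'cat a.esl b.esl > microsoft_db.esl' with the placeholder certs."""
    return (build_x509_esl(MICROSOFT_OWNER_GUID, FAKE_WINPRO_DER)
            + build_x509_esl(MICROSOFT_OWNER_GUID, FAKE_UEFCA_DER))


def describe(blob):
    """One summary line per entry, roughly in the style of efi-readvar."""
    lines = []
    for sig_type, owner, data in parse_esl(blob):
        kind = "X509" if sig_type == EFI_CERT_X509_GUID else str(sig_type)
        lines.append("%s cert, owner %s, %d bytes" % (kind, owner, len(data)))
    return lines


if __name__ == "__main__":
    for line in describe(build_microsoft_db_esl()):
        print(line)
```

Pointing parse_esl at a real microsoft_db.esl from the steps above lets you confirm, before signing it into a .auth file, that it holds exactly the two X.509 entries you expect and that every entry carries the owner GUID you passed with -g.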
    

Automate unifying and resigning kernel images on update

  1. Install sbupdate from AUR
    yay -S sbupdate
    
  2. Edit /etc/sbupdate.conf and set parameters
    KEY_DIR="/usr/share/secureboot/keys/db"
    ESP_DIR="/efi"
    CMDLINE_DEFAULT="YOUR KERNEL CMDLINE PARAMETERS"
    
  3. Create a db.crt symlink, since sbupdate looks for the signing certificate under that name while sbctl stores it as db.pem
    ln -s /usr/share/secureboot/keys/db/db.pem /usr/share/secureboot/keys/db/db.crt
    
  4. Reinstall kernel to trigger sbupdate hook to create unified and signed kernel image
    pacman -S linux
    

Enroll keys in firmware

Own keys

sbctl enroll-keys

The firmware must be in Setup Mode (existing PK cleared) for this to succeed.

Microsoft keys

Via Firmware or KeyTool.efi

Using KeyTool.efi

  1. Prepare directory
    mkdir /efi/EFI/KeyTool
    
  2. Copy a signed version of KeyTool.efi to ESP
    sbsign --key /usr/share/secureboot/keys/db/db.key \
           --cert /usr/share/secureboot/keys/db/db.pem \
           --output /efi/EFI/KeyTool/KeyTool-signed.efi \
           /usr/share/efitools/efi/KeyTool.efi
    
  3. Boot KeyTool-signed.efi via the firmware or the EFI Shell (if using the EFI Shell, verify that fs0:\ is the ESP to which you copied KeyTool-signed.efi and the keys)
    fs0:\EFI\KeyTool\KeyTool-signed.efi
    
  4. Add Microsoft keys to firmware