Secure Boot

Packages

pacman -S efitools sbsigntools sbctl

Preparations

Prepare commandline parameters (e.g. for LVM on LUKS):

echo cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda1):crypt_lvm root=/dev/mapper/vg0-lv_root resume=/dev/mapper/vg0-lv_swap rw quiet splash add_efi_memmap rootflags=subvol=@ > /etc/kernel/cmdline 

Generating keys

Generate keys (PK, KEK, db)

sbctl create-keys

Keys will be stored under /usr/share/secureboot/keys/

Downloading and preparing Microsoft's keys

1. Download Microsoft’s KEK (if desired), and convert to PEM and ESL (with Microsoft’s GUID)

   curl -L -o MicCorKEKCA2011_2011-06-24.crt 'https://go.microsoft.com/fwlink/?LinkId=321185'
   openssl x509 -inform DER -outform PEM -in MicCorKEKCA2011_2011-06-24.crt -out MicCorKEKCA2011_2011-06-24.pem
   cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorKEKCA2011_2011-06-24.pem MicCorKEKCA2011_2011-06-24.esl
   

2. Download Microsoft’s DB certificates, convert to PEM and ESL (with Microsoft’s GUID)

   curl -OL https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
   curl -OL https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
   
   openssl x509 -inform DER -outform PEM -in MicWinProPCA2011_2011-10-19.crt -out MicWinProPCA2011_2011-10-19.pem
   openssl x509 -inform DER -outform PEM -in MicCorUEFCA2011_2011-06-27.crt -out MicCorUEFCA2011_2011-06-27.pem
   
   cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicWinProPCA2011_2011-10-19.pem MicWinProPCA2011_2011-10-19.esl
   cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorUEFCA2011_2011-06-27.pem MicCorUEFCA2011_2011-06-27.esl
   
   mkdir -p /efi/keys/{db,KEK}
   
   cat MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > /efi/keys/db/microsoft_db.esl
   

3. Sign Microsoft’s keys with your PK and KEK respectively. Again, note the use of the append flag -a

   sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
       -k /usr/share/secureboot/keys/PK/PK.key \
       -c /usr/share/secureboot/keys/PK/PK.pem \
       KEK /usr/share/secureboot/keys/KEK/MicCorKEKCA2011_2011-06-24.esl \
       /efi/keys/KEK/MicCorKEKCA2011_2011-06-24.auth
   
   sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
       -k /usr/share/secureboot/keys/KEK/KEK.key \
       -c /usr/share/secureboot/keys/KEK/KEK.pem \
       db /usr/share/secureboot/keys/db/microsoft_db.esl \
       /efi/keys/db/microsoft_db.auth
   

Automate unifying and resigning kernel images on update

1. Install sbupdate from AUR

   yay -S sbupdate
   

2. Edit /etc/sbupdate.conf and set parameters

   KEY_DIR="/usr/share/secureboot/keys/db"
   ESP_DIR="/efi"
   CMDLINE_DEFAULT="YOUR KERNEL CMDLINE PARAMETERS"
   

3. Create symlink for sbupdate

   ln -s /usr/share/secureboot/keys/db/db.pem /usr/share/secureboot/keys/db/db.crt
   

4. Reinstall kernel to trigger sbupdate hook to create unified and signed kernel image

   pacman -S linux
   

Enroll keys in firmware

Own keys

sbctl enroll-keys

Microsoft keys

Via Firmware or KeyTool.efi

Using KeyTool.efi

1. Prepare directory

   mkdir /efi/EFI/KeyTool
   

2. Copy a signed version of KeyTool.efi to ESP

   sbsign --key /usr/share/secureboot/keys/db/db.key \
          --cert /usr/share/secureboot/keys/db/db.pem \
          --output /efi/EFI/KeyTool/KeyTool-signed.efi \
          /usr/share/efitools/efi/KeyTool.efi
   

3. Boot KeyTool-signed.efi via Firmware or EFI Shell

   NOTE: if using EFI Shell, verify that fs0:\ is the ESP you copied KeyTool-signed.efi and the keys to!

   fs0:\EFI\KeyTool\KeyTool-signed.efi
   

4. Add Microsoft keys to firmware