
Secure Boot

Packages

pacman -S efitools sbsigntools sbctl

Preparations

Prepare the kernel command line parameters (e.g. for LVM on LUKS):

NOTE: cryptlvm is used as an example here. Use whatever you like.

ATTENTION: /dev/sda1 is used as an example here. Supply the device file to your LUKS container here! Failing to do so will result in an unbootable system!

echo cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda1):cryptlvm root=/dev/mapper/vg0-lv_root resume=/dev/mapper/vg0-lv_swap rw quiet splash add_efi_memmap rootflags=subvol=@ > /etc/kernel/cmdline

Generating keys

Generate keys (PK, KEK, db)

sbctl create-keys

Keys will be stored under /usr/share/secureboot/keys/

Downloading and preparing Microsoft's keys

  1. Download Microsoft’s KEK (if desired), and convert it to PEM and ESL format (with Microsoft’s GUID)
    cd /usr/share/secureboot/keys/KEK
    
    curl -L -o MicCorKEKCA2011_2011-06-24.crt 'https://go.microsoft.com/fwlink/?LinkId=321185'
    openssl x509 -inform DER -outform PEM -in MicCorKEKCA2011_2011-06-24.crt -out MicCorKEKCA2011_2011-06-24.pem
    cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorKEKCA2011_2011-06-24.pem /usr/share/secureboot/keys/KEK/MicCorKEKCA2011_2011-06-24.esl
    
  2. Download Microsoft’s DB certificates, convert to PEM and ESL (with Microsoft’s GUID)
    cd /usr/share/secureboot/keys
    
    curl -OL https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
    curl -OL https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
    
    openssl x509 -inform DER -outform PEM -in MicWinProPCA2011_2011-10-19.crt -out MicWinProPCA2011_2011-10-19.pem
    openssl x509 -inform DER -outform PEM -in MicCorUEFCA2011_2011-06-27.crt -out MicCorUEFCA2011_2011-06-27.pem
    
    cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicWinProPCA2011_2011-10-19.pem MicWinProPCA2011_2011-10-19.esl
    cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorUEFCA2011_2011-06-27.pem MicCorUEFCA2011_2011-06-27.esl
    
    mkdir -p /efi/keys/{db,KEK}
    
    cat MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > /usr/share/secureboot/keys/db/microsoft_db.esl
    
  3. Sign Microsoft’s keys with your PK and KEK respectively. Note the use of the append flag -a: the resulting .auth files append the Microsoft entries to the KEK and db variables instead of replacing your own keys
    sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
        -k /usr/share/secureboot/keys/PK/PK.key \
        -c /usr/share/secureboot/keys/PK/PK.pem \
        KEK /usr/share/secureboot/keys/KEK/MicCorKEKCA2011_2011-06-24.esl \
        /efi/keys/KEK/MicCorKEKCA2011_2011-06-24.auth
    
    sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
        -k /usr/share/secureboot/keys/KEK/KEK.key \
        -c /usr/share/secureboot/keys/KEK/KEK.pem \
        db /usr/share/secureboot/keys/db/microsoft_db.esl \
        /efi/keys/db/microsoft_db.auth
    
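The .esl files written by cert-to-efi-sig-list above are EFI_SIGNATURE_LIST structures, and microsoft_db.esl is simply two of them concatenated back to back. The following is an added example, not code from this page or from efitools: a small Python parser that walks such a blob, returns every signature entry, and checks that each one is an X.509 entry attributed to the owner GUID passed to -g. The input is constructed in the script with placeholder bytes standing in for the two DER certificates, so it runs offline; point parse_esl at the real microsoft_db.esl to inspect the actual file.

```python
import struct
import uuid

# GUIDs from the UEFI specification (EFI_CERT_X509_GUID) and the Microsoft
# owner GUID passed to cert-to-efi-sig-list -g on this page.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# EFI_SIGNATURE_LIST header: SignatureType (GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32).
LIST_HEADER = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16  # EFI_SIGNATURE_DATA starts with the SignatureOwner GUID


def build_x509_esl(owner: uuid.UUID, der_cert: bytes) -> bytes:
    """Build one EFI_SIGNATURE_LIST holding a single X.509 entry, the layout
    cert-to-efi-sig-list writes for one PEM certificate."""
    sig_size = OWNER_GUID_LEN + len(der_cert)
    header = LIST_HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                              LIST_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + der_cert


def parse_esl(blob: bytes) -> list:
    """Walk a blob of concatenated EFI_SIGNATURE_LISTs and return
    (signature_type, owner, data) tuples for every signature entry.
    Raises ValueError on truncated or inconsistent length fields."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, off)
        if list_size < LIST_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = blob[off + LIST_HEADER.size + hdr_size:off + list_size]
        if sig_size <= OWNER_GUID_LEN or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + OWNER_GUID_LEN])
            entries.append((uuid.UUID(bytes_le=sig_type), owner,
                            body[i + OWNER_GUID_LEN:i + sig_size]))
        off += list_size
    return entries


def check_db_esl(blob: bytes, expected_owner: uuid.UUID) -> list:
    """Return a list of problems found; an empty list means every entry is an
    X.509 certificate entry attributed to expected_owner."""
    problems = []
    for idx, (sig_type, owner, data) in enumerate(parse_esl(blob)):
        if sig_type != EFI_CERT_X509_GUID:
            problems.append(f"entry {idx}: signature type {sig_type} is not X.509")
        if owner != expected_owner:
            problems.append(f"entry {idx}: owner {owner} != {expected_owner}")
        if not data.startswith(b"\x30"):  # a DER certificate begins with a SEQUENCE tag
            problems.append(f"entry {idx}: data does not look like DER")
    return problems


# Constructed stand-ins for the two DER certificates; not real certificates.
FAKE_WINPRO_DER = b"\x30\x82\x00\x10" + b"W" * 16
FAKE_UEFCA_DER = b"\x30\x82\x00\x0c" + b"U" * 12

# Same shape as `cat MicWinProPCA2011....esl MicCorUEFCA2011....esl > microsoft_db.esl`
MICROSOFT_DB_ESL = (build_x509_esl(MICROSOFT_OWNER_GUID, FAKE_WINPRO_DER)
                    + build_x509_esl(MICROSOFT_OWNER_GUID, FAKE_UEFCA_DER))

# A constructed entry attributed to another owner GUID, to show the check firing.
WRONG_OWNER_ESL = build_x509_esl(uuid.UUID(int=0), FAKE_UEFCA_DER)

if __name__ == "__main__":
    for sig_type, owner, data in parse_esl(MICROSOFT_DB_ESL):
        print(f"type={sig_type} owner={owner} len={len(data)}")
    print("problems:", check_db_esl(MICROSOFT_DB_ESL, MICROSOFT_OWNER_GUID))
    print("problems:", check_db_esl(MICROSOFT_DB_ESL + WRONG_OWNER_ESL,
                                    MICROSOFT_OWNER_GUID))
```

Running check_db_esl over a freshly built microsoft_db.esl before signing it catches the two mistakes that are easy to make in step 2: forgetting -g (the owner then defaults to a different GUID) and concatenating a file that is not an ESL at all, which fails the length consistency checks in parse_esl.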

Automate unifying and resigning kernel images on update

  1. Install sbupdate from AUR
    1. via yay
      yay -S sbupdate
      
    2. Manually
      cd
      mkdir git && cd git
      git clone https://aur.archlinux.org/sbupdate-git.git
      cd sbupdate-git
      makepkg -si
      
  2. Edit /etc/sbupdate.conf and set parameters
    KEY_DIR="/usr/share/secureboot/keys/db"
    ESP_DIR="/efi"
    SPLASH="/dev/null"
    CMDLINE_DEFAULT="YOUR KERNEL CMDLINE PARAMETERS"
    
  3. Create a symlink for sbupdate, which expects the certificate as db.crt while sbctl stores it as db.pem
    ln -s /usr/share/secureboot/keys/db/db.pem /usr/share/secureboot/keys/db/db.crt
    
  4. Reinstall kernel to trigger sbupdate hook to create unified and signed kernel image
    pacman -S linux
    

Enroll keys in firmware

Own keys

sbctl enroll-keys

Microsoft keys

Via Firmware or KeyTool.efi

Using KeyTool.efi

  1. Prepare directory

    mkdir /efi/EFI/KeyTool
    
  2. Copy a signed version of KeyTool.efi to ESP

    sbsign --key /usr/share/secureboot/keys/db/db.key \
           --cert /usr/share/secureboot/keys/db/db.pem \
           --output /efi/EFI/KeyTool/KeyTool-signed.efi \
           /usr/share/efitools/efi/KeyTool.efi
    
  3. Boot KeyTool-signed.efi via Firmware or EFI Shell

    NOTE: if using EFI Shell, verify that fs0:\ is the ESP you copied KeyTool-signed.efi and the keys to!

    fs0:\EFI\KeyTool\KeyTool-signed.efi
    
  4. Add Microsoft keys to firmware