Secure Boot
Packages
pacman -S efitools sbsigntools sbctl
Preparations
Prepare command line parameters (e.g. for LVM on LUKS):
NOTE: cryptlvm is used as the mapper name here as an example. Use whatever you like.
ATTENTION: /dev/sda1 is used as an example here. Supply the device file of your LUKS container! Failing to do so will result in an unbootable system!
echo cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda1):cryptlvm root=/dev/mapper/vg0-lv_root resume=/dev/mapper/vg0-lv_swap rw quiet splash add_efi_memmap rootflags=subvol=@ > /etc/kernel/cmdline
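A wrong device file makes blkid print nothing, so the echo above silently writes cryptdevice=UUID=:cryptlvm and the system does not boot. The following added example (not part of the original page) wraps that step in checks: it refuses to write /etc/kernel/cmdline unless the argument is a block device that blkid reports as crypto_LUKS and the UUID has the expected 8-4-4-4-12 shape. The mapper name cryptlvm, the volume group vg0 and the remaining parameters are the page's example values; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: build /etc/kernel/cmdline only
# after verifying the LUKS device and its UUID. Mapper name and VG follow the
# page's example (cryptlvm, vg0); adjust them to your layout.

MAPPER=cryptlvm
VG=vg0
CMDLINE_FILE=/etc/kernel/cmdline

# Accept only a canonical 8-4-4-4-12 hex UUID (case-insensitive).
uuid_ok() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Assemble the command line for a given LUKS UUID; mirrors the page's echo line.
make_cmdline() {
    uuid_ok "$1" || { echo "refusing: '$1' is not a UUID" >&2; return 1; }
    printf 'cryptdevice=UUID=%s:%s root=/dev/mapper/%s-lv_root resume=/dev/mapper/%s-lv_swap rw quiet splash add_efi_memmap rootflags=subvol=@\n' \
        "$1" "$MAPPER" "$VG" "$VG"
}

# Look up the device, confirm it is a LUKS container, then write the file.
write_cmdline() {
    dev=$1
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    fstype=$(blkid -s TYPE -o value "$dev")
    [ "$fstype" = "crypto_LUKS" ] || { echo "$dev is '$fstype', not crypto_LUKS" >&2; return 1; }
    uuid=$(blkid -s UUID -o value "$dev")
    line=$(make_cmdline "$uuid") || return 1
    printf '%s\n' "$line" > "$CMDLINE_FILE"
    echo "wrote $CMDLINE_FILE: $line"
}

# Usage: sh cmdline.sh /dev/sda1
if [ $# -eq 1 ]; then
    write_cmdline "$1"
fi
```

Run it as root with the LUKS partition as the only argument; every failure path exits non-zero without touching the existing /etc/kernel/cmdline.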
Generating keys
Generate keys (PK, KEK, db)
sbctl create-keys
Keys will be stored under /usr/share/secureboot/keys/
Downloading and preparing Microsoft's keys
- Download Microsoft’s KEK (if desired), and convert it to PEM and ESL format (with Microsoft’s GUID)
cd /usr/share/secureboot/keys/KEK
curl -L -o MicCorKEKCA2011_2011-06-24.crt 'https://go.microsoft.com/fwlink/?LinkId=321185'
openssl x509 -inform DER -outform PEM -in MicCorKEKCA2011_2011-06-24.crt -out MicCorKEKCA2011_2011-06-24.pem
cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorKEKCA2011_2011-06-24.pem /usr/share/secureboot/keys/KEK/MicCorKEKCA2011_2011-06-24.esl
- Download Microsoft’s DB certificates, convert to PEM and ESL (with Microsoft’s GUID)
cd /usr/share/secureboot/keys
curl -OL https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
curl -OL https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
openssl x509 -inform DER -outform PEM -in MicWinProPCA2011_2011-10-19.crt -out MicWinProPCA2011_2011-10-19.pem
openssl x509 -inform DER -outform PEM -in MicCorUEFCA2011_2011-06-27.crt -out MicCorUEFCA2011_2011-06-27.pem
cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicWinProPCA2011_2011-10-19.pem MicWinProPCA2011_2011-10-19.esl
cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorUEFCA2011_2011-06-27.pem MicCorUEFCA2011_2011-06-27.esl
mkdir -p /efi/keys/{db,KEK}
cat MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > /usr/share/secureboot/keys/db/microsoft_db.esl
- Sign Microsoft’s keys with your PK and KEK respectively. Again, note the use of the append flag -a
sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
    -k /usr/share/secureboot/keys/PK/PK.key \
    -c /usr/share/secureboot/keys/PK/PK.pem \
    KEK /usr/share/secureboot/keys/KEK/MicCorKEKCA2011_2011-06-24.esl \
    /efi/keys/KEK/MicCorKEKCA2011_2011-06-24.auth
sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
    -k /usr/share/secureboot/keys/KEK/KEK.key \
    -c /usr/share/secureboot/keys/KEK/KEK.pem \
    db /usr/share/secureboot/keys/db/microsoft_db.esl \
    /efi/keys/db/microsoft_db.auth
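The .esl files produced by cert-to-efi-sig-list, and the concatenated microsoft_db.esl, are EFI_SIGNATURE_LIST structures: a 28-byte header (list type GUID, list size, header size, signature size) followed by one EFI_SIGNATURE_DATA entry holding the owner GUID from -g and the DER certificate. The following added example (my own code, not from the page or from efitools) builds that structure in plain sh and parses it back, one line per list, so you can confirm the owner GUID and certificate size of every list before signing it into KEK or db. It goes beyond the page's single-certificate case by walking a concatenated file as well and rejecting truncated ones. EFI_CERT_X509_GUID is the standard list type for X.509 entries; GUID byte order follows the EFI mixed-endian encoding; the "certificate" bytes in the test are constructed and not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original page: build and inspect
# EFI_SIGNATURE_LIST (.esl) files for X.509 certificates.
#
# Layout (all integers little-endian):
#   EFI_SIGNATURE_LIST { SignatureType GUID[16]; SignatureListSize u32;
#                        SignatureHeaderSize u32; SignatureSize u32; }
#   EFI_SIGNATURE_DATA { SignatureOwner GUID[16]; SignatureData[] = DER cert }
# An X.509 list has SignatureHeaderSize 0 and SignatureSize = 16 + cert length.

EFI_CERT_X509_GUID=a5c059a1-94e4-4aa7-87b5-ab155c2bf072

# Emit one byte given as a decimal or 0x-prefixed value.
put_byte() { printf "\\$(printf '%03o' "$1")"; }

# Emit a 32-bit little-endian integer.
put_u32() {
    n=$1
    for shift in 0 8 16 24; do put_byte $(( (n >> shift) & 255 )); done
}

# Emit a text GUID in its 16-byte EFI encoding: Data1/Data2/Data3 are
# little-endian, the final 8 bytes are stored in the order written.
put_guid() {
    hex=$(printf '%s' "$1" | tr -d '-')
    for b in 3 2 1 0 5 4 7 6 8 9 10 11 12 13 14 15; do
        put_byte "0x$(printf '%s\n' "$hex" | cut -c $((2*b+1))-$((2*b+2)))"
    done
}

# cert_to_esl CERT.der OWNER-GUID OUT.esl: same layout cert-to-efi-sig-list
# writes for a single certificate with the owner GUID given via -g.
cert_to_esl() {
    cert=$1 owner=$2 out=$3
    certsize=$(wc -c < "$cert" | tr -d ' ')
    sigsize=$((16 + certsize))        # owner GUID + certificate
    listsize=$((28 + sigsize))        # header + one signature entry
    {
        put_guid "$EFI_CERT_X509_GUID"
        put_u32 "$listsize"
        put_u32 0                     # SignatureHeaderSize: none for X.509
        put_u32 "$sigsize"
        put_guid "$owner"
        cat "$cert"
    } > "$out"
}

# Read a little-endian u32 at OFFSET of FILE (endian-independent: works on bytes).
get_u32() {
    set -- $(od -An -v -tu1 -j "$2" -N 4 "$1")
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# Read the 16-byte EFI GUID at OFFSET of FILE and print it in text form.
get_guid() {
    set -- $(od -An -v -tx1 -j "$2" -N 16 "$1")
    printf '%s%s%s%s-%s%s-%s%s-%s%s-%s%s%s%s%s%s\n' \
        "$4" "$3" "$2" "$1" "$6" "$5" "$8" "$7" \
        "$9" "${10}" "${11}" "${12}" "${13}" "${14}" "${15}" "${16}"
}

# esl_inspect FILE: one line per list; fails on non-X.509 or truncated lists.
esl_inspect() {
    f=$1
    total=$(wc -c < "$f" | tr -d ' ')
    off=0
    while [ "$off" -lt "$total" ]; do
        type=$(get_guid "$f" "$off")
        listsize=$(get_u32 "$f" $((off + 16)))
        hdrsize=$(get_u32 "$f" $((off + 20)))
        sigsize=$(get_u32 "$f" $((off + 24)))
        [ "$listsize" -ge 44 ] && [ $((off + listsize)) -le "$total" ] ||
            { echo "corrupt list at offset $off (size $listsize, file $total)" >&2; return 1; }
        [ "$type" = "$EFI_CERT_X509_GUID" ] ||
            { echo "list at offset $off is not X.509: $type" >&2; return 1; }
        owner=$(get_guid "$f" $((off + 28 + hdrsize)))
        echo "offset=$off list=$listsize sig=$sigsize owner=$owner certsize=$((sigsize - 16))"
        off=$((off + listsize))
    done
}

# Usage: sh esl.sh FILE.esl            -> inspect
#        sh esl.sh CERT.der GUID OUT   -> build, then inspect
case $# in
    1) esl_inspect "$1" ;;
    3) cert_to_esl "$1" "$2" "$3" && esl_inspect "$3" ;;
esac
```

Running esl_inspect over microsoft_db.esl should report two lists, both owned by 77fa9abd-0359-4d32-bd60-28f4e78f784b; a .esl built here from the same DER file can be compared byte for byte (cmp) with the one cert-to-efi-sig-list wrote.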
Automate unifying and resigning kernel images on update
- Install sbupdate from AUR
  - via yay
yay -S sbupdate
  - manually
cd
mkdir git && cd git
git clone https://aur.archlinux.org/sbupdate-git.git
cd sbupdate-git
makepkg -si
- Edit /etc/sbupdate.conf and set parameters
KEY_DIR="/usr/share/secureboot/keys/db"
ESP_DIR="/efi"
SPLASH="/dev/null"
CMDLINE_DEFAULT="YOUR KERNEL CMDLINE PARAMETERS"
- Create symlink for sbupdate, which looks for the certificate as db.crt
ln -s /usr/share/secureboot/keys/db/db.pem /usr/share/secureboot/keys/db/db.crt
- Reinstall kernel to trigger the sbupdate hook, which creates the unified and signed kernel image
pacman -S linux
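Once the hook has run, the useful check is whether every binary on the ESP actually verifies against the db certificate, since anything that does not will be refused once Secure Boot is enforced. The following added example (my own code, not from the page or from sbupdate) walks ESP_DIR, picks out PE/COFF images by their "MZ" magic rather than by file name, and runs sbverify --cert from sbsigntools against each one; the same check applies to any binary you sign by hand, such as the KeyTool-signed.efi later on this page. ESP_DIR and the db.pem path are the page's values and can be overridden in the environment; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: audit the ESP so that no
# unsigned or wrongly signed binary is left behind before Secure Boot is
# enforced. Paths follow the page's /etc/sbupdate.conf; override via env.

ESP_DIR=${ESP_DIR:-/efi}
DB_CERT=${DB_CERT:-/usr/share/secureboot/keys/db/db.pem}

# Every UEFI binary is a PE/COFF image and starts with the two bytes "MZ".
# Matching on the magic catches renamed images that a *.efi glob would miss.
is_pe_binary() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# Check one binary's Authenticode signature against the db certificate.
check_binary() {
    if sbverify --cert "$DB_CERT" "$1" >/dev/null 2>&1; then
        echo "OK       $1"
    else
        echo "UNSIGNED $1"
        return 1
    fi
}

# Walk DIR, report every PE image, and finish with a PASS/FAIL summary.
# Exit status: 0 all verified, 1 at least one failure, 2 sbverify missing.
audit_esp() {
    command -v sbverify >/dev/null 2>&1 ||
        { echo "sbverify not found (package sbsigntools)" >&2; return 2; }
    bad=0
    old_ifs=$IFS
    IFS='
'
    for f in $(find "$1" -type f); do
        is_pe_binary "$f" || continue
        check_binary "$f" || bad=$((bad + 1))
    done
    IFS=$old_ifs
    if [ "$bad" -eq 0 ]; then
        echo "PASS: all PE images under $1 verify against $DB_CERT"
        return 0
    fi
    echo "FAIL: $bad image(s) under $1 did not verify against $DB_CERT"
    return 1
}

# Usage: sh audit-esp.sh [DIR]   (defaults to ESP_DIR)
if [ $# -le 1 ]; then
    audit_esp "${1:-$ESP_DIR}"
fi
```

Run it after every kernel update that goes through the hook; a FAIL line names the exact file to re-sign before you reboot with Secure Boot turned on.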
Enroll keys in firmware
Own keys
sbctl enroll-keys
Microsoft keys
Via Firmware or KeyTool.efi
Using KeyTool.efi
- Prepare directory
mkdir /efi/EFI/KeyTool
- Copy a signed version of KeyTool.efi to the ESP
sbsign --key /usr/share/secureboot/keys/db/db.key \
    --cert /usr/share/secureboot/keys/db/db.pem \
    --output /efi/EFI/KeyTool/KeyTool-signed.efi \
    /usr/share/efitools/efi/KeyTool.efi
- Boot KeyTool-signed.efi via Firmware or EFI Shell
NOTE: if using EFI Shell, verify that fs0:\ is the ESP you copied KeyTool-signed.efi and the keys to!
fs0:\EFI\KeyTool\KeyTool-signed.efi
- Add Microsoft keys to firmware