Skip to main content

Secure Boot

Packages

pacman -S efitools sbsigntools sbctl

Preparations

Prepare commandline parameters (e.g. for LVM on LUKS):

NOTE: cryptlvm is used as an example here. Use whatever you like.

ATTENTION: /dev/sda1 is used as an example here. Supply the device file to your LUKS container here! Failing to do so will result in an unbootable system!

echo cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda1):cryptlvm root=/dev/mapper/vg0-lv_root resume=/dev/mapper/vg0-lv_swap rw quiet splash add_efi_memmap rootflags=subvol=@ > /etc/kernel/cmdline 

systemd-based:

echo rd.luks.name=$(blkid -s UUID -o value /dev/sda1)=cryptlvm root=/dev/mapper/cryptlvm rw quiet splash add_efi_memmap rootflags=subvol=@ > /etc/kernel/cmdline 

Generating keys

Generate keys (PK, KEK, db)

sbctl create-keys

Keys will be stored under /usr/share/secureboot/keys/

Downloading and preparing Microsoft's keys

  1. Download Microsoft’s KEK (if desired), and convert it to PEM and ESL format (with Microsoft’s GUID)
    cd /usr/share/secureboot/keys/KEK
    
    curl -L -o MicCorKEKCA2011_2011-06-24.crt 'https://go.microsoft.com/fwlink/?LinkId=321185'
    openssl x509 -inform DER -outform PEM -in MicCorKEKCA2011_2011-06-24.crt -out MicCorKEKCA2011_2011-06-24.pem
    cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorKEKCA2011_2011-06-24.pem MicCorKEKCA2011_2011-06-24.esl
    
  2. Download Microsoft’s DB certificates, convert to PEM and ESL (with Microsoft’s GUID)
    cd /usr/share/secureboot/keys
    
    curl -OL https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
    curl -OL https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
    
    openssl x509 -inform DER -outform PEM -in MicWinProPCA2011_2011-10-19.crt -out MicWinProPCA2011_2011-10-19.pem
    openssl x509 -inform DER -outform PEM -in MicCorUEFCA2011_2011-06-27.crt -out MicCorUEFCA2011_2011-06-27.pem
    
    cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicWinProPCA2011_2011-10-19.pem MicWinProPCA2011_2011-10-19.esl
    cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorUEFCA2011_2011-06-27.pem MicCorUEFCA2011_2011-06-27.esl
    
    mkdir -p /efi/keys/{db,KEK}
    
    cat MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > /usr/share/secureboot/keys/db/microsoft_db.esl
    
  3. Sign Microsoft’s keys with your PK and KEK respectively. Again, note the use of the append flag -a
    sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
        -k /usr/share/secureboot/keys/PK/PK.key \
        -c /usr/share/secureboot/keys/PK/PK.pem \
        KEK /usr/share/secureboot/keys/KEK/MicCorKEKCA2011_2011-06-24.esl \
        /efi/keys/KEK/MicCorKEKCA2011_2011-06-24.auth
    
    sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
        -k /usr/share/secureboot/keys/KEK/KEK.key \
        -c /usr/share/secureboot/keys/KEK/KEK.pem \
        db /usr/share/secureboot/keys/db/microsoft_db.esl \
        /efi/keys/db/microsoft_db.auth
    

Automate unifying and resigning kernel images on update

  1. Install sbupdate from AUR
    1. via yay
      yay -S sbupdate
      
    2. Manually
      cd
      mkdir git && cd git
      git clone https://aur.archlinux.org/sbupdate-git.git
      cd sbupdate-git
      makepkg -si
      
  2. Edit /etc/sbupdate.conf and set parameters
    KEY_DIR="/usr/share/secureboot/keys/db"
    ESP_DIR="/efi"
    SPLASH="/dev/null"
    CMDLINE_DEFAULT="$(< /etc/kernel/cmdline)"
    
  3. Create symlink for sbupdate
    ln -s /usr/share/secureboot/keys/db/db.pem /usr/share/secureboot/keys/db/db.crt
    
  4. Reinstall kernel to trigger sbupdate hook to create unified and signed kernel image
    pacman -S linux
    

Enroll keys in firmware

ATTENTION: Make sure your firmware's Secure Boot mode is set to setup mode! You can do this by going into your firmware settings and wiping the factory default keys.

WARNING: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the UEFI/BIOS settings to rectify the situation. This is due to the fact that some device (e.g GPU) firmware (OpROMs), that get executed during boot, are signed using Microsoft's key.

Own keys

sbctl enroll-keys

Microsoft keys

Via Firmware or KeyTool.efi

Using KeyTool.efi

  1. Prepare directory

    mkdir /efi/EFI/KeyTool
    
  2. Copy a signed version of KeyTool.efi to ESP

    sbsign --key /usr/share/secureboot/keys/db/db.key \
           --cert /usr/share/secureboot/keys/db/db.pem \
           --output /efi/EFI/KeyTool/KeyTool-signed.efi \
           /usr/share/efitools/efi/KeyTool.efi
    
  3. Boot KeyTool-signed.efi via Firmware or EFI Shell

    NOTE: if using EFI Shell, verify that fs0:\ is the ESP you copied KeyTool-signed.efi and the keys to!

    fs0:\EFI\KeyTool\KeyTool-signed.efi
    
  4. Add Microsoft keys to firmware