Secure Boot
Packages
pacman -S efitools sbsigntools sbctl
Preparations
Prepare commandline parameters (e.g. for LVM on LUKS):
NOTE: cryptlvm
is used as an example here. Use whatever you like.
ATTENTION: /dev/sda1
is used as an example here. Supply the device file to your LUKS container here! Failing to do so will result in an unbootable system!
echo cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda1):cryptlvm root=/dev/mapper/vg0-lv_root resume=/dev/mapper/vg0-lv_swap rw quiet splash add_efi_memmap rootflags=subvol=@ > /etc/kernel/cmdline
systemd-based:
echo rd.luks.name=$(blkid -s UUID -o value /dev/sda1)=cryptlvm root=/dev/mapper/cryptlvm rw quiet splash add_efi_memmap rootflags=subvol=@ > /etc/kernel/cmdline
Generating keys
Generate keys (PK, KEK, db)
sbctl create-keys
Keys will be stored under /usr/share/secureboot/keys/
Downloading and preparing Microsoft's keys
- Download Microsoft’s KEK (if desired), and convert it to PEM and ESL format (with Microsoft’s GUID)
cd /usr/share/secureboot/keys/KEK curl -L -o MicCorKEKCA2011_2011-06-24.crt 'https://go.microsoft.com/fwlink/?LinkId=321185' openssl x509 -inform DER -outform PEM -in MicCorKEKCA2011_2011-06-24.crt -out MicCorKEKCA2011_2011-06-24.pem cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorKEKCA2011_2011-06-24.pem MicCorKEKCA2011_2011-06-24.esl
- Download Microsoft’s DB certificates, convert to PEM and ESL (with Microsoft’s GUID)
cd /usr/share/secureboot/keys curl -OL https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt curl -OL https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt openssl x509 -inform DER -outform PEM -in MicWinProPCA2011_2011-10-19.crt -out MicWinProPCA2011_2011-10-19.pem openssl x509 -inform DER -outform PEM -in MicCorUEFCA2011_2011-06-27.crt -out MicCorUEFCA2011_2011-06-27.pem cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicWinProPCA2011_2011-10-19.pem MicWinProPCA2011_2011-10-19.esl cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorUEFCA2011_2011-06-27.pem MicCorUEFCA2011_2011-06-27.esl mkdir -p /efi/keys/{db,KEK} cat MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > /usr/share/secureboot/keys/db/microsoft_db.esl
- Sign Microsoft’s keys with your PK and KEK respectively. Again, note the use of the append flag
-a
sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \ -k /usr/share/secureboot/keys/PK/PK.key \ -c /usr/share/secureboot/keys/PK/PK.pem \ KEK /usr/share/secureboot/keys/KEK/MicCorKEKCA2011_2011-06-24.esl \ /efi/keys/KEK/MicCorKEKCA2011_2011-06-24.auth sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \ -k /usr/share/secureboot/keys/KEK/KEK.key \ -c /usr/share/secureboot/keys/KEK/KEK.pem \ db /usr/share/secureboot/keys/db/microsoft_db.esl \ /efi/keys/db/microsoft_db.auth
Automate unifying and resigning kernel images on update
- Install
sbupdate
from AUR- via
yay
yay -S sbupdate
- Manually
cd mkdir git && cd git git clone https://aur.archlinux.org/sbupdate-git.git cd sbupdate-git makepkg -si
- via
- Edit
/etc/sbupdate.conf
and set parametersKEY_DIR="/usr/share/secureboot/keys/db" ESP_DIR="/efi" SPLASH="/dev/null" CMDLINE_DEFAULT="$(< /etc/kernel/cmdline)"
- Create symlink for
sbupdate
ln -s /usr/share/secureboot/keys/db/db.pem /usr/share/secureboot/keys/db/db.crt
- Reinstall kernel to trigger
sbupdate
hook to create unified and signed kernel imagepacman -S linux
Enroll keys in firmware
ATTENTION: Make sure your firmware's Secure Boot mode is set to setup
mode! You can do this by going into your firmware settings and wiping the factory default keys.
WARNING: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the UEFI/BIOS settings to rectify the situation. This is due to the fact that some device (e.g GPU) firmware (OpROMs), that get executed during boot, are signed using Microsoft's key.
Own keys
sbctl enroll-keys
Microsoft keys
Via Firmware or KeyTool.efi
Using KeyTool.efi
-
Prepare directory
mkdir /efi/EFI/KeyTool
-
Copy a signed version of
KeyTool.efi
to ESPsbsign --key /usr/share/secureboot/keys/db/db.key \ --cert /usr/share/secureboot/keys/db/db.pem \ --output /efi/EFI/KeyTool/KeyTool-signed.efi \ /usr/share/efitools/efi/KeyTool.efi
-
Boot
KeyTool-signed.efi
via Firmware or EFI ShellNOTE: if using EFI Shell, verify that
fs0:\
is the ESP you copiedKeyTool-signed.efi
and the keys to!fs0:\EFI\KeyTool\KeyTool-signed.efi
-
Add Microsoft keys to firmware