
Secure Boot

Packages

pacman -S efitools sbsigntools sbctl

Preparations

Prepare the kernel command-line parameters (example: LVM on LUKS). This line is later embedded into the signed unified kernel image, so check it carefully:

NOTE: crypt_root is used as the mapper name of the unlocked LUKS container here. Use whatever you like, but use it consistently.

WARNING: /dev/sda1 is used as an example here. Supply the device file pointing to your encrypted LUKS container for CRYPT_UUID, and the path to the root file system inside the unlocked container for ROOT:

    LVM on LUKS: the mapper name of the LVM logical volume, e.g. /dev/mapper/vg0-lv_root
    LUKS on LVM: the file system of the unlocked LUKS container inside the LVM logical volume, e.g. /dev/mapper/crypt_root

    Failing to do so will result in an unbootable system! blkid prints nothing for a wrong device, so check that CRYPT_UUID is not empty before writing the file.

    busybox-based (encrypt hook):

    export CRYPT_UUID=$(blkid -s UUID -o value /dev/sda1)
    export CRYPT_NAME=crypt_root
    export ROOT=/dev/mapper/vg0-lv_root
    export RESUME=/dev/mapper/vg0-lv_swap
    export CMDL="rw quiet splash add_efi_memmap"
    export ROOTFLAGS=subvol=@
    
    echo "cryptdevice=UUID=$CRYPT_UUID:$CRYPT_NAME root=$ROOT resume=$RESUME $CMDL rootflags=$ROOTFLAGS" > /etc/kernel/cmdline
    

    systemd-based (sd-encrypt hook):

    export CRYPT_UUID=$(blkid -s UUID -o value /dev/sda1)
    export CRYPT_NAME=crypt_root
    export ROOT=/dev/mapper/crypt_root
    export CMDL="rw quiet splash add_efi_memmap"
    export ROOTFLAGS=subvol=@
    
    echo "rd.luks.name=$CRYPT_UUID=$CRYPT_NAME root=$ROOT $CMDL rootflags=$ROOTFLAGS" > /etc/kernel/cmdline
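
The two variants above differ only in the unlock parameter (cryptdevice= for the busybox encrypt hook, rd.luks.name= for sd-encrypt), and the failure mode the warning describes is an empty or malformed CRYPT_UUID ending up in /etc/kernel/cmdline. The following is an added example, not part of the original page: a small POSIX sh helper (the names build_cmdline and write_cmdline are my own) that assembles the line for either hook and refuses to write anything unless the UUID looks like a UUID and ROOT is an absolute path. In real use you feed it the output of blkid exactly as in the export lines above.

```shell
#!/bin/sh
# Added example (not from the original page): build the /etc/kernel/cmdline
# line for either initramfs flavour and refuse to emit it when an input is
# empty or CRYPT_UUID is not a UUID. A wrong cryptdevice=/rd.luks.name= is
# baked into the signed unified image and makes the system unbootable.
#
# usage: build_cmdline HOOK CRYPT_UUID CRYPT_NAME ROOT RESUME CMDL ROOTFLAGS
#   HOOK   "encrypt" (busybox mkinitcpio hook) or "sd-encrypt" (systemd hook)
#   RESUME and ROOTFLAGS may be empty; CMDL is passed as one quoted string
build_cmdline() {
    hook=$1 uuid=$2 name=$3 root=$4 resume=$5 cmdl=$6 rootflags=$7

    # blkid prints nothing for a wrong device, so an empty UUID is the usual mistake
    if ! printf '%s\n' "$uuid" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "build_cmdline: CRYPT_UUID '$uuid' is not a UUID" >&2
        return 1
    fi
    if [ -z "$name" ] || [ -z "$root" ]; then
        echo "build_cmdline: CRYPT_NAME and ROOT must not be empty" >&2
        return 1
    fi
    case $root in
        /*) ;;
        *)  echo "build_cmdline: ROOT '$root' must be an absolute device path" >&2; return 1 ;;
    esac

    # Only the unlock parameter differs between the two hooks.
    case $hook in
        encrypt)    line="cryptdevice=UUID=$uuid:$name" ;;
        sd-encrypt) line="rd.luks.name=$uuid=$name" ;;
        *)          echo "build_cmdline: unknown hook '$hook'" >&2; return 1 ;;
    esac
    line="$line root=$root"
    [ -n "$resume" ] && line="$line resume=$resume"
    [ -n "$cmdl" ] && line="$line $cmdl"
    [ -n "$rootflags" ] && line="$line rootflags=$rootflags"
    printf '%s\n' "$line"
}

# write_cmdline FILE HOOK CRYPT_UUID CRYPT_NAME ROOT RESUME CMDL ROOTFLAGS
# Writes the line only if it validated; never leaves a partial or empty file.
# Real use (LVM on LUKS, busybox hook):
#   write_cmdline /etc/kernel/cmdline encrypt "$(blkid -s UUID -o value /dev/sda1)" \
#       crypt_root /dev/mapper/vg0-lv_root /dev/mapper/vg0-lv_swap \
#       "rw quiet splash add_efi_memmap" "subvol=@"
write_cmdline() {
    out=$1; shift
    line=$(build_cmdline "$@") || return 1
    printf '%s\n' "$line" > "$out"
}
```

The UUID check is deliberately strict: cryptsetup and systemd both accept the hex UUID only, and a value such as an empty string or a device path would otherwise be written silently.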
    

    Generating keys

    Generate keys (PK, KEK, db)

    sbctl create-keys
    

    Keys will be stored under /usr/share/secureboot/keys/ (PK/, KEK/ and db/, each with a .key and a .pem). Recent sbctl releases store them under /var/lib/sbctl/ instead; adjust the paths used below accordingly.

    Downloading and preparing Microsoft's keys

    1. Download Microsoft's KEK CA (if desired) and convert it to PEM and ESL format (with Microsoft's owner GUID 77fa9abd-0359-4d32-bd60-28f4e78f784b). Note that the 2011 certificates used here expire in 2026 and Microsoft has published 2023 replacements; check Microsoft's current UEFI CA list before relying on this set.
      cd /usr/share/secureboot/keys/KEK
      
      curl -L -o MicCorKEKCA2011_2011-06-24.crt 'https://go.microsoft.com/fwlink/?LinkId=321185'
      openssl x509 -inform DER -outform PEM -in MicCorKEKCA2011_2011-06-24.crt -out MicCorKEKCA2011_2011-06-24.pem
      cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorKEKCA2011_2011-06-24.pem MicCorKEKCA2011_2011-06-24.esl
      
    2. Download Microsoft’s DB certificates, convert to PEM and ESL (with Microsoft’s GUID)
      cd /usr/share/secureboot/keys
      
      curl -OL https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
      curl -OL https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
      
      openssl x509 -inform DER -outform PEM -in MicWinProPCA2011_2011-10-19.crt -out MicWinProPCA2011_2011-10-19.pem
      openssl x509 -inform DER -outform PEM -in MicCorUEFCA2011_2011-06-27.crt -out MicCorUEFCA2011_2011-06-27.pem
      
      cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicWinProPCA2011_2011-10-19.pem MicWinProPCA2011_2011-10-19.esl
      cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorUEFCA2011_2011-06-27.pem MicCorUEFCA2011_2011-06-27.esl
      
      mkdir -p /efi/keys/{db,KEK}
      
      cat MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > /usr/share/secureboot/keys/db/microsoft_db.esl
      
    3. Sign Microsoft's certificate lists: the KEK list with your PK and the db list with your KEK. Note the append flag -a: the resulting .auth files add Microsoft's certificates to the variable instead of replacing the entries you enrolled with sbctl.
      sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
          -k /usr/share/secureboot/keys/PK/PK.key \
          -c /usr/share/secureboot/keys/PK/PK.pem \
          KEK /usr/share/secureboot/keys/KEK/MicCorKEKCA2011_2011-06-24.esl \
          /efi/keys/KEK/MicCorKEKCA2011_2011-06-24.auth
      
      sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b \
          -k /usr/share/secureboot/keys/KEK/KEK.key \
          -c /usr/share/secureboot/keys/KEK/KEK.pem \
          db /usr/share/secureboot/keys/db/microsoft_db.esl \
          /efi/keys/db/microsoft_db.auth
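
Before signing an .esl with sign-efi-sig-list it is worth checking what is actually inside it: a list converted without -g carries the wrong SignatureOwner, and a concatenation such as microsoft_db.esl should contain exactly the lists you expect. The following is an added example, not part of the original page or of efitools: a POSIX sh inspector (the names esl_inspect, esl_check, make_esl and friends are my own) that walks the EFI_SIGNATURE_LIST structures in a file using only od and printf. The layout it parses is the one from the UEFI specification: a 16-byte SignatureType GUID, three uint32 fields (SignatureListSize, SignatureHeaderSize, SignatureSize), an optional header, and then SignatureSize-byte entries that each start with a 16-byte SignatureOwner GUID. GUIDs are stored mixed-endian (the first three fields little-endian). The sample list built by make_esl uses a placeholder text blob in place of a real DER certificate; that is constructed test data, so run esl_check on your real .esl files, e.g. esl_check /usr/share/secureboot/keys/db/microsoft_db.esl 77fa9abd-0359-4d32-bd60-28f4e78f784b.

```shell
#!/bin/sh
# Added example (not from the original page or efitools): inspect an
# EFI_SIGNATURE_LIST (.esl) before signing it and check that every list is an
# X.509 list whose SignatureOwner is the GUID you expect. Needs only od/printf/wc.

EFI_CERT_X509_GUID=a5c059a1-94e4-4aa7-87b5-ab155c2bf072   # SignatureType for certificates
MS_OWNER_GUID=77fa9abd-0359-4d32-bd60-28f4e78f784b        # owner GUID used on this page

# le32 FILE OFFSET: print the little-endian uint32 stored at OFFSET
le32() {
    set -- $(od -An -v -tu1 -j"$2" -N4 "$1")
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

# guid FILE OFFSET: print the EFI_GUID at OFFSET in text form (mixed-endian:
# the first three fields are little-endian, the last two are byte order)
guid() {
    set -- $(od -An -v -tx1 -j"$2" -N16 "$1")
    printf '%s%s%s%s-%s%s-%s%s-%s%s-%s%s%s%s%s%s\n' \
        "$4" "$3" "$2" "$1" "$6" "$5" "$8" "$7" "$9" "${10}" \
        "${11}" "${12}" "${13}" "${14}" "${15}" "${16}"
}

# esl_inspect FILE: print one line per signature list: "<type-guid> <owner-guid> <count>"
esl_inspect() {
    f=$1 off=0 size=$(wc -c < "$1" | tr -d ' ')
    while [ "$off" -lt "$size" ]; do
        type=$(guid "$f" "$off")
        lsize=$(le32 "$f" $((off + 16)))
        hsize=$(le32 "$f" $((off + 20)))
        ssize=$(le32 "$f" $((off + 24)))
        [ "$lsize" -ge 28 ] && [ "$ssize" -gt 16 ] || { echo "$f: corrupt list at offset $off" >&2; return 1; }
        count=$(( (lsize - 28 - hsize) / ssize ))
        owner=$(guid "$f" $((off + 28 + hsize)))    # first EFI_SIGNATURE_DATA entry
        echo "$type $owner $count"
        off=$((off + lsize))
    done
}

# esl_check FILE OWNER: succeed only if every list is an X.509 list owned by OWNER
esl_check() {
    out=$(esl_inspect "$1") || return 1
    printf '%s\n' "$out" | while read -r type owner count; do
        [ "$type" = "$EFI_CERT_X509_GUID" ] || { echo "$1: not an X.509 list: $type" >&2; exit 1; }
        [ "$owner" = "$2" ] || { echo "$1: unexpected owner $owner (wanted $2)" >&2; exit 1; }
    done
}

# --- helpers to build a constructed .esl for testing (no real certificate) ---

# guid_bin TEXT_GUID: emit the 16-byte mixed-endian encoding of a text GUID
guid_bin() {
    h=$(printf '%s' "$1" | tr -d -)
    for i in 7 5 3 1 11 9 15 13 17 19 21 23 25 27 29 31; do
        b=$(printf '%s' "$h" | cut -c"$i-$((i + 1))")
        printf "\\$(printf '%03o' "0x$b")"
    done
}

# le32_bin N: emit N as a little-endian uint32
le32_bin() {
    for s in 0 8 16 24; do
        printf "\\$(printf '%03o' $(( ($1 >> s) & 255 )))"
    done
}

# make_esl OUT OWNER DATA: write one EFI_CERT_X509 list holding DATA as its payload
make_esl() {
    n=$(printf '%s' "$3" | wc -c | tr -d ' ')
    {
        guid_bin "$EFI_CERT_X509_GUID"
        le32_bin $((28 + 16 + n))   # SignatureListSize: header + one entry
        le32_bin 0                  # SignatureHeaderSize
        le32_bin $((16 + n))        # SignatureSize: owner GUID + payload
        guid_bin "$2"
        printf '%s' "$3"
    } > "$1"
}
```

esl_inspect on microsoft_db.esl from step 2 should print two lines, both with the X.509 type GUID and the Microsoft owner GUID and a count of 1; a list made without -g shows up with a different owner and esl_check fails.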
      

    Automate unifying and resigning kernel images on update

    1. Install sbupdate from the AUR (package sbupdate-git)
      1. via yay
        yay -S sbupdate-git
        
      2. Manually
        cd
        mkdir git && cd git
        git clone https://aur.archlinux.org/sbupdate-git.git
        cd sbupdate-git
        makepkg -si
        
    2. Edit /etc/sbupdate.conf and set parameters
      KEY_DIR="/usr/share/secureboot/keys/db"
      ESP_DIR="/efi"
      SPLASH="/dev/null"
      CMDLINE_DEFAULT="$(< /etc/kernel/cmdline)"
      
    3. Create symlink for sbupdate (it expects db.key and db.crt in KEY_DIR, while sbctl names the certificate db.pem)
      cd /usr/share/secureboot/keys/db/
      ln -s db.pem db.crt
      
    4. Reinstall the kernel to trigger the sbupdate hook, which creates the unified and signed kernel image on the ESP. Verify the result with sbverify (from sbsigntools) against db.pem before rebooting with Secure Boot enforced.
      pacman -S linux
      

    Enroll keys in firmware

    ATTENTION: Make sure your firmware's Secure Boot is in setup mode! You can do this by going into your firmware settings and wiping the factory default keys. sbctl status reports whether setup mode is enabled; sbctl enroll-keys will refuse to run otherwise.

    WARNING: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the UEFI/BIOS settings to rectify the situation. The reason is that the option ROMs (OpROMs) of some devices, e.g. GPUs, that are executed during boot are signed with Microsoft's UEFI CA; without Microsoft's db certificates such a device will not initialise, which can leave you without display output. If in doubt, enroll Microsoft's keys as described below.

    Own keys

    sbctl enroll-keys
    

    Microsoft keys

    Via firmware settings, KeyTool.efi, or (with recent sbctl releases) in one step with sbctl enroll-keys --microsoft, which appends Microsoft's certificates alongside your own.

    Using KeyTool.efi

    1. Prepare directory

      mkdir /efi/EFI/KeyTool
      
    2. Copy a signed version of KeyTool.efi to ESP

      sbsign --key /usr/share/secureboot/keys/db/db.key \
             --cert /usr/share/secureboot/keys/db/db.pem \
             --output /efi/EFI/KeyTool/KeyTool-signed.efi \
             /usr/share/efitools/efi/KeyTool.efi
      
    3. Boot KeyTool-signed.efi via Firmware or EFI Shell

      NOTE: if using the EFI Shell, verify that fs0:\ is the ESP to which you copied KeyTool-signed.efi and the .auth files (the shell's map command lists the available file systems)!

      fs0:\EFI\KeyTool\KeyTool-signed.efi
      
    4. Add Microsoft's keys to the firmware from the .auth files under /efi/keys/KEK and /efi/keys/db