# Secure Boot
This is just a dump of a Reddit post on how to easily set up Secure Boot on Arch with GRUB.
This is just for future reference, but feel free to follow it if it's relevant to your setup.
## Setup
[Disclaimer: This method does not work with "Secured-core" PCs]
Re-install GRUB with shim lock disabled, since this setup boots GRUB directly under the enrolled keys (your own plus Microsoft's CA certificates) instead of through shim. Replace `esp` with the mount point of your EFI system partition:
`sudo grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB --modules="tpm" --disable-shim-lock`
Regenerate your GRUB configuration:
`sudo grub-mkconfig -o /boot/grub/grub.cfg`
Install the sbctl tool:
`sudo pacman -S sbctl`
As a prerequisite, switch Secure Boot to setup mode in your UEFI settings (this clears the Platform Key so that custom keys can be enrolled).
After rebooting, verify that you are in setup mode:
`sbctl status`
Create your custom secure boot keys:
`sudo sbctl create-keys`
Enroll your custom keys (`-m` is required to include Microsoft's CA certificates alongside yours; option ROMs such as GPU firmware are signed with Microsoft's UEFI CA and will not load without them):
`sudo sbctl enroll-keys -m`
Verify that your keys have successfully been enrolled:
`sbctl status`
Check which files still need to be signed for Secure Boot to work:
`sudo sbctl verify`
Sign all unsigned files (below is what I needed to sign; adjust according to your needs):
`sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi`

(`-s` saves the path in sbctl's database so the file is re-signed automatically later.)

You may get an error about certain files under `/sys/firmware/efi/efivars` being immutable (the kernel marks most EFI variables immutable by default). To make such a file mutable, run the following command for each file named in the error, then re-run the failing command and re-sign afterwards:
`sudo chattr -i /sys/firmware/efi/efivars/<filename>`
Verify that everything has been signed:
`sudo sbctl verify`
Finally, enable Secure Boot in your UEFI settings and reboot.
Verify that secure boot is enabled:
`sbctl status`
Note that sbctl comes with a pacman hook that re-signs every file saved with `sbctl sign -s` after package updates, so you don't need to worry when you update your system.
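As an added example (not from the Reddit post), here is a small POSIX shell script that reads the same firmware variables `sbctl status` reports, so each of the `sbctl status` checkpoints above can be scripted and understood. It assumes the Linux efivarfs layout (a 4-byte attribute header followed by the variable data, with `SecureBoot` and `SetupMode` being one byte each under the EFI global variable GUID); the directory path is a parameter so the logic also runs against a constructed fixture. The function names, `EFI_GLOBAL_GUID` and the fixture are the example's own.

```shell
#!/bin/sh
# Added example, not from the Reddit post: decode the firmware variables
# behind "sbctl status" directly from efivarfs so each reboot checkpoint in
# the procedure can be verified from a script.
#
# Assumed layout (Linux efivarfs): every file under /sys/firmware/efi/efivars
# is 4 bytes of little-endian attribute flags followed by the variable data;
# SecureBoot and SetupMode each hold a single byte (0 or 1). The directory is
# a parameter so the same functions run against a constructed fixture.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE GUID

# Print the first data byte (file offset 4) of an efivar file as a decimal.
# Fails with no output if the file is unreadable or shorter than 5 bytes.
efivar_byte() {
    [ -r "$1" ] || return 1
    v=$(od -An -t u1 -j 4 -N 1 "$1" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Classify the firmware state found in directory $1 (default: live efivarfs):
#   setup     SetupMode=1: PK is cleared, "sbctl enroll-keys" can write keys
#   enabled   SetupMode=0, SecureBoot=1: keys enrolled, enforcement on
#   disabled  SetupMode=0, SecureBoot=0: user mode but enforcement switched off
#   unknown   variables missing: BIOS/CSM boot, or efivarfs not mounted
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    sm=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID") || { echo unknown; return 0; }
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID") || { echo unknown; return 0; }
    if [ "$sm" = 1 ]; then
        echo setup
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Return 0 if efivar file $1 carries the immutable attribute (the "i" flag
# in lsattr output) that "chattr -i" removes; needs lsattr from e2fsprogs.
efivar_is_immutable() {
    flags=$(lsattr "$1" 2>/dev/null | cut -d' ' -f1)
    case $flags in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed fixture: write variable $2 with one-byte value $3 (0 or 1) into
# directory $1 in efivarfs layout; attribute flags NV+BS+RT = 0x00000007.
write_sample_efivar() {
    oct=$(printf '%03o' "$3")
    {
        printf '\007\000\000\000'
        printf "\\$oct"
    } > "$1/$2-$EFI_GLOBAL_GUID"
}

# Constructed fixture: SecureBoot=$2 and SetupMode=$3 in directory $1.
make_sample_efivars() {
    write_sample_efivar "$1" SecureBoot "$2"
    write_sample_efivar "$1" SetupMode "$3"
}

# Stand-alone demo: run the classifier over the three states the procedure
# passes through, then report the live machine.
demo() {
    tmp=$(mktemp -d)
    for pair in "0 1" "1 0" "0 0"; do
        set -- $pair
        make_sample_efivars "$tmp" "$1" "$2"
        echo "SecureBoot=$1 SetupMode=$2 -> $(secure_boot_state "$tmp")"
    done
    rm -rf "$tmp"
    echo "this machine -> $(secure_boot_state)"
}

demo
```

Expect `setup` at the first checkpoint (before `sbctl create-keys`), and `enabled` after the final reboot; `disabled` after enrollment means the firmware switch was left off. `efivar_is_immutable` is the check to run on a variable file before reaching for `chattr -i`.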