diff --git a/SecureBoot/README.md b/SecureBoot/README.md new file mode 100644 index 0000000..e054ca9 --- /dev/null +++ b/SecureBoot/README.md @@ -0,0 +1,64 @@ +# Secure Boot + +This is just a dump of a reddit post on how to easily set up Secure Boot on Arch with GRUB. + +This is just for future reference, but feel free to follow it if it's relevant to your setup. + +## Setup + +[Disclaimer: This method does not work with "Secured-core" PCs] + +Re-install GRUB to utilize Microsoft's CA certificates (as opposed to shim) -- replace 'esp' with your EFI system partition: + +`sudo grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB --modules="tpm" --disable-shim-lock` + +Regenerate your grub configuration: + +`sudo grub-mkconfig -o /boot/grub/grub.cfg` + +Install the sbctl tool: + +`sudo pacman -S sbctl` + +As a pre-requisite, in your UEFI settings, set your secure boot mode to setup mode. + +Upon re-booting, verify that you are in setup mode: + +`sbctl status` + +Create your custom secure boot keys: + +`sudo sbctl create-keys` + +Enroll your custom keys (note -m is required to include Microsoft's CA certificates) + +`sudo sbctl enroll-keys -m` + +Verify that your keys have successfully been enrolled: + +`sbctl status` + +Check which files need to be signed for secure boot to work: + +`sudo sbctl verify` + +Sign all unsigned files (below is what I needed to sign, adjust according to your needs): + +`sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi` + +You may get an error because of an issue with certain files being immutable. To make those files mutable, run the following command for each file then re-sign afterwards: + +`sudo chattr -i /sys/firmware/efi/efivars/` + +Verify that everything has been signed: + +`sudo sbctl verify` + +Finally, in your UEFI settings, enable secure boot, and reboot. + +Verify that secure boot is enabled: + +`sbctl status` + +Note that sbctl comes with a pacman hook for automatic signing, so you don't need to worry when you update your system. +