| .. | ||
| README.md | ||
Secure Boot
This is just a dump of a reddit post on how to easily set up Secure Boot on Arch with GRUB.
This is just for future reference, but feel free to follow it if it's relevant to your setup.
Setup
[Disclaimer: This method does not work with "Secured-core" PCs]
Re-install GRUB to utilize Microsoft's CA certificates (as opposed to shim) -- replace 'esp' with your EFI system partition:
sudo grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
Regenerate your grub configuration:
sudo grub-mkconfig -o /boot/grub/grub.cfg
Install the sbctl tool:
sudo pacman -S sbctl
As a pre-requisite, in your UEFI settings, set your secure boot mode to setup mode.
Upon re-booting, verify that you are in setup mode:
sbctl status
Create your custom secure boot keys:
sudo sbctl create-keys
Enroll your custom keys (note -m is required to include Microsoft's CA certificates)
sudo sbctl enroll-keys -m
Verify that your keys have successfully been enrolled:
sbctl status
Check which files need to be signed for secure boot to work:
sudo sbctl verify
Sign all unsigned files (below is what I needed to sign, adjust according to your needs):
sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi
You may get an error because of an issue with certain files being immutable. To make those files mutable, run the following command for each file then re-sign afterwards:
sudo chattr -i /sys/firmware/efi/efivars/<filename>
Verify that everything has been signed:
sudo sbctl verify
Finally, in your UEFI settings, enable secure boot, and reboot.
Verify that secure boot is enabled:
sbctl status
Note that sbctl comes with a pacman hook for automatic signing, so you don't need to worry when you update your system.