LinuxInSchoolGuide/SecureBoot/README.md
2024-11-11 19:14:42 +01:00

64 lines
1.8 KiB
Markdown

# Secure Boot
This is just a dump of a reddit post on how to easily set up Secure Boot on Arch with GRUB.
This is just for future reference, but feel free to follow it if it's relevant to your setup.
## Setup
[Disclaimer: This method does not work with "Secured-core" PCs]
Re-install GRUB to utilize Microsoft's CA certificates (as opposed to shim) -- replace 'esp' with your EFI system partition:
`sudo grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB --modules="tpm" --disable-shim-lock`
Regenerate your grub configuration:
`sudo grub-mkconfig -o /boot/grub/grub.cfg`
Install the sbctl tool:
`sudo pacman -S sbctl`
As a pre-requisite, in your UEFI settings, set your secure boot mode to setup mode.
Upon re-booting, verify that you are in setup mode:
`sbctl status`
Create your custom secure boot keys:
`sudo sbctl create-keys`
Enroll your custom keys (note -m is required to include Microsoft's CA certificates)
`sudo sbctl enroll-keys -m`
Verify that your keys have successfully been enrolled:
`sbctl status`
Check which files need to be signed for secure boot to work:
`sudo sbctl verify`
Sign all unsigned files (below is what I needed to sign, adjust according to your needs):
`sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi`
You may get an error because of an issue with certain files being immutable. To make those files mutable, run the following command for each file then re-sign afterwards:
`sudo chattr -i /sys/firmware/efi/efivars/<filename>`
Verify that everything has been signed:
`sudo sbctl verify`
Finally, in your UEFI settings, enable secure boot, and reboot.
Verify that secure boot is enabled:
`sbctl status`
Note that sbctl comes with a pacman hook for automatic signing, so you don't need to worry when you update your system.