Enroll hash file name
I am a bit confused regarding the following lines:
* In the HashTool main menu, select Enroll Hash, choose \loader.efi and confirm with Yes. Again, select Enroll Hash and archiso to enter the archiso directory, then select vmlinuz-efi and confirm with Yes. Then choose Exit to return to the boot device selection menu.
* In the boot device selection menu choose Arch Linux archiso x86_64 UEFI CD.
There is no file vmlinuz-efi in the said directory, there is only efiboot.img. Then, the USB stick actually wants to boot from arch/boot/x86_64/vmlinuz. I am not sure which file I actually had to enroll, it was either archiso.img in that directory or the vmlinuz kernel image. In either case the instruction is not accurate. --Johannes Rohr (talk) 09:03, 5 February 2015 (UTC)
Separate pre-signed and self-signed
Currently the article solely focuses on the pre-signed PreLoader method. It lacks instructions for signing bootloaders and kernels with your own keys. The current article may lead one to believe that using PreLoader is the only or best option to use Secure Boot. I think that there should be a top heading for each method. –– nl6720 talk 16:12, 5 May 2016 (UTC)
- +1. A section on own key setup would be great. This BBS thread has references too, then there is the GKH way - which is too much for this article, but contains a section on key creation which is very useful here. --Indigo (talk) 17:26, 5 May 2016 (UTC)
- We can write this using Rod Smith's Dealing with Secure Boot & Controlling Secure Boot for inspiration (i.e blatantly, shamelessly copying parts of them).
- Better section names are needed, but here's my idea for the article structure:
- Using a signed boot loader (done)
  - Booting archiso: (currently "Secure boot archiso") (done)
  - Set up PreLoader: (currently "Secure Boot in the installed system") (done)
  - Remove PreLoader: (currently "Remove Secure Boot from an installed system") (done)
- Using your own keys:
  - Custom keys
  - Updating keys
  - Signing bootloader and kernel
  - Pacman hook for signing bootloader and kernel
  - Put firmware in "Setup Mode"
  - Enrol keys in firmware
    - Using firmware setup utility (done)
    - Using KeyTool
  - Yay! (maybe not needed?)
  - Custom keys
- Disable Secure Boot (maybe move to top?) (done)
- I have to confess that personally I failed at the "Enrol keys in firmware" step. –– nl6720 talk 09:32, 6 May 2016 (UTC)
- That reads like a good draft TOC! We cannot recycle Rod Smith's work. As far as I can see it is not licensed for it, though if someone asks him, I am sure he would be sympathetic for sharing parts - I've seen him help many users in the BBS. We can of course link to them for background info, which is fine as well, because he keeps his documentation very updated. So the latter is preferable in my view.
- There are other references we can rely on as well though. Most universally applicable references appear to follow the tianocore method (see also , , ) to create a secure-booted virtual machine. I still have to try it with an Arch ISO as install medium and I can't really help much with the section before I have tried. The steps to enroll keys should come naturally once the VM install secure-boots, and the section can be based at that point. --Indigo (talk) 12:41, 7 May 2016 (UTC)
- This page is extremely helpful. Thanks to everyone who has worked on it. Regarding "Pacman hook for signing bootloader and kernel", this resource may be useful: Auxiliary documentation and scripts around "A Reasonably Safe Travel Burner Laptop" -- MountainX (talk) 05:53, 1 June 2016 (UTC)
Move to "Unified Extensible Firmware Interface/Secure Boot"
Secure Boot is a feature of UEFI, so the correct place for Secure Boot article would be under Unified Extensible Firmware Interface: Unified Extensible Firmware Interface/Secure Boot. –– nl6720 talk 16:36, 14 August 2016 (UTC)
- While it is true Secure Boot is a UEFI feature, the new name is too long. So I vote for just keeping its current name. --Fengchao (talk) 05:09, 25 August 2016 (UTC)
I couldn't add anything to MoKList on my real PC, but everything worked in qemu; it could use more testing. The instructions should theoretically work for rEFInd and GRUB. AFAIK systemd-boot doesn't support shim and trying to launch SYSLINUX resulted in "System is compromised. halting.".
The instructions are for a generic bootloader because I have no interest in installing GRUB, and adding instructions for rEFInd would be pointless since rEFInd has a really simple setup for shim: refind-install --shim /usr/share/shim-signed/shim.efi for hash only, and refind-install --shim /usr/share/shim-signed/shim.efi --localkeys for hash and keys. If anyone is willing to rewrite the instructions to use GRUB as the example bootloader, please do. -- nl6720 (talk) 13:02, 7 December 2016 (UTC)