Talk:Secure Boot

From ArchWiki

Enroll hash file name

I am a bit confused regarding the following lines:

  • In the HashTool main menu, select Enroll Hash, choose \loader.efi and confirm with Yes. Again, select Enroll Hash and archiso to enter the archiso directory, then select vmlinuz-efi and confirm with Yes. Then choose Exit to return to the boot device selection menu.

  • In the boot device selection menu choose Arch Linux archiso x86_64 UEFI CD

There is no file vmlinuz-efi in the said directory, there is only efiboot.img. Then, the USB stick actually wants to boot from arch/boot/x86_64/vmlinuz. I am not sure which file I actually had to enroll, it was either archiso.img in that directory or the vmlinuz kernel image. In either case the instruction is not accurate. --Johannes Rohr (talk) 09:03, 5 February 2015 (UTC)

Separate pre-signed and self-signed

Currently the article solely focuses on the pre-signed PreLoader method. It lacks instructions for signing bootloaders and kernels with your own keys [1]. The current article may lead one to believe that using PreLoader is the only or best option to use Secure Boot. I think that there should be a top heading for each method. –– nl6720talk 16:12, 5 May 2016 (UTC)

+1. A section on own key setup would be great. This BBS thread has references too, then there is the GKH way - which is too much for this article, but contains a section on key creation which is very useful here. --Indigo (talk) 17:26, 5 May 2016 (UTC)
We can write this using Rod Smith's Dealing with Secure Boot & Controlling Secure Boot for inspiration (i.e. blatantly, shamelessly copying parts of them).
Better section names are needed, but here's my idea for the article structure:
  • Using a signed boot loader (done)
    • Booting archiso: (currently "Secure boot archiso") (done)
    • Set up PreLoader: (currently "Secure Boot in the installed system") (done)
    • Remove PreLoader: (currently "Remove Secure Boot from an installed system") (done)
  • Using your own keys:
    • Custom keys
      • Creating keys: (done)
      • Updating keys
    • Signing bootloader and kernel
      • Pacman hook for signing bootloader and kernel
    • Put firmware in "Setup Mode"
    • Enrol keys in firmware
      • Using firmware setup utility (done)
      • Using KeyTool
    • Yay! (maybe not needed?)
  • Disable Secure Boot (maybe move to top?) (done)
I have to confess that personally I failed at the "Enrol keys in firmware" step. –– nl6720talk 09:32, 6 May 2016 (UTC)
That reads like a good draft TOC! We cannot recycle Rod Smith's work. As far as I can see it is not licensed for it, though if someone asks him, I am sure he would be sympathetic for sharing parts - I've seen him help many users in the BBS. We can of course link to them for background info, which is fine as well, because he keeps his documentation very updated. So the latter is preferable in my view.
There are other references we can rely on as well though. Most universally applicable references appear to follow the tianocore method (see also [2], [3], [4]) to create a securebooted virtual machine. I still have to try it with an Arch ISO as install medium and I can't really help much with the section before I tried. The steps to enroll keys should come naturally once the VM install secureboots and the section can be based at that point. --Indigo (talk) 12:41, 7 May 2016 (UTC)
The sections are now separated. Now someone only needs to write the instructions. –– nl6720talk 08:12, 9 May 2016 (UTC)
First bunch of modifications look very good! --nTia89 (talk) 10:13, 9 May 2016 (UTC)
–– nl6720talk 16:01, 10 May 2016 (UTC)
I got Secure Boot working in qemu and real hardware (guess which one actually enforces security policy beyond the first executable it runs). Next I'll add key creation commands, using efitools README as reference. –– nl6720talk 16:02, 10 May 2016 (UTC)
Most sections are created, still needs more content and maybe better style. –– nl6720talk 18:42, 10 May 2016 (UTC)
I wrote a small tool that deals with the "Signing bootloader and kernel" and "Pacman hook" sections. You can check it out at sbupdate-git (AUR) and also on the GitHub page. There also seems to be one more related package: secure-boot (AUR). -- Andreyv (talk) 16:15, 19 August 2016 (UTC)
This page is extremely helpful. Thanks to everyone who has worked on it. Regarding "Pacman hook for signing bootloader and kernel", this resource may be useful: Auxiliary documentation and scripts around "A Reasonably Safe Travel Burner Laptop" -- MountainX (talk) 05:53, 1 June 2016 (UTC)
I keep thinking that sign-efi-sig-list commands should be separated from Secure Boot#Creating keys to allow properly explaining what those commands do, but I don't know how to split it sanely. It's currently too much of a step-by-step guide. -- nl6720 (talk) 15:08, 9 December 2016 (UTC)
Current structure is good enough for now. -- nl6720 (talk) 11:29, 8 December 2017 (UTC)

Move to "Unified Extensible Firmware Interface/Secure Boot"

Secure Boot is a feature of UEFI, so the correct place for Secure Boot article would be under Unified Extensible Firmware Interface: Unified Extensible Firmware Interface/Secure Boot. –– nl6720talk 16:36, 14 August 2016 (UTC)

While it is true Secure Boot is a UEFI feature, the new name is too long. So I vote for just keeping its current name. --Fengchao (talk) 05:09, 25 August 2016 (UTC)
The name length shouldn't really matter, we could use UEFI/Secure Boot (with redirect) to reference it in other articles. The point of the move is to put Secure Boot in its proper place. -- nl6720talk 11:30, 25 August 2016 (UTC)
Agree for better organization. --Franklin Yu (talk) 03:09, 24 May 2017 (UTC)


I couldn't add anything to MoKList on my real PC, but everything worked in qemu; it could use more testing. The instructions should theoretically work for rEFInd and GRUB. AFAIK systemd-boot doesn't support shim and trying to launch SYSLINUX resulted in "System is compromised. halting.".

The instructions are for a generic bootloader because I have no interest in installing GRUB, and adding instructions for rEFInd would be pointless since rEFInd has a really simple setup for shim: refind-install --shim /usr/share/shim-signed/shim.efi for hash only, and refind-install --shim /usr/share/shim-signed/shim.efi --localkeys for hash and keys. If anyone is willing to rewrite the instructions to use GRUB as the example bootloader, please do. -- nl6720 (talk) 13:02, 7 December 2016 (UTC)