Talk:Secure Boot

From ArchWiki

Enroll hash file name

I am a bit confused regarding the following lines:

* In the HashTool main menu, select Enroll Hash, choose \loader.efi and confirm with Yes. Again, select Enroll Hash and archiso to enter the archiso directory, then select vmlinuz-efi and confirm with Yes. Then choose Exit to return to the boot device selection menu.

* In the boot device selection menu choose Arch Linux archiso x86_64 UEFI CD

There is no file vmlinuz-efi in the said directory, there is only efiboot.img. Then, the USB stick actually wants to boot from arch/boot/x86_64/vmlinuz. I am not sure which file I actually had to enroll, it was either archiso.img in that directory or the vmlinuz kernel image. In either case the instruction is not accurate. --Johannes Rohr (talk) 09:03, 5 February 2015 (UTC)

Indeed the instructions are not accurate, and are only meant as an outline. The thing is that their accuracy depends on the approach chosen. For example, the article suggests, among other approaches, to disable secure boot altogether. I think one is expected to integrate the outline in booting archiso with one of the approaches suggested by the rest of the article. For example, the Set up PreLoader section explicitly states the usefulness of PreLoader.efi and HashTool.efi in efitools is limited. But it also suggests how to get along with PreLoader.efi and HashTool.efi from preloader-signed (AUR) or to download them manually without using the AUR. Regid (talk) 02:05, 18 December 2018 (UTC)
The comment you're replying to is from a time when the Archiso supported Secure Boot. -- nl6720 (talk) 09:34, 18 December 2018 (UTC)
  1. Why, and when, was support for secure boot removed from Archiso?
  2. I find the article confusing. Most of it assumes users are able to install software on the machine, and copy files from anyplace to anywhere on the HD. As if they have a running archlinux installation, and only need to convert the boot process into secure boot. But installation is different. I think the booting archiso section should be moved to the section that is prior to see also; emphasize that there is a need to create files and then place them on the EFI system partition; point to archiso and Remastering the Install ISO; and be reworked in general.
Regid (talk) 10:59, 18 December 2018 (UTC)
As it says in Secure Boot#Booting archiso, Secure Boot support was removed starting with archlinux-2016.06.01-dual.iso. It happened because an Arch developer replaced[1][2] the prebootloader package with the efitools package. Apparently it happened because both contain PreLoader.efi and HashTool.efi. The little detail that one had signed EFI binaries, but the other unsigned ones, was somehow missed and the change got into Archiso[3]. -- nl6720 (talk) 11:15, 18 December 2018 (UTC)
Regarding your "2." point. The simple method is to disable Secure Boot, install Arch Linux, set up and enable Secure Boot. The Template:Out of date is there because you can't boot the official install media with Secure Boot enabled. If you want to add instructions on remastering Archiso with Secure Boot support, go ahead. -- nl6720 (talk) 11:18, 18 December 2018 (UTC)
+1 to the simple method regarding section organization. @Regid: I get what you meant about the template and instruction-flow. Still, I find the current organization even more confusing. Now, the first link goes to Secure Boot#Put firmware in "Setup Mode", jumping over all the steps that must be understood/done. The last thing someone must do is to remove a platform key from the UEFI before there is an installable ISO. -- Indigo (talk) 20:31, 18 December 2018 (UTC)
I have edited the article to address Indigo's comment. Regid (talk) 11:43, 19 December 2018 (UTC)
Thanks, IMO it's better like this for now. Something the article still needs is a little more intro on how to proceed for either of the major sections. My suggestion for it is to do it in the [4] (better idea? change it). I realize that "Change the status" is not an ideal subsection title, but it should give an idea of what's missing in my view. An alternative would be to put it into the article intro with 2-3 sentences. --Indigo (talk) 19:15, 20 December 2018 (UTC)

Move to "Unified Extensible Firmware Interface/Secure Boot"

Secure Boot is a feature of UEFI, so the correct place for the Secure Boot article would be under Unified Extensible Firmware Interface: Unified Extensible Firmware Interface/Secure Boot. -- nl6720 (talk) 16:36, 14 August 2016 (UTC)

While it is true Secure Boot is a UEFI feature, the new name is too long. So I vote for just keeping its current name. --Fengchao (talk) 05:09, 25 August 2016 (UTC)
The name length shouldn't really matter, we could use UEFI/Secure Boot (with redirect) to reference it in other articles. The point of the move is to put Secure Boot in its proper place. -- nl6720 (talk) 11:30, 25 August 2016 (UTC)
Agree for better organization. --Franklin Yu (talk) 03:09, 24 May 2017 (UTC)

shim

I couldn't add anything to MoKList on my real PC, but everything worked in qemu; it could use more testing. The instructions should theoretically work for rEFInd and GRUB. AFAIK systemd-boot doesn't support shim and trying to launch SYSLINUX resulted in "System is compromised. halting.".

The instructions are for a generic bootloader because I have no interest in installing GRUB, and adding instructions for rEFInd would be pointless since rEFInd has a really simple setup for shim: refind-install --shim /usr/share/shim-signed/shim.efi for hash only and refind-install --shim /usr/share/shim-signed/shim.efi --localkeys for hash and keys. If anyone is willing to rewrite the instructions to use GRUB as the example bootloader, please do. -- nl6720 (talk) 13:02, 7 December 2016 (UTC)
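
Added example (not from this talk page, its contributors, or the rEFInd/shim projects): two small POSIX sh checks a user can run after setting up shim with rEFInd as discussed above. The first decodes the SecureBoot variable as exposed by efivarfs (4 attribute bytes followed by a single value byte) to confirm whether Secure Boot is actually on. The second checks that the on-disk layout shim needs is complete; the file names it expects (shimx64.efi, the second-stage loader renamed to grubx64.efi beside it, and MokManager as mmx64.efi) are assumptions of this example, not something the thread states. The fixture it builds in a temporary directory is constructed data so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the ArchWiki page or the rEFInd/shim projects.

# Decode the SecureBoot EFI variable as efivarfs exposes it, e.g.
# /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
# efivarfs prefixes the variable data with 4 bytes of attribute flags; the
# SecureBoot variable itself is one byte: 1 = enabled, 0 = disabled.
secure_boot_state() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 5 ] || { echo unknown; return 1; }
    byte=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# Check that a shim-based loader directory on the ESP is complete.
# Assumed layout (an assumption of this example): shim as shimx64.efi,
# the bootloader shim chain-loads renamed to grubx64.efi in the same
# directory (the default name shim looks for), and MokManager as mmx64.efi
# so keys or hashes can be enrolled into MokList at boot.
# Return value is the number of missing files, so 0 means the layout is complete.
check_shim_layout() {
    dir="$1"
    missing=0
    for name in shimx64.efi grubx64.efi mmx64.efi; do
        if [ ! -f "$dir/$name" ]; then
            echo "missing: $dir/$name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed fixture: two fake efivar files and a partial loader directory
# (MokManager deliberately absent) in a temp dir, so the checks run offline.
make_fixture() {
    tmp=$(mktemp -d)
    # 4 attribute bytes (0x07 0x00 0x00 0x00) then the value byte
    printf '\007\000\000\000\001' > "$tmp/SecureBoot-enabled"
    printf '\007\000\000\000\000' > "$tmp/SecureBoot-disabled"
    mkdir -p "$tmp/esp/EFI/refind"
    : > "$tmp/esp/EFI/refind/shimx64.efi"
    : > "$tmp/esp/EFI/refind/grubx64.efi"
    echo "$tmp"
}

# Usage on a real system (paths are the usual ones, adjust to your install):
#   secure_boot_state /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
#   check_shim_layout /boot/EFI/refind
```

On a real machine, point secure_boot_state at the efivars entry and check_shim_layout at the directory refind-install wrote to; a non-zero return from the layout check lists exactly which file is missing, which is the usual reason shim falls back to "System is compromised" or never offers MokManager.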

A commented but complete and brief working bash-script that runs a signed Arch-Kernel via refind.efi would be nice. UBF6 (talk) 14:40, 8 November 2018 (UTC)