User:M0p/Secure Boot

From ArchWiki

When /boot is encrypted, Secure Boot can additionally be enabled to establish a chain of trust from the firmware to the bootloader, so the GRUB image that unlocks /boot cannot itself be replaced unnoticed.

Custom key

.key
PEM format private keys for EFI binary and EFI signature list signing.
.crt
PEM format certificates for sbsign(1), sbvarsign(1) and sign-efi-sig-list(1).
.cer
DER format certificates for firmware.
.esl
Certificates in an EFI Signature List for sbvarsign(1), efi-updatevar(1), KeyTool and firmware.
.auth
Certificates in an EFI Signature List with an authentication header (i.e. a signed certificate update file) for efi-updatevar(1), sbkeysync, KeyTool and firmware.

Create and enroll custom keys, then sign the .efi binaries with the db key.

Check Secure Boot status:

od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot*
#    6   0   0   0   0 # disabled (first four bytes are the variable attributes, the fifth is the value)
#    6   0   0   0   1 # enabled
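The following script, added here as an example and not part of the wiki page, decodes the same efivarfs bytes the od one-liner shows, but reports a state name for both SecureBoot and SetupMode. SetupMode is worth checking before enrolling custom keys: 1 means no PK is enrolled and the firmware accepts new keys. The EFIVARS directory override and the function names are this example's own; the GUID is the real EFI global-variable namespace.

```shell
#!/bin/sh
# Added example, not from the wiki page: report Secure Boot and Setup Mode
# state from efivarfs. In efivarfs the first four bytes of a variable file
# are its attributes (6 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS); the one-byte
# payload follows. SetupMode=1 means no PK is enrolled ("setup mode"), so
# custom keys can be enrolled; after enrolling a PK it returns to 0.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
# GUID of the EFI global variable namespace (SecureBoot, SetupMode, PK, KEK)
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte FILE -> prints the first payload byte as unsigned decimal;
# prints nothing (and fails) when the file is unreadable or too short
efivar_byte() {
    [ -r "$1" ] || return 1
    od -A n -t u1 -j 4 -N 1 "$1" | tr -d ' \n'
}

# secureboot_state FILE -> enabled / disabled / unknown
secureboot_state() {
    case "$(efivar_byte "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;   # not booted via UEFI, or efivarfs not mounted
    esac
}

# setup_mode_state FILE -> setup / user / unknown
setup_mode_state() {
    case "$(efivar_byte "$1")" in
        1) echo setup ;;
        0) echo user ;;
        *) echo unknown ;;
    esac
}

# report [DIR] -> one line per variable, DIR defaults to the live efivarfs
report() {
    dir=${1:-$EFIVARS}
    echo "SecureBoot: $(secureboot_state "$dir/SecureBoot-$EFI_GLOBAL_GUID")"
    echo "SetupMode:  $(setup_mode_state "$dir/SetupMode-$EFI_GLOBAL_GUID")"
}

# Usage: run the script as-is to print the two lines for the running firmware.
report
```

Run it before and after enrolling keys: the expected sequence is "SecureBoot: disabled / SetupMode: setup" while the PK is cleared, then "SecureBoot: enabled / SetupMode: user" once the custom PK is in place and Secure Boot is switched on.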

Install tools:

pacman -S --noconfirm efitools sbsigntools

Backup variables:

mkdir -p /etc/secureboot/keys/backup
chmod 700 /etc/secureboot/
cd /etc/secureboot/keys/
for i in {PK,KEK,db,dbx}; do efi-readvar -v $i -o backup/$i.esl; done

Create keys:

curl -LO https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
chmod +x mkkeys.sh
# edit the script first: replace its GUID line with GUID=`uuidgen`
./mkkeys.sh
# Enter a Common Name

Copy certs to EFI system partition:

mkdir /boot/efi/sbcerts
cp *.cer *.esl *.auth /boot/efi/sbcerts/

Sign /boot/efi/EFI/*/*.efi:

for i in /boot/efi/EFI/*/*.efi; do
  sbsign --key /etc/secureboot/keys/DB.key \
    --cert /etc/secureboot/keys/DB.crt --output "$i" "$i"
done

Reboot, launch UEFI firmware, enroll certs and enable Secure Boot.

This process might differ on your computer. Be sure to follow the device-specific Secure Boot customization instructions wherever possible, such as those from HP, Dell or Lenovo.

The motherboard might be bricked if certs are not enrolled the right way. You have been warned.

Alternatively, trust Micro$oft keys and use a signed preloader + Machine Owner Key.

Set UEFI firmware password to protect the settings.

After reboot, add a systemd path unit that monitors changes in /boot/efi/EFI/arch/ and a service that re-signs the bootloader automatically:

tee /etc/systemd/system/secureboot-sign.path << EOF
[Unit]
Description=Monitor bootloader update

[Path]
PathChanged=/boot/efi/EFI/arch/grubx64.efi
#PathChanged=/boot/efi/EFI/BOOT/BOOTX64.efi

[Install]
WantedBy=multi-user.target
EOF

tee /etc/systemd/system/secureboot-sign.service << EOF
[Unit]
Description=Sign bootloader for Secure Boot

[Service]
Type=oneshot
ExecStart=/usr/bin/sbsign --key /etc/secureboot/keys/DB.key --cert /etc/secureboot/keys/DB.crt --output /boot/efi/EFI/arch/grubx64.efi /boot/efi/EFI/arch/grubx64.efi
#ExecStart=/usr/bin/sbsign --key /etc/secureboot/keys/DB.key --cert /etc/secureboot/keys/DB.crt --output /boot/efi/EFI/BOOT/BOOTX64.efi /boot/efi/EFI/BOOT/BOOTX64.efi
EOF

systemctl enable --now secureboot-sign.path
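The signing loop above and the oneshot service both run sbsign unconditionally, so every trigger rewrites the watched binary even when it already carries a valid signature. The script below is an added example, not the page's own code: it signs each EFI binary under an ESP directory only when sbverify(1) cannot verify it against DB.crt, and signs into a temporary file before swapping it in. The SBSIGN/SBVERIFY environment overrides and all function names are this example's own assumptions; with them unset it calls the real sbsigntools binaries, and the service's ExecStart could point at it instead of calling sbsign directly.

```shell
#!/bin/sh
# Added example, not part of the wiki page: idempotent signing of the EFI
# binaries under an ESP directory. A binary is left alone when sbverify(1)
# accepts it against the given certificate; otherwise it is signed with the
# given key. Tool names can be overridden through the environment so the
# logic can be exercised without sbsigntools installed.

SBSIGN=${SBSIGN:-sbsign}
SBVERIFY=${SBVERIFY:-sbverify}

# is_signed_by IMAGE CERT -> exit 0 when IMAGE carries a signature that
# verifies against CERT (sbverify exits non-zero otherwise)
is_signed_by() {
    "$SBVERIFY" --cert "$2" "$1" >/dev/null 2>&1
}

# sign_if_needed IMAGE KEY CERT -> prints "ok IMAGE" or "signed IMAGE";
# returns 1 if sbsign fails
sign_if_needed() {
    image=$1
    key=$2
    cert=$3
    if is_signed_by "$image" "$cert"; then
        echo "ok $image"
        return 0
    fi
    # sign into a temporary file and swap it in, so an interrupted run never
    # leaves a truncated binary in the boot path
    tmp="$image.tmp.$$"
    if "$SBSIGN" --key "$key" --cert "$cert" --output "$tmp" "$image" >/dev/null 2>&1; then
        mv -f "$tmp" "$image"
        echo "signed $image"
    else
        rm -f "$tmp"
        echo "failed $image" >&2
        return 1
    fi
}

# sign_tree EFI_DIR KEY CERT -> handles every EFI_DIR/*/*.efi,
# returns 1 if any signing failed
sign_tree() {
    dir=$1
    key=$2
    cert=$3
    rc=0
    for f in "$dir"/*/*.efi; do
        [ -e "$f" ] || continue          # glob matched nothing
        sign_if_needed "$f" "$key" "$cert" || rc=1
    done
    return $rc
}

# Usage (as root, with the page's key names):
#   sign_tree /boot/efi/EFI /etc/secureboot/keys/DB.key /etc/secureboot/keys/DB.crt
```

Running it twice in a row prints "signed" for each binary the first time and "ok" the second time, which is the property the path-triggered service lacks.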

Microsoft signed preloader

shim (MOK, does not work)

See [1]. Incompatible with GRUB, see [2].

.key
PEM format private key for EFI binary signing.
.crt
PEM format certificate for sbsign.
.cer
DER format certificate for MokManager.

pacman -S --noconfirm --needed sbsigntools base-devel git
git clone https://aur.archlinux.org/shim-signed.git
cd shim-signed
makepkg -sri
mkdir -p /etc/secureboot/keys
chmod 700 /etc/secureboot/
cd /etc/secureboot/keys/
openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt
openssl x509 -outform DER -in MOK.crt -out MOK.cer
for i in /boot/vmlinuz-*; do
  sbsign --key MOK.key --cert MOK.crt --output "$i" "$i"
done
sbsign --key MOK.key --cert MOK.crt --output /boot/efi/EFI/arch/grubx64.efi /boot/efi/EFI/arch/grubx64.efi
cp /usr/share/shim-signed/* /boot/efi/EFI/arch/
cp MOK.cer /boot/efi/EFI/arch/

Boot from

/EFI/arch/shimx64.efi

On first boot shim will fail to verify grubx64.efi; enter MokManager and enroll MOK.cer.

PreLoader (hash)

pacman -S --noconfirm --needed sbsigntools base-devel git
git clone https://aur.archlinux.org/preloader-signed.git
cd preloader-signed
makepkg -sri
mkdir -p /etc/secureboot/keys
chmod 700 /etc/secureboot/
cd /etc/secureboot/keys/
cp /usr/share/preloader-signed/* /boot/efi/EFI/arch/
cp MOK.cer /boot/efi/EFI/arch/

PreLoader.efi only chains to a binary named loader.efi, which does not need to be signed with the MOK:

cp /boot/efi/EFI/arch/grubx64.efi /boot/efi/EFI/arch/loader.efi

Boot from

/EFI/arch/PreLoader.efi