User:M0p/Secure Boot
When /boot is encrypted, Secure Boot can be enabled on top of it to establish a chain of trust from the firmware to the bootloader.
Custom key
- .key: PEM format private keys for EFI binary and EFI signature list signing.
- .crt: PEM format certificates for sbsign(1), sbvarsign(1) and sign-efi-sig-list(1).
- .cer: DER format certificates for firmware.
- .esl: Certificates in an EFI Signature List for sbvarsign(1), efi-updatevar(1), KeyTool and firmware.
- .auth: Certificates in an EFI Signature List with an authentication header (i.e. a signed certificate update file) for efi-updatevar(1), sbkeysync, KeyTool and firmware.
Create and enroll custom keys, then sign each .efi binary with the db key.
Check Secure Boot status:
od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot*
# 6 0 0 0 0: the first four bytes are the efivarfs attribute word, the fifth is the value (0 = disabled, 1 = enabled)
Install tools:
pacman -S --noconfirm efitools sbsigntools
Backup variables:
mkdir -p /etc/secureboot/keys/backup
chmod 700 /etc/secureboot/
cd /etc/secureboot/keys/
for i in PK KEK db dbx; do efi-readvar -v $i -o backup/$i.esl; done
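As an added example (not part of this page, and not code from efitools or sbsigntools), the following Python script inspects the artifacts this section deals with, fully offline: it decodes the SecureBoot and SetupMode efivars the od command above reads, and parses the .esl and .auth formats described in the key list so that the contents of PK/KEK/db/dbx can be listed before and after enrollment. The GUIDs and structure layouts are those of the UEFI specification; the certificate bytes, owner GUID and PKCS#7 blob in the sample data are constructed placeholders, not real certificates or signatures, and build_esl/build_auth exist only to produce that sample input.

```python
"""Inspect Secure Boot artifacts offline: decode SecureBoot/SetupMode efivars
and walk EFI Signature List (.esl) and signed-update (.auth) files."""
import hashlib
import struct
import uuid

# GUIDs and constants defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
ESL_HEADER = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def decode_efivar(raw: bytes) -> tuple:
    """efivarfs prepends a 4-byte attribute word to the variable data, which is
    why od prints five numbers for SecureBoot; return (attributes, value)."""
    if len(raw) < 5:
        raise ValueError("efivarfs record too short")
    return struct.unpack_from("<IB", raw)


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> str:
    """Signatures are enforced only when SecureBoot == 1 and SetupMode == 0."""
    _, sb = decode_efivar(secureboot_raw)
    _, setup = decode_efivar(setupmode_raw)
    if setup == 1:
        return "setup mode"  # no PK enrolled: keys can be written, nothing is verified
    return "enforcing" if sb == 1 else "disabled"


def parse_esl(data: bytes) -> list:
    """Return (type, owner GUID, signature data) for every entry in a file of
    concatenated EFI_SIGNATURE_LIST structures, e.g. efi-readvar output."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(data):
            raise ValueError("EFI_SIGNATURE_LIST size out of range")
        body = data[off + ESL_HEADER.size + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        sig_type = uuid.UUID(bytes_le=type_raw)  # UEFI GUIDs are mixed-endian
        name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):  # each entry: SignatureOwner + SignatureData
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((name, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def fingerprints(entries) -> list:
    """Stable one-line summary per entry, for diffing db/dbx before and after
    enrollment: sha256 of the DER blob for x509, the raw hash for sha256 entries."""
    return [f"{t}:{d.hex() if t == 'sha256' else hashlib.sha256(d).hexdigest()}"
            for t, _, d in entries]


def split_auth(data: bytes) -> tuple:
    """Split an EFI_VARIABLE_AUTHENTICATION_2 (.auth) file into (timestamp,
    PKCS#7 blob, EFI_SIGNATURE_LIST payload). The PKCS#7 is not verified here."""
    if len(data) < 40:
        raise ValueError("truncated authentication header")
    year, month, day, hour, minute, second = struct.unpack_from("<HBBBBB", data, 0)
    length, _revision, cert_type = struct.unpack_from("<IHH", data, 16)  # WIN_CERTIFICATE
    if cert_type != WIN_CERT_TYPE_EFI_GUID or uuid.UUID(bytes_le=data[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a PKCS#7 signed variable update")
    if length < 24 or 16 + length > len(data):
        raise ValueError("WIN_CERTIFICATE length out of range")
    stamp = f"{year:04d}-{month:02d}-{day:02d}T{hour:02d}:{minute:02d}:{second:02d}"
    return stamp, data[40:16 + length], data[16 + length:]


# Builders used only to construct sample input for the functions above.
def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, signatures: list) -> bytes:
    """All signatures in one list share a size, so an x509 list holds one cert."""
    if len({len(s) for s in signatures}) != 1:
        raise ValueError("signatures in one list must have equal size")
    body = b"".join(owner.bytes_le + s for s in signatures)
    sig_size = 16 + len(signatures[0])
    return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, sig_size) + body


def build_auth(esl: bytes, pkcs7: bytes, year=2024, month=1, day=1) -> bytes:
    """EFI_TIME (16 bytes) + WIN_CERTIFICATE_UEFI_GUID + payload; pkcs7 is a placeholder."""
    efi_time = struct.pack("<HBBBBBBIhBB", year, month, day, 0, 0, 0, 0, 0, 0, 0, 0)
    win_cert = struct.pack("<IHH", 24 + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    return efi_time + win_cert + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + esl


# Constructed sample data: placeholder bytes stand in for a real DER certificate.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_DB_CERT = b"\x30\x82\x01\x00" + b"\xab" * 60
SAMPLE_DB = (build_esl(EFI_CERT_X509_GUID, OWNER, [FAKE_DB_CERT])
             + build_esl(EFI_CERT_SHA256_GUID, OWNER, [b"\x01" * 32, b"\x02" * 32]))
SB_DISABLED = bytes([6, 0, 0, 0, 0])  # matches the od output shown above
SB_ENABLED = bytes([6, 0, 0, 0, 1])
SETUP_OFF = bytes([6, 0, 0, 0, 0])

if __name__ == "__main__":
    print(secure_boot_state(SB_ENABLED, SETUP_OFF))
    for line in fingerprints(parse_esl(SAMPLE_DB)):
        print(line)
    stamp, sig, payload = split_auth(build_auth(SAMPLE_DB, b"placeholder-pkcs7"))
    print(stamp, len(sig), len(parse_esl(payload)))
```

Against a real system, feed parse_esl the backup files written above (for example the contents of /etc/secureboot/keys/backup/db.esl) to see which certificates and hashes the firmware currently trusts, and compare fingerprints of that list with the .esl files produced by mkkeys.sh after enrollment to confirm that exactly the intended keys went in.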
Create keys:
curl -LO https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
chmod +x mkkeys.sh
# in the script, replace the GUID line with GUID=`uuidgen`
./mkkeys.sh   # enter a Common Name when prompted
Copy certs to EFI system partition:
mkdir /boot/efi/sbcerts
cp *.cer *.esl *.auth /boot/efi/sbcerts/
Sign /boot/efi/EFI/*/*.efi:
for i in /boot/efi/EFI/*/*.efi; do
    sbsign --key /etc/secureboot/keys/DB.key --cert /etc/secureboot/keys/DB.crt --output "$i" "$i"
done
Reboot, launch UEFI firmware, enroll certs and enable Secure Boot.
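Before rebooting it is worth confirming that every binary under /boot/efi/EFI actually carries an Authenticode signature now; sbverify does the full check against the certificate, while the added Python below (not from this page or from sbsigntools) only walks the PE Certificate Table and reports how many signature blobs are attached, which is enough to catch a file the loop above skipped. The build_unsigned_pe32plus and attach_signature helpers exist only to construct a sample image and are not loadable binaries; in use, pass real paths such as /boot/efi/EFI/arch/grubx64.efi on the command line.

```python
"""Check whether an EFI (PE/COFF) binary carries Authenticode signatures by
walking the Certificate Table that sbsign writes and sbverify reads."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType used by Authenticode
# Offset of the data directories inside the optional header, keyed by magic.
DATA_DIR_OFFSET = {0x10B: 96, 0x20B: 112}  # PE32, PE32+


def _align8(n: int) -> int:
    return (n + 7) & ~7


def _security_dir(image: bytes) -> int:
    """File offset of the Certificate Table (VirtualAddress, Size) directory pair."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # COFF SizeOfOptionalHeader
    opt = pe_off + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in DATA_DIR_OFFSET:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dirs = DATA_DIR_OFFSET[magic]
    n_dirs = struct.unpack_from("<I", image, opt + dirs - 4)[0]  # NumberOfRvaAndSizes
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or opt_size < dirs + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1):
        raise ValueError("optional header has no Certificate Table slot")
    return opt + dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY


def pe_signatures(image: bytes) -> list:
    """Return every PKCS#7 blob in the Certificate Table ([] for an unsigned file).
    Unlike the other directories, this entry holds a file offset, not an RVA."""
    cert_off, cert_size = struct.unpack_from("<II", image, _security_dir(image))
    if cert_off == 0 or cert_size == 0:
        return []
    if cert_off + cert_size > len(image):
        raise ValueError("Certificate Table runs past end of file")
    table, pos, blobs = image[cert_off:cert_off + cert_size], 0, []
    while pos + 8 <= len(table):  # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType
        length, _revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            raise ValueError("malformed WIN_CERTIFICATE entry")
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(table[pos + 8:pos + length])
        pos += _align8(length)  # entries are 8-byte aligned
    return blobs


def is_signed(image: bytes) -> bool:
    return bool(pe_signatures(image))


# Helpers that construct a sample image for the checks above; not a loadable binary.
def build_unsigned_pe32plus() -> bytes:
    """Headers-only PE32+ image: DOS stub, PE signature, COFF header and an
    optional header with 16 empty data directories."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16) + b"\0" * 128
    return dos + b"PE\0\0" + coff + opt


def attach_signature(image: bytes, pkcs7: bytes) -> bytes:
    """Append one WIN_CERTIFICATE holding pkcs7 (a placeholder here) and point the
    Certificate Table at it. Any existing table is replaced."""
    padded = image + b"\0" * (_align8(len(image)) - len(image))
    entry = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    entry += b"\0" * (_align8(len(entry)) - len(entry))
    out = bytearray(padded + entry)
    struct.pack_into("<II", out, _security_dir(image), len(padded), len(entry))
    return bytes(out)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, len(pe_signatures(f.read())), "signature(s)")
```

A count of zero for any file the firmware is expected to load means it will be refused once Secure Boot is enforcing; a count above one is normal after re-signing, since sbsign adds a further signature rather than replacing the first.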
This process might differ on your computer. Be sure to follow device-specific Secure Boot customization instructions where available, such as those from HP, Dell or Lenovo.
The motherboard might be bricked if the certificates are not enrolled the right way. You have been warned.
Alternatively, trust the Micro$oft keys and use a signed preloader plus a Machine Owner Key.
Set UEFI firmware password to protect the settings.
After reboot, add a path unit that watches /boot/efi/EFI/arch/ and a service that re-signs the bootloader automatically whenever it changes:
tee /etc/systemd/system/secureboot-sign.path << EOF
[Unit]
Description=Monitor bootloader update

[Path]
PathChanged=/boot/efi/EFI/arch/grubx64.efi
#PathChanged=/boot/efi/EFI/BOOT/BOOTX64.efi

[Install]
WantedBy=multi-user.target
EOF

tee /etc/systemd/system/secureboot-sign.service << EOF
[Unit]
Description=Sign bootloader for Secure Boot

[Service]
Type=oneshot
ExecStart=/usr/bin/sbsign --key /etc/secureboot/keys/DB.key --cert /etc/secureboot/keys/DB.crt --output /boot/efi/EFI/arch/grubx64.efi /boot/efi/EFI/arch/grubx64.efi
#ExecStart=/usr/bin/sbsign --key /etc/secureboot/keys/DB.key --cert /etc/secureboot/keys/DB.crt --output /boot/efi/EFI/BOOT/BOOTX64.efi /boot/efi/EFI/BOOT/BOOTX64.efi
EOF

systemctl enable --now secureboot-sign.path
Microsoft signed preloader
shim (MOK, does not work)
See [1]. Incompatible with GRUB, see [2].
- .key: PEM format private key for EFI binary signing.
- .crt: PEM format certificate for sbsign.
- .cer: DER format certificate for MokManager.
pacman -S --noconfirm --needed sbsigntools base-devel git
git clone https://aur.archlinux.org/shim-signed.git
cd shim-signed
makepkg -sri

mkdir -p /etc/secureboot/keys
chmod 700 /etc/secureboot/
cd /etc/secureboot/keys/

openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt
openssl x509 -outform DER -in MOK.crt -out MOK.cer
for i in /boot/vmlinuz-*; do
    sbsign --key MOK.key --cert MOK.crt --output "$i" "$i"
done
sbsign --key MOK.key --cert MOK.crt --output /boot/efi/EFI/arch/grubx64.efi /boot/efi/EFI/arch/grubx64.efi
cp /usr/share/shim-signed/* /boot/efi/EFI/arch/
cp MOK.cer /boot/efi/EFI/arch/
Boot from /EFI/arch/shimx64.efi.
On first boot shim will fail to verify grubx64.efi; enter MokManager and enroll MOK.cer.
PreLoader (hash)
pacman -S --noconfirm --needed sbsigntools base-devel git
git clone https://aur.archlinux.org/preloader-signed.git
cd preloader-signed
makepkg -sri

mkdir -p /etc/secureboot/keys
chmod 700 /etc/secureboot/
cd /etc/secureboot/keys/

cp /usr/share/preloader-signed/* /boot/efi/EFI/arch/
cp MOK.cer /boot/efi/EFI/arch/
PreLoader.efi only looks for a loader named loader.efi, which does not need to be signed with the MOK:
cp /boot/efi/EFI/arch/grubx64.efi /boot/efi/EFI/arch/loader.efi
Boot from /EFI/arch/PreLoader.efi.