User:M0p/Secure Boot

From ArchWiki

With /boot encrypted, the only unencrypted piece left is the bootloader on the EFI system partition; enabling Secure Boot makes the firmware verify that binary and establishes a chain of trust from firmware to kernel.

Custom key

Files needed:

PEM format private keys for EFI binary and EFI signature list signing.
PEM format certificates for sbsign(1), sbvarsign(1) and sign-efi-sig-list(1).
DER format certificates for firmware.
Certificates in an EFI Signature List for sbvarsign(1), efi-updatevar(1), KeyTool and firmware.
Certificates in an EFI Signature List with an authentication header (i.e. a signed certificate update file) for efi-updatevar(1), sbkeysync, KeyTool and firmware.

Create and enroll custom keys (PK, KEK and db), then sign every .efi binary on the EFI system partition with the db key.

Check Secure Boot status (the first four bytes are the variable's attributes, the fifth is its value):

od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot*
#    6   0   0   0   0 # disabled
#    6   0   0   0   1 # enabled

Install tools:

pacman -S --noconfirm efitools sbsigntools

Back up the current variables (the factory keys, including Microsoft's) before touching them:

mkdir -p /etc/secureboot/keys/backup
chmod 700 /etc/secureboot/
cd /etc/secureboot/keys/
for i in {PK,KEK,db,dbx}; do efi-readvar -v $i -o backup/$i.esl; done

Create keys:

curl -LO
chmod +x
# edit the script so that it sets GUID=`uuidgen` (a fresh owner GUID for your signature lists)
# enter a Common Name when prompted
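
The script fetched above generates the key hierarchy. As an added example (not that script and not part of efitools), here is what that step amounts to with openssl and efitools called directly: it builds the PK, KEK and db certificates, wraps each in an EFI Signature List and produces the signed .auth updates, so all five file types listed under Custom key come out of it. The directory, key names and Common Names are assumptions chosen to match the rest of this page.

```bash
#!/bin/sh
# Added example (not the page's mkkeys script, not efitools' own code): build
# the PK -> KEK -> db hierarchy. Assumes openssl, efitools and util-linux.
set -eu

KEYDIR=${KEYDIR:-/etc/secureboot/keys}   # assumed location, as used on this page
DAYS=${DAYS:-3650}
BITS=${BITS:-4096}

# RSA key + PEM certificate (for sbsign/sign-efi-sig-list) + DER copy (for firmware menus).
make_cert() {                     # make_cert NAME "Common Name"
    name=$1; cn=$2
    openssl req -new -x509 -newkey "rsa:$BITS" -nodes -sha256 -days "$DAYS" \
        -subj "/CN=$cn/" -keyout "$name.key" -out "$name.crt"
    openssl x509 -outform DER -in "$name.crt" -out "$name.cer"
    chmod 600 "$name.key"
}

# Wrap NAME.crt in an EFI Signature List and sign it as an update to variable VAR
# with SIGNER's key: PK signs itself, PK signs KEK, KEK signs db.
make_esl_auth() {                 # make_esl_auth NAME VAR SIGNER
    name=$1; var=$2; signer=$3
    cert-to-efi-sig-list -g "$GUID" "$name.crt" "$name.esl"
    sign-efi-sig-list -g "$GUID" -k "$signer.key" -c "$signer.crt" \
        "$var" "$name.esl" "$name.auth"
}

main() {
    mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR" && cd "$KEYDIR"
    # One owner GUID for all lists; keep it, it tags your entries in the variables.
    [ -f GUID.txt ] || uuidgen --random > GUID.txt
    GUID=$(cat GUID.txt)
    make_cert PK  "my Platform Key"
    make_cert KEK "my Key Exchange Key"
    make_cert DB  "my Signature Database key"
    make_esl_auth PK  PK  PK
    make_esl_auth KEK KEK PK
    make_esl_auth DB  db  KEK
    # Empty, PK-signed PK update: clears the PK later (back to setup mode) without firmware menus.
    : > noPK.esl
    sign-efi-sig-list -g "$GUID" -k PK.key -c PK.crt PK noPK.esl noPK.auth
    ls -l ./*.key ./*.crt ./*.cer ./*.esl ./*.auth
}

# Run as `mkkeys-example.sh run`; sourcing the file only defines the functions.
if [ "${1:-}" = run ]; then main; fi
```

Enroll db first, then KEK, and the PK last: writing the PK takes the firmware out of setup mode, after which the variables only accept .auth files signed by the key one level up in the hierarchy. noPK.auth is the way back into setup mode if the PK ever needs replacing.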

Copy the certificates to the EFI system partition so the firmware's key-management menu can read them:

mkdir -p /boot/efi/sbcerts
cp *.cer *.esl *.auth /boot/efi/sbcerts/

Sign /boot/efi/EFI/*/*.efi in place with the db key:

for i in /boot/efi/EFI/*/*.efi; do
  sbsign --key /etc/secureboot/keys/DB.key \
    --cert /etc/secureboot/keys/DB.crt --output "$i" "$i"
done

Reboot, enter the UEFI firmware setup, enroll the certificates (db and KEK first, PK last, since writing the PK leaves setup mode) and enable Secure Boot.

This process might differ on your computer. Be sure to follow device-specific Secure Boot customization instructions wherever possible, such as HP, Dell or Lenovo.

Firmware on some boards has been bricked by certificates enrolled the wrong way. Keep the backup taken above, and keep Microsoft's UEFI CA in db if any option ROM on the machine (a discrete GPU, for example) is signed with it. You have been warned.

Alternatively, keep the Microsoft keys and use a Microsoft-signed preloader (shim or PreLoader) plus a Machine Owner Key, as described below.

Set a UEFI firmware (setup) password so that Secure Boot cannot be switched off or the keys replaced from the setup menu.

After rebooting, add a systemd path unit that watches the bootloader in /boot/efi/EFI/arch/ and a service that re-signs it automatically; otherwise a GRUB update that reinstalls grubx64.efi leaves an unsigned binary and an unbootable system:

tee /etc/systemd/system/secureboot-sign.path << EOF
[Unit]
Description=Monitor bootloader update

[Path]
PathChanged=/boot/efi/EFI/arch/grubx64.efi

[Install]
WantedBy=multi-user.target
EOF

tee /etc/systemd/system/secureboot-sign.service << EOF
[Unit]
Description=Sign bootloader for Secure Boot

[Service]
Type=oneshot
ExecStart=/usr/bin/sbsign --key /etc/secureboot/keys/DB.key --cert /etc/secureboot/keys/DB.crt --output /boot/efi/EFI/arch/grubx64.efi /boot/efi/EFI/arch/grubx64.efi
# Uncomment if updates also reinstall the fallback loader (sign it in place, not over grubx64.efi):
#ExecStart=/usr/bin/sbsign --key /etc/secureboot/keys/DB.key --cert /etc/secureboot/keys/DB.crt --output /boot/efi/EFI/BOOT/BOOTX64.efi /boot/efi/EFI/BOOT/BOOTX64.efi
EOF

systemctl enable --now secureboot-sign.path
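
sbsign does not refuse an already-signed image (current versions append a further signature), so a bare sbsign in ExecStart re-signs on every trigger. As an added example (not the page's unit files and not from any project), the script below replaces that ExecStart with a check-then-sign pass over the ESP that only writes to binaries which do not yet verify against the certificate, and it also turns the od one-liner from the status check above into a function that reports enabled, setup or disabled, taking the SetupMode variable into account. The paths and key names are the ones this page uses and are assumptions; sbverify ships with sbsigntools.

```bash
#!/bin/sh
# Added example (not the page's unit file, not sbsigntools' own code): report the
# firmware's Secure Boot state and sign only the EFI binaries that do not yet
# verify against CERT. Assumes sbsigntools and this page's key names; KEY, CERT
# and ESP can be overridden in the environment.
set -eu

KEY=${KEY:-/etc/secureboot/keys/DB.key}      # use MOK.key/MOK.crt for the shim setup
CERT=${CERT:-/etc/secureboot/keys/DB.crt}
ESP=${ESP:-/boot/efi}
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}

# Print the data byte of a boolean UEFI variable file. efivarfs stores 4 bytes of
# attributes followed by the data, so a valid boolean variable is exactly 5 bytes.
efivar_bool() {                     # efivar_bool /path/to/Name-GUID
    set -- $(od -An -tu1 "$1" 2>/dev/null)   # one word per byte
    [ $# -eq 5 ] || return 1
    echo "$5"
}

# enabled: signatures are enforced. setup: no PK yet, keys can be enrolled freely
# and anything boots. disabled: user mode with Secure Boot switched off.
secureboot_state() {                # secureboot_state [efivars-dir]
    dir=${1:-$EFIVARS}
    sb=$(efivar_bool "$dir"/SecureBoot-*) || { echo unknown; return 0; }
    sm=$(efivar_bool "$dir"/SetupMode-*) || sm=0
    if [ "$sb" = 1 ]; then echo enabled
    elif [ "$sm" = 1 ]; then echo setup
    else echo disabled
    fi
}

# Sign FILE in place unless it already carries a signature that verifies with CERT.
# This check is what keeps a path-unit trigger idempotent.
# Returns 0 when a signature was written, 2 when nothing needed doing.
sign_if_needed() {                  # sign_if_needed /path/to/x.efi
    if sbverify --cert "$CERT" "$1" >/dev/null 2>&1; then
        return 2
    fi
    sbsign --key "$KEY" --cert "$CERT" --output "$1" "$1"
}

main() {
    echo "Secure Boot: $(secureboot_state)"
    for f in "$ESP"/EFI/*/*.efi "$ESP"/EFI/*/*.EFI; do
        [ -f "$f" ] || continue
        sign_if_needed "$f" && rc=0 || rc=$?
        case $rc in
            0) echo "signed   $f" ;;
            2) echo "verified $f" ;;
            *) echo "FAILED   $f" >&2; exit 1 ;;
        esac
    done
}

# Run as `secureboot-sign.sh run` (e.g. from ExecStart); sourcing it only defines the functions.
if [ "${1:-}" = run ]; then main; fi
```

Install it as /usr/local/bin/secureboot-sign.sh and point the service's ExecStart at `/usr/local/bin/secureboot-sign.sh run`; for the shim variant below, run it with KEY and CERT set to the MOK files. Running it by hand after an update doubles as an audit: anything reported as "signed" was sitting on the ESP unsigned.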

Microsoft-signed preloader

shim (MOK, does not work)

See [1]. Incompatible with GRUB, see [2].

Files needed:

PEM format private key for EFI binary signing.
PEM format certificate for sbsign.
DER format certificate for MokManager.
pacman -S --noconfirm --needed sbsigntools base-devel git
git clone
cd shim-signed
makepkg -sri
mkdir -p /etc/secureboot/keys
chmod 700 /etc/secureboot/
cd /etc/secureboot/keys/
openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt
openssl x509 -outform DER -in MOK.crt -out MOK.cer
# shim also verifies what GRUB loads, so sign the kernels as well as the bootloader
for i in /boot/vmlinuz-*; do
  sbsign --key MOK.key --cert MOK.crt --output "$i" "$i"
done
sbsign --key MOK.key --cert MOK.crt --output /boot/efi/EFI/arch/grubx64.efi /boot/efi/EFI/arch/grubx64.efi
cp /usr/share/shim-signed/* /boot/efi/EFI/arch/   # shimx64.efi plus MokManager (mmx64.efi)
cp MOK.cer /boot/efi/EFI/arch/                    # DER copy for MokManager to enroll

Boot from


On first boot shim fails to verify grubx64.efi and drops into MokManager (mmx64.efi); enroll MOK.cer there and reboot.

PreLoader (hash)

pacman -S --noconfirm --needed sbsigntools base-devel git
git clone
cd preloader-signed
makepkg -sri
mkdir -p /etc/secureboot/keys
chmod 700 /etc/secureboot/
cd /etc/secureboot/keys/
cp /usr/share/preloader-signed/* /boot/efi/EFI/arch/
cp MOK.cer /boot/efi/EFI/arch/

PreLoader.efi does not use the MOK certificate at all: it chain-loads only a file named loader.efi from its own directory and accepts it once its hash has been enrolled with HashTool.efi, so loader.efi need not be signed, but its hash has to be re-enrolled after every bootloader update:

cp /boot/efi/EFI/arch/grubx64.efi /boot/efi/EFI/arch/loader.efi

Boot from