Skip to main content

Secure Boot

Prerequities

Use a UKI for security and ease of use.

Using a Unified Kernel Image (UKI)

Generate a unified kernel image as described here for mkinitcpio.

  1. Write kernel cmdline to /etc/kernel/cmdline
  2. Update all preset files for mkinitcpio as specified in docs
  3. regenerate mkinitcpio

When creating the UKI, consider using a splash image (tg.bmp in common repo). Add via (for default preset):

default_options="--splash /usr/share/systemd/bootctl/tg.bmp"

Implementing secure boot

Follow Arch Wiki.

  • Follow guide for sbctl after putting firmware in setup mode

Manual signing

Follow the guide for UKI as above. Now also sign systemd-boot:

sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi

bootctl install will now automatically use the signed one.

For a pacman hook, see here.

Using sbupdate-git (deprecated)

Install prerequisites:

pacman -S sbsigntools efitools python
yay -S sbupdate-git

Create keys:

mkdir /etc/efi-keys
cd !$
curl -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
chmod +x mkkeys.sh
./mkkeys.sh

Configure sbupdate as described here.

sbupdate

Now update the bootloader (e.g. systemd-boot) to boot one of the signed EFI binaries. You may also want to add an entry using efibootmgr.

Finally enroll the keys in the firmware.

If unsupported

Consider using a shim, a signed bootloader, as described here. A bit worse in terms of security. Use keys instead of hashes.