Secure Boot
Prerequities
Use a UKI for security and ease of use.
Using a Unified Kernel Image (UKI)
Generate a unified kernel image as described here for mkinitcpio.
- Write kernel cmdline to
/etc/kernel/cmdline - Update all preset files for mkinitcpio as specified in docs
- regenerate mkinitcpio
When creating the UKI, consider using a splash image (tg.bmp in common repo). Add via (for default preset):
default_options="--splash /usr/share/systemd/bootctl/tg.bmp"
Implementing secure boot
Follow Arch Wiki.
- Follow guide for
sbctlafter putting firmware in setup mode
Manual signing
Follow the guide for UKI as above. Now also sign systemd-boot:
sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi
bootctl install will now automatically use the signed one.
For a pacman hook, see here.
Using sbupdate-git (deprecated)
Install prerequisites:
pacman -S sbsigntools efitools python
yay -S sbupdate-git
Create keys:
mkdir /etc/efi-keys
cd !$
curl -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
chmod +x mkkeys.sh
./mkkeys.sh
Configure sbupdate as described here.
sbupdate
Now update the bootloader (e.g. systemd-boot) to boot one of the signed EFI binaries. You may also want to add an entry using efibootmgr.
Finally enroll the keys in the firmware.
If unsupported
Consider using a shim, a signed bootloader, as described here. A bit worse in terms of security. Use keys instead of hashes.