Set up Secure Boot using sbctl
@ref: https://lunaryorn.com/secure-boot-on-arch-linux-with-sbctl-and-dracut
Prerequisite
Make sure to delete ONLY the PK and KEK from the Secure Boot settings in the firmware (BIOS) setup.
Install
Install sbctl
...
$ sbctl status
Installed: ✓ sbctl is installed
Owner GUID: ca979846-5383-4b10-8d0e-3c67031c11d1
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
Init and enroll keys
sbctl create-keys
# remove the immutable attribute so the EFI variables can be written
chattr -i /sys/firmware/efi/efivars/*
# enroll keys
sbctl enroll-keys --yes-this-might-brick-my-machine
WARNING
--yes-this-might-brick-my-machine is needed; otherwise sbctl complains: Could not find any TPM Eventlog in the system. This means we do not know if there is any OptionROM present on the system.
The flag acknowledges that an Option ROM (for example on a GPU or NIC) signed by the Microsoft vendor key may be present, which would no longer load once only your own keys are enrolled.
Check sbctl status again; Setup Mode should now be Disabled.
$ sbctl status
Installed: ✓ sbctl is installed
Owner GUID: ca979846-5383-4b10-8d0e-3c67031c11d1
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
See which EFI binaries are not signed
$ sbctl list-files
/boot/efi/EFI/Linux/linux-4.15.0-187-generic-2ef383c8f01247b3a7927f2661a8f719.efi
Signed: ✗ Not Signed
Sign all EFI binaries with the new key
sbctl sign-all
Sign individual files
sbctl sign -s <efi file>
INFO
The -s flag stores these paths in an internal sbctl database which keeps track of the files sbctl has signed; sbctl sign-all uses this database to refresh the signatures of all files it ever signed. This helps with boot loader updates.
Verify that it is signed
$ sbctl list-files
/boot/efi/EFI/Linux/linux-4.15.0-187-generic-2ef383c8f01247b3a7927f2661a8f719.efi
Signed: ✓ Signed
Then reboot into the firmware setup and check the KEK first.
systemctl reboot --firmware-setup
The KEK should show the same GUID as the Owner GUID reported by sbctl status.
If it matches, enable Secure Boot.
Re-enroll the unified kernel image if necessary.
From here onwards, you can sign EFI binaries with sbctl sign-all
or sign an individual EFI file:
# sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI
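As an added example (not from the referenced page or from sbctl itself), a small POSIX shell audit that parses the output of sbctl status and sbctl list-files and checks the end state the procedure above should reach: Setup Mode disabled, Secure Boot enabled, and no tracked EFI binary left unsigned. The sample outputs embedded in the script are constructed to match the transcripts above; the Owner GUID is the one shown there.

```shell
#!/bin/sh
# Added example, not part of the referenced page or of sbctl itself: audit the
# state the procedure above should leave behind by parsing the text output of
# `sbctl status` and `sbctl list-files`. Only the words Enabled/Disabled and
# "Not Signed" are inspected, so the ✓/✗ glyphs (or their absence) do not matter.

# Succeed only when Setup Mode is Disabled and Secure Boot is Enabled.
check_status() {
    printf '%s\n' "$1" | awk '
        /^Setup Mode:/  { setup_disabled = ($0 ~ /Disabled/) }
        /^Secure Boot:/ { sb_enabled = ($0 ~ /Enabled/) }
        END { if (setup_disabled && sb_enabled) exit 0; exit 1 }'
}

# Print the Owner GUID, to compare by eye with the KEK entry in firmware setup.
owner_guid() {
    printf '%s\n' "$1" | awk '/^Owner GUID:/ { print $NF }'
}

# Print every tracked path whose following "Signed:" line says "Not Signed".
unsigned_files() {
    printf '%s\n' "$1" | awk '
        /^\//                      { path = $0 }
        /^Signed:/ && /Not Signed/ { print path }'
}

# Combined audit: returns 0 only if the firmware state is right and every
# tracked file is signed. $1 = status output, $2 = list-files output.
audit() {
    rc=0
    if check_status "$1"; then echo "firmware: ok"; else echo "firmware: NOT ready"; rc=1; fi
    bad=$(unsigned_files "$2")
    if [ -n "$bad" ]; then printf 'unsigned:\n%s\n' "$bad"; rc=1; else echo "files: all signed"; fi
    return "$rc"
}

# Constructed sample outputs shaped like the transcripts above (not captured
# from a real machine). On a real system call:
#   audit "$(sbctl status)" "$(sbctl list-files)"
STATUS_AFTER='Installed: ✓ sbctl is installed
Owner GUID: ca979846-5383-4b10-8d0e-3c67031c11d1
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled'
FILES='/boot/efi/EFI/Linux/linux-4.15.0-187-generic-2ef383c8f01247b3a7927f2661a8f719.efi
Signed: ✓ Signed
/boot/efi/EFI/BOOT/BOOTX64.EFI
Signed: ✗ Not Signed'

if audit "$STATUS_AFTER" "$FILES"; then echo "PASS"; else echo "FAIL: fix the items above"; fi
```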