Setup SecureBoot using sbctl
@ref: https://lunaryorn.com/secure-boot-on-arch-linux-with-sbctl-and-dracut

Prerequisite

Make sure to delete ONLY the PK and KEK from the Secure Boot settings in the BIOS/firmware setup. Removing the PK puts the firmware into Setup Mode, which is what allows sbctl to enroll its own keys below.
Install

Install sbctl, then check its status:

$ sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     ca979846-5383-4b10-8d0e-3c67031c11d1
Setup Mode:     ✓ Enabled
Secure Boot:    ✗ Disabled

Init and enroll keys
sbctl create-keys
# make the EFI variables writable so the keys can be enrolled
chattr -i /sys/firmware/efi/efivars/*
# enroll keys
sbctl enroll-keys --yes-this-might-brick-my-machine

WARNING: --yes-this-might-brick-my-machine is needed, otherwise sbctl complains: "Could not find any TPM Eventlog in the system. This means we do not know if there is any OptionROM present on the system." The flag skips sbctl's check for firmware option ROMs (discrete GPUs, RAID/NIC firmware) that would no longer be trusted once only your keys are enrolled, so on hardware with such option ROMs confirm they are not needed for boot before using it.
Check sbctl status again; Setup Mode should now be Disabled:

$ sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     ca979846-5383-4b10-8d0e-3c67031c11d1
Setup Mode:     ✗ Disabled
Secure Boot:    ✗ Disabled

See which EFI binaries are not signed
$ sbctl list-files
/boot/efi/EFI/Linux/linux-4.15.0-187-generic-2ef383c8f01247b3a7927f2661a8f719.efi
Signed:         ✗ Not Signed

Sign all EFI binaries using the new key

sbctl sign-all

Sign individual files

sbctl sign -s <efi file>

INFO: The -s flag stores the path in an internal sbctl database that keeps track of the files sbctl has signed; sbctl sign-all uses this database to refresh the signatures of every file it ever signed. This helps with boot loader updates.
Verify that it is signed:

$ sbctl list-files
/boot/efi/EFI/Linux/linux-4.15.0-187-generic-2ef383c8f01247b3a7927f2661a8f719.efi
Signed:         ✓ Signed

Then reboot into the firmware setup and check the KEK first:

systemctl reboot --firmware-setup

The KEK should show the same GUID as the Owner GUID from sbctl status.

If it matches, enable Secure Boot.

Re-enroll the Unified Kernel Image if necessary.

From here onwards, you can sign every tracked EFI binary with sbctl sign-all, or sign an individual EFI file:

# sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI
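The guide asks you to eyeball two things before turning Secure Boot on: that Setup Mode has gone to Disabled after enroll-keys, and that sbctl list-files no longer reports anything as Not Signed. The script below is an added example, not part of the original page or of sbctl itself. It parses those two outputs and gives a verdict. The STATUS_SAMPLE and LIST_SAMPLE strings are constructed from the listings above; on a real host you would substitute "$(sbctl status)" and "$(sbctl list-files)". The function names are the example's own. The ✓/✗ icons sbctl prints are ignored by the matching, so it works with or without them.

```shell
#!/bin/sh
# Added example (not from the page or from sbctl): check sbctl output for the
# conditions the guide verifies by hand before enabling Secure Boot.

# Constructed samples, taken from the guide's listings; replace with
# "$(sbctl status)" and "$(sbctl list-files)" on a real machine.
STATUS_SAMPLE='Installed:      ✓ sbctl is installed
Owner GUID:     ca979846-5383-4b10-8d0e-3c67031c11d1
Setup Mode:     ✗ Disabled
Secure Boot:    ✗ Disabled'

LIST_SAMPLE='/boot/efi/EFI/Linux/linux-4.15.0-187-generic-2ef383c8f01247b3a7927f2661a8f719.efi
Signed:         ✗ Not Signed
/boot/efi/EFI/BOOT/BOOTX64.EFI
Signed:         ✓ Signed'

# Print the Owner GUID so it can be compared with the KEK shown in the
# firmware setup (the guide's "check KEK first" step).
owner_guid() {
    printf '%s\n' "$1" | awk '/^Owner GUID:/ { print $NF }'
}

# "enrolled" when Setup Mode is Disabled (PK/KEK/db were written),
# "setup-mode" when the firmware is still accepting new keys.
enrollment_state() {
    printf '%s\n' "$1" | awk '/^Setup Mode:/ { if (/Disabled/) print "enrolled"; else print "setup-mode" }'
}

# "enabled" or "disabled" for the Secure Boot line.
secure_boot_state() {
    printf '%s\n' "$1" | awk '/^Secure Boot:/ { if (/Enabled/) print "enabled"; else print "disabled" }'
}

# Every path in `sbctl list-files` output whose following "Signed:" line
# says "Not Signed", one per line; empty when everything is signed.
unsigned_files() {
    printf '%s\n' "$1" | awk '
        /^\//              { path = $0; next }
        /^[ \t]*Signed:/   { if (/Not Signed/) print path }
    '
}

# Verdict before flipping Secure Boot on in the firmware: "ready" only when
# the keys are enrolled and no EFI binary is left unsigned.
readiness() {
    if [ "$(enrollment_state "$1")" = "enrolled" ] && [ -z "$(unsigned_files "$2")" ]; then
        echo ready
    else
        echo not-ready
    fi
}

echo "Owner GUID (compare with KEK in firmware): $(owner_guid "$STATUS_SAMPLE")"
echo "Key enrollment: $(enrollment_state "$STATUS_SAMPLE")"
echo "Secure Boot:    $(secure_boot_state "$STATUS_SAMPLE")"
echo "Unsigned EFI binaries:"
unsigned_files "$LIST_SAMPLE" | sed 's/^/  /'
echo "Verdict: $(readiness "$STATUS_SAMPLE" "$LIST_SAMPLE")"
```

With the sample data the verdict is not-ready, because the kernel image is still unsigned; after sbctl sign-all the list-files output would show every entry as Signed and the same check reports ready. Running it after each kernel or boot loader update is a cheap way to catch a binary that slipped past the sbctl database before the firmware refuses to boot it.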