How to - Enable/Set-up secure boot on Arch-based distributions

Introduction/Information

I dual-boot Windows with Garuda GNU/Linux (the KDE-Lite flavor). At present, no Arch-based distribution supports secure boot out-of-the-box, but Windows 11 wants secure boot enabled, so I went looking for a solution. I found one that integrates secure-boot support into my Arch-based GNU/Linux distribution on the CachyOS Wiki that uses the sbctl package, and it works flawlessly for me, with one caveat: your computer must have the ability to enter set-up mode, or to manage/delete PK keys in the EFI (BIOS) interface. A second caveat is that only dual-boot (Windows with a single GNU/Linux distribution) works at present, and I have not yet learned a way to use sbctl with non-Arch-based distributions, unless they have the package available in their repository. With that said, the best feature of sbctl is that it creates a post-build hook so when you get an updated kernel, the image gets automatically signed for you as part of the installation, so you don't have to do it manually.

The procedure of enabling secure boot is completed using your GNU/Linux distribution's terminal app. You'll use the nano terminal-based text editor to create a bash script that's needed for signing all required files. Don't worry, the content of the script will be included here so you can copy/paste it into nano in your terminal window. Remember to use Ctrl+Shift+z to paste into the terminal when you get to that point.

Enable secure boot using the sbctl package

Install the sbctl package:
    sudo pacman -S sbctl

Pre-setup:
    If using GRUB, enable secure boot support using CA Keys:
        sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=cachyos --modules="tpm" --disable-shim-lock

Set secure boot mode to setup mode in the EFI user interface, or delete PK keys:
Note: Since there are too many EFI user interfaces, I won't describe the steps here.
    systemctl reboot --firmware-setup

Install and set up sbctl:
    sudo sbctl status # If setup mode is enabled we can proceed to the next step
    Installed: ✘ sbctl is not installed
    Setup Mode: ✘ Enabled
    Secure Boot ✘ Disabled

Create your custom secure boot keys
    sudo sbctl create-keys # Create your custom secure boot keys
    Created Owner UUID a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
    Creating secure boot keys...✔
    Secure boot keys created!

Enroll your custom secure boot keys with Microsoft's keys
    sudo sbctl enroll-keys -m # Enroll your keys with Microsoft's keys
    Enrolling keys to EFI variables...✔
    Enrolled keys to the EFI variables

Check sbctl's status
    sudo sbctl status # sbctl should now be installed and we can proceed to signing the kernel images and boot manager
    Installed: ✔ sbctl is installed
    Owner GUID: a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
    Setup Mode: ✔ Disabled
    Secure Boot ✘ Disabled
    Vendor Keys: microsoft

Sign the Kernel Image and Boot Manager:
    Create the /usr/bin/sbctl-batch-sign script in a terminal window:
        sudo nano /usr/bin/sbctl-batch-sign

Copy/Paste the content of the script into the terminal window:
---------------------------------------------------------------
#!/bin/bash
# sbctl-batch-sign is a helper script designed to make it easier for users to sign files needed for secure boot support.
# The obvious case in which this script helps a lot is when dual booting Windows as there are a lot of files by Windows
# that need to be signed in EFI.
if [ "$(id -u)" -ne 0 ]; then
  echo "Error: This script must be run with root privileges." >&2
  exit 1
fi
if [ "$#" -eq 0 ]; then
  # Collect every file sbctl already tracks (reported as "signed" or "not signed" by
  # 'sbctl verify', with the path in the second field) together with any kernel image
  # sitting directly in /boot, de-duplicate the list and sign each entry.
  # 'sbctl sign -s' also saves the path to sbctl's database, so sbctl's hook
  # re-signs it automatically on future kernel updates.
  sort -u <(sbctl verify | grep 'signed' | cut -d' ' -f2) \
          <(find /boot -maxdepth 1 -type f -name 'vmlinuz*') |
  while IFS= read -r entry; do
    sbctl sign -s "$entry"
  done
fi
---------------------------------------------------------------

Save the sbctl-batch-sign script you just created to disk:
    Press the Ctrl+X key combination,
    then the Y key,
    and press Enter to exit nano, saving your edit.

Make the sbctl-batch-sign script executable:
    sudo chmod +x /usr/bin/sbctl-batch-sign

Verify the file database and EFI images in /boot
    sudo sbctl verify
    Verifying file database and EFI images in /boot...
    ✘ /boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn4.0.fc40.x86_64/linux is not signed
    ✘ /boot/EFI/BOOT/BOOTX64.EFI is not signed
    ✘ /boot/EFI/systemd/systemd-bootx64.efi is not signed
    ✘ /boot/1c4b5246eef05ac3bc87339323cd5101/0-rescue/linux is not signed
    ✘ /boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn3.0.fc40.x86_64/linux is not signed

Execute sbctl-batch-sign to sign the required files found by sbctl's verify command:
    sudo sbctl-batch-sign

Verify that the files have been signed:
    sudo sbctl verify
    Verifying file database and EFI images in /boot...
    ✔ /boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn4.0.fc40.x86_64/linux is signed
    ✔ /boot/EFI/BOOT/BOOTX64.EFI is signed
    ✔ /boot/EFI/systemd/systemd-bootx64.efi is signed
    ✔ /boot/1c4b5246eef05ac3bc87339323cd5101/0-rescue/linux is signed
    ✔ /boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn3.0.fc40.x86_64/linux is signed

Cautionary Note:
    On systems with a separate /boot and /boot/efi partition layout, sbctl may only scan for EFI binaries in /boot/efi.
    This causes kernel images that are in /boot to not be detected.
    sbctl-batch-sign works around this by always scanning /boot for vmlinuz-* files.

Reboot to the EFI user interface to enable secure boot, then reboot back to GNU/Linux:
    systemctl reboot --firmware-setup

Verify that Secure Boot is Enabled:
    sudo sbctl status
    Installed: ✓ sbctl is installed
    Owner GUID: a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
    Setup Mode: ✓ Disabled
    Secure Boot: ✓ Enabled
    Vendor Keys: microsoft

If you were able to reboot into your GNU/Linux distribution with secure boot enabled, setup is successfully finished.
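An added post-setup check (my example, not from the original post or the CachyOS wiki): it reads the firmware's own SecureBoot and SetupMode variables straight from efivarfs and parses sbctl verify output for anything still unsigned, so you can confirm the state before you reboot with enforcement on. It assumes the standard efivarfs mount at /sys/firmware/efi/efivars and sbctl on PATH; the file name secureboot-check.sh is made up.

```shell
#!/bin/sh
# secureboot-check.sh (constructed example): cross-check the state that
# 'sbctl status' reports by reading the UEFI variables directly and by
# scanning 'sbctl verify' for unsigned boot files.
EFIVARS=/sys/firmware/efi/efivars
# GUID of the UEFI "global variable" namespace that SecureBoot and SetupMode live in
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte FILE: print the single data byte of a boolean UEFI variable.
# efivarfs prefixes the data with a 4-byte attribute word, so skip 4, read 1.
# Prints "unknown" when the variable is absent (e.g. legacy BIOS boot).
efivar_byte() {
  [ -r "$1" ] || { echo "unknown"; return 0; }
  od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# unsigned_from_verify: read 'sbctl verify' output on stdin and print the path
# of every entry reported as "is not signed", one per line. Same field layout
# the sbctl-batch-sign script relies on: "<mark> <path> is not signed".
unsigned_from_verify() {
  grep ' is not signed$' | cut -d' ' -f2
}

# secureboot_check: succeed only when SecureBoot=1, SetupMode=0 and no tracked
# boot file is unsigned. Anything else is a reason not to reboot yet.
secureboot_check() {
  sb=$(efivar_byte "$EFIVARS/SecureBoot-$EFI_GLOBAL_GUID")
  sm=$(efivar_byte "$EFIVARS/SetupMode-$EFI_GLOBAL_GUID")
  unsigned=$(sbctl verify 2>/dev/null | unsigned_from_verify)
  echo "SecureBoot=$sb SetupMode=$sm"
  rc=0
  [ "$sb" = "1" ] || { echo "firmware is not enforcing Secure Boot"; rc=1; }
  [ "$sm" = "0" ] || { echo "firmware is still in setup mode"; rc=1; }
  if [ -n "$unsigned" ]; then
    echo "unsigned boot files (run sbctl-batch-sign before rebooting):"
    echo "$unsigned"
    rc=1
  fi
  return "$rc"
}

# Run the full check only when invoked as: sudo sh secureboot-check.sh --check
if [ "${1-}" = "--check" ]; then
  secureboot_check
fi
```

Run it once before the final reboot and again afterwards; the second run should print SecureBoot=1 SetupMode=0 and list nothing.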

Ernie

Source:
    https://wiki.cachyos.org/configuration/secure_boot_setup/
    https://github.com/Foxboron/sbctl
