Abstract
A few years back, I made a tutorial on how to configure Secure Boot on Arch Linux manually.
It was a long and tedious process, and it’s also not really nice to look at.
Now that I reckon it, there’s a tool that makes the process much easier: sbctl.
Let’s just dive straight into it and not waste more time. Y’all pretty much know what Secure Boot is at this point.
Preparations
First, let’s boot into our current Arch Linux installation and backup our current enrolled keys for, you know, safety.
In order to do that, we need to install efitools package. If you haven’t installed it yet, do so now. (In case you’re
new and wondering what the commands are, it’s sudo pacman -S efitools or whatever AUR helper you’re using.)
mkdir -p ~/.secure-boot-backup && cd ~/.secure-boot-backup
for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; doneThis will create a directory called .secure-boot-backup in your home directory and save the keys in there.
Installation
Now, let’s pop pacman into action and install sbctl:
sudo pacman -S sbctlIt shouldn’t take long unless you have 1 KB/s internet speed. In that case, I’m sorry.
Getting Into User Mode
Now, let’s get our secure boot into user mode. This is necessary for sbctl to work properly.
Please reboot to your UEFI settings and enable secure boot but DO NOT boot into system yet.
Instead, go to the secure boot related settings and switch it to user mode by erasing all enrolled keys (don’t worry,
we have a backup and the restore to factory settings option repopulates it back anyways).
Disable the secure boot again and boot into your system.
Configuration
This is what you’ve been waiting for. Let’s configure Secure Boot with sbctl.
So first off, let’s check for the secure boot status:
sbctl statusIt should say disabled and user mode if you’ve followed the steps correctly.
Creating and Enrolling Keys
Let’s create a new key pair and enroll it:
sudo sbctl create-keys
sudo sbctl enroll-keys -mThat -m flag is to also enroll Microsoft keys. Some systems require it and it would brick without it.
So better safe than sorry.
Right, let’s check the status again:
sbctl statussbctl should be installed now, tho secure boot won’t work until you pretty much sign your kernel and bootloader.
Reinstalling GRUB for Secure Boot
Yeah, I admit it, shim-lock is a pain in the ass. So let’s just reinstall GRUB to use CA keys instead (you can totally ignore this step if you don’t use GRUB):
sudo grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
sudo grub-mkconfig -o /boot/grub/grub.cfgSigning Kernel and Bootloader
You can check what files needed to be signed with:
sudo sbctl verifyYou will need to sign the files relative to your system’s layout, kernel, and bootloader.
For example, if you’re using GRUB, you will need to sign /boot/EFI/grub/grubx64.efi and /boot/vmlinuz-linux.
Altho, sometimes there’s too many files to sign and it’s a hassle. So, let’s just sign everything:
sudo sbctl verify | sudo sed 's/✗ /sbctl sign -s /e'This command will sign all the files that need to be signed. You can also sign them one by one if you want to. Oh yeah,
for your information, sbctl has hooks set for pacman and some other stuffs so that you don’t have to
sign again when you update your kernel or bootloader.
Enabling Secure Boot
You know the drill. Reboot to UEFI settings and enable secure boot. Boot into your system and check the status again:
sbctl statusIt should just say enabled now. You’re done! You’ve successfully configured Secure Boot on Arch Linux with sbctl.
Conclusion
I hope this tutorial was helpful and easier than the last time. If you have any questions or issues, feel free to ask in the comments below. I’ll try to help you as much as I can. Have a great day!