Secure Boot
Setting up secure-boot
It's great that we have an encrypted root partition, but the boot partition, which holds the EFI stub kernel, is unencrypted and unauthenticated: anyone who can write to it (an evil-maid attacker with physical access, or malware that has gained root) can replace the kernel, and the firmware will happily launch it. We don't want the firmware launching a possibly modified kernel, so we configure UEFI Secure Boot to allow only binaries signed with our own keys. That means enrolling our own public keys (the PK, KEK and db hierarchy) into the firmware; the private keys stay on the encrypted root and never touch /boot.
After enabling Secure Boot in your motherboard's UEFI setup, boot back into your system and check whether the firmware is in setup mode; it has to be before we can enroll keys.
This is how it appears before entering setup mode:
vector@ArchLinuxVS ~ $ sudo sbctl status
[sudo] password for vector:
Installed: ✗ sbctl is not installed
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
Resetting (deleting) the Secure Boot keys in the UEFI setup removes the Platform Key, which puts the firmware into setup mode: with no PK present, the firmware accepts new key variables without requiring them to be signed, and that is what lets us enroll our own. After Secure Boot was enabled and the keys were deleted, this is how it appears:
vector@ArchLinuxVS ~ $ sudo sbctl status
[sudo] password for vector:
Installed: ✗ sbctl is not installed
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
Vendor Keys: none
Create keys (sbctl create-keys generates the PK, KEK and db key pairs and stores them on the root filesystem, not on the unencrypted /boot):
Enrol keys. The -m flag enrolls Microsoft's vendor certificates alongside ours. Leaving them out is tempting but risky: many firmwares' option ROMs (GPU, NIC, RAID controllers) are signed by the Microsoft UEFI CA, and without those certificates in db the machine may fail to boot or end up unusable. Keep -m unless you know every option ROM on the board is covered by your own keys.
[root@ArchLinuxVS vector]# sbctl enroll-keys -m
Enrolling keys to EFI variables...
With vendor keys from microsoft...✓
Enrolled keys to the EFI variables!
Status after enrolling keys (setup mode has been left, but Secure Boot is not enforced until the next boot):
[root@ArchLinuxVS vector]# sbctl status
Installed: ✓ sbctl is installed
Owner GUID: 8g3zd782-fn29-8365-rv78-261fgh673159
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
Run sbctl verify to list the files that still need signing:
[root@ArchLinuxVS vector]# sbctl verify
Verifying file database and EFI images in /boot...
✗ /boot/EFI/Linux/arch-linux-zen-fallback.efi is not signed
✗ /boot/EFI/Linux/arch-linux-zen.efi is not signed
✗ /boot/vmlinuz-linux-zen is not signed
Sign them. The -s flag saves each file to sbctl's database so that it is re-signed automatically (sbctl ships a pacman hook for this) whenever a kernel update replaces it; without it the next update would leave an unsigned kernel that the firmware refuses to boot:
sbctl sign -s /boot/EFI/Linux/arch-linux-zen-fallback.efi
sbctl sign -s /boot/EFI/Linux/arch-linux-zen.efi
sbctl sign -s /boot/vmlinuz-linux-zen
Verify they're signed:
[root@ArchLinuxVS vector]# sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/vmlinuz-linux-zen is signed
✓ /boot/EFI/Linux/arch-linux-zen-fallback.efi is signed
✓ /boot/EFI/Linux/arch-linux-zen.efi is signed
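The two checks above (is the firmware in setup mode before enrolling, and what does sbctl verify still report as unsigned) are easy to get wrong by eye, so here is a small helper that parses both outputs and re-signs every unsigned file with sbctl sign -s. This is an added example, not sbctl's own code or the author's; it uses only the sbctl commands already shown on this page. The sample outputs embedded in it are constructed copies of the listings above, and DRY_RUN=1 (the default) parses those samples and prints the sbctl commands instead of executing them, so the script runs offline on any machine.

```shell
#!/bin/sh
# Added example (not sbctl's or the page author's code): check `sbctl status`
# for setup mode and re-sign everything `sbctl verify` reports as unsigned,
# saving each file with -s so sbctl's pacman hook keeps it signed across
# kernel updates. DRY_RUN=1 (default) works on the constructed samples below
# and only prints the sbctl commands it would run.
set -eu

# Constructed sample of `sbctl status` while the firmware is in setup mode.
SAMPLE_STATUS_SETUP='Installed: ✗ sbctl is not installed
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
Vendor Keys: none'

# Constructed sample of `sbctl status` after keys were enrolled.
SAMPLE_STATUS_ENROLLED='Installed: ✓ sbctl is installed
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft'

# Constructed sample of `sbctl verify` with two images still unsigned.
SAMPLE_VERIFY='Verifying file database and EFI images in /boot...
✗ /boot/EFI/Linux/arch-linux-zen-fallback.efi is not signed
✗ /boot/EFI/Linux/arch-linux-zen.efi is not signed
✓ /boot/vmlinuz-linux-zen is signed'

# Succeeds only if the status text says "Setup Mode: ... Enabled", the state
# the firmware must be in before `sbctl enroll-keys` can write a new PK.
in_setup_mode() {
    printf '%s\n' "$1" | grep -q '^Setup Mode:.*Enabled$'
}

# Prints the path from every "<mark> <path> is not signed" line, one per line.
unsigned_files() {
    printf '%s\n' "$1" | sed -n 's/^[^ ]* \(.*\) is not signed$/\1/p'
}

# Number of unsigned files in a verify listing (0 means nothing left to do).
unsigned_count() {
    unsigned_files "$1" | wc -l | tr -d ' '
}

# Signs each unsigned file with `sbctl sign -s`; in dry-run mode it only
# prints the command that would run.
sign_unsigned() {
    unsigned_files "$1" | while IFS= read -r f; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'dry-run: sbctl sign -s %s\n' "$f"
        else
            sbctl sign -s "$f"
        fi
    done
}

main() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        status=$SAMPLE_STATUS_SETUP
        verify=$SAMPLE_VERIFY
    else
        status=$(sbctl status)
        # verify may exit non-zero while unsigned files exist; keep its output.
        verify=$(sbctl verify 2>&1) || true
    fi

    if in_setup_mode "$status"; then
        echo "firmware is in setup mode: run 'sbctl create-keys' and 'sbctl enroll-keys -m' before signing"
    fi
    echo "unsigned files: $(unsigned_count "$verify")"
    sign_unsigned "$verify"
}

main "$@"
```

Run it as root with DRY_RUN=0 after enrolling keys to sign whatever is missing; re-run sbctl verify afterwards, as above, because the firmware only trusts what is actually signed, not what the script believes it signed.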
Reboot and check sbctl status. Now that a PK is enrolled the firmware has left setup mode and enforces Secure Boot, so anything in /boot that is not signed by our db key (or by the Microsoft certificates we kept) will no longer load. Keep in mind that only what the firmware itself loads is verified: if the .efi images in /boot/EFI/Linux are unified kernel images (as their location suggests), their initramfs and kernel command line sit inside the signed file, whereas a bare vmlinuz started by a boot loader brings its initramfs along unverified unless that loader checks it too.
vector@ArchLinuxVS ~ $ sudo sbctl status
[sudo] password for vector:
Installed: ✓ sbctl is installed
Owner GUID: 8g3zd782-fn29-8365-rv78-261fgh673159
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: microsoft