contrib/sbctl
2024-08-05 21:32:26 +02:00

Secure Boot with sbctl

Based on the ArchWiki page Unified Extensible Firmware Interface/Secure Boot.

Starting from a system that does not yet use Secure Boot:

# sbctl status
Installed:      ✗ sbctl is not installed
Setup Mode:     ✓ Disabled
Secure Boot:    ✗ Disabled
Vendor Keys:    microsoft

Reboot into the firmware setup (BIOS) and perform the following steps:

  • Enable Secure Boot
  • Reset Secure Boot to Setup Mode

Reboot into the OS. From a root shell, run:

# sbctl status
Installed:      ✗ sbctl is not installed
Setup Mode:     ✗ Enabled
Secure Boot:    ✗ Disabled
Vendor Keys:    microsoft
# grub-install --target=x86_64-efi --efi-directory=<your-efi-location> --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
# sbctl create-keys
# sbctl enroll-keys -m    ## if this step fails, first run: chattr -i /sys/firmware/efi/efivars/*
# sbctl sign -s <your-efi-location>/EFI/grub/grubx64.efi
# sbctl sign -s /boot/vmlinuz-6.9.0-rc3
# grub-mkconfig -o /boot/grub/grub.cfg

Reboot and confirm that your system booted correctly:

# sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     <some-owner-guid>
Setup Mode:     ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    microsoft
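The check below is an added example, not part of the sbctl port or of sbctl itself: a small POSIX sh helper that parses the `sbctl status` output in the format shown above and reports whether the expected end state (sbctl installed, Setup Mode disabled, Secure Boot enabled) has been reached. The sample status texts are constructed to mirror the outputs above; when sbctl is present the live output is checked instead.

```shell
#!/bin/sh
# Compare `sbctl status` output against the expected end state of the
# procedure above: sbctl installed, Setup Mode disabled, Secure Boot enabled.
# Hypothetical helper, not part of sbctl; the sample texts are constructed
# to mirror the status output shown in the README.

SAMPLE_BEFORE='Installed:      ✗ sbctl is not installed
Setup Mode:     ✗ Enabled
Secure Boot:    ✗ Disabled
Vendor Keys:    microsoft'

SAMPLE_AFTER='Installed:      ✓ sbctl is installed
Owner GUID:     <some-owner-guid>
Setup Mode:     ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    microsoft'

# Print the value of one status field with the leading ✓/✗ mark stripped.
# $1 = status text, $2 = field name (e.g. "Setup Mode").
sb_status_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | sed -e 's/^✓ *//' -e 's/^✗ *//'
}

# Return 0 when the status shows the expected end state, 1 otherwise.
# Every field that is off is reported, so a partial setup is easy to spot.
sb_state_ok() {
    _rc=0
    _inst=$(sb_status_field "$1" "Installed")
    _setup=$(sb_status_field "$1" "Setup Mode")
    _sb=$(sb_status_field "$1" "Secure Boot")
    [ "$_inst" = "sbctl is installed" ] || { echo "Installed: ${_inst:-missing}"; _rc=1; }
    [ "$_setup" = "Disabled" ] || { echo "Setup Mode: ${_setup:-missing} (expected Disabled)"; _rc=1; }
    [ "$_sb" = "Enabled" ] || { echo "Secure Boot: ${_sb:-missing} (expected Enabled)"; _rc=1; }
    return $_rc
}

# Use the live status when sbctl is present, otherwise the constructed sample.
if command -v sbctl >/dev/null 2>&1; then
    _status=$(sbctl status 2>/dev/null || true)
else
    _status=$SAMPLE_AFTER
fi
if sb_state_ok "$_status"; then
    echo "Secure Boot end state reached"
else
    echo "Secure Boot setup incomplete"
fi
```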