Secure Boot with sbctl
Based on the ArchWiki page Unified Extensible Firmware Interface/Secure Boot.
Starting from a system that did not yet use Secure Boot:
# sbctl status
Installed: ✗ sbctl is not installed
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
Reboot into the firmware setup (BIOS/UEFI) and perform the following steps:
- Enable Secure Boot
- Reset Secure Boot to Setup Mode
Reboot into the OS. From a root shell, run:
# sbctl status
Installed: ✗ sbctl is not installed
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
# grub-install --target=x86_64-efi --efi-directory=<your-efi-location> --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
# sbctl create-keys
# sbctl enroll-keys -m ## if this fails because the EFI variables are immutable, first run: chattr -i /sys/firmware/efi/efivars/*
# sbctl sign -s <your-efi-location>/EFI/grub/grubx64.efi
# sbctl sign -s /boot/vmlinuz-6.9.0-rc3
# grub-mkconfig -o /boot/grub/grub.cfg
Reboot and confirm that the system booted correctly with Secure Boot enabled:
# sbctl status
Installed: ✓ sbctl is installed
Owner GUID: <some-owner-guid>
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: microsoft
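The steps above depend on the firmware being in the right state at each point (Setup Mode before enrolling, Secure Boot active afterwards), and a typo in one sign command leaves an unsigned binary that only shows up as a failed boot. The script below is an added example, not part of the original note: it parses the `sbctl status` output format shown above, runs the enrollment commands from the note only when the firmware reports Setup Mode, and after the reboot checks that Secure Boot is active and that `sbctl verify` reports no unsigned files. It assumes ESP is the mount point of the EFI system partition, KERNEL is the kernel image to sign (defaulting to the path used in the note), and that `sbctl verify` marks unsigned files with the words "is not signed"; the embedded sample status is copied from the note with a placeholder GUID.

```shell
#!/bin/sh
# Added example, not from the original note: state checks around the sbctl
# enrollment procedure. Assumptions (not in the note): ESP is the EFI system
# partition mount point, KERNEL is the kernel image to sign, and
# `sbctl verify` reports unsigned files with the words "is not signed".
set -eu
LC_ALL=C; export LC_ALL                   # byte-wise matching of the ✓/✗ markers

ESP="${ESP:-/boot}"                       # assumed ESP mount point
KERNEL="${KERNEL:-/boot/vmlinuz-6.9.0-rc3}"   # kernel path from the note

# Sample status copied from the note's final `sbctl status` (placeholder GUID),
# so the parser can be exercised without sbctl installed.
SAMPLE_STATUS='Installed: ✓ sbctl is installed
Owner GUID: <some-owner-guid>
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: microsoft'

# status_field FIELD TEXT: print the value of the "FIELD: <marker> value" line
# from TEXT, with the ✓/✗ marker and surrounding whitespace removed.
status_field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*[^[:alnum:]]*//p" | head -n 1
}

# secure_boot_state TEXT: classify the firmware state as one of
#   setup  - Setup Mode enabled, keys can be enrolled (after the firmware step)
#   active - Secure Boot enabled, Setup Mode disabled (expected after enrollment)
#   off    - Secure Boot disabled and not in Setup Mode (the starting state)
secure_boot_state() {
    setup=$(status_field "Setup Mode" "$1")
    sb=$(status_field "Secure Boot" "$1")
    if [ "$setup" = "Enabled" ]; then
        echo setup
    elif [ "$sb" = "Enabled" ]; then
        echo active
    else
        echo off
    fi
}

# enroll_and_sign: the enrollment commands from the note, refused unless the
# firmware is actually in Setup Mode.
enroll_and_sign() {
    state=$(secure_boot_state "$(sbctl status)")
    if [ "$state" != setup ]; then
        echo "refusing to enroll: firmware state is '$state', expected 'setup'" >&2
        return 1
    fi
    grub-install --target=x86_64-efi --efi-directory="$ESP" \
        --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
    sbctl create-keys
    sbctl enroll-keys -m
    sbctl sign -s "$ESP/EFI/grub/grubx64.efi"
    sbctl sign -s "$KERNEL"
    grub-mkconfig -o /boot/grub/grub.cfg
}

# check_enrolled: after the reboot, confirm Secure Boot is active and that
# every file sbctl tracks is still signed (e.g. after a kernel update).
check_enrolled() {
    state=$(secure_boot_state "$(sbctl status)")
    if [ "$state" != active ]; then
        echo "Secure Boot is not active (state: $state)" >&2
        return 1
    fi
    if sbctl verify | grep -q "is not signed"; then
        echo "unsigned boot files remain; re-run sbctl sign on them" >&2
        return 1
    fi
    echo "Secure Boot active, all tracked files signed"
}

case "${1:-}" in
    enroll) enroll_and_sign ;;
    check)  check_enrolled ;;
    demo)   secure_boot_state "$SAMPLE_STATUS" ;;   # prints: active
esac
```

Run `./sbctl-check.sh enroll` from the root shell after the firmware step, and `./sbctl-check.sh check` after the final reboot; `demo` only classifies the embedded sample. The state check matters because `sbctl enroll-keys` cannot succeed outside Setup Mode, and signing the wrong kernel path is silent until the next boot.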