Skip to content

Secure Boot Setup

sbctl

sbctl is a a user-friendly secure boot key manager capable of setting up secure boot, offers key management capabilities and keeps track of files that needs to be signed in the boot chain.

Installing sbctl

Terminal window
sudo pacman -S sbctl

Pre-setup

GRUB Boot Manager

If you are using GRUB, run the following command to enable secure boot support on GRUB using CA Keys.

Terminal window
sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=cachyos --modules="tpm" --disable-shim-lock

Entering Setup Mode in UEFI

Firstly, we need to go to firmware settings and set secure boot mode to “Setup Mode”. You can reboot from an already running system to firmware settings with following command.

Terminal window
systemctl reboot --firmware-setup

This is how the BIOS looks like on a Lenovo Ideapad 5 Pro. Reset to setup mode or restore factory keys and reboot back to the system

Setting Up sbctl

Terminal window
sudo sbctl status # If setup mode is enabled we can proceed to the next step
Installed: sbctl is not installed
Setup Mode: Enabled
Secure Boot Disabled
sudo sbctl create-keys # Create your custom secure boot keys
Created Owner UUID a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Creating secure boot keys...✔
Secure boot keys created!
sudo sbctl enroll-keys -m # Enroll your keys with Microsoft's keys
Enrolling keys to EFI variables...✔
Enrolled keys to the EFI variables!
sudo sbctl status
# sbctl should now be installed and we can proceed to signing the kernel images and boot manager
Installed: sbctl is installed
Owner GUID: a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Setup Mode: Disabled
Secure Boot Disabled
Vendor Keys: microsoft

Signing the Kernel Image and Boot Manager

CachyOS provides a script sbctl-batch-sign that takes the list of files needed to be signed from sudo sbctl verify and signs them all.

Terminal window
sudo sbctl verify
Verifying file database and EFI images in /boot...
/boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn4.0.fc40.x86_64/linux is not signed
/boot/EFI/BOOT/BOOTX64.EFI is not signed
/boot/EFI/systemd/systemd-bootx64.efi is not signed
/boot/1c4b5246eef05ac3bc87339323cd5101/0-rescue/linux is not signed
/boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn3.0.fc40.x86_64/linux is not signed
sudo sbctl-batch-sign
sudo sbctl verify
Verifying file database and EFI images in /boot...
/boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn4.0.fc40.x86_64/linux is signed
/boot/EFI/BOOT/BOOTX64.EFI is signed
/boot/EFI/systemd/systemd-bootx64.efi is signed
/boot/1c4b5246eef05ac3bc87339323cd5101/0-rescue/linux is signed
/boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn3.0.fc40.x86_64/linux is signed

Now that all the files are signed, we can reboot back to UEFI settings and enable secure boot. Note that this is a one-time process as signing files with -s flag will save those files to sbctl’s database. sbctl ships with a pacman hook meaning it will automatically sign all new files upon a kernel or boot manager update.

systemd-boot

CachyOS uses systemd-boot-update.service provided by systemd to update the boot manager on reboot. This means that the sbctl pacman hook will not sign the updated EFI binaries. As a workaround, we can sign the boot manager directly

Terminal window
sudo sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi

Verify that Secure Boot is Enabled

To check that secure boot is indeed enabled. You can run one of the following commands

Terminal window
sudo sbctl status
Installed: sbctl is installed
Owner GUID: a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Setup Mode: Disabled
Secure Boot: Enabled
Vendor Keys: microsoft
bootctl
System:
Firmware: UEFI 2.80 (INSYDE Corp. 28724.16435)
Firmware Arch: x64
Secure Boot: enabled (user)
TPM2 Support: yes
Measured UKI: no
Boot into FW: supported
  • The Arch Wiki laid the groundwork for this guide. Most of the stuff here was taken from there
  • sbctl - This easy guide to enable secure boot support wouldn’t have been possible if it weren’t for the amazing work done to create this piece of software.
  • Improving the Secure Boot Experience by Morten linderud - Blog post by Morten “Foxboron” Linderud on how the secure boot experience was complicated before sbctl