Secure Boot Setup
sbctl
sbctl is a user-friendly secure boot key manager that can set up secure boot, offers key management, and keeps track of the files that need to be signed in the boot chain.
Installing sbctl
Pre-setup
GRUB Boot Manager
If you are using GRUB, run the following command to enable secure boot support on GRUB using CA Keys.
Entering Setup Mode in UEFI
First, enter the firmware settings and set the secure boot mode to “Setup Mode”. From an already running system, you can reboot straight into the firmware settings with the following command.
This is what the firmware settings look like on a Lenovo IdeaPad 5 Pro. Reset to setup mode (or restore factory keys) and reboot back into the system.
Setting Up sbctl
Signing the Kernel Image and Boot Manager
CachyOS provides a script, sbctl-batch-sign, that takes the list of files that need to be signed from sudo sbctl verify and signs them all.
Now that all the files are signed, we can reboot back to UEFI settings and enable secure boot.
Note that this is a one-time process: signing files with the -s flag saves them to sbctl’s database, and sbctl ships with a pacman hook that automatically re-signs all tracked files after a kernel or boot manager update.
systemd-boot
CachyOS uses systemd-boot-update.service, provided by systemd, to update the boot manager on reboot. Because the new EFI binary is only written at that point, the sbctl pacman hook will not sign it. As a workaround, we can sign the boot manager directly.
Verify that Secure Boot is Enabled
To check that secure boot is indeed enabled, run one of the following commands:
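The two checks this guide relies on, as an added example that is not CachyOS's sbctl-batch-sign script nor sbctl's own code: a dry run of the batch-sign logic (listing the files sbctl verify reports as unsigned and the sbctl sign -s commands for them) and a decoder for the SecureBoot EFI variable as exposed by efivarfs. The sbctl verify line format and the efivar layout (4 attribute bytes, then a 1-byte value) are assumptions; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not CachyOS's sbctl-batch-sign script or sbctl's own code.
# Part 1: turn `sbctl verify` output into the list of files that still need signing.
# Assumption: sbctl verify prints one line per file, "✓ <path> is signed" or
# "✗ <path> is not signed" (check the format of your sbctl version).

# Constructed sample of `sbctl verify` output so the functions run offline.
SAMPLE_VERIFY_OUTPUT='Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✗ /boot/vmlinuz-linux is not signed
✗ /boot/EFI/systemd/systemd-bootx64.efi is not signed'

# unsigned_files: read verify output on stdin, print one unsigned path per line.
unsigned_files() {
    grep '^✗ ' | sed -e 's/^✗ //' -e 's/ is not signed$//'
}

# sign_commands: print the `sbctl sign -s` command for every unsigned file.
# Dry run only; -s makes sbctl remember the file so the pacman hook re-signs it.
sign_commands() {
    unsigned_files | while IFS= read -r f; do
        printf 'sudo sbctl sign -s %s\n' "$f"
    done
}

# count_unsigned: number of files the sample output reports as unsigned.
count_unsigned() {
    printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | unsigned_files | wc -l | tr -d ' '
}

# Part 2: decode the SecureBoot variable as exposed by efivarfs.
# Assumption: 4 bytes of attribute flags followed by a 1-byte value
# (1 = secure boot enforced, 0 = not enforced). The real file is
# /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
secureboot_state() {
    v=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')   # the single byte at offset 4
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# write_sample_var: write a constructed efivar file whose value byte is 0 or 1.
write_sample_var() {
    if [ "$2" -eq 1 ]; then printf '\006\000\000\000\001' > "$1"
    else printf '\006\000\000\000\000' > "$1"; fi
}

printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | sign_commands
```

On a real system, pipe `sudo sbctl verify` into sign_commands and pass the efivarfs path to secureboot_state.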
Links and Credits
- The Arch Wiki laid the groundwork for this guide; most of the material here is taken from it.
- sbctl - This easy guide to enable secure boot support wouldn’t have been possible if it weren’t for the amazing work done to create this piece of software.
- Improving the Secure Boot Experience by Morten Linderud - Blog post by Morten “Foxboron” Linderud on how complicated the secure boot experience was before sbctl.