Secure Boot CachyOS Limine - ryzendew/Linux-Tips-and-Tricks GitHub Wiki

Secure Boot for CachyOS with Limine Loader

Table of Contents

  1. Introduction
  2. Installation Steps
  3. Troubleshooting
  4. Additional Resources
  5. Summary

Introduction

This guide will help you set up Secure Boot on CachyOS using sbctl (Secure Boot Control Tool) with the Limine bootloader. This guide is specifically tailored for CachyOS users who want to enable Secure Boot for enhanced system security while using Limine as their bootloader.

What is CachyOS?

  • CachyOS is an Arch-based Linux distribution optimized for performance
  • It uses the same package manager (pacman) and package names as Arch Linux
  • This guide works for CachyOS and can be adapted for other Arch-based distributions

What is Limine?

  • Limine is a modern, fast, and portable bootloader
  • It's designed to be simple and secure
  • CachyOS uses Limine as its default bootloader

What is Secure Boot?

Secure Boot is a security feature found in modern computers that ensures only trusted software can boot on your system. It works by:

  • Verifying that bootloaders and kernel images are signed with trusted keys
  • Preventing malicious software from running during the boot process
  • Providing protection against bootkits and rootkits

Why use sbctl?

  • Allows you to use Secure Boot on Linux systems
  • Enables you to sign your own kernel images and bootloaders
  • Provides control over Secure Boot keys
  • Can work with Microsoft's keys for compatibility

What you'll need:

  • CachyOS installed and running
  • Limine bootloader installed (default on CachyOS)
  • Administrator (root) access via sudo
  • UEFI firmware (not legacy BIOS)
  • Access to your system's firmware/UEFI settings

Note: While this guide is written for CachyOS, the general principles apply to other Arch-based distributions using Limine. However, some steps may vary.


Installation Steps

Step 1: Install sbctl

Open your terminal and run the following command to install sbctl:

sudo pacman -S sbctl

What each part means:

  • sudo: Runs the command with administrator privileges (needed to install software)
  • pacman: The package manager for Arch Linux and Arch-based distributions
  • -S: Synchronize/install packages (tells pacman to install the specified package)
  • sbctl: The Secure Boot Control Tool package

What this does: This installs the sbctl tool, which you'll use to manage Secure Boot keys and sign bootloaders and kernel images.

Step 1.1: Enter your password when prompted

The sudo command requires administrator privileges. You'll be asked to enter your user password. Note that when you type your password, nothing will appear on screen (this is normal for security reasons).

Example output:

[sudo] password for yourusername: 

Type your password and press Enter.

Step 1.2: Confirm installation

Pacman will show you a list of packages to be installed and ask for confirmation. You'll see something like:

Packages (X) to install:
  sbctl
  ... (dependencies will be listed here)

Proceed with installation? [Y/n]

Type Y and press Enter to proceed with the installation.


Step 2: Reboot into Firmware Setup

After installing sbctl, you need to access your system's firmware/UEFI settings to configure Secure Boot.

Reboot into firmware setup:

sudo systemctl reboot --firmware-setup

What this does:

  • systemctl: System control command
  • reboot: Reboots the system
  • --firmware-setup: Boots directly into the firmware/UEFI setup menu instead of the normal boot process

What you'll see: Your computer will reboot and enter the UEFI/firmware setup screen (also called BIOS setup). This screen typically has a blue or gray background and shows various system settings.

Important: The exact method to access firmware settings varies by manufacturer:

  • Common keys: F2, F10, F12, Delete, or Esc (pressed during boot)
  • On some systems: You may need to hold Shift while clicking Restart in your operating system
  • Check your computer's manual if you're unsure

Step 3: Configure Secure Boot in Firmware

Once you're in the firmware/UEFI setup screen, you need to configure Secure Boot settings.

What to do:

  1. Navigate to Security or Boot settings:
     • Look for menus like "Security", "Boot", "Advanced", or "System Configuration"
     • Use arrow keys to navigate (mouse may or may not work)
  2. Find Secure Boot settings:
     • Look for "Secure Boot" option
     • It may be under "Security Features" or "Boot Options"
  3. Enable Setup Mode:
     • Set Secure Boot to "Setup Mode" or "Custom Mode"
     • This allows you to manage your own keys
  4. Disable Secure Boot (temporarily):
     • Set Secure Boot to "Disabled"
     • We'll enable it later after configuring keys
  5. Delete existing keys (if present):
     • Look for options like "Delete All Secure Boot Keys" or "Reset to Setup Mode"
     • This clears any existing keys so you can install your own
  6. Save and exit:
     • Press F10 (common) or look for "Save & Exit" option
     • Confirm to save changes and reboot

Important Notes:

  • The exact menu names and locations vary by manufacturer (Dell, HP, Lenovo, ASUS, etc.)
  • If you can't find these options, your system may not support Secure Boot
  • Some systems may require you to set an administrator password first
  • Write down or take photos of your current settings in case you need to revert

What this does:

  • Setup Mode allows you to install your own Secure Boot keys
  • Disabling Secure Boot temporarily lets us configure everything before enabling it
  • Deleting existing keys ensures a clean slate for your custom keys

Step 4: Verify Setup Mode

After rebooting back into your system, verify that Setup Mode is enabled:

sudo sbctl status

What this command does:

  • sbctl: The Secure Boot Control Tool
  • status: Shows the current Secure Boot status and configuration

Expected output (before creating keys):

Installed:      ✘ sbctl is not installed
Setup Mode:     ✔ Enabled
Secure Boot:    ✘ Disabled

What each line means:

  • Installed: Shows whether sbctl keys are installed (✘ means not yet)
  • Setup Mode: Should show Enabled (this is what we want)
  • Secure Boot: Should show Disabled (we'll enable it later)

If Setup Mode is enabled, we can proceed to the next step!

If Setup Mode shows Disabled:

  • You may need to go back into firmware settings
  • Make sure you saved the changes in Step 3
  • Some systems may require additional steps - check your manufacturer's documentation

Step 5: Create Secure Boot Keys

Now that Setup Mode is enabled, create your custom Secure Boot keys:

sudo sbctl create-keys

What this does:

  • Creates your own Secure Boot keys (Platform Key, Key Exchange Key, and Database keys)
  • These keys will be used to sign your bootloaders and kernel images
  • Generates a unique Owner UUID (Universally Unique Identifier) for your system

Expected output:

Created Owner UUID a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Creating secure boot keys...✔
Secure boot keys created!

What this means:

  • Your custom Secure Boot keys have been created
  • The Owner UUID is a unique identifier for your key set
  • These keys are stored in /usr/share/secureboot/keys/ (you don't need to access this directly)

Important: Keep these keys safe! If you lose them, you can no longer sign future kernel or bootloader updates, and those updates won't boot with Secure Boot enabled unless you re-enter Setup Mode and create and enroll a new key set.


Step 6: Enroll Keys with Microsoft Keys

To ensure compatibility with hardware and some software, enroll your keys along with Microsoft's keys:

sudo sbctl enroll-keys --microsoft

What each part means:

  • enroll-keys: Installs the keys into your system's UEFI firmware
  • --microsoft: Also includes Microsoft's Secure Boot keys for compatibility
  • This allows you to boot Windows (if dual-booting)
  • Ensures compatibility with hardware that requires Microsoft keys
  • Allows booting some third-party software signed with Microsoft keys

What this does:

  • Enrolls your custom keys into the UEFI firmware
  • Also enrolls Microsoft's keys for compatibility
  • This writes the keys to your system's UEFI variables

Expected output:

Enrolling keys to EFI variables...✔
Enrolled keys to the EFI variables!

Alternative (without Microsoft keys): If you don't want Microsoft keys (for example, if you only use Linux and want maximum security):

sudo sbctl enroll-keys

Note: Without Microsoft keys, you won't be able to boot Windows or use some hardware/software that requires Microsoft-signed components.


Step 7: Verify Key Enrollment

After enrolling the keys, verify that everything is configured correctly:

sudo sbctl status

Expected output:

Installed:      ✔ sbctl is installed
Owner GUID:     a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Setup Mode:     ✔ Disabled
Secure Boot:    ✘ Disabled
Vendor Keys:    microsoft

What each line means:

  • Installed: ✔ means sbctl keys are now installed
  • Owner GUID: Your unique key identifier (matches what was created in Step 5)
  • Setup Mode: Disabled means Setup Mode is off (keys are enrolled)
  • Secure Boot: Disabled means Secure Boot is still off (we'll enable it later)
  • Vendor Keys: Shows "microsoft" if you used --microsoft flag

If you see this output, sbctl is properly installed and keys are enrolled!

Next steps: Now we need to:

  1. Sign your bootloader and kernel images
  2. Enable Secure Boot in firmware
  3. Test that everything works

Step 8: Backup Secure Boot Variables (Important!)

Before proceeding further, it's crucial to backup your Secure Boot variables. This allows you to restore them if something goes wrong.

Step 8.1: Install efitools

First, install the efitools package:

sudo pacman -S efitools

What this does:

  • -S: Synchronize/install packages (installs the named package)
  • efitools: Provides utilities for managing UEFI variables, including backing up Secure Boot keys

Step 8.2: Backup Secure Boot Variables

Run the following command to backup all four principal Secure Boot variables:

for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done

What this command does:

  • for var in PK KEK db dbx: Loops through four Secure Boot variables
  • PK (Platform Key): The top-level key
  • KEK (Key Exchange Key): Used to update the database
  • db (Database): Contains trusted signing keys
  • dbx (Forbidden Signatures Database): Contains revoked keys
  • efi-readvar -v $var: Reads the UEFI variable
  • -o old_${var}.esl: Saves it to a file (e.g., old_PK.esl, old_KEK.esl, etc.)

What you'll get: Four backup files will be created in your current directory:

  • old_PK.esl - Platform Key backup
  • old_KEK.esl - Key Exchange Key backup
  • old_db.esl - Database backup
  • old_dbx.esl - Forbidden Signatures Database backup

Important: Store these backup files in a safe place! If something goes wrong, you can restore them.

To restore (if needed; writing unsigned .esl files back into PK, KEK, db and dbx only succeeds while the firmware is in Setup Mode):

sudo efi-updatevar -f old_PK.esl PK
sudo efi-updatevar -f old_KEK.esl KEK
sudo efi-updatevar -f old_db.esl db
sudo efi-updatevar -f old_dbx.esl dbx
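A backup is only useful if it actually contains the keys you think it does. The script below is an added example (not part of this wiki page or of the efitools project) that parses the EFI_SIGNATURE_LIST structures efi-readvar writes into the old_*.esl files and reports how many X.509 certificates and SHA-256 hashes each one holds, and how many entries carry Microsoft's SignatureOwner GUID. The signature-type GUIDs and Microsoft's owner GUID come from the UEFI specification and Microsoft's published keys; the sample data at the bottom is constructed (its "certificate" is not a real DER blob) so the script runs offline. An empty file is reported explicitly, because an empty PK backup taken while in Setup Mode would restore nothing:

```python
"""Inspect EFI Signature List (.esl) backups such as old_PK.esl or old_db.esl.

Parses the raw EFI_SIGNATURE_LIST structures that `efi-readvar -o` writes and
reports what each backup holds, so a backup can be checked before it is
trusted for a restore. Usage: python3 inspect_esl.py old_PK.esl old_db.esl ...
"""
import struct
import sys
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# SignatureOwner GUID carried by the Microsoft entries that --microsoft enrolls.
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_SIGNATURE_LIST header: SignatureType GUID, then SignatureListSize,
# SignatureHeaderSize and SignatureSize as little-endian UINT32 (28 bytes).
_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # every EFI_SIGNATURE_DATA starts with the SignatureOwner GUID


def parse_esl(data: bytes) -> list:
    """Return one dict per signature list: its type name and (owner, payload) entries.

    A truncated or inconsistent list raises ValueError: a damaged backup must
    fail loudly rather than quietly report "zero keys".
    """
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < _HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = _HDR.unpack_from(data, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"SignatureListSize {list_size} at offset {off} overruns the data")
        body_start = off + _HDR.size + hdr_size
        body_len = list_size - _HDR.size - hdr_size
        if sig_size <= _OWNER_LEN or body_len % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        entries = []
        for pos in range(body_start, body_start + body_len, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + _OWNER_LEN])  # EFI GUIDs are mixed-endian
            entries.append((owner, data[pos + _OWNER_LEN:pos + sig_size]))
        type_guid = uuid.UUID(bytes_le=sig_type)
        lists.append({"type": TYPE_NAMES.get(type_guid, str(type_guid)), "entries": entries})
        off += list_size
    return lists


def summarize(data: bytes) -> dict:
    """Count entries per type and how many carry Microsoft's owner GUID."""
    summary = {"lists": 0, "x509": 0, "sha256": 0, "other": 0, "microsoft_owned": 0}
    for lst in parse_esl(data):
        summary["lists"] += 1
        key = lst["type"].lower()
        for owner, _payload in lst["entries"]:
            summary[key if key in summary else "other"] += 1
            if owner == MICROSOFT_OWNER_GUID:
                summary["microsoft_owned"] += 1
    return summary


def build_esl(type_guid: uuid.UUID, entries: list) -> bytes:
    """Encode one EFI_SIGNATURE_LIST (all payloads must be the same length)."""
    body = b"".join(owner.bytes_le + payload for owner, payload in entries)
    sig_size = _OWNER_LEN + len(entries[0][1])
    return _HDR.pack(type_guid.bytes_le, _HDR.size + len(body), 0, sig_size) + body


# Constructed sample standing in for an old_db.esl backup: one X509 list whose
# payload is NOT a real certificate, owned by Microsoft's GUID, plus one SHA256
# list with two placeholder hashes owned by a made-up local GUID.
LOCAL_OWNER_GUID = uuid.UUID("00000000-0000-4000-8000-000000000001")
SAMPLE_DB_ESL = (
    build_esl(EFI_CERT_X509_GUID, [(MICROSOFT_OWNER_GUID, b"not-a-real-der-certificate")])
    + build_esl(EFI_CERT_SHA256_GUID, [(LOCAL_OWNER_GUID, b"\x11" * 32), (LOCAL_OWNER_GUID, b"\x22" * 32)])
)

if __name__ == "__main__":
    if len(sys.argv) == 1:
        print("constructed sample:", summarize(SAMPLE_DB_ESL))
    for path in sys.argv[1:]:
        data = open(path, "rb").read()
        # An empty file means the variable was empty when backed up (e.g. PK
        # cleared in Setup Mode); restoring it recreates nothing.
        print(path, "EMPTY" if not data else summarize(data))
```

Run it against the four backups right after Step 8.2: old_PK.esl should show exactly one X509 entry, old_KEK.esl and old_db.esl should show your own certificate plus Microsoft-owned entries if you used --microsoft, and old_dbx.esl (when populated) is mostly SHA256 entries.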

Step 9: Sign Limine Bootloader

Since CachyOS uses Limine as the default bootloader, you need to sign Limine's EFI binary so it can boot with Secure Boot enabled.

Sign Limine with limine-enroll-config

CachyOS provides a convenient tool for signing Limine:

sudo limine-enroll-config

What this does:

  • Uses sbctl under the hood to sign Limine's EFI binary
  • Automatically handles the signing process for Limine
  • This is the recommended and easiest method for CachyOS users
  • Signs Limine's EFI binary with your Secure Boot keys

Expected output: You should see confirmation that Limine has been signed. The output will indicate that Limine's EFI binary is now signed and ready for Secure Boot.

Important for CachyOS:

  • This command is specifically designed for Limine
  • It automatically finds and signs the correct Limine EFI binary
  • No manual file paths needed - it handles everything automatically

Reference: For more detailed Limine-specific instructions, see the CachyOS Secure Boot Setup Guide.


Step 10: Sign Kernel Images

You also need to sign your kernel images. sbctl can automatically handle this, but you may need to configure it.

Check which files sbctl tracks and whether they are signed:

sudo sbctl verify

Every file in sbctl's database is listed with its signature state. Your kernel image(s) and Limine's EFI binary should all be reported as signed.

Keep kernel signing automatic:

sudo sbctl sign-all

What this does:

  • Re-signs every file recorded in sbctl's database (files you signed with sbctl sign -s are added to it)
  • The sbctl package ships a pacman hook that runs this after kernel and bootloader updates, so future kernel updates are automatically signed
  • This is the recommended approach

Manually sign current kernel (if needed):

If you need to manually sign your current kernel:

sudo sbctl sign -s /boot/vmlinuz-linux

Replace /boot/vmlinuz-linux with your actual kernel path if different.

For Arch Linux with multiple kernels: You may need to sign each kernel variant:

  • /boot/vmlinuz-linux (standard kernel)
  • /boot/vmlinuz-linux-lts (LTS kernel, if installed)
  • /boot/vmlinuz-linux-zen (Zen kernel, if installed)

Step 11: Enable Secure Boot

After signing your bootloader and kernel, enable Secure Boot in your firmware settings.

Reboot into firmware setup:

sudo systemctl reboot --firmware-setup

In firmware settings:

  1. Navigate to Secure Boot settings (same location as Step 3)
  2. Enable Secure Boot:
     • Set Secure Boot to "Enabled"
     • Some systems may have options like "Standard" or "Custom"
  3. Save and exit:
     • Press F10 or select "Save & Exit"
     • Your system will reboot

What to expect:

  • If everything is signed correctly, your system should boot normally
  • If something isn't signed, you may see a Secure Boot error
  • If you see an error, boot back into Setup Mode and check your signing

Step 12: Verify Secure Boot is Working

After enabling Secure Boot and rebooting, verify it's working:

sudo sbctl status

Expected output:

Installed:      ✔ sbctl is installed
Owner GUID:     a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Setup Mode:     ✔ Disabled
Secure Boot:    ✔ Enabled
Vendor Keys:    microsoft

Key indicators:

  • Secure Boot: Enabled - This confirms Secure Boot is active!
  • Setup Mode: Disabled - This is correct (Setup Mode should be off when Secure Boot is on)

Additional verification:

You can also check Secure Boot status with:

mokutil --sb-state

Or:

sudo dmesg | grep -i secure

Troubleshooting

Issue: "Setup Mode: Disabled" when trying to create keys

Symptoms:

  • Cannot create keys because Setup Mode is not enabled

Solutions:

  1. Go back into firmware settings
  2. Make sure Secure Boot is set to "Setup Mode" or "Custom Mode"
  3. Some systems require you to delete existing keys first
  4. Save and reboot, then try again

Issue: System won't boot after enabling Secure Boot

Symptoms:

  • Secure Boot error screen appears
  • System won't boot into Linux

Solutions:

  1. Boot back into Setup Mode:
     • Access firmware settings
     • Disable Secure Boot or enable Setup Mode
     • Boot back into Linux
  2. Check what wasn't signed:

     sudo sbctl verify

     Look for files reported as not signed
  3. Re-sign bootloader and kernel:
     • Follow Step 9 and Step 10 again
     • Make sure all boot files are signed
  4. Check bootloader configuration:
     • Verify your bootloader is pointing to signed files
     • For systemd-boot, check /boot/loader/entries/

Issue: Kernel updates break Secure Boot

Symptoms:

  • System works fine until kernel update
  • After update, Secure Boot errors appear

Solutions:

  1. Make sure automatic signing is in place:

     sudo sbctl sign-all

     This re-signs every file in sbctl's database; the pacman hook shipped with the sbctl package runs it after updates, so kernels signed with sbctl sign -s are handled automatically
  2. Manually sign new kernel:

     sudo sbctl sign -s /boot/vmlinuz-linux

     Replace with your actual kernel path
  3. Set up a pacman hook (advanced): Create a hook to automatically sign kernels after updates

Issue: Can't boot Windows after enabling Secure Boot

Symptoms:

  • Linux boots fine
  • Windows won't boot (if dual-booting)

Solutions:

  1. Make sure you enrolled Microsoft keys (re-enrolling requires Setup Mode again, see Step 3):

     sudo sbctl enroll-keys --microsoft

  2. Check Windows boot files:
     • Windows boot files should be signed by Microsoft
     • If you modified Windows boot files, they may need to be re-signed
  3. Verify in firmware:
     • Check that Microsoft keys are present in firmware settings

Additional Resources


Summary

This guide covered:

  1. Installing sbctl on CachyOS
  2. Accessing firmware/UEFI settings
  3. Configuring Secure Boot in Setup Mode
  4. Creating custom Secure Boot keys
  5. Enrolling keys (with Microsoft keys for compatibility)
  6. Backing up Secure Boot variables
  7. Signing Limine bootloader (CachyOS default)
  8. Signing kernel images
  9. Enabling Secure Boot
  10. Verifying Secure Boot is working
  11. Troubleshooting common issues

After completing these steps, you should have Secure Boot enabled on your CachyOS system with Limine bootloader, providing enhanced security while maintaining the ability to boot your system!

Important Reminders:

  • Keep your Secure Boot key backups safe
  • Enable automatic kernel signing to avoid issues after updates
  • Test Secure Boot thoroughly before relying on it
  • If dual-booting, ensure Microsoft keys are enrolled for Windows compatibility