Secure boot - uiriansan/dotfiles GitHub Wiki

Credits to Hunter512 and Foxboron.

Enable secure boot

1. If you didn't install Grub with `--efi-directory=<efi_partition> --modules="tpm" --disable-shim-lock`, reinstall it:

   ```sh
   # Mount the EFI partition
   $ sudo mount /dev/<efi_partition> /boot/efi/

   # Install Grub
   $ sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi/ --bootloader-id=GRUB --modules="tpm" --disable-shim-lock

   # Regenerate Grub config
   $ sudo grub-mkconfig -o /boot/grub/grub.cfg
   ```

2. Install sbctl:

   ```sh
   $ sudo pacman -S sbctl
   ```

3. Boot into your BIOS/UEFI settings and set secure boot to setup mode. Can't help you here. RTFM.

4. Check that setup mode is enabled:

   ```sh
   $ sbctl status
   ```

5. Create secure boot keys:

   ```sh
   $ sudo sbctl create-keys
   ```

6. Enroll your keys together with Microsoft's CA certificate:

   ```sh
   $ sudo sbctl enroll-keys -m
   ```

7. Verify that your keys have been enrolled successfully:

   ```sh
   $ sbctl status
   ```

8. Check which files need to be signed for secure boot to work:

   ```sh
   $ sudo sbctl verify
   ```

   There is no need to sign every Microsoft file; bootmgfw.efi, bootmgr.efi and memtest.efi should be enough. For the Linux ones, just sign everything. The command above may not show /boot/vmlinuz-linux, but you'll have to sign that one as well.

   ```sh
   # These are the ones I needed to sign, adjust according to your needs
   $ sudo sbctl sign -s /efi/EFI/Boot/bootx64.efi
   $ sudo sbctl sign -s "/efi/EFI/Grub - Arch Linux/grubx64.efi"
   $ sudo sbctl sign -s /efi/EFI/grub-uefi/grubx64.efi
   $ sudo sbctl sign -s /boot/vmlinuz-linux
   $ sudo sbctl sign -s /efi/EFI/Microsoft/Boot/bootmgfw.efi
   $ sudo sbctl sign -s /efi/EFI/Microsoft/Boot/bootmgr.efi
   $ sudo sbctl sign -s /efi/EFI/Microsoft/Boot/memtest.efi
   ```

   You may get an error because certain files are immutable. To make those files mutable, run the following command for each file, then re-sign afterwards:

   ```sh
   $ sudo chattr -i /sys/firmware/efi/efivars/<filename>
   ```

9. Verify that everything has been signed:

   ```sh
   $ sudo sbctl verify
   ```

10. Boot into your BIOS/UEFI settings again, make sure secure boot is enabled, and reboot. Confirm the final state with:

    ```sh
    $ sbctl status
    ```
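The `sbctl status` and `sbctl verify` steps above are checked by eye. The following shell helpers, an added example that is not part of the dotfiles wiki or of sbctl itself, turn them into scriptable gates: one function confirms setup mode before enrolling keys, one confirms secure boot is on after the reboot, and one lists what `sbctl verify` still reports as unsigned and builds the matching `sbctl sign` commands, always adding /boot/vmlinuz-linux because the wiki notes that `verify` may not list it. The sample output embedded below is constructed, and the code assumes sbctl's real output has the same shape (a `Setup Mode:` / `Secure Boot:` line ending in Enabled or Disabled, and one `<path> is signed` or `<path> is not signed` line per file); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the uiriansan/dotfiles wiki: parse the text that
# `sbctl status` and `sbctl verify` print so the manual checks become
# pass/fail gates. Assumption: sbctl's output matches the constructed
# samples at the bottom of this file.

# Exit 0 when the "Setup Mode:" line on stdin says Enabled.
# Keys can only be enrolled while the firmware is in setup mode.
setup_mode_enabled() {
    grep -q '^Setup Mode:.*Enabled'
}

# Exit 0 when the "Secure Boot:" line on stdin says Enabled (post-reboot check).
secure_boot_enabled() {
    grep -q '^Secure Boot:.*Enabled'
}

# Print every path that `sbctl verify` output (on stdin) reports as
# "is not signed", one per line. The leading status symbol is stripped by
# dropping everything before the first "/", so paths with spaces survive.
unsigned_files() {
    awk '/ is not signed$/ { sub(/^[^\/]*/, ""); sub(/ is not signed$/, ""); print }'
}

# Build (but do not run) one `sudo sbctl sign -s` command per unsigned file,
# adding the kernel image when verify did not list it.
sign_commands() {
    kernel="/boot/vmlinuz-linux"
    list=$(unsigned_files)
    printf '%s\n' "$list" | grep -qxF "$kernel" || list=$(printf '%s\n%s' "$list" "$kernel")
    printf '%s\n' "$list" | while IFS= read -r f; do
        [ -n "$f" ] && printf 'sudo sbctl sign -s "%s"\n' "$f"
    done
}

# Constructed sample output, modelled on sbctl's format (not captured from a real machine).
SAMPLE_STATUS_SETUP='Installed:      ✓ sbctl is installed
Setup Mode:     ✓ Enabled
Secure Boot:    ✗ Disabled'

SAMPLE_STATUS_FINAL='Installed:      ✓ sbctl is installed
Setup Mode:     ✗ Disabled
Secure Boot:    ✓ Enabled'

SAMPLE_VERIFY='Verifying file database and EFI images in /efi...
✓ /efi/EFI/BOOT/BOOTX64.EFI is signed
✗ /efi/EFI/Grub - Arch Linux/grubx64.efi is not signed
✗ /efi/EFI/Microsoft/Boot/bootmgfw.efi is not signed
✓ /efi/EFI/Microsoft/Boot/bootmgr.efi is signed'

# On a real machine the same functions are fed by the tools themselves:
#   sbctl status | setup_mode_enabled && echo "setup mode: ready to enroll keys"
#   sudo sbctl verify | sign_commands
main() {
    if printf '%s\n' "$SAMPLE_STATUS_SETUP" | setup_mode_enabled; then
        echo "sample 1: setup mode enabled, keys can be enrolled"
    fi
    if printf '%s\n' "$SAMPLE_STATUS_FINAL" | secure_boot_enabled; then
        echo "sample 2: secure boot enabled"
    fi
    echo "commands still needed for sample verify output:"
    printf '%s\n' "$SAMPLE_VERIFY" | sign_commands
}

main "$@"
```

The sign commands are printed rather than executed on purpose: review the list, then paste it, so a mis-parsed line never signs the wrong file.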


You can now play Riot's games on the same computer Arch is installed on (you really shouldn't, tho).

