Configuration Guide for Secure Boot on Arch Linux (with sbctl).

Update the BIOS/UEFI firmware first

fwupdmgr refresh
fwupdmgr get-updates
fwupdmgr update
sbctl status
Setup Mode:     ✗ Disabled
Secure Boot:    ✗ Disabled

In the BIOS/UEFI settings, delete the Platform Key (PK) to put the firmware into Setup Mode.

sbctl status
Setup Mode:     ✓ Enabled
Secure Boot:    ✗ Disabled

@slexi  sudo sbctl create-keys
Created Owner UUID 636e0dc7-096e-4e10-8f7f-831dfa8b5b97
✓ Secure boot keys created!

@slexi  sudo sbctl enroll-keys
‼ File is immutable: /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
‼ File is immutable: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
You need to chattr -i files in efivarfs

Current kernels (for roughly the last ten years) mark the EFI variables in efivarfs immutable, because an accidental `rm -rf /` that deletes them could brick the device, leaving the mainboard to be replaced.

sudo chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f

Replacing the platform keys with your own can brick the hardware on some machines, including laptops, making it impossible to get back into the firmware settings to fix the situation. The reason is that some device firmware (e.g. GPU Option ROMs) that is executed during boot is signed with the Microsoft 3rd Party UEFI CA certificate or with vendor certificates.

sbctl lets you enroll your own keys alongside Microsoft's keys and the keys built into the firmware.

@slexi  sbctl enroll-keys -help
unknown shorthand flag: 'e' in -elp
Usage:
  sbctl enroll-keys [flags]

Flags:
  -a, --append                          append the key to the existing ones
  -c, --custom                          include custom db and KEK
      --custom-bytes string             path to the bytefile to be enrolled to efivar
      --export [esl,auth]               export the EFI database values to current directory instead of enrolling
  -f, --firmware-builtin[=db,KEK]       include keys indicated by the firmware as being part of the default database
  -h, --help                            help for enroll-keys
  -i, --ignore-immutable                ignore checking for immutable efivarfs files
  -m, --microsoft                       include microsoft keys into key enrollment
  -p, --partial [PK,KEK,db]             enroll a partial set of keys
  -t, --tpm-eventlog                    include TPM eventlog checksums into the db database
      --yes-this-might-brick-my-machine ignore any errors and enroll keys

Global Flags:
      --config string      Path to configuration file
      --debug              Enable verbose debug logging
      --disable-landlock   Disable landlock sandboxing
      --json               Output as json
      --quiet              Mute info from logging

Enroll your own keys together with the Microsoft keys and the firmware's built-in keys:

sbctl enroll-keys -m -f

archyt14s# sbctl verify
Verifying file database and EFI images in /boot...
✗ /boot/EFI/Linux/arch-linux.efi is not signed
✗ /boot/EFI/systemd/fwupdx64.efi is not signed
✗ /boot/EFI/systemd/systemd-bootx64.efi is not signed
✗ /boot/vmlinuz-linux is not signed
✗ /boot/vmlinuz-linux-lts is not signed
✗ /boot/EFI/BOOT/BOOTX64.EFI is not signed

Sign them (the `e` flag of GNU sed executes each rewritten line as a command, so every ✗ line becomes a `sbctl sign -s` call; `-s` also saves the file in sbctl's database so it is re-signed on updates):

sbctl verify | sed 's/✗ /sbctl sign -s /e'

@slexi  sudo -s
Please touch the FIDO authenticator.
archyt14s# sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/EFI/Linux/arch-linux.efi is signed
✓ /boot/EFI/systemd/fwupdx64.efi is signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
✓ /boot/vmlinuz-linux is signed
✓ /boot/vmlinuz-linux-lts is signed
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed

Reboot the system and enable Secure Boot in the firmware settings.

archyt14s# sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     636e0dc7-096e-4e10-8f7f-831dfa8b5b97
Setup Mode:     ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    microsoft
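The signing step above relies on GNU sed's `e` flag and passes the trailing words of each verify line to `sbctl sign` as extra arguments. As an added example (not from sbctl or the original guide), the script below parses `sbctl verify` output explicitly, signs only files marked as not signed, keeps paths intact even if they contain spaces, and has a dry-run mode; the sample verify output and the `SBCTL_DRY_RUN` variable are constructed for this example.

```shell
#!/bin/sh
# Sign every EFI binary that `sbctl verify` reports as unsigned, and save it
# in sbctl's file database (-s) so it is re-signed on kernel/bootloader updates.

# Constructed sample of `sbctl verify` output (not captured from a real machine).
SAMPLE_VERIFY='Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✗ /boot/EFI/Linux/arch-linux.efi is not signed
✗ /boot/vmlinuz-linux is not signed'

# unsigned_paths: read verify output on stdin, print one unsigned path per line.
# Matches on the "is not signed" suffix, so it needs no non-ASCII in the regex.
unsigned_paths() {
    grep ' is not signed$' | sed -e 's/^[^ ]* //' -e 's/ is not signed$//'
}

# sign_unsigned: run `sbctl sign -s` for each unsigned path read from stdin.
# With SBCTL_DRY_RUN=1 the commands are only printed (to stderr).
# Prints the number of files handled on stdout; returns 1 if sbctl fails.
sign_unsigned() {
    count=0
    old_ifs=$IFS
    IFS='
'                               # split the path list on newlines only
    set -f                      # no glob expansion of paths
    for path in $(unsigned_paths); do
        if [ "${SBCTL_DRY_RUN:-0}" = 1 ]; then
            echo "would run: sbctl sign -s $path" >&2
        else
            sbctl sign -s "$path" || { set +f; IFS=$old_ifs; return 1; }
        fi
        count=$((count + 1))
    done
    set +f
    IFS=$old_ifs
    echo "$count"
}

# Typical use on a real system (needs root): sbctl verify | sign_unsigned
printf '%s\n' "$SAMPLE_VERIFY" | SBCTL_DRY_RUN=1 sign_unsigned
```

Run it once more after signing: `sbctl verify | sign_unsigned` should then report 0, which is the check to do before rebooting with Secure Boot enabled.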