Skip to content
This repository has been archived by the owner on Aug 11, 2023. It is now read-only.

Latest commit

 

History

History
116 lines (85 loc) · 4.85 KB

README.md

File metadata and controls

116 lines (85 loc) · 4.85 KB

sbupdate

This tool allows you to sign Arch Linux kernels using your own Secure Boot keys.

Installation

You should be familiar with the process of creating, installing and using custom Secure Boot keys. See:

After you have generated your custom keys, proceed with setup:

  • Install sbupdate-git from AUR
  • Place your custom keys in /etc/efi-keys
  • Configure /etc/sbupdate.conf (see Configuration)
  • Run sudo sbupdate for first-time image generation

For each installed Arch kernel, a signed UEFI image will be generated, by default in /boot/EFI/Arch/<NAME>-signed.efi. Multiple images can be generated with advanced configuration. Now you can add these images to your UEFI firmware or boot manager configuration.

After the initial setup, signed images will be (re)generated automatically when you install or update kernels using Pacman.

Note that the kernel command line, initramfs and boot splash will be embedded in the signed UEFI image.

Configuration

Edit the file /etc/sbupdate.conf. Set your default kernel command line in the CMDLINE_DEFAULT variable. If the file /etc/kernel/cmdline exists, it is read into CMDLINE_DEFAULT automatically.

The following optional settings are available:

  • Command line, initramfs and output name for each kernel config (each kernel can have multiple configs)
  • A list of additional boot files to sign
  • Locations of the key, ESP and output directories
  • Boot splash image

💡 Hint: Intel and AMD microcode updates are handled automatically.

💡 Hint: Disable boot splash to keep the UEFI boot logo. Oppositely, to keep the boot splash image during boot, add the quiet video=efifb:nobgrt parameters to the kernel command line.

Direct booting vs. boot manager

The generated images are UEFI executables and can be directly booted by UEFI firmware. Therefore, a separate boot manager such as systemd-boot is technically not required. This is similar to Linux EFISTUB.

Booting directly from firmware is arguably more secure, but may also be harder to set up and use. See Using UEFI directly in the above article, with the exception that the kernel command line does not need to be specified in this case.


Alternatively, you can use a boot manager. In this case you need to add the generated UEFI images to the boot manager configuration. For systemd-boot, the basic entry format is

title Arch Linux <NAME>
efi   /EFI/Arch/<NAME>-signed.efi

You also need to sign your boot manager's own UEFI executables with your custom keys. For systemd-boot, this is handled automatically on update. For first-time setup, run

echo /usr/lib/systemd/boot/efi/systemd-boot*.efi | sudo sbupdate -f
sudo bootctl update

For other boot managers, add corresponding ESP executables to the EXTRA_SIGN array in /etc/sbupdate.conf and re-run the tool if needed. You should remember to run the tool every time you update your boot manager's files.

⚠️ Note: When booting with Secure Boot disabled, options passed from an EFI shell (even empty) may override the built-in command line in the combined image, and the boot may fail. See #4.

ESP mount point

Typically ESP is mounted on /boot and contains also the original, unsigned files such as the Linux kernel image and initramfs. These files are susceptible to offline tampering.

It is recommended to mount ESP on a different directory, such as /efi, and keep /boot itself on the secure root file system. This way ESP will only contain signed images which cannot be tampered with.

See Configuration to change the ESP directory.

Note that if you use a boot manager other than systemd-boot, then its files still need to be on the ESP before they are signed. It is customary to sign these files right after they have been installed on the ESP. Direct booting is recommended for increased security.

Related resources