Setting up Secure Boot for Arch Linux: A Step-by-Step Guide


I have tried to simplify the process and would appreciate any input. Be aware, however, that some PC vendors ship subpar UEFI and motherboard firmware, so settings and behaviour may vary. To do this, I will be using efibootmgr and a newer tool called sbctl, written by FoxBoron. Keep in mind that all commands must be run with root privileges, for example via sudo.

Prerequisites

  • Secure Boot is turned off.
  • No existing PK, KEK, DB or DBX certificates. Delete if present.
  • UEFI is not password locked.
  • Arch Linux is the only installed OS.
  • Arch Linux is booted in UEFI mode. Run this in your terminal: test -d /sys/firmware/efi && echo true || echo false. If it prints true, you're good to go!
  • The EFI partition (ESP) is mounted at /efi. Run this in your terminal: test -d /efi/EFI && echo true || echo false. If it prints true, you may proceed to Secure Boot Configuration. Otherwise, read the addendum.
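The prerequisites above can be checked from the firmware variables rather than by hand. The following pre-flight script is an added example, not part of the original guide: it reads the SecureBoot and SetupMode variables from efivarfs (a firmware with no PK enrolled reports SetupMode=1) and looks for the PK, KEK, db and dbx databases. The efivarfs and ESP directories are parameters (assumed defaults /sys/firmware/efi/efivars and /efi) so the functions can also be exercised against a constructed directory tree.

```shell
# Pre-flight checks for the sbctl setup (added example; efivars/esp paths are
# parameters so the functions can be run against a constructed directory).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # GUID of PK, KEK, SecureBoot, SetupMode
EFI_IMGSEC=d719b2cb-3d3a-4596-a3bc-dad00e67656f   # GUID of db, dbx

# efivarfs files hold 4 attribute bytes followed by the variable data.
# Print the first data byte of a boolean variable (0 or 1), or "absent".
uefi_bool() {
    [ -r "$1" ] || { echo absent; return 0; }
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# True when the firmware is currently enforcing Secure Boot.
secureboot_enabled() {
    [ "$(uefi_bool "$1/SecureBoot-$EFI_GLOBAL")" = 1 ]
}

# True when the firmware is in Setup Mode, i.e. no Platform Key is enrolled.
setup_mode() {
    [ "$(uefi_bool "$1/SetupMode-$EFI_GLOBAL")" = 1 ]
}

# Print the names of any key databases still present (one per line).
enrolled_dbs() {
    for v in "PK-$EFI_GLOBAL" "KEK-$EFI_GLOBAL" "db-$EFI_IMGSEC" "dbx-$EFI_IMGSEC"; do
        [ -e "$1/$v" ] && echo "${v%%-*}"
    done
    return 0
}

# preflight [efivars-dir] [esp-mountpoint]: report every unmet prerequisite,
# return 0 only if all of them hold.
preflight() {
    efivars="${1:-/sys/firmware/efi/efivars}"
    esp="${2:-/efi}"
    rc=0
    [ -d "$efivars" ] || { echo "not booted in UEFI mode (no efivarfs)"; return 1; }
    if secureboot_enabled "$efivars"; then echo "Secure Boot is still turned on"; rc=1; fi
    if ! setup_mode "$efivars"; then echo "firmware is not in Setup Mode"; rc=1; fi
    dbs=$(enrolled_dbs "$efivars")
    [ -n "$dbs" ] && { echo "existing key databases:" $dbs; rc=1; }
    [ -d "$esp/EFI" ] || { echo "ESP is not mounted at $esp"; rc=1; }
    return $rc
}
```

Run `preflight` with no arguments on the live system; a clean exit means you can go straight to the Secure Boot configuration.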

Addendum

You shouldn't mount the ESP at /boot, or it does double duty as the boot directory, which can compromise Secure Boot. Mounting the ESP at /boot/efi is safer but still discouraged.

NOTE: If the ESP is mounted at /boot/efi, skip the 1st step, follow the 2nd, and run 'umount /boot/efi' instead in the 3rd step.

First, remove all kernels, microcode images and initramfs images from /boot. Second, make the /efi directory. Third, unmount the /boot directory.

# rm /boot/{*img,vmlinuz*}
# mkdir /efi
# umount /boot

Fourth, edit /etc/fstab and change the mountpoint of the ESP to /efi. The ESP is usually identified by an 8-character UUID (e.g. 1A2B-3C4D) or as the first partition of a disk (e.g. /dev/sda1).

# nano /etc/fstab

Fifth, remount ESP with the new /etc/fstab.

# systemctl daemon-reload
# mount -a

Sixth, repopulate the boot directory with the kernel and initramfs by reinstalling the Linux kernel with pacman. mkinitcpio will build a new initramfs automatically.

# pacman -S linux

END OF ADDENDUM

Arch Linux Secure Boot Configuration

Install CPU microcode, sbctl and efibootmgr.

NOTE: For AMD processors, replace intel-ucode with amd-ucode.

# pacman -S intel-ucode sbctl efibootmgr

Copy the current kernel options to /etc/kernel/cmdline and make the file writable (cp keeps the read-only mode of /proc/cmdline):

# cp /proc/cmdline /etc/kernel/cmdline
# chmod 644 /etc/kernel/cmdline

Bundle your microcode, kernel, initramfs and kernel cmdline into a Unified Kernel Image.

NOTE: ONLY BUNDLE IN ONE MICROCODE. For AMD, remove the line -i /boot/intel-ucode.img; for Intel, remove the line -a /boot/amd-ucode.img.

# sbctl bundle -s \
 -a /boot/amd-ucode.img \
 -i /boot/intel-ucode.img \
 -k /boot/vmlinuz-linux \
 -f /boot/initramfs-linux.img \
 -c /etc/kernel/cmdline \
 /efi/EFI/Linux/ArchBundle.efi

Create the keys, sign the bundle, and enroll your own certificates together with Microsoft's into the UEFI:

# sbctl create-keys
# sbctl generate-bundles --sign
# sbctl enroll-keys --microsoft

Find the EFI partition using lsblk: check the NAME column where MOUNTPOINT says /efi.

# lsblk

Assuming that it is /dev/sda1 …

# efibootmgr --create \
 --disk /dev/sda \
 --part 1 \
 --label "My Signed Bundle" \
 --loader /EFI/Linux/ArchBundle.efi

Reboot into the UEFI settings and set an administrator password to prevent unwanted tampering. Now you can reboot, and it should boot straight into Arch Linux.

Once in Arch Linux, check Secure Boot status and verify all is well:

# sbctl status

END OF SECURE BOOT SETUP

Whenever pacman updates the kernel, sbctl regenerates the bundle with the new kernel and signs it.

To change kernel options, just edit /etc/kernel/cmdline, then update the bundle and sign it:

# nano /etc/kernel/cmdline
# sbctl generate-bundles --sign

Charles F Flores

With over three years of in-depth experience working in technical fields, Charles is a master content writer who loves writing about Linux and Mac at Easy Tech Tutorials.
