Configure SecureBoot
SecureBoot is a feature of UEFI firmware that only executes boot binaries (bootloaders, kernels, Unified Kernel Images) whose signatures chain to a certificate enrolled in the firmware's signature database (db). With your own keys enrolled and nothing else trusted, the firmware will refuse to run an unsigned live USB or a kernel image that somebody has swapped into your boot partition. This matters for the next section because the TPM records the SecureBoot state and the enrolled keys in its platform configuration registers (PCR 7), and the disk-unlock policy will be bound to those measurements: if an attacker disables SecureBoot or enrolls their own keys to get a modified image to run, the measurements change and the TPM will not release your hard drive's decryption key.
All of the instructions in this section need to be run from a terminal/command line.
First step
You need to put your system into SecureBoot setup mode. The instructions for how to do this will vary. Please consult your computer manufacturer's documentation for how to do this. On my Tuxedo laptop, I needed to choose the option to erase the SecureBoot settings, which caused the computer to reboot in setup mode.
Be careful with this step. Clearing the SecureBoot keys also removes Microsoft's certificates from the firmware's database, so an existing Windows installation will fail signature verification and not boot until those certificates are re-enrolled (see the -m option below). BitLocker also notices the changed SecureBoot measurements and will demand its recovery key, so have that key available before you start.
Install necessary packages
When you've booted your computer into setup mode, install the sbctl and sbsigntools packages (the package names may differ on a system other than Arch). sbctl manages the keys and signatures; sbsigntools provides sbsign and sbverify, which let you check signatures independently of sbctl. Install with the following command:
sudo pacman -S sbctl sbsigntools
Verify the SecureBoot state is in Setup Mode
Run the following command to verify SecureBoot is in Setup mode:
sudo sbctl status
You should see something like this:
Installed: ✓ sbctl is installed
Owner GUID: 308b1735-df33-43b9-95d3-9a5f3d21699f
Setup Mode: ✓ Enabled
Secure Boot: ✓ Disabled
Vendor Keys: none
Generate SecureBoot signing keys
Next, you need to generate signing keys: a Platform Key (PK), a Key Exchange Key (KEK) and a signature database key (db). The db key is the one that will cryptographically sign your Unified Kernel Images, and the firmware will check that signature against the db certificate before executing an image. Note that this only proves the image was signed with your key, so keep the private keys, which sbctl stores on the root filesystem, readable by root only: anyone who can read them can sign images your firmware will trust. Run the following command:
sudo sbctl create-keys
Enroll your signing keys in SecureBoot
You need to enroll the public certificates for these keys (PK, KEK and db) in the firmware so that it can verify the signatures on your boot images. Enroll your keys with the following command:
sudo sbctl enroll-keys -m
This step will fail if your system is not in SecureBoot Setup Mode. NOTE: The -m option may not be necessary. It also enrolls Microsoft's public certificates in the db, which lets a Windows installation keep booting. Additionally, some hardware manufacturers may use Microsoft keys to sign their UEFI/BIOS images, and option ROMs (a discrete GPU, for example) are commonly signed with Microsoft's third-party key; without those certificates such hardware may fail to initialize. sbctl inspects the TPM event log for option ROMs and refuses to enroll keys without -m when it finds any, unless you pass its --yes-this-might-brick-my-machine override. I did not need it for my Tuxedo laptop, but you may need it for your system.
Sign your boot images
Next, you need to cryptographically sign your boot images. sbctl scans the EFI system partition for EFI binaries; you can list them, together with their signature state, with the following command:
sudo sbctl verify
The output will look something like this:
Verifying file database and EFI images in /boot...
/boot/EFI/BOOT/BOOTX64.EFI is NOT signed
/boot/EFI/Linux/arch-linux-fallback.efi is NOT signed
/boot/EFI/Linux/arch-linux.efi is NOT signed
/boot/EFI/systemd/systemd-bootx64.efi is NOT signed
/boot/vmlinuz-linux is NOT signed
You need to sign every file identified in this list. Do so with the following command, once per file, replacing ((filename)) with a path from the list. The -s (--save) option records the file in sbctl's database so that it is re-signed automatically after updates. (/boot/vmlinuz-linux only needs to be signed if you boot the plain kernel through a loader entry rather than through a UKI, but signing it does no harm.)
sudo sbctl sign -s ((filename))
When they're all signed, the output will look like this:
Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/arch-linux-fallback.efi is signed
✓ /boot/EFI/Linux/arch-linux.efi is signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
✓ /boot/vmlinuz-linux is signed
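The following shell script is an added example; it is not part of the original page or of sbctl. It automates the signing step above: it parses the output of sbctl verify, signs every file reported as unsigned with sbctl sign -s, and then cross-checks each signed file with sbverify from sbsigntools against the db certificate. The certificate path is an assumption that depends on your sbctl version (0.13 and earlier keep keys under /usr/share/secureboot/keys, 0.14 and later under /var/lib/sbctl/keys); override it with the DB_CERT environment variable if yours differs.

```shell
#!/bin/sh
# Added example, not from the original page or from sbctl itself.
# Assumptions: the ESP is mounted at /boot and sbctl's db certificate lives
# at DB_CERT (sbctl <= 0.13 default; sbctl >= 0.14 uses /var/lib/sbctl/keys/db/db.pem).
DB_CERT=${DB_CERT:-/usr/share/secureboot/keys/db/db.pem}

# Reads `sbctl verify` output on stdin and prints, one per line, the path of
# every file whose line ends in the given status ("is NOT signed" or
# "is signed"). The path is everything from the first "/" onward, which
# also drops the leading check mark sbctl prints for signed files.
paths_with_status() {
    suffix=$1
    while IFS= read -r line; do
        case "$line" in
            *" $suffix")
                p=${line%" $suffix"}
                printf '/%s\n' "${p#*/}"
                ;;
        esac
    done
}

unsigned_from_verify() { paths_with_status "is NOT signed"; }
signed_from_verify()   { paths_with_status "is signed"; }

# Signs each unsigned file with -s so sbctl records it in its database and
# re-signs it automatically after future kernel updates.
sign_unsigned() {
    sbctl verify | unsigned_from_verify | while IFS= read -r f; do
        sbctl sign -s "$f"
    done
}

# Independent check: sbverify validates the Authenticode signature against
# the db certificate without going through sbctl's own database, so a
# stale or wrong entry there cannot mask an unsigned image.
verify_with_sbverify() {
    sbctl verify | signed_from_verify | while IFS= read -r f; do
        if sbverify --cert "$DB_CERT" "$f" >/dev/null 2>&1; then
            echo "ok   $f"
        else
            echo "FAIL $f"
        fi
    done
}

# Only touch the real system when asked to, so the parsing functions can be
# exercised on captured output without sbctl being installed.
case "${1:-}" in
    sign)   sign_unsigned ;;
    verify) verify_with_sbverify ;;
esac
```

Run it as root with the argument sign to sign everything that is currently unsigned, then with verify to confirm every signed file validates against your db certificate; a FAIL line means the file was signed with a key the firmware will not trust.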
Verify that the mkinitcpio hook will automatically sign your kernel
On Arch, the sbctl package installs a mkinitcpio post hook that re-signs the UKI every time mkinitcpio rebuilds it, which is what happens on a kernel update. You need to make sure this is working before you enable SecureBoot in your firmware. Regenerate the images with the following command:
sudo mkinitcpio -P
Read the output as it appears. You're looking for a line similar to this:
Signing /boot/EFI/Linux/arch-linux.efi
✓ Signed /boot/EFI/Linux/arch-linux.efi
If you see it, you can be confident that your computer will automatically sign the kernel whenever a system update rebuilds it.
This verification is critical before you enable SecureBoot. The images you just signed by hand will boot either way, but if the hook is not working, the first kernel update will replace the signed UKI with an unsigned one and the firmware will refuse to boot it.
Reboot your computer, enable SecureBoot
Reboot your computer once, to make sure everything is still working as expected. You will still need to enter your password to decrypt the hard drive, but your computer should otherwise boot as normal.
Once you're sure your computer will still boot, reboot into your UEFI settings and enable SecureBoot. This will likely cause your computer to reboot again. If the firmware then reports a security violation or drops you back into its settings screen, disable SecureBoot again, boot normally and re-check the output of sbctl verify; nothing is lost, because the signatures are only enforced while SecureBoot is enabled.
Validate that your system is using SecureBoot
Finally, check that your system is using SecureBoot using the following command:
sudo sbctl status
If it all worked, you should see an output that looks like this:
Installed: ✓ sbctl is installed
Owner GUID: 308b1735-df33-43b9-95d3-9a5f3d21699f
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: none
If this is what you see, continue on to the next section to configure the TPM to automatically decrypt your hard drive.
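As an added example (not part of the original page or of sbctl), the script below reads the firmware's own SecureBoot and SetupMode variables directly from efivarfs, which is the same source sbctl status uses. It serves both the Setup Mode check earlier in this section and the final validation here: it classifies the pair of values into the state the tutorial expects at each stage, so you can confirm the firmware's view without relying on a single tool (bootctl status reports the same state as "Secure Boot: enabled (user)"). It assumes efivarfs is mounted at /sys/firmware/efi/efivars, the default on systemd-based systems; the GUID is the standard EFI global variable GUID both variables live under.

```shell
#!/bin/sh
# Added example, not from the original page or from sbctl itself.
# Assumption: efivarfs is mounted at /sys/firmware/efi/efivars.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
EFIVARS=/sys/firmware/efi/efivars

# efivarfs exposes each variable as 4 bytes of attributes followed by the
# variable data. For SecureBoot and SetupMode the data is one byte (0 or 1).
# Prints that byte as a decimal number, or "absent" if the variable does not
# exist (for example on a legacy BIOS boot or with efivarfs not mounted).
efivar_bool() {
    varfile=$1
    [ -r "$varfile" ] || { echo absent; return 0; }
    # -An: no offsets; -t u1: unsigned bytes; -j 4: skip the attribute dword; -N 1: one byte
    od -An -t u1 -j 4 -N 1 "$varfile" | tr -d ' '
}

# Classifies (SecureBoot, SetupMode) into the state the tutorial expects.
# Takes the two values as arguments so it can be checked without firmware.
sb_state() {
    case "$1/$2" in
        0/1) echo "setup-mode: ready to enroll keys" ;;
        1/0) echo "secure-boot-enabled: user mode" ;;
        0/0) echo "user-mode-but-secure-boot-off: enable SecureBoot in UEFI settings" ;;
        1/1) echo "inconsistent: firmware reports both flags set" ;;
        *)   echo "unknown: $1/$2" ;;
    esac
}

# Only query the real firmware when asked to, so the functions above can be
# exercised on constructed variable files.
if [ "${1:-}" = "check" ]; then
    sb=$(efivar_bool "$EFIVARS/SecureBoot-$EFI_GLOBAL_GUID")
    sm=$(efivar_bool "$EFIVARS/SetupMode-$EFI_GLOBAL_GUID")
    echo "SecureBoot=$sb SetupMode=$sm -> $(sb_state "$sb" "$sm")"
fi
```

Run it with the argument check before enrolling keys (expect SecureBoot=0 SetupMode=1) and again after the final reboot (expect SecureBoot=1 SetupMode=0). The 0/0 case is the one to watch for: it means keys are enrolled but SecureBoot is still switched off in the firmware, so the TPM policy in the next section would bind to the wrong state.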