{"id":20812740,"url":"https://github.com/dadevel/secboot","last_synced_at":"2025-05-07T11:03:39.778Z","repository":{"id":133485550,"uuid":"370147503","full_name":"dadevel/secboot","owner":"dadevel","description":"Utility to secure your Linux boot process.","archived":false,"fork":false,"pushed_at":"2024-10-15T18:30:26.000Z","size":30,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-31T09:21:19.161Z","etag":null,"topics":["secure-boot","tpm-pin","unified-kernel-image"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dadevel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-05-23T20:07:43.000Z","updated_at":"2024-10-15T18:30:29.000Z","dependencies_parsed_at":null,"dependency_job_id":"4eaf5a5b-508d-4a81-9735-0bef1247e047","html_url":"https://github.com/dadevel/secboot","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fsecboot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fsecboot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fsecboot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fsecboot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dadevel","download_url":"https://codeload.github.com/dadevel/secboot/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252865704,"owners_count":21816306,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["secure-boot","tpm-pin","unified-kernel-image"],"created_at":"2024-11-17T20:57:54.374Z","updated_at":"2025-05-07T11:03:39.667Z","avatar_url":"https://github.com/dadevel.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# secboot\n\nAn all-in-one Python script to secure your Linux boot process.\n\nIncluded features:\n\n- enrollment of self-signed Secure Boot certificates\n- direct kernel boot trough [Unified Kernel Images](https://wiki.archlinux.org/title/Unified_kernel_image) built with [Dracut](https://github.com/dracutdevs/dracut)\n- LUKS encryption keys stored in TPM and protected by TPM PIN via [systemd-cryptenroll](https://www.freedesktop.org/software/systemd/man/latest/systemd-cryptenroll.html)\n- integrated support for [fwupd](https://github.com/fwupd/fwupd)\n\nSupported distributions:\n\n- Arch Linux (stable)\n- Debian/Ubuntu (experimental)\n\nHardware requirements:\n\n- TPM 2.0 in firmware or dedicated\n\n## Setup \u0026 Usage\n\nThe setup can be performed on an existing installation as long as the installation is booted via UEFI and has a LUKS-encrypted root partition.\n\nFirst install the following dependencies with the package manager of your distro:\n\n- Python 3.11 or newer\n- cryptsetup\n- dracut\n- efibootmgr\n- efitools\n- fwupd\n- openssl\n- sbsigntools\n- tpm2-tools\n\nThen install the `secboot` utility together with accompanying package manager hooks.\nCurrently supported are `apt` on Debian/Ubuntu and `pacman` on Arch Linux.\n\n~~~ bash\ngit clone --depth 1 https://github.com/dadevel/secboot.git\nsudo ./secboot/setup.sh\n~~~\n\nThe next step is the configuration of `secboot`.\nA description of the options and their default values can be found at the top of [main.py](./secboot/main.py#L18).\nThe configuration is always stored at `/etc/secboot/config.json`.\n\nExample for Ubuntu with automatic signing of dynamic kernel modules:\n\n~~~ json\n{\n  \"efi-partition\": \"/dev/sda1\",\n  \"efi-mountpoint\": \"/boot/efi\",\n  \"efi-subdir\": \"/boot/efi/EFI/Linux\",\n  \"luks-partition\": \"/dev/sda2\",\n  \"kernel-params\": \"rw root=LABEL=root\",\n  \"dkms-files\": [\"/usr/lib/modules/{version}/updates/dkms/*.ko\"]\n}\n~~~\n\nExample for Arch Linux with additional hardening and fallback to LTS kernel:\n\n~~~ json\n{\n  \"efi-partition\": \"/dev/nvme0n1p1\",\n  \"efi-mountpoint\": \"/boot\",\n  \"efi-subdir\": \"/boot/EFI/Linux\",\n  \"luks-partition\": \"/dev/nvme0n1p2\",\n  \"kernel-params\": \"rw rd.luks.allow-discards rd.luks.timeout=0 root=LABEL=root rootflags=x-systemd.device-timeout=0 lsm=capability,landlock,lockdown,yama,bpf,integrity rd.shell=0 rd.emergency=reboot quiet\",\n  \"kernel-priority\": [\"linux\", \"linux-lts\"],\n  \"initramfs-compression\": \"zstd\"\n}\n~~~\n\nBefore you continue bring your UEFI firmware into Secure Boot Setup Mode.\nThe procedure on Lenovo ThinkPads is the following:\n\n1. Power cycle your laptop and press `F1` when the Lenovo logo appears to open BIOS settings.\n2. Ensure that `Security/Secure Boot/Secure Boot` is `Enabled`.\n3. Select `Security/Secure Boot/Reset to Setup Mode` and `Security/Secure Boot/Clear All Secure Boot Keys`.\n4. Make sure the TPM module is enabled.\n5. Save and exit with `F10`.  \n\nAfter your computer booted back up generate the Secure Boot certificates and enroll them.\nThe command is idempotent and can be repeated in case of failure.\n\n~~~ bash\nsudo secboot enroll-certificates\n~~~\n\nThen trigger a rebuild of the UKI by reinstalling the kernel package.\n\n~~~ bash\n# Arch Linux\nsudo pacman -S linux\n# Debian/Ubuntu\nsudo apt install --reinstall -y linux-image-6.5.0-21-generic\n~~~\n\nNext reboot your computer.\n\n~~~ bash\nsudo systemctl reboot\n~~~\n\nWait until the reboot completed and verify that Secure Boot is active.\n\n~~~ bash\nsudo fwupdtool security 2\u003e /dev/null | grep -i 'secure boot'\n~~~\n\nNow add a TPM-protected key to LUKS.\nThe command is idempotent as well.\n\n~~~ bash\nsudo secboot enroll-tpm\n~~~\n\nThen trigger another UKI rebuild.\n\n~~~ bash\n# Arch Linux\nsudo pacman -S linux\n# Debian/Ubuntu\nsudo apt install --reinstall -y linux-image-6.5.0-21-generic\n~~~\n\nAnd reboot one more time.\n\n~~~ bash\nsudo systemctl reboot\n~~~\n\nOn Arch Linux you can now remove `mkinitcpio`.\n\n~~~ bash\nsudo pacman -Rns mkinitcpio\n~~~\n\n## Troubleshooting\n\nThe warning *data remaining: gaps between PE/COFF sections?* is caused by `sbsign` and can be safely ignored.\n\nIf fwupd fails on Arch Linux with the error *Secure Boot is enabled, but shim isn't installed* then run `sudo touch /boot/efi/EFI/arch/shimx64.efi`.\n\n## References\n\n- [User:Krin/Secure Boot, full disk encryption, and TPM2 unlocking install](http://web.archive.org/web/20231203112801/https://wiki.archlinux.org/title/User:Krin/Secure_Boot,_full_disk_encryption,_and_TPM2_unlocking_install)\n- [Unlocking LUKS2 volumes with TPM2, FIDO2, PKCS#11 Security Hardware on systemd 248](http://web.archive.org/web/20240209114847/http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadevel%2Fsecboot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdadevel%2Fsecboot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadevel%2Fsecboot/lists"}