{"id":23141977,"url":"https://github.com/gdamjan/secure-boot","last_synced_at":"2025-04-04T11:32:55.628Z","repository":{"id":55121808,"uuid":"53895775","full_name":"gdamjan/secure-boot","owner":"gdamjan","description":"UEFI SecureBoot for ArchLinux","archived":false,"fork":false,"pushed_at":"2022-08-15T13:14:28.000Z","size":25,"stargazers_count":59,"open_issues_count":7,"forks_count":3,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-02-09T21:23:29.952Z","etag":null,"topics":["boot","uefi","uefi-secureboot"],"latest_commit_sha":null,"homepage":"","language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gdamjan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-03-14T22:15:21.000Z","updated_at":"2024-09-30T02:23:30.000Z","dependencies_parsed_at":"2022-08-14T12:40:26.698Z","dependency_job_id":null,"html_url":"https://github.com/gdamjan/secure-boot","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gdamjan%2Fsecure-boot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gdamjan%2Fsecure-boot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gdamjan%2Fsecure-boot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gdamjan%2Fsecure-boot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gdamjan","download_url":"https://codeload.github.com/gdamjan/secure-boot/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247171050,"owners_count":20895577,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["boot","uefi","uefi-secureboot"],"created_at":"2024-12-17T14:15:55.995Z","updated_at":"2025-04-04T11:32:55.598Z","avatar_url":"https://github.com/gdamjan.png","language":"Makefile","readme":"# UEFI SecureBoot on ArchLinux\n\n\u003e ⚠️ Note: this project will be deprecated soon, by the [`--uefi`](https://github.com/archlinux/mkinitcpio/pull/53) option in mkinitcpio and [sbctl](https://github.com/Foxboron/sbctl).\n \n## Rationale\n\nI want full control at what boots the computer to avoid the so called [_evil maid attack_](https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html). That requires setting SecureBoot with only my own keys. SecureBoot protects the computer from tampering with the installed OS and boot files, while it's left powered off outside our view. It's not a substitute for disk encryption though, it's an addition to it.\n\n\n## Quick Start\n\n* `secure-boot gen-keys` will create the keys in `/etc/secure-boot/` - make sure no-one can access them!\n\nThe `*.auth` files **must be enrolled** in the UEFI firmware the first time. Unfortunately this procedure\ndepends on the hardware i.e. the BIOS/UEFI (see below for a Thinkpad).\n* `secure-boot enroll` (experimental) enrolls the keys into the UEFI firmware using `efi-updatevar` from [efitools](https://www.archlinux.org/packages/extra/x86_64/efitools/) package.\n\n* `secure-boot update` will update the EFI executable in `/boot/Efi/Secure/secure-boot-linux.efi`\n* `secure-boot install` will run update and add an entry to the EFI boot list for the newly created image\n\n`secure-boot.hook` can be installed as a pacman hook (`/etc/pacman.d/hooks/`) that runs `secure-boot update` when the `linux`, `{intel,amd}-ucode` package or `initramfs` is updated. You can\nuse that file as a template for other kernels too (this procedure should converge to systemds kernel-install).\n\n\n## Configuration\n\nOptions can be put in `/etc/secure-boot/config.mk` (in makefile format). See the top lines of [secure-boot](secure-boot) for the\npossible options. You can also specify them on the command line:\n\n* `secure-boot KERNEL=linux-lts update` will sign and setup the -lts kernel (also linux-git, linux-zen, etc) - but make sure to setup\n  the pacman hook for those too.\n* by default the script expects a cpu microcode archive exists at `/boot/intel-ucode.img`, and packs it to the common initramfs.\n  Use `secure-boot UCODE= update` to disable it.\n\n\n## Intro\n\nTo simplify, I boot Linux directly from UEFI (no intermediate bootloaders).\n\nUEFI can only boot a single efi executable, but to boot Linux you also need one or more initramfs (including intel micro-code) and a command line[1].\nSo all of these things have to be combined with `objcopy`. The combined file is then signed.\n\nAlternatively I'd need to use grub2 or some other bootloader that knows about SecureBoot - that kind of scares me since it increases the [attack surface](https://lwn.net/Articles/827403/).\n\n[1] command line: the boot command line maybe could be avoided with [auto-discovery](http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/).\nAFAIK Arch is not fully ready for that yet.\n\nThree keys/certificates are needed for UEFI SecureBoot (PK, KEK, DB). They are created with openssl.\n\nMAKE SURE YOU KEEP your keys **SECURE**! Also put a BIOS password!\n\n**ASSUMPTIONS:** `/boot/` is the ESP (EFI System Partition)\n\n**Required packages**: efibootmgr and from AUR: sbsigntools and efitools. pesign was recommended in some docs, didn't work at all for me when signing files.\n\n\n## Thinkpad\n\nThinkpads (T450s, X1 Carbon) don't have key management in the firmware (the _bios_), so a third-party one needs to be used.\n`efitools` has `KeyTool.efi`, so I copied it and the `*.auth` files in `/boot/keys` and set it up to boot on next-boot with efibootmgr.\n\nMake sure to clear the built-in keys first, otherwise you can't setup your own. In some firmwares there's a separate option for that,\nor it does it when you select *Enter Setup mode* option. Save and reset, and now KeyTool.efi will be able to *replace* the PK, KEK and db\ncertificates. I didn't just *add* the certificate because I wanted only my own keys there. If that is ok, reboot and **enable SecureBoot**.\n\nOn the next reboot KeyTool.efi can't run since it's not signed, so the boot will continue to my own combined and signed Linux image.\n\nDon't forget to upgrade the firmware before starting. Bugs are often fixed and not even documented.\n\n\n## Testing in KVM\n\nTo run QEMU/KVM with the OVMF firmware (path specific to ArchLinux), run it as:\n\n```\nqemu-system-x86_64 -enable-kvm -bios /usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd -hda vfat:/usr/share/efitools/efi/\n```\n\nor just install some Linux from .iso. Don't forget, UEFI requires GPT.\n\n\n### References\n\n* http://tomsblog.gschwinds.net/2014/08/uefi-secure-boot-hands-on-experience/\n* https://fedoraproject.org/wiki/Using_UEFI_with_QEMU\n* https://wiki.ubuntu.com/SecurityTeam/SecureBoot\n* http://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO\n* https://www.suse.com/communities/conversations/uefi-secure-boot-details/\n* http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgdamjan%2Fsecure-boot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgdamjan%2Fsecure-boot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgdamjan%2Fsecure-boot/lists"}