Secure Boot
For an overview about Secure Boot in Linux see Rodsbooks' Secure Boot article. This article focuses on how to set up Secure Boot in Arch Linux.
Using a signed boot loader
Booting archiso
Booting the archiso with Secure Boot enabled is possible since the EFI applications PreLoader.efi and HashTool.efi have been added to it. A message will show up that says Failed to Start loader... I will now execute HashTool. To use HashTool for enrolling the hash of loader.efi and vmlinuz.efi, follow these steps.
- Select OK.
- In the HashTool main menu, select Enroll Hash, choose \loader.efi and confirm with Yes. Again, select Enroll Hash and archiso to enter the archiso directory, then select vmlinuz.efi and confirm with Yes. Then choose Exit to return to the boot device selection menu.
- In the boot device selection menu choose Arch Linux archiso x86_64 UEFI CD.
The archiso boots, and you are presented with a shell prompt, automatically logged in as root. To check if the archiso was booted with Secure Boot, use this command:
$ od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
The characters denoted by XXXX differ from machine to machine. To help with this, you can use tab completion or list the EFI variables.
The output is five bytes: the first four are the variable's attributes, the fifth is the value of the variable itself. If Secure Boot is enabled, this command returns 1 as the final integer in that list of five, for example:
6 0 0 0 1
For a verbose status, another way is to execute:
# bootctl status
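As an added example (not part of the original article), the same check wrapped in a small POSIX sh script that reads both SecureBoot and SetupMode. It relies only on the efivarfs layout described above: four bytes of variable attributes followed by the variable data, which for these two variables is a single byte. The GUID in the comment is the standard EFI global-variable vendor GUID; the optional directory argument is there so the functions can be exercised against a constructed directory instead of the live /sys/firmware/efi/efivars.

```shell
#!/bin/sh
# Added example: read UEFI boolean variables (SecureBoot, SetupMode) from
# efivarfs. Not from the Arch wiki. Variables are exposed as
# NAME-<vendor GUID>; for the two handled here the vendor GUID is the EFI
# global variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c.

# efi_bool_state FILE: print "enabled", "disabled" or "unknown";
# returns 0, 1 or 2 respectively so it can be used directly in an `if`
efi_bool_state() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 2; }
    # skip the 4 attribute bytes and read exactly one data byte, unsigned
    v=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')
    case "$v" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 2 ;;
    esac
}

# efi_var_path NAME [DIR]: path of NAME-<GUID> in DIR (default: efivarfs),
# so the caller does not have to know the vendor GUID
efi_var_path() {
    for p in "${2:-/sys/firmware/efi/efivars}/$1"-*; do
        if [ -e "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# secureboot_report [DIR]: one line per variable, e.g. "SecureBoot: enabled"
secureboot_report() {
    dir=${1:-/sys/firmware/efi/efivars}
    sb=$(efi_var_path SecureBoot "$dir") || {
        echo "no SecureBoot variable: not booted via UEFI, or efivarfs not mounted" >&2
        return 2
    }
    sm=$(efi_var_path SetupMode "$dir") || sm=''
    printf 'SecureBoot: %s\n' "$(efi_bool_state "$sb")"
    if [ -n "$sm" ]; then
        printf 'SetupMode: %s\n' "$(efi_bool_state "$sm")"
    fi
    return 0
}
```

SetupMode is worth reading next to SecureBoot: a firmware with no Platform Key enrolled reports SetupMode 1 and SecureBoot 0, which is the state the sections on using your own keys below call Setup Mode.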
Set up PreLoader
Install preloader-signedAUR and copy PreLoader.efi and HashTool.efi to the boot loader directory; for systemd-boot use:
# cp /usr/share/preloader-signed/{PreLoader,HashTool}.efi esp/EFI/systemd
Now copy over the boot loader binary and rename it to loader.efi; for systemd-boot use:
# cp esp/EFI/systemd/systemd-bootx64.efi esp/EFI/systemd/loader.efi
Finally, create a new NVRAM entry to boot PreLoader.efi:
# efibootmgr --disk /dev/sdX --part Y --create --label "PreLoader" --loader /EFI/systemd/PreLoader.efi
Replace X with the letter of the drive and Y with the partition number of the EFI System Partition.
This entry should be the first in the boot order; check with the efibootmgr command and adjust the boot order if necessary.
Fallback
If there are problems booting the custom NVRAM entry, copy HashTool.efi and loader.efi to the default loader location booted automatically by UEFI systems:
# cp /usr/share/preloader-signed/HashTool.efi esp/EFI/Boot
# cp esp/EFI/systemd/systemd-bootx64.efi esp/EFI/Boot/loader.efi
Copy over PreLoader.efi and rename it:
# cp /usr/share/preloader-signed/PreLoader.efi esp/EFI/Boot/bootx64.efi
For particularly intransigent UEFI implementations, copy PreLoader.efi to the default loader location used by Windows systems. On a system that also has Windows installed, this overwrites the Windows Boot Manager at that path, so back up the existing bootmgfw.efi first:
# mkdir -p esp/EFI/Microsoft/Boot
# cp /usr/share/preloader-signed/PreLoader.efi esp/EFI/Microsoft/Boot/bootmgfw.efi
As before, copy HashTool.efi and loader.efi to esp/EFI/Microsoft/Boot.
When the system starts with Secure Boot enabled, follow the steps above to enrol loader.efi and /vmlinuz-linux (or whichever kernel image is being used).
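The three layouts described in Set up PreLoader and Fallback, collected into one script as an added example (not the article's or the preloader-signed package's own code). It assumes the ESP is mounted at the path given as the first argument, that systemd-boot has already been installed there, and that PreLoader.efi and HashTool.efi are in the directory given as the second argument (normally /usr/share/preloader-signed). The Windows-path step is kept in a separate function because it overwrites bootmgfw.efi; the .bak suffix it uses for the backup is this example's own choice. The efibootmgr entry still has to be created by hand as shown above, since that writes NVRAM.

```shell
#!/bin/sh
# Added example: place PreLoader, HashTool and systemd-boot in the three ESP
# locations the article describes, and verify the result. Not from the Arch
# wiki or preloader-signed.
set -u

# copy_triplet DST SRC SDBOOT NAME: PreLoader.efi (stored as NAME),
# HashTool.efi and the systemd-boot binary (stored as loader.efi) into DST
copy_triplet() {
    dst=$1 src=$2 sdboot=$3 name=$4
    mkdir -p "$dst" || return 1
    cp "$src/PreLoader.efi" "$dst/$name" &&
    cp "$src/HashTool.efi"  "$dst/HashTool.efi" &&
    cp "$sdboot"            "$dst/loader.efi"
}

# install_preloader ESP SRC: the primary location EFI/systemd (booted through
# the NVRAM entry) and the fallback path EFI/Boot/bootx64.efi that firmware
# boots automatically
install_preloader() {
    esp=$1 src=$2
    sdboot="$esp/EFI/systemd/systemd-bootx64.efi"
    [ -f "$sdboot" ] || { echo "systemd-boot is not installed in $esp" >&2; return 1; }
    copy_triplet "$esp/EFI/systemd" "$src" "$sdboot" PreLoader.efi &&
    copy_triplet "$esp/EFI/Boot"    "$src" "$sdboot" bootx64.efi
}

# install_preloader_ms ESP SRC: the Windows Boot Manager path, for firmware
# that ignores everything else. An existing bootmgfw.efi is the real Windows
# boot manager on a dual-boot system, so it is backed up once (the .bak name
# is an assumption of this example, not something the article prescribes).
install_preloader_ms() {
    esp=$1 src=$2
    sdboot="$esp/EFI/systemd/systemd-bootx64.efi"
    ms="$esp/EFI/Microsoft/Boot"
    if [ -f "$ms/bootmgfw.efi" ] && [ ! -f "$ms/bootmgfw.efi.bak" ]; then
        cp "$ms/bootmgfw.efi" "$ms/bootmgfw.efi.bak" || return 1
    fi
    copy_triplet "$ms" "$src" "$sdboot" bootmgfw.efi
}

# check_preloader_layout ESP [ms]: list missing files on stderr and return
# their count (0 means the layout is complete); pass "ms" to also require
# the Windows path
check_preloader_layout() {
    esp=$1 missing=0
    list="EFI/systemd/PreLoader.efi EFI/systemd/HashTool.efi EFI/systemd/loader.efi
          EFI/Boot/bootx64.efi EFI/Boot/HashTool.efi EFI/Boot/loader.efi"
    if [ "${2:-}" = ms ]; then
        list="$list EFI/Microsoft/Boot/bootmgfw.efi EFI/Microsoft/Boot/HashTool.efi EFI/Microsoft/Boot/loader.efi"
    fi
    for f in $list; do
        [ -f "$esp/$f" ] || { echo "missing: $f" >&2; missing=$((missing + 1)); }
    done
    return "$missing"
}
```

Run check_preloader_layout after every copy (and after a systemd-boot or preloader-signed upgrade): a missing loader.efi in one of the fallback directories is exactly the kind of gap that only shows up when the firmware silently falls through to that path.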
Remove PreLoader
Uninstall preloader-signedAUR and simply remove the copied files and revert the configuration; for systemd-boot use:
# rm esp/EFI/systemd/{PreLoader,HashTool}.efi
# rm esp/EFI/systemd/loader.efi
# efibootmgr -b N -B
# bootctl update
Where N is the NVRAM boot entry created for booting PreLoader.efi. Check with the efibootmgr command and adjust the boot order if necessary.
Using your own keys
Secure Boot implementations use these keys:
- Platform Key (PK): top-level key
- Key Exchange Key (KEK): key used to sign signature databases or EFI binaries
- Signature Database (db): contains keys and/or hashes used to sign EFI binaries
- Forbidden Signatures Database (dbx): contains keys and/or hashes used to blacklist EFI binaries
To use Secure Boot you need at least PK, KEK and db keys.
Once Secure Boot is in "User Mode", the keys can only be updated by signing the update (using sign-efi-sig-list) with a higher-level key: an update to db or dbx must be signed with a KEK, an update to KEK with the PK, and the Platform Key can be signed by itself.
Creating keys
To generate keys, install efitools.
You will need keys and certificates in multiple formats:
- Create keys and PEM format certificates for sbsign
- Convert certificates to DER format for firmware
- Convert certificates to EFI Signature List for KeyTool
Create a GUID for owner identification:
$ uuidgen --random
Platform key (in this and the following commands, replace GUID with the value generated above):
$ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
$ openssl x509 -outform DER -in PK.crt -out PK.cer
$ cert-to-efi-sig-list -g GUID PK.crt PK.esl
$ sign-efi-sig-list -g GUID -k PK.key -c PK.crt PK PK.esl PK.auth
Create an empty file null.esl and sign it, to allow deleting the Platform Key later (enrolling rm_PK.auth clears the PK and returns the firmware to Setup Mode):
$ sign-efi-sig-list -g GUID -c PK.crt -k PK.key PK null.esl rm_PK.auth
Key Exchange Key:
$ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
$ openssl x509 -outform DER -in KEK.crt -out KEK.cer
$ cert-to-efi-sig-list -g GUID KEK.crt KEK.esl
Signature Database:
$ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my db/" -keyout db.key -out db.crt -days 3650 -nodes -sha256
$ openssl x509 -outform DER -in db.crt -out db.cer
$ cert-to-efi-sig-list -g GUID db.crt db.esl
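The key-creation steps above, collected into one script as an added example (not from the article or from efitools). It assumes openssl, and cert-to-efi-sig-list and sign-efi-sig-list from efitools for the .esl and .auth files; those steps are skipped with a warning when efitools is not installed. The new_guid fallback chain, the GUID file that records the owner GUID for later signed updates, and the cert_cn helper are this example's additions. The main function runs in a subshell so that the restrictive umask applied to the private keys does not leak into the calling shell.

```shell
#!/bin/sh
# Added example: create a Secure Boot key hierarchy (PK, KEK, db) in the
# formats the article lists (PEM for sbsign, DER for firmware setup
# utilities, ESL/AUTH for KeyTool). Not from the Arch wiki or efitools.
set -u

# new_guid: owner GUID for the signature lists. uuidgen as in the article,
# with fallbacks for systems without util-linux (an assumption of this example).
new_guid() {
    uuidgen --random 2>/dev/null && return 0
    cat /proc/sys/kernel/random/uuid 2>/dev/null && return 0
    openssl rand -hex 16 | sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)/\1-\2-\3-\4-/'
}

# make_cert DIR NAME CN DAYS: self-signed RSA-2048 certificate as NAME.key and
# NAME.crt (PEM) plus NAME.cer (DER). RSA-2048/SHA-256 as in the article;
# some firmware accepts nothing else.
make_cert() {
    dir=$1 name=$2 cn=$3 days=$4
    openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$cn/" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" \
        -days "$days" -nodes -sha256 2>/dev/null || return 1
    openssl x509 -outform DER -in "$dir/$name.crt" -out "$dir/$name.cer"
}

# cert_cn FILE: print the CN of a PEM certificate (to check what was produced)
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# make_sb_keys DIR [DAYS]: PK, KEK and db; the PK-signed PK.auth; and
# rm_PK.auth, an empty PK-signed list whose enrolment clears the PK again.
# Runs in a subshell so the umask does not affect the caller.
make_sb_keys() (
    dir=$1 days=${2:-3650}
    mkdir -p "$dir" || exit 1
    umask 077                         # private keys must not be world-readable
    guid=$(new_guid)
    printf '%s\n' "$guid" > "$dir/GUID"   # needed again for every later signed update
    make_cert "$dir" PK  "my PK"  "$days" || exit 1
    make_cert "$dir" KEK "my KEK" "$days" || exit 1
    make_cert "$dir" db  "my db"  "$days" || exit 1
    if command -v cert-to-efi-sig-list >/dev/null 2>&1; then
        for n in PK KEK db; do
            cert-to-efi-sig-list -g "$guid" "$dir/$n.crt" "$dir/$n.esl" || exit 1
        done
        # the PK is the only key that signs its own update
        sign-efi-sig-list -g "$guid" -k "$dir/PK.key" -c "$dir/PK.crt" \
            PK "$dir/PK.esl" "$dir/PK.auth" || exit 1
        : > "$dir/null.esl"
        sign-efi-sig-list -g "$guid" -k "$dir/PK.key" -c "$dir/PK.crt" \
            PK "$dir/null.esl" "$dir/rm_PK.auth" || exit 1
    else
        echo "efitools not installed: .esl/.auth files not generated" >&2
    fi
)
```

Keep the directory off the ESP: everything signed with db.key boots on the machine, and anything signed with PK.key can replace the whole key hierarchy, so the .key files belong on encrypted or offline storage, while only the .cer, .esl and .auth files get copied to the FAT file system for enrolment.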
Signing bootloader and kernel
When Secure Boot is active (i.e. in "User Mode") you will only be able to launch signed binaries, so you need to sign your kernel and boot loader. Anything signed with db.key will be accepted by the firmware, so keep the private keys off the ESP.
Install sbsigntools.
# sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux
# sbsign --key db.key --cert db.crt --output esp/EFI/BOOT/BOOTX64.EFI esp/EFI/BOOT/BOOTX64.EFI
The kernel image is replaced on every upgrade of the kernel package and the boot loader binary on every boot loader update, so the signing step has to be repeated after each of them (for example from a pacman hook); an unsigned image will not boot.
Put firmware in "Setup Mode"
Secure Boot is in Setup Mode when the Platform Key is removed. To put firmware in Setup Mode, enter firmware setup utility and find an option to delete or clear certificates.
Enrol keys in firmware
Copy all *.cer, *.esl and *.auth files to a FAT formatted file system (you can use the EFI System Partition).
Launch the firmware setup utility or KeyTool and enrol the db, KEK and PK certificates, in that order: enrolling the PK leaves Setup Mode, after which db and KEK can only be changed with signed updates.
If the used tool supports it, prefer using .auth and .esl over .cer.
Using firmware setup utility
Firmwares have various different interfaces, see Replacing Keys Using Your Firmware's Setup Utility for example how to enrol keys.
Using KeyTool
KeyTool.efi is in the efitools package; copy it to the ESP. To use it after enrolling keys, sign it with sbsign:
# sbsign --key db.key --cert db.crt --output esp/EFI/KeyTool-signed.efi /usr/share/efitools/efi/KeyTool.efi
Launch KeyTool-signed.efi
using firmware setup utility, boot loader or UEFI Shell and enrol keys.
See Replacing Keys Using KeyTool for explanation of KeyTool menu options.
Disable Secure Boot
The Secure Boot feature can be disabled via the UEFI firmware interface. You may access the firmware configuration by pressing a special key during the boot process. The key to use depends on the firmware; it is usually one of Esc, F2, Del or possibly another Fn key.
If using a hotkey did not work and you can boot Windows, you can force a reboot into the firmware configuration in the following way (for Windows 10): Settings > Update & Security > Recovery > Advanced startup (Restart now) > Troubleshoot > Advanced options > UEFI Firmware settings > restart.
Note that some motherboards (this is the case on a Packard Bell laptop) only allow disabling Secure Boot if an administrator password has been set (it can be removed afterwards). See also Rod Smith's Disabling Secure Boot.
See also
- Wikipedia:Unified Extensible Firmware Interface#Secure boot
- Dealing with Secure Boot by Rod Smith
- Controlling Secure Boot by Rod Smith
- UEFI secure booting (part 2) by Matthew Garrett
- efitools README
- Will your computer's "Secure Boot" turn out to be "Restricted Boot"? — Free Software Foundation
- Free Software Foundation recommendations for free operating system distributions considering Secure Boot