58 lines
1.1 KiB
Markdown
58 lines
1.1 KiB
Markdown
|
---
|
||
|
|
obj: application
|
||
|
|
repo: https://github.com/Foxboron/sbctl
|
||
|
|
rev: 2024-12-16
|
||
|
|
---
|
||
|
|
|
||
|
|
# sbctl (Secure Boot Manager)
|
||
|
|
sbctl intends to be a user-friendly secure boot key manager capable of setting up secure boot, offer key management capabilities, and keep track of files that needs to be signed in the boot chain.
|
||
|
|
|
||
|
|
## Usage
|
||
|
|
Install the necessary packages:
|
||
|
|
```sh
|
||
|
|
pacman -S sbctl sbsigntools
|
||
|
|
```
|
||
|
|
|
||
|
|
Check that Secure Boot "Setup Mode" is "Enabled" in UEFI:
|
||
|
|
```sh
|
||
|
|
sbctl status
|
||
|
|
```
|
||
|
|
|
||
|
|
Create your own signing keys:
|
||
|
|
```sh
|
||
|
|
sbctl create-keys
|
||
|
|
```
|
||
|
|
|
||
|
|
Sign the systemd bootloader:
|
||
|
|
```sh
|
||
|
|
sbctl sign -s \
|
||
|
|
-o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed \
|
||
|
|
/usr/lib/systemd/boot/efi/systemd-bootx64.efi
|
||
|
|
```
|
||
|
|
|
||
|
|
Enroll your custom keys:
|
||
|
|
```sh
|
||
|
|
sbctl enroll-keys
|
||
|
|
|
||
|
|
# Enroll and include Microsoft Keys
|
||
|
|
sbctl enroll-keys --microsoft
|
||
|
|
```
|
||
|
|
|
||
|
|
Sign EFI files:
|
||
|
|
```sh
|
||
|
|
sbctl sign -s /boot/EFI/Linux/arch-linux.efi
|
||
|
|
sbctl sign -s /boot/EFI/Linux/arch-linux-fallback.efi
|
||
|
|
sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
|
||
|
|
sbctl sign -s /efi/EFI/Boot/bootx64.efi
|
||
|
|
```
|
||
|
|
|
||
|
|
Verify signature of EFI files:
|
||
|
|
```sh
|
||
|
|
sbctl verify
|
||
|
|
```
|
||
|
|
|
||
|
|
Resign everything:
|
||
|
|
```sh
|
||
|
|
sbctl sign-all
|
||
|
|
```
|