jmarya/knowledge
jmarya/knowledge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
knowledge/technology/linux/sbctl.md
JMARyA c85814db1a
All checks were successful
ci/woodpecker/push/validate_schema Pipeline was successful
Details
add sbctl + systemd-cryptenroll
2024-12-16 16:20:32 +01:00

1.1 KiB
Raw Permalink Blame History

obj repo rev
application https://github.com/Foxboron/sbctl 2024-12-16

sbctl (Secure Boot Manager)

sbctl intends to be a user-friendly secure boot key manager capable of setting up secure boot, offer key management capabilities, and keep track of files that needs to be signed in the boot chain.

Usage

Install the necessary packages:

pacman -S sbctl sbsigntools

Check that Secure Boot "Setup Mode" is "Enabled" in UEFI:

sbctl status

Create your own signing keys:

sbctl create-keys

Sign the systemd bootloader:

sbctl sign -s \
  -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed \
  /usr/lib/systemd/boot/efi/systemd-bootx64.efi

Enroll your custom keys:

sbctl enroll-keys

# Enroll and include Microsoft Keys
sbctl enroll-keys --microsoft

Sign EFI files:

sbctl sign -s /boot/EFI/Linux/arch-linux.efi
sbctl sign -s /boot/EFI/Linux/arch-linux-fallback.efi
sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
sbctl sign -s /efi/EFI/Boot/bootx64.efi

Verify signature of EFI files:

sbctl verify

Resign everything:

sbctl sign-all