ArchLinux UEFI SecureBoot script
Installation
Build package from sources
- First clone this repository from GitHub
git clone https://github.com/BigfootACA/secureboot-utils
cd secureboot-utils
Or clone from Gitee (Code Cloud)
git clone https://gitee.com/ClassFun/secureboot-utils
cd secureboot-utils
- Run makepkg
makepkg
After the build succeeds, an ArchLinux package file is generated.
- Use pacman to install the package
pacman -U secureboot-utils-1.1-1-any.pkg.tar.xz
Install from AUR
Use yaourt:
yaourt -S secureboot-utils
Use yay:
yay -S secureboot-utils
Instructions
First use
- First, confirm that your computer supports UEFI and was booted in UEFI mode
ls /sys/firmware/efi
Or check from the BIOS.
- Then confirm that your computer supports SecureBoot
ls /sys/firmware/efi/efivars/SecureBoot-*
Or check from the BIOS.
- In the BIOS, switch the SecureBoot mode to custom mode so that the generated public key can be imported
- Generate public and private keys and write them into the firmware system
secureboot-keygen
SecureBoot has been initialized, but the kernel or boot loader needs to be signed before enabling SecureBoot. Please check the following related content.
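The `ls` checks in the steps above only show that the efivars entries exist. The following added example (not part of secureboot-utils) also reads the values of the standard UEFI SecureBoot and SetupMode variables, so you can see which state the firmware is in before and after running secureboot-keygen. The function names and the constructed sample tree are hypothetical, and how a BIOS "custom mode" setting maps onto SetupMode is vendor-specific.

```sh
#!/bin/sh
# Added example (not from secureboot-utils): classify firmware state from efivarfs.
# An efivarfs file holds 4 attribute bytes followed by the variable's data.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c  # EFI global variable GUID

# efivar_byte DIR NAME: print the first data byte (decimal) of a global variable.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    b=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$b" ] && printf '%s' "$b"   # empty means the file was truncated
}

# secureboot_state [EFI_DIR]: print legacy-bios, unsupported, setup-mode,
# enabled or disabled. EFI_DIR defaults to /sys/firmware/efi.
secureboot_state() {
    efi="${1:-/sys/firmware/efi}"
    [ -d "$efi" ] || { echo legacy-bios; return 0; }
    sb=$(efivar_byte "$efi/efivars" SecureBoot) || { echo unsupported; return 0; }
    setup=$(efivar_byte "$efi/efivars" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then
        echo setup-mode   # no Platform Key enrolled: firmware accepts new keys
    elif [ "$sb" = 1 ]; then
        echo enabled      # signatures are enforced: unsigned loaders will not boot
    else
        echo disabled     # enforcement is off
    fi
}

# make_sample DIR SB SETUP: build a constructed efivars tree for offline testing.
make_sample() {
    mkdir -p "$1/efivars"
    printf "\\006\\000\\000\\000\\00$2" > "$1/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    printf "\\006\\000\\000\\000\\00$3" > "$1/efivars/SetupMode-$EFI_GLOBAL_GUID"
}

echo "Secure Boot state: $(secureboot_state)"
```

If this reports `enabled` before the kernel and boot loader have been signed as described in the sections below, the next reboot will fail signature verification.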
Rewrite the public key to the firmware system
If you need to rewrite the public key to the system, execute the following command:
secure-write
Sign the kernel
secureboot-sign --replace /boot/vmlinuz-linux
This package comes with installation hooks for the standard kernel packages linux and linux-lts. When the kernel is reinstalled or upgraded, the hooks automatically re-sign it to ensure normal use after the kernel is upgraded and the system is restarted.
Sign systemd-boot
secureboot-sign --systemd-boot
bootctl install
This package comes with an installation hook for systemd that automatically re-signs systemd-boot when the kernel is reinstalled or systemd is upgraded, to ensure normal use after restart.
Sign GRUB2
secureboot-sign --replace /boot/efi/EFI/boot/bootx64.efi
secureboot-sign --replace /boot/efi/EFI/arch/grubx64.efi