The package is available on AUR: arch-secure-boot
See the available configuration options in the top of the script.
Add your overrides to /etc/arch-secure-boot/config
.
arch-secure-boot generate-keys
generates new keys for Secure Bootarch-secure-boot enroll-keys
adds them to your UEFIarch-secure-boot generate-efi
creates several images signed with Secure Boot keysarch-secure-boot add-efi
adds UEFI entry for the main Secure Boot imagearch-secure-boot generate-snapshots
generates a list of btrfs snapshots for recoveryarch-secure-boot initial-setup
runs all the steps in the proper order
secure-boot-linux.efi
- the main imagevmlinuz-linux
+initramfs-linux
+*-ucode
+ hardcodedcmdline
secure-boot-linux-efi-shell.efi
- UEFI shell that is used to boot into a snapshot- needed only because default Dell UEFI shell is buggy
secure-boot-linux-recovery.efi
- recovery image that can be a used to boot from snapshotvmlinuz-linux
+initramfs-linux-fallback
secure-boot-linux-lts-recovery.efi
- recovery LTS image that can be used to boot from snapshotvmlinuz-linux-lts
+initramfs-linux-lts-fallback
fwupdx64.efi
image is also being signed.
- BIOS: Set admin password, disable Secure Boot, delete all Secure Boot keys
- Generate and enroll keys
- Generate EFI images and add the main one (only!) to UEFI
- BIOS: Enable Secure Boot
- BIOS: use admin password to boot into
efi-shell
image - Inspect recovery script using
edit FS0:\recovery.nsh
- Run the script using
FS0:\recovery.nsh
- Once recovered, remove
efi-shell
entry from UEFI