documentation/docs/void-desktop-setup/Secure-boot.md

Secure boot is sometimes a necessity when working with a windows dual boot on laptops and also an extra layer of protection for your system.

### Linux secureboot

For linux to work with secureboot it's necessary to enroll keys using sbctl.

```
xbps-install -Sy sbctl sbsigntool
```

Then to create keys, enroll them and sign the executables with it.

```
# sbctl create-keys
# sbctl enroll-keys
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-<version>
```

If you get an error with enrolling the keys it might be necessary to add the `--microsoft` flag.

Then to check if it worked.

```
# sbctl verify
```

The kernels will now automatically be signed after an update thanks to the `sbsigntool` package.

> Don't forget to turn on secureboot in your bios!

### Linux Windows dual boot

To obtain secure boot for a device with both linux and windows partitions (dual boot), the `sbctl` package is required. It may be installed with.

```
# xbps-install -Sy sbctl sbsigntool
```

Then to create keys, enroll them and sign the executables with it.

```
# sbctl create-keys
# sbctl enroll-keys --microsoft
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-<version>
```

Then to check if it worked.

```
# sbctl verify
```

After every linux kernel update the new executables should be signed.
First pages 2023-08-16 22:09:10 +02:00			`Secure boot is sometimes a necessity when working with a windows dual boot on laptops and also an extra layer of protection for your system.`

Added a lot of pages 2023-08-16 23:13:16 +02:00			`### Linux secureboot`
First pages 2023-08-16 22:09:10 +02:00
			`For linux to work with secureboot it's necessary to enroll keys using sbctl.`

			```
			`xbps-install -Sy sbctl sbsigntool`
			```

			`Then to create keys, enroll them and sign the executables with it.`

			```
			`# sbctl create-keys`
			`# sbctl enroll-keys`
			`# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI`
			`# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi`
			`# sbctl sign -s /boot/vmlinuz-<version>`
			```

			If you get an error with enrolling the keys it might be necessary to add the `--microsoft` flag.

			`Then to check if it worked.`

			```
			`# sbctl verify`
			```

			The kernels will now automatically be signed after an update thanks to the `sbsigntool` package.

Added a lot of pages 2023-08-16 23:13:16 +02:00			`> Don't forget to turn on secureboot in your bios!`
First pages 2023-08-16 22:09:10 +02:00
Added a lot of pages 2023-08-16 23:13:16 +02:00			`### Linux Windows dual boot`
First pages 2023-08-16 22:09:10 +02:00
			To obtain secure boot for a device with both linux and windows partitions (dual boot), the `sbctl` package is required. It may be installed with.

			```
			`# xbps-install -Sy sbctl sbsigntool`
			```

			`Then to create keys, enroll them and sign the executables with it.`

			```
			`# sbctl create-keys`
			`# sbctl enroll-keys --microsoft`
			`# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI`
			`# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi`
			`# sbctl sign -s /boot/vmlinuz-<version>`
			```

			`Then to check if it worked.`

			```
			`# sbctl verify`
			```

Added a lot of pages 2023-08-16 23:13:16 +02:00			`After every linux kernel update the new executables should be signed.`