2023-08-16 22:09:10 +02:00
Secure boot is sometimes a necessity when working with a windows dual boot on laptops and also an extra layer of protection for your system.
For linux to work with secureboot it's necessary to enroll keys using sbctl.
```
xbps-install -Sy sbctl sbsigntool
```
Then to create keys, enroll them and sign the executables with it.
```
# sbctl create-keys
# sbctl enroll-keys
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-<version>
```
If you get an error with enrolling the keys it might be necessary to add the `--microsoft` flag.
Then to check if it worked.
```
# sbctl verify
```
2023-08-17 10:54:11 +02:00
The kernels can automatically be signed after an update thanks to the `sbsigntool` package. Configure it `/etc/default/sbsigntool-kernel-hook` and change the options:
2023-08-16 22:09:10 +02:00
```
2023-08-17 10:54:11 +02:00
SBSIGN_EFI_KERNEL=1
2023-08-16 22:09:10 +02:00
```
2023-08-17 10:54:11 +02:00
> Don't forget to turn on secureboot in your bios!
