Updated Secure boot section

Tastatur 2023-08-17 10:54:11 +02:00
parent 4f9c1d9728
commit 579aefa00d
4 changed files with 9 additions and 110 deletions

View file

@ -1,7 +1,5 @@
Secure boot is sometimes a necessity when working with a windows dual boot on laptops and also an extra layer of protection for your system. Secure boot is sometimes a necessity when working with a windows dual boot on laptops and also an extra layer of protection for your system.
### Linux secureboot
For linux to work with secureboot it's necessary to enroll keys using sbctl. For linux to work with secureboot it's necessary to enroll keys using sbctl.
``` ```
@ -26,32 +24,10 @@ Then to check if it worked.
# sbctl verify # sbctl verify
``` ```
The kernels will now automatically be signed after an update thanks to the `sbsigntool` package. The kernels can automatically be signed after an update thanks to the `sbsigntool` package. Configure it `/etc/default/sbsigntool-kernel-hook` and change the options:
```
SBSIGN_EFI_KERNEL=1
```
> Don't forget to turn on secureboot in your bios! > Don't forget to turn on secureboot in your bios!
### Linux Windows dual boot
To obtain secure boot for a device with both linux and windows partitions (dual boot), the `sbctl` package is required. It may be installed with.
```
# xbps-install -Sy sbctl sbsigntool
```
Then to create keys, enroll them and sign the executables with it.
```
# sbctl create-keys
# sbctl enroll-keys --microsoft
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-<version>
```
Then to check if it worked.
```
# sbctl verify
```
After every linux kernel update the new executables should be signed.
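Review bot: removing the whole "Linux Windows dual boot" section drops the only place this page shows `sbctl enroll-keys --microsoft`, while the intro sentence still promises dual-boot coverage. On a machine that also boots Windows, enrolling only your own keys means the Microsoft-signed Windows Boot Manager no longer passes Secure Boot, so either keep a short dual-boot paragraph with the `--microsoft` flag or state plainly that the remaining instructions are for Linux-only systems. Two points in the added text: "Configure it `/etc/default/sbsigntool-kernel-hook`" is missing "in", and the hook needs to know which key and certificate to sign with; if that file has options for them, show the values that point at the sbctl-generated db key, otherwise say which keys the hook uses. Finally, the removed `sbctl sign -s` lines were also what recorded the kernel and bootloader in sbctl's database so that `sbctl verify` covers them; it is worth a sentence on whether the `sbsigntool` hook replaces that or complements it.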

File diff suppressed because one or more lines are too long

Binary file not shown.

View file

@ -60,11 +60,6 @@
<label class="md-overlay" for="__drawer"></label> <label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip"> <div data-md-component="skip">
<a href="#linux-secureboot" class="md-skip">
Skip to content
</a>
</div> </div>
<div data-md-component="announce"> <div data-md-component="announce">
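Review bot: this and the following hunks edit generated site HTML (plus the suppressed long-line file and the binary) in the same commit as the markdown source, which makes the review surface far larger than the nine-line content change. Consider building the site in CI or ignoring the build directory, or at least putting regenerated output in its own commit so the content change can be reviewed on its own.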
@ -639,46 +634,10 @@
<label class="md-nav__link md-nav__link--active" for="__toc">
Secure boot
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active"> <a href="./" class="md-nav__link md-nav__link--active">
Secure boot Secure boot
</a> </a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#linux-secureboot" class="md-nav__link">
Linux secureboot
</a>
</li>
<li class="md-nav__item">
<a href="#linux-windows-dual-boot" class="md-nav__link">
Linux Windows dual boot
</a>
</li>
</ul>
</nav>
</li> </li>
@ -1161,28 +1120,6 @@
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#linux-secureboot" class="md-nav__link">
Linux secureboot
</a>
</li>
<li class="md-nav__item">
<a href="#linux-windows-dual-boot" class="md-nav__link">
Linux Windows dual boot
</a>
</li>
</ul>
</nav> </nav>
</div> </div>
</div> </div>
@ -1199,7 +1136,6 @@
<h1>Secure boot</h1> <h1>Secure boot</h1>
<p>Secure boot is sometimes a necessity when working with a windows dual boot on laptops and also an extra layer of protection for your system.</p> <p>Secure boot is sometimes a necessity when working with a windows dual boot on laptops and also an extra layer of protection for your system.</p>
<h3 id="linux-secureboot">Linux secureboot</h3>
<p>For linux to work with secureboot it's necessary to enroll keys using sbctl.</p> <p>For linux to work with secureboot it's necessary to enroll keys using sbctl.</p>
<pre><code>xbps-install -Sy sbctl sbsigntool <pre><code>xbps-install -Sy sbctl sbsigntool
</code></pre> </code></pre>
@ -1214,25 +1150,12 @@
<p>Then to check if it worked.</p> <p>Then to check if it worked.</p>
<pre><code># sbctl verify <pre><code># sbctl verify
</code></pre> </code></pre>
<p>The kernels will now automatically be signed after an update thanks to the <code>sbsigntool</code> package.</p> <p>The kernels can automatically be signed after an update thanks to the <code>sbsigntool</code> package. Configure it <code>/etc/default/sbsigntool-kernel-hook</code> and change the options:</p>
<pre><code>SBSIGN_EFI_KERNEL=1
</code></pre>
<blockquote> <blockquote>
<p>Don't forget to turn on secureboot in your bios!</p> <p>Don't forget to turn on secureboot in your bios!</p>
</blockquote> </blockquote>
<h3 id="linux-windows-dual-boot">Linux Windows dual boot</h3>
<p>To obtain secure boot for a device with both linux and windows partitions (dual boot), the <code>sbctl</code> package is required. It may be installed with.</p>
<pre><code># xbps-install -Sy sbctl sbsigntool
</code></pre>
<p>Then to create keys, enroll them and sign the executables with it.</p>
<pre><code># sbctl create-keys
# sbctl enroll-keys --microsoft
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-&lt;version&gt;
</code></pre>
<p>Then to check if it worked.</p>
<pre><code># sbctl verify
</code></pre>
<p>After every linux kernel update the new executables should be signed.</p>
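Review bot: the new paragraph carries the same missing "in" ("Configure it <code>/etc/default/sbsigntool-kernel-hook</code>") as the markdown source, so the HTML was clearly built from the source; fix the markdown first and regenerate rather than touching this file by hand, otherwise the next build will reintroduce the typo.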