---
gitea: none
include_toc: false
---

### Secure boot

Secure boot is sometimes a necessity when dual booting with Windows on laptops, and it also adds an extra layer of protection for your system.

#### - Linux secureboot

For Linux to work with secure boot, it is necessary to enroll keys using `sbctl`.

```
# xbps-install -Sy sbctl sbsigntool
```

Then create keys, enroll them and sign the executables with them.

```
# sbctl create-keys
# sbctl enroll-keys
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-
```

If you get an error when enrolling the keys, it might be necessary to add the `--microsoft` flag.

Then check that it worked.

```
# sbctl verify
```

The kernels will now automatically be signed after an update thanks to the `sbsigntool` package.

Don't forget to turn on secure boot in your BIOS.

#### - Linux Windows dual boot

To obtain secure boot for a device with both Linux and Windows partitions (dual boot), the `sbctl` package is required. It can be installed with:

```
# xbps-install -Sy sbctl sbsigntool
```

Then create keys, enroll them and sign the executables with them.

```
# sbctl create-keys
# sbctl enroll-keys --microsoft
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-
```

Then check that it worked.

```
# sbctl verify
```

After every Linux kernel update the new executables should be signed.
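
A check to run after a kernel update, as an added example that is not part of the original page: it lists the files `sbctl verify` reports as unsigned and reads the firmware's Secure Boot state from efivarfs. The `✗ <path> is not signed` line format is an assumption about `sbctl verify` output, the function names are hypothetical, and the sample transcript is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumption: `sbctl verify`
# marks unsigned files with lines of the form "✗ <path> is not signed".

# SecureBoot variable in efivarfs (EFI global variable GUID).
SB_VAR="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print enabled/disabled/unknown. efivarfs stores 4 attribute bytes
# first, so the one-byte value sits at offset 4 (1 = enabled).
secure_boot_state() {
    var_file="${1:-$SB_VAR}"
    [ -r "$var_file" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$var_file" 2>/dev/null | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Filter a verify transcript on stdin down to the unsigned paths.
unsigned_files() {
    sed -n 's|^[^/]*\(/.*\) is not signed$|\1|p'
}

# Report findings; return non-zero if anything needs attention, so the
# function can gate a post-update script.
post_update_report() {
    state="$(secure_boot_state "$1")"
    missing="$(unsigned_files)"
    echo "Secure Boot: $state"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | while IFS= read -r f; do
            echo "unsigned: $f (fix: sbctl sign -s $f)"
        done
    fi
    [ "$state" = enabled ] && [ -z "$missing" ]
}

# Constructed sample transcript; X.Y.Z_1 is a placeholder version.
SAMPLE='Verifying file database and EFI images in /boot...
✓ /boot/EFI/Boot/BOOTX64.EFI is signed
✓ /boot/EFI/gummiboot/gummibootx64.efi is signed
✗ /boot/vmlinuz-X.Y.Z_1 is not signed'

# Demo on the sample; on a real system use: sbctl verify | post_update_report
printf '%s\n' "$SAMPLE" | post_update_report || echo "action needed"
```

A non-zero return means either a file on the boot path is unsigned or the firmware does not report Secure Boot as enabled; in the second case the signatures are never checked at boot.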