
Secure boot

Secure Boot is sometimes a necessity when dual booting Windows on a laptop, and it is also an extra layer of protection for your system.

For Linux to boot with Secure Boot enabled, you need to enroll your own keys and sign the boot binaries with them. This guide uses sbctl for that.

# xbps-install -Sy sbctl sbsigntool

Then create the keys, enroll them in the firmware, and sign the boot loader and kernel with them (-s saves the file in sbctl's database so it is re-signed by sbctl sign-all later):

# sbctl create-keys
# sbctl enroll-keys
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-<version>

If enrolling the keys fails, it may be necessary to add the --microsoft flag (sbctl enroll-keys --microsoft), which additionally enrolls Microsoft's vendor certificates; this is required for a Windows dual boot and on firmware with signed option ROMs.

Then check that everything is signed:

# sbctl verify

Kernels can be signed automatically after an update thanks to the kernel hook shipped with the sbsigntool package. Configure it in /etc/default/sbsigntool-kernel-hook and set the following options so it uses the sbctl db key and certificate:

SBSIGN_EFI_KERNEL=1

EFI_KEY_FILE=/usr/share/secureboot/keys/db/db.key
EFI_CERT_FILE=/usr/share/secureboot/keys/db/db.pem

Don't forget to turn on Secure Boot in your firmware (BIOS/UEFI) settings!

To check whether your system is actually booting with Secure Boot enabled, run:

$ sbctl status
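The following script is an added example and not part of the Void documentation. It checks the two things the steps above aim for: that the firmware reports Secure Boot as enabled (read directly from the SecureBoot EFI variable, independently of sbctl) and that each boot binary verifies against the sbctl db certificate using sbverify from sbsigntool. The paths are the ones used above; the functions take arguments so they can be pointed elsewhere.

```shell
#!/bin/sh
# Added example (not Void's own tooling): verify Secure Boot state and that
# every binary the guide signs carries a signature chained to our db cert.

# Parse a SecureBoot EFI variable file. The efivarfs layout is 4 bytes of
# attributes followed by the 1-byte value (1 = enabled, 0 = disabled).
# Prints "enabled", "disabled" or "unknown" (unreadable / not UEFI).
secureboot_state() {
    var="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$var" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Check each given file with sbverify (from sbsigntool) against the db
# certificate. Lists every file and returns non-zero if any is unsigned
# or signed by a key the firmware does not trust.
check_signed() {
    cert="$1"; shift
    rc=0
    for f in "$@"; do
        if sbverify --cert "$cert" "$f" >/dev/null 2>&1; then
            echo "signed:   $f"
        else
            echo "UNSIGNED: $f"; rc=1
        fi
    done
    return $rc
}

# Usage as root: ./sb-check.sh /boot/EFI/Boot/BOOTX64.EFI /boot/vmlinuz-<version>
# With no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    echo "Secure Boot: $(secureboot_state)"
    check_signed /usr/share/secureboot/keys/db/db.pem "$@"
fi
```

Run it after the steps above (and after every kernel update) to confirm the hook re-signed the new vmlinuz before rebooting.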