documentation/docs/void-desktop-setup/Secure-boot.-.md
2023-08-16 22:09:10 +02:00

1.5 KiB

Secure boot

Secure boot is sometimes a necessity when working with a windows dual boot on laptops and also an extra layer of protection for your system.

- Linux secureboot

For linux to work with secureboot it's necessary to enroll keys using sbctl.

xbps-install -Sy sbctl sbsigntool

Then to create keys, enroll them and sign the executables with it.

# sbctl create-keys
# sbctl enroll-keys
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-<version>

If you get an error with enrolling the keys it might be necessary to add the --microsoft flag.

Then to check if it worked.

# sbctl verify

The kernels will now automatically be signed after an update thanks to the sbsigntool package.

Don't forget to turn on secureboot in your bios.

- Linux Windows dual boot

To obtain secure boot for a device with both linux and windows partitions (dual boot), the sbctl package is required. It may be installed with.

# xbps-install -Sy sbctl sbsigntool

Then to create keys, enroll them and sign the executables with it.

# sbctl create-keys
# sbctl enroll-keys --microsoft
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-<version>

Then to check if it worked.

# sbctl verify

After every linux kernel update the new executables should be signed.