documentation/docs/void-desktop-setup/Secure-boot.md
2023-08-16 23:13:16 +02:00


Secure Boot is sometimes a necessity when running a Windows dual boot on laptops, and it is also an extra layer of protection for your system: the firmware only runs boot executables signed by an enrolled key.

## Linux secureboot

For Linux to boot with Secure Boot enabled, it is necessary to enroll your own keys using sbctl. Install it together with sbsigntool:

```sh
# xbps-install -Sy sbctl sbsigntool
```

Then create the keys, enroll them in the firmware, and sign the boot executables with them:

```sh
# sbctl create-keys
# sbctl enroll-keys
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-<version>
```

If enrolling the keys fails, it may be necessary to add the --microsoft flag, which also keeps Microsoft's vendor certificates enrolled.

Then check whether it worked:

```sh
# sbctl verify
```

The kernels will now be signed automatically after an update thanks to the sbsigntool package.

Don't forget to turn on Secure Boot in your BIOS!

## Linux Windows dual boot

To get Secure Boot working on a device with both Linux and Windows partitions (dual boot), the sbctl package is required. It may be installed with:

```sh
# xbps-install -Sy sbctl sbsigntool
```

Then create the keys, enroll them together with Microsoft's certificates (so the Windows boot manager stays bootable), and sign the executables with them:

```sh
# sbctl create-keys
# sbctl enroll-keys --microsoft
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-<version>
```

Then check whether it worked:

```sh
# sbctl verify
```

After every Linux kernel update the new executables should be signed.
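The two procedures above sign the same set of files and both end with a verification step. The following script is an added example (not part of these docs, of sbctl, or of Void Linux) that wraps that workflow: it reads the firmware's SecureBoot EFI variable to confirm the setting is actually on (the reminder to enable it in the BIOS is easy to forget), enumerates the same boot executables the page signs, with every installed `vmlinuz-<version>` globbed, and re-signs or dry-runs them. The paths `/sys/firmware/efi/efivars` and `/boot` as the ESP are assumptions matching the page's layout, and `sbctl sign-all` is the real sbctl subcommand that re-signs everything previously saved with `sign -s`.

```shell
#!/bin/sh
# secureboot-check.sh: helper around the sbctl workflow described above.
# Added example, not part of the Void docs or of sbctl itself.

# Assumptions: efivarfs is mounted here and the ESP is mounted on /boot
# (both overridable from the environment).
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
ESP="${ESP:-/boot}"

# Decode the firmware's SecureBoot variable. The file holds 4 attribute
# bytes followed by one data byte (1 = enabled, 0 = disabled). Prints
# "enabled", "disabled", or "unsupported" when the variable is absent.
secureboot_state() {
    var="$EFIVARS_DIR/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    [ -r "$var" ] || { echo unsupported; return 0; }
    # skip the 4 attribute bytes, read 1 byte, print it as a decimal
    val=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')
    case "$val" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# List the boot executables the page signs, relative to an ESP root.
# Kernel images are globbed so every installed vmlinuz-<version> is covered.
files_to_sign() {
    root="$1"
    for f in "$root/EFI/Boot/BOOTX64.EFI" \
             "$root/EFI/gummiboot/gummibootx64.efi" \
             "$root"/vmlinuz-*; do
        [ -f "$f" ] && echo "$f"
    done
}

# Sign each file with sbctl. -s saves the path in sbctl's database so a
# later `sbctl sign-all` re-signs it. With DRY_RUN=1 the commands are only
# printed, one per line.
sign_files() {
    root="$1"
    files_to_sign "$root" | while IFS= read -r f; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "sbctl sign -s $f"
        else
            sbctl sign -s "$f"
        fi
    done
}

# After a kernel update: re-sign everything sbctl knows about, then verify.
resign_after_update() {
    sbctl sign-all && sbctl verify
}

# Command-line entry point; the functions above are usable on their own.
case "${1:-}" in
    check)
        echo "Secure Boot in firmware: $(secureboot_state)"
        sbctl verify
        ;;
    sign)
        sign_files "$ESP"
        ;;
    update)
        resign_after_update
        ;;
    dry-run)
        DRY_RUN=1 sign_files "$ESP"
        ;;
esac
```

Run `sh secureboot-check.sh check` after rebooting with Secure Boot switched on: if the first line reports `disabled`, the firmware is still booting unsigned code regardless of what `sbctl verify` says about the signatures on disk. `sh secureboot-check.sh dry-run` shows exactly which files would be signed before you run it for real as root.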