1.5 KiB
Secure boot is sometimes a necessity when working with a windows dual boot on laptops and also an extra layer of protection for your system.
Linux secureboot
For linux to work with secureboot it's necessary to enroll keys using sbctl.
xbps-install -Sy sbctl sbsigntool
Then to create keys, enroll them and sign the executables with it.
# sbctl create-keys
# sbctl enroll-keys
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-<version>
If you get an error with enrolling the keys it might be necessary to add the --microsoft flag.
Then to check if it worked.
# sbctl verify
The kernels will now automatically be signed after an update thanks to the sbsigntool package.
Don't forget to turn on secureboot in your bios!
Linux Windows dual boot
To obtain secure boot for a device with both linux and windows partitions (dual boot), the sbctl package is required. It may be installed with.
# xbps-install -Sy sbctl sbsigntool
Then to create keys, enroll them and sign the executables with it.
# sbctl create-keys
# sbctl enroll-keys --microsoft
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /boot/vmlinuz-<version>
Then to check if it worked.
# sbctl verify
After every linux kernel update the new executables should be signed.