57 lines
1.5 KiB
Markdown
57 lines
1.5 KiB
Markdown
Secure boot is sometimes a necessity when working with a windows dual boot on laptops and also an extra layer of protection for your system.
|
|
|
|
### Linux secureboot
|
|
|
|
For linux to work with secureboot it's necessary to enroll keys using sbctl.
|
|
|
|
```
|
|
xbps-install -Sy sbctl sbsigntool
|
|
```
|
|
|
|
Then to create keys, enroll them and sign the executables with it.
|
|
|
|
```
|
|
# sbctl create-keys
|
|
# sbctl enroll-keys
|
|
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
|
|
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
|
|
# sbctl sign -s /boot/vmlinuz-<version>
|
|
```
|
|
|
|
If you get an error with enrolling the keys it might be necessary to add the `--microsoft` flag.
|
|
|
|
Then to check if it worked.
|
|
|
|
```
|
|
# sbctl verify
|
|
```
|
|
|
|
The kernels will now automatically be signed after an update thanks to the `sbsigntool` package.
|
|
|
|
> Don't forget to turn on secureboot in your bios!
|
|
|
|
### Linux Windows dual boot
|
|
|
|
To obtain secure boot for a device with both linux and windows partitions (dual boot), the `sbctl` package is required. It may be installed with.
|
|
|
|
```
|
|
# xbps-install -Sy sbctl sbsigntool
|
|
```
|
|
|
|
Then to create keys, enroll them and sign the executables with it.
|
|
|
|
```
|
|
# sbctl create-keys
|
|
# sbctl enroll-keys --microsoft
|
|
# sbctl sign -s /boot/EFI/Boot/BOOTX64.EFI
|
|
# sbctl sign -s /boot/EFI/gummiboot/gummibootx64.efi
|
|
# sbctl sign -s /boot/vmlinuz-<version>
|
|
```
|
|
|
|
Then to check if it worked.
|
|
|
|
```
|
|
# sbctl verify
|
|
```
|
|
|
|
After every linux kernel update the new executables should be signed.
|