From bdac650c5e7d4403118109ec008df69626c2a3d3 Mon Sep 17 00:00:00 2001 From: Sandro Keil Date: Tue, 24 Jul 2018 19:19:45 +0200 Subject: [PATCH] Add secure boot chapter --- book/arch/06-secure-boot.md | 65 ++++++++++++++++++++++++++++++++++++- 1 file changed, 64 insertions(+), 1 deletion(-) diff --git a/book/arch/06-secure-boot.md b/book/arch/06-secure-boot.md index 273f36d..4aec29a 100644 --- a/book/arch/06-secure-boot.md +++ b/book/arch/06-secure-boot.md 
@@ -1,3 +1,66 @@ # Setup secure boot -TBD +This chapter describes how to configure secure boot because no one should modify the bootloader or boot from another medium. +Gerke Max Preussner describes this very detailed in his post [Fully Encrypted ArchLinux with Secure Boot on Yoga 920](https://gmpreussner.com/reference/fully-encrypted-archlinux-with-secure-boot-on-yoga-920?#secureboot) +Please read his chapter about secure boot and come back to enable it. + +## UEFI setup mode +To create own UEFI keys UEFI secure boot must be set into setup mode in BIOS. Restart the computer and enter BIOS setup. + +1. Navigate to the **Security** page +1. Go to Set **Administrator/Supervisor Password** and enter a strong password +1. Go to **Reset to Setup Mode**, press Enter and select Yes +1. Save the changes and exit BIOS Setup + +The preloaded secure boot keys for Microsoft/OEM are now deleted. You can restore it if needed. + +## Setup cryptboot +Download or copy [xmikos/cryptboot](https://github.com/xmikos/cryptboot) to your home folder. To install *cryptboot* some +packages are required. Let's install them. + +``` +pacman -S binutils fakeroot +``` + +Next step is to install it without checksum check. Enter the *cryptboot* folder and execute + +> You can use *ArchLinux* as name + +``` +makepkg -si --skipchecksums +``` + +Almost finished. The last step is to generate and enroll the new keys. This is easy with the following commands: + +``` +cryptboot-efikeys create +cryptboot-efikeys enroll +cryptboot update-grub +``` + +## Pacman hooks +To auto sign the kernel after an upgrade it's handy to have a [pacman hook for signing the kernel](https://wiki.archlinux.org/index.php/Secure_Boot#Signing_kernel_with_pacman_hook). Paste +Open the file with `/etc/pacman.d/hooks/98-secureboot.hook` and put these lines in it. 
+ +``` +[Trigger] +Operation = Install +Operation = Upgrade +Type = Package +Target = linux + +[Action] +Description = Signing Kernel for SecureBoot - Update GRUB +When = PostTransaction +Exec = /usr/bin/cryptboot update-grub +``` + +## Enable UEFI secure boot +If you encountered no errors you can now enable UEFI secure boot. Restart the computer and enter BIOS setup. + +1. Navigate to the **Security** page +1. Go to **Secure Boot** and enable it +1. Save the changes and exit BIOS Setup + +Try to boot from an USB stick. It should not be possible anymore. If you need to boot from an other medium, disable +secure boot.
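Review bot: the install step `makepkg -si --skipchecksums` turns off the only integrity check the build has, for a tool that will then generate and enroll the machine's Secure Boot signing keys (`cryptboot-efikeys create` / `enroll`); consider pinning the cryptboot checkout to a specific commit or tag and keeping the PKGBUILD checksums active, or at least stating in the text why the skip is required. In the pacman hook, `Target = linux` only matches the stock kernel package, so a reader running `linux-lts` or another kernel variant would be left with an unsigned kernel after an upgrade; add a `Target =` line for each installed kernel package or mention the limitation next to the hook. Minor: "Paste Open the file with `/etc/pacman.d/hooks/98-secureboot.hook`" looks like a leftover from editing and should probably read "Open the file `/etc/pacman.d/hooks/98-secureboot.hook`", and "You can restore it if needed" refers to the keys, so "restore them".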