Manjaro SecureBoot Setup Guide

1000-signGrub.hook

[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = Path
Target = /boot/efi/EFI/Manjaro/grubx64.efi

[Action]
Description = Signing GRUB with Machine Owner Key for Secure Boot
When = PostTransaction
Exec = /usr/share/secureboot/signGrub.sh ;
Depends = sbsigntools
Depends = findutils
Depends = grep
Depends = grub

999-signKernel.hook

[Trigger]
Type = Package
Operation = Install
Operation = Upgrade
Operation = Remove
Target = linux*

[Action]
Description = Signing kernel with Machine Owner Key for Secure Boot
When = PostTransaction
Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output {} {}; fi' \;
Depends = sbsigntools
Depends = findutils
Depends = grep

README.md

Steps to setup secure-boot on Manjaro

NOTE: Using this guide on Arch Linux requires a few changes

Enter a rooted shell

sudo -i

Enable AUR

sed -Ei '/EnableAUR=true/s/^#//' /etc/pacman.conf

Install shim-signed & set as default boot option

pamac build shim-signed
mv /boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/grubx64.efi
cp /usr/share/shim-signed/shimx64.efi /boot/efi/EFI/boot/bootx64.efi
cp /usr/share/shim-signed/mmx64.efi /boot/efi/EFI/boot/

Find boot partition & device

fdisk -l | grep "EFI System" | awk '{print $1}'

• Eg: If the command prints /dev/sdaX
  • /dev/sda is device & X is partition number

Register Shim BootEntry to NVRAM

efibootmgr --unicode --disk /dev/vda --part 1 --create --label "Shim" --loader /EFI/boot/bootx64.efi

Generate MOK

mkdir -p /usr/share/secureboot/keys/ 
openssl req -newkey rsa:4096 -nodes -keyout /usr/share/secureboot/keys/MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=Manjaro MOK/" -out /usr/share/secureboot/keys/MOK.crt
openssl x509 -outform DER -in /usr/share/secureboot/keys/MOK.crt -out /usr/share/secureboot/keys/MOK.cer
mkdir /boot/efi/keys
cp /usr/share/secureboot/keys/MOK.cer /boot/efi/keys/

Sign all available kernels

sudo pacman -Sy sbsigntools
find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec sh -c \
'if ! sbverify --list {} 2>/dev/null | grep -q "signature certificates"; then 
   sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output {} {}
 fi' \;

Grub requires modules to be built in the .efi file with .sbat section for secureboot

MODULES="all_video
boot
btrfs
cat
chain
configfile
cpuid
cryptodisk
echo
efifwsetup
efinet
ext2
fat
font
gcry_arcfour
gcry_blowfish
gcry_camellia
gcry_cast5
gcry_crc
gcry_des
gcry_dsa
gcry_idea
gcry_md4
gcry_md5
gcry_rfc2268
gcry_rijndael
gcry_rmd160
gcry_rsa
gcry_seed
gcry_serpent
gcry_sha1
gcry_sha256
gcry_sha512
gcry_tiger
gcry_twofish
gcry_whirlpool
gettext
gfxmenu
gfxterm
gfxterm_background
gzio
halt
help
hfsplus
iso9660
jpeg
keystatus
linux
loadenv
loopback
ls
lsefi
lsefimmap
lsefisystab
lssal
luks
luks2
lvm
mdraid09
mdraid1x
memdisk
minicmd
normal
ntfs
part_apple
part_gpt
part_msdos
password_pbkdf2
play
png
probe
raid5rec
raid6rec
reboot
regexp
search
search_fs_file
search_fs_uuid
search_label
serial
sleep
smbios
squash4
test
tpm
true
video
xfs
zfs
zfscrypt
zfsinfo"
grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules="${MODULES}" --sbat /usr/share/grub/sbat.csv
sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output /boot/efi/EFI/Manjaro/grubx64.efi /boot/efi/EFI/Manjaro/grubx64.efi
cp /boot/efi/EFI/Manjaro/grubx64.efi /boot/efi/EFI/boot/

This may require updating in future versions. Refer to https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu/tree/debian/build-efi-images for latest modules

Fix prohibited due to secure boot police error in GRUB

Note: Does not work [broken]. Your system will still probably boot with errors.

Default Manjaro GRUB configuration files inserts insmod * to /boot/grub/grub.cfg
Edit /etc/grub.d/* & /usr/share/grub/grub-mkconfig_lib files to comment out any instances of insmod * or echo insmod *.
Do the same for /etc/default/grub & comment out GRUB_PRELOAD_MODULES=* line.

Automatically sign linux images and grub on updade

Download 999-signKernel.hook & 1000-signGrub.hook from this gist and place it into /etc/pacman.d/hooks

• Create the directory if if does not exist
• Also 1000-signGrub.hook is probably not required. As grubx64.efi is created only once.

Download signGrub.sh from this gist and place it into /usr/share/secureboot/

• Omit this step if you skipped sign Grub hook.

Run

chmod a+x /etc/pacman.d/hooks/{999-signKernel.hook,1000-signGrub.hook} /usr/share/secureboot/signGrub.sh

---

Now Your Manjaro installation is ready for secureboot

Reboot the system & Enable SecureBoot from the UEFI An error will be displayed about security violation. Ignore this and press Enter twice, to enter MOK Management. Now Enroll the MOK from keys/MOK.cer of the device ESP on the MOK Management screen.

Reboot the system and your Manjaro install is ready with secure-boot working.

signGrub.sh

#!/bin/bash

MODULES="all_video
boot
btrfs
cat
chain
configfile
cpuid
cryptodisk
echo
efifwsetup
efinet
ext2
fat
font
gcry_arcfour
gcry_blowfish
gcry_camellia
gcry_cast5
gcry_crc
gcry_des
gcry_dsa
gcry_idea
gcry_md4
gcry_md5
gcry_rfc2268
gcry_rijndael
gcry_rmd160
gcry_rsa
gcry_seed
gcry_serpent
gcry_sha1
gcry_sha256
gcry_sha512
gcry_tiger
gcry_twofish
gcry_whirlpool
gettext
gfxmenu
gfxterm
gfxterm_background
gzio
halt
help
hfsplus
iso9660
jpeg
keystatus
linux
loadenv
loopback
ls
lsefi
lsefimmap
lsefisystab
lssal
luks
luks2
lvm
mdraid09
mdraid1x
memdisk
minicmd
normal
ntfs
part_apple
part_gpt
part_msdos
password_pbkdf2
play
png
probe
raid5rec
raid6rec
reboot
regexp
search
search_fs_file
search_fs_uuid
search_label
serial
sleep
smbios
squash4
test
tpm
true
video
xfs
zfs
zfscrypt
zfsinfo"


if ! /usr/bin/sbverify --list /boot/efi/EFI/Manjaro/grubx64.efi 2>/dev/null | /usr/bin/grep -q "signature certificates"; then
    /usr/bin/grub-install --target=x86_64-efi --efi-directory=/boot/efi/ --modules="${MODULES}" --sbat /usr/share/grub/sbat.csv
    /usr/bin/sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output /boot/efi/EFI/Manjaro/grubx64.efi /boot/efi/EFI/Manjaro/grubx64.efi
    /usr/bin/cp /boot/efi/EFI/Manjaro/grubx64.efi /boot/efi/EFI/boot/
fi

There's an error in the signing commands, cp /boot/efi/EFI/Majaro/grubx64.efi /boot/efi/EFI/boot/
'Majaro' should be 'Manjaro'. Other than that, I've tested this full process and can verify it works on 6.6.32-1-MANJARO.

There's an error in the signing commands, cp /boot/efi/EFI/Majaro/grubx64.efi /boot/efi/EFI/boot/ 'Majaro' should be 'Manjaro'. Other than that, I've tested this full process and can verify it works on 6.6.32-1-MANJARO.

Thanks for reporting that. I have fixed it now.

Thanks :)
Is this works at every Arch-based Distros?

Thanks :) Is this works at every Arch-based Distros?

Should work on any Arch derivatives (maybe with minimal changes) as this guide is based on the Arch wiki but is tested only on Manjaro.

I had a problem with the Sign All Available Kernels:

find: missing argument for '-exec'

find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec sh -c '
if ! sbverify --list "$1" 2>/dev/null | grep -q "signature certificates"; then
    sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output "$1" "$1"
fi' sh {} \;

This is the modded script that worked for me.

Hey folks, I'm having an issue with the pacman hook. I've had to use the modified script provided by @murapa96. I used this hook file with the modified command:

[Trigger]
Type = Package
Operation = Install
Operation = Upgrade
Operation = Remove
Target = linux*

[Action]
Description = Signing kernel with Machine Owner Key for Secure Boot
When = PostTransaction
Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/bash -c 'if ! /usr/bin/sbverify --list "$1" 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output "$1" "$1"; fi' _ {} \;
Depends = sbsigntools
Depends = findutils
Depends = grep

But when the hook is trigged I get this error: /usr/bin/find Missing agrument for '-exec', even with the modified version.
Am I just missing something?? When I run the command in a root shell it works and nothing is returned..

I have updated the guide and the script. Should work without any errors now.

@TheGreyDiamond can u try the updated hook file.

Still facing the same error I'm afraid.
/usr/bin/find: Fehlendes Argument für »-exec«. (Which translates to missing argument for -exec)

find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec sh -c \
'if ! sbverify --list {} 2>/dev/null | grep -q "signature certificates"; then 
   sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output {} {}
 fi' \;

This is the fixed script and should run.
Adding the same in hook requires specifying full path of executables.