@junalmeida
Last active March 26, 2025 11:15
Enable SecureBoot in Manjaro

This how-to aims to make UEFI boot your signed kernel+initramfs directly, without a bootloader like GRUB or systemd-boot. As a prerequisite, enter your UEFI settings and put Secure Boot into Setup Mode.

  1. Check the EFI partition size. If you want to include extra drivers in the initrd (like nvidia), make it at least 1 GB. I recommend 2 GB to be future-proof.
  2. Include extra drivers in /etc/mkinitcpio.conf. You need nvidia-dkms installed for this to work. I wanted this on my system so SDDM (the login screen itself) can run in Wayland. Important: make sure the FILES section doesn't include /crypto_keyfile.bin; the UKI is written to the unencrypted EFI partition, so a keyfile embedded in the initramfs would be readable in the clear.
     MODULES=(crc32c-intel i915 nvidia nvidia_modeset nvidia_uvm nvidia_drm)
  3. Modify /etc/mkinitcpio.d/linux612.preset (or your current kernel preset) to generate a Unified Kernel Image (see the example preset in this gist).
  4. Add /etc/kernel/cmdline for your current kernel. You can check the current values with cat /proc/cmdline (see the example in this gist).
  5. Install sbctl.
  6. Run sudo sbctl status to check the current Secure Boot status. It should be in Setup Mode. If it is not, restart into the UEFI settings and remove the keys or reset Secure Boot.
  7. Run sudo sbctl create-keys, then sudo sbctl enroll-keys --microsoft (the flag is lowercase; it also enrolls Microsoft's certificates, which signed option ROMs such as GPU firmware may require).
  8. Run sudo mkinitcpio -P. It should create a UKI for your current kernel in the EFI partition.
  9. Run sudo efibootmgr to list the current boot entries.
  10. Run sudo efibootmgr -B -b 000N to delete old entries, where 000N is the number of the Boot000N entry you want to delete.
  11. Run sudo findmnt /boot/efi to find the EFI partition device. Usually /dev/sda1 or /dev/nvme0n1p1.
  12. Run sudo efibootmgr -c -d /dev/nvme0n1 -p 1 -L "Manjaro" -l "EFI/Linux/manjaro-6.12-x86_64.efi" (adjust the disk, partition number and file name to match your system).
  13. Run sudo sbctl verify to make sure all images are signed.

You should be able to restart now, enable Secure Boot, and lock changes to the boot order and to Secure Boot itself with a firmware password.

Enable LUKS2 and Enroll with TPM

To have your disk enrolled and unlocked with a TPM key you need a LUKS2 header. Manjaro still creates a LUKS1 container, so it has to be converted; the conversion can be done in place.

To confirm your current LUKS version, run sudo cryptsetup luksDump /dev/nvme0n1p2 and note the Version field (replace nvme0n1p2 with your device and partition; it could be /dev/sda2).

  1. Make sure you followed the UKI tutorial above and no longer need GRUB.
  2. Boot into a live CD with cryptsetup available, because you can't convert the header while the system is in use.
  3. Back up your LUKS header: sudo cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file /mnt/backup/luks1.bkp
  4. Run sudo cryptsetup convert --type luks2 /dev/nvme0n1p2
  5. Restart back into your installed system.
  6. Run sudo systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p2.
  7. After that, edit /etc/crypttab so it looks something like this:
     luks-xxx-xxx-xxx-xxx-xxx UUID=xxx-xxx-xxx-xxx-xxx none tpm2-device=auto,discard
  8. Create /etc/crypttab.initramfs with the same content as above.
  9. Check your TPM driver: run sudo systemd-cryptenroll --tpm2-device=list and note the Driver column.
  10. Edit /etc/mkinitcpio.conf and add that driver to the MODULES list. Also, in HOOKS, change encrypt to sd-vconsole sd-encrypt and add systemd after base. It should look like this:
     MODULES=(crc32c-intel tpm_tis i915 nvidia nvidia_modeset nvidia_uvm nvidia_drm)
     HOOKS=(base systemd udev autodetect microcode kms modconf block keyboard keymap consolefont plymouth sd-vconsole sd-encrypt filesystems)
  11. Recreate your UKI by running sudo mkinitcpio -P
  12. Restart
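A pre-flight check for the two files edited in the steps above (/etc/mkinitcpio.conf and /etc/crypttab.initramfs), written here as an added example and not part of the gist. It assumes POSIX sh with grep and sed, and catches the mistakes the steps warn about before you run mkinitcpio -P: a keyfile listed in FILES, the old encrypt hook still in HOOKS, and a crypttab line that does not request the TPM2 token.

```shell
#!/bin/sh
# Pre-flight checks for the UKI + TPM2 setup above (added example, not part of
# the gist). Each function takes a file path so it can be run against copies.

# The UKI is written to the unencrypted EFI partition, so a keyfile listed in
# FILES would ship inside it in the clear. Fail if FILES references it.
check_no_keyfile() {
    if grep -Eq '^[[:space:]]*FILES=.*crypto_keyfile' "$1"; then
        echo "FAIL: FILES in $1 embeds /crypto_keyfile.bin" >&2
        return 1
    fi
    return 0
}

# HOOKS must use the systemd initramfs: 'systemd' right after 'base',
# 'sd-encrypt' present, and the legacy busybox 'encrypt' hook removed.
check_hooks() {
    hooks=$(sed -n 's/^[[:space:]]*HOOKS=(\(.*\))/\1/p' "$1")
    case " $hooks " in
        *" base systemd "*) ;;
        *) echo "FAIL: HOOKS must begin with 'base systemd'" >&2; return 1 ;;
    esac
    case " $hooks " in
        *" sd-encrypt "*) ;;
        *) echo "FAIL: HOOKS lacks sd-encrypt" >&2; return 1 ;;
    esac
    case " $hooks " in
        *" encrypt "*) echo "FAIL: legacy 'encrypt' hook still present" >&2; return 1 ;;
    esac
    return 0
}

# The crypttab line must map luks-<uuid> with no keyfile (third field 'none')
# and request the TPM2 token, like the example line in the steps above.
check_crypttab() {
    grep -Eq '^[[:space:]]*luks-[^[:space:]]+[[:space:]]+UUID=[^[:space:]]+[[:space:]]+none[[:space:]]+[^[:space:]]*tpm2-device=auto' "$1"
}

# Usage: sh preflight.sh /etc/mkinitcpio.conf /etc/crypttab.initramfs
if [ "$#" -eq 2 ]; then
    check_no_keyfile "$1" && check_hooks "$1" && check_crypttab "$2" \
        && echo "OK: safe to run mkinitcpio -P"
fi
```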

# /etc/kernel/cmdline: remove this comment line and use your own UUIDs. A good idea is to run cat /proc/cmdline
root=UUID=xxx-xxx-xxx-xxx-xxx rw rootflags=subvol=@ quiet cryptdevice=UUID=xxx-xxx-xxx-xxx-xxx:luks-xxx-xxx-xxx-xxx-xxx root=/dev/mapper/luks-xxx-xxx-xxx-xxx-xxx splash udev.log_priority=3

# /etc/mkinitcpio.d/linux612.preset
# make sure the paths below exist and are mounted
# mkinitcpio preset file for the '6.12-x86_64' package
#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-6.12-x86_64"
PRESETS=('default' 'fallback')
#default_config="/etc/mkinitcpio.conf"
#default_image="/boot/initramfs-6.12-x86_64.img"
default_uki="/boot/efi/EFI/Linux/manjaro-6.12-x86_64.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-manjaro.bmp"
#fallback_config="/etc/mkinitcpio.conf"
#fallback_image="/boot/initramfs-6.12-x86_64-fallback.img"
fallback_uki="/boot/efi/EFI/Linux/manjaro-6.12-x86_64-fallback.efi"
fallback_options="-S autodetect"