!!!BE AWARE!!! when doing a dual-boot (Windows + Linux) setup. This guide doesn't explain ANYTHING about dual-boot, so you will have to handle it on your own. Before you proceed, be aware of these:
- Secure Boot + self-signed keys + NVIDIA GPU = bricked laptop.
- Dual booting with other operating systems. Microsoft Windows.
You need to back up your keys. See UEFI. Secure boot. Using your own keys.
NOTES: You need to boot into the freshly installed OS (without chroot) before following these steps. I would recommend doing this at the end of the installation.
Secure Boot is a security feature found in the UEFI standard, designed to add a layer of protection to the pre-boot process: by maintaining a cryptographically signed list of binaries authorized or forbidden to run at boot, it helps in improving the confidence that the machine core boot components (boot manager, kernel, initramfs) haven't been tampered with.
- Clear existing keys and reset Secure Boot to `Setup Mode` in the firmware settings of your BIOS.
- Install the tools: `pacman -S sbctl efitools`.
NOTES: `sbctl` is a user-friendly way of setting up secure boot and signing files.
NOTES: `sbctl` does not work with all hardware. How well it will work depends on the manufacturer.
Before starting, go to your firmware settings and set secure boot mode to Setup mode. This is different for each device. If you want to boot into the firmware of your motherboard directly, then you can use this command: `systemctl reboot --firmware-setup`.
Once you log back in, check the secure boot status: `sbctl status`.
You should see that `sbctl` is not installed and secure boot is disabled.
Installed: Sbctl is not installed
Setup Mode: Enabled
Secure Boot: Disabled
Then create your custom secure boot keys: `sbctl create-keys`.
Enroll your keys, with Microsoft's keys, to the UEFI: `sbctl enroll-keys -m`.
- NOTES: !!!WARNING!!! some firmware is signed and verified with Microsoft's keys when secure boot is enabled. Not validating devices could brick them. To enroll your keys without enrolling Microsoft's, run: `sbctl enroll-keys`. Only do this if you know what you are doing.
Check the secure boot status again: `sbctl status`. `sbctl` should be installed now, but secure boot will not work until the boot files have been signed with the keys you just created.
Check what files need to be signed for secure boot to work: `sbctl verify`. The output might be:
Verifying file database and EFI images in /boot...
✗ /boot/EFI/BOOT/BOOTX64.EFI is not signed
✗ /boot/EFI/systemd/systemd-bootx64.efi is not signed
✗ /boot/vmlinuz-linux is not signed
Now sign all the unsigned files. Usually the kernel and the boot loader need to be signed. For example:
sbctl sign -s /boot/vmlinuz-linux
sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI
NOTES: the files that need to be signed will depend on your system's layout, kernel and boot loader.
Now you are done! Reboot your system and turn secure boot back on in the firmware settings. If the boot loader and OS load, secure boot should be working. Check with: `sbctl status`.
`sbctl` comes with a pacman hook that automatically signs all new files whenever the Linux kernel, systemd or the boot loader is updated. But we use `systemd-boot` and `systemd-boot-update.service` in this guide, so the boot loader is only updated after a reboot, and the `sbctl` pacman hook will therefore not sign the new file. As a workaround, it can be useful to sign the boot loader directly in `/usr/lib/`, as `bootctl install` and `update` will automatically recognize and copy `.efi.signed` files to the ESP if present, instead of the normal `.efi` file.
sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi
NOTES: see Automatic signing with the pacman hook for more information.
NOTES: see Systemd boot pacman hook for more information, if you want to change the secure boot signing process described above.
Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, which is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices.
To check if your laptop supports TPM 2.0, run:
- Var. I: `test -e /dev/tpm0 && echo PASS || echo FAIL`.
  - NOTES: if tpm is present, the result would be `PASS`.
- Var. II: `cat /sys/class/tpm/tpm0/device/description`.
  - NOTES: if tpm is present, the result would be `TPM 2.0 Device`.
- Var. III: `cat /sys/class/tpm/tpm0/tpm_version_major`.
  - NOTES: if tpm 2 is present, the result would be `2`.
- Var. IV: on working machines before installation: `bootctl status`.
Also, you need to check the systemd version: `systemctl --version`. It has to be greater than or equal to 248.
If all things are present, we need to install `tpm2-tss`: `pacman -Syu tpm2-tss tpm2-tools`.
List available TPMs: `systemd-cryptenroll --tpm2-device=list`.
PATH DEVICE DRIVER
/dev/tpmrm0 NTC0702:00 tpm_tis
Platform Configuration Registers (PCR) contain hashes that can be read at any time but can only be written via the extend operation, which depends on the previous hash value, thus making a sort of blockchain. They are intended to be used for platform hardware and software integrity checking between boots (e.g. protection against an Evil Maid attack). They can be used to unlock encryption keys and to prove that the correct OS was booted.
Enroll the key in the TPM and the LUKS volume and bind the key to PCRs 0, 4 and 7 with `systemd-cryptenroll`: `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,4,7 /dev/sda2`.
- NOTES: see Accessing PCR registers for more information.
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,7 /dev/sda2
PCR0: Core System Firmware executable code (aka Firmware)
PCR7: Secure Boot State
New TPM2 token enrolled as key slot 1.
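The extend operation and PCR binding described above, modelled in Python as an added example (not part of the original guide and not systemd or TPM code). It shows why a key bound to PCRs 0, 4 and 7 is no longer released once the Secure Boot state changes. The event strings, the `GOOD_BOOT` and `SECURE_BOOT_OFF` logs and the `policy_matches` check are assumptions made for illustration; a real TPM enforces the binding with a policy session rather than a plain comparison.

```python
import hashlib

PCR_SIZE = hashlib.sha256().digest_size  # 32 bytes in the SHA-256 PCR bank


def extend(pcr, event):
    """Extend: new PCR = SHA-256(old PCR || SHA-256(event)); nothing can set it directly."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def replay(events):
    """Recompute one PCR from its reset value (all zeros) and an ordered event log."""
    pcr = bytes(PCR_SIZE)
    for event in events:
        pcr = extend(pcr, event)
    return pcr


def boot_pcrs(logs):
    """Map each PCR index to the value that results from its measurement log."""
    return {index: replay(events) for index, events in logs.items()}


def policy_matches(sealed, current):
    """Simplified model of a PCR-bound secret: release only if every bound PCR is unchanged."""
    return all(current.get(index) == value for index, value in sealed.items())


# Constructed measurement logs (the event strings are placeholders, not real firmware events).
GOOD_BOOT = {
    0: [b"firmware-image-v1"],
    4: [b"systemd-bootx64.efi"],
    7: [b"SecureBoot=enabled", b"db=own-keys+microsoft"],
}
# Same machine, but Secure Boot was switched off in the firmware settings.
SECURE_BOOT_OFF = {**GOOD_BOOT, 7: [b"SecureBoot=disabled", b"db=own-keys+microsoft"]}

SEALED = boot_pcrs(GOOD_BOOT)  # values recorded at enrollment time

if __name__ == "__main__":
    print("same boot chain unlocks:", policy_matches(SEALED, boot_pcrs(GOOD_BOOT)))
    print("Secure Boot disabled unlocks:", policy_matches(SEALED, boot_pcrs(SECURE_BOOT_OFF)))
    for index, value in SEALED.items():
        print(f"PCR{index}: {value.hex()}")
```

A binding that leaves out PCR 7 would still match after the Secure Boot change, which is why the choice of PCRs decides what the TPM actually protects against.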
@todo finish this section