In the latest newsletter (FOSS Weekly #24.34), I saw the item about the new (August) release of CachyOS, and it interested me, because it mentioned that Cachy now offers an easy way to sign the kernel, and have it done with an install hook any time the kernel’s updated. I currently sign the kernel manually, and having it signed automatically would make life easier for me.
I have a partition set aside for experimental installations, so I installed Cachy there and rebooted into it. I used the Cachy Hello app to get to the Cachy Wiki, and found the item about setting up secure boot on Cachy, then followed the directions there. Those instructions are a bit austere, and I don’t recommend following the process for Linux newbies, but if you’re familiar with the command line, and understand a bit about your computer’s UEFI interface, the process isn’t a very high hill to climb. Here’s the Secure Boot Setup page for anyone who’s interested in seeing the original documentation. I’m going to write the steps I followed on both my Lenovo Legion 5 laptop PC and on my desktop PC with an ASUS Tuf Gaming motherboard. There were a few differences, and the steps I used on my desktop PC may help others understand what setup mode’s all about.
For the purposes of this post, I’ll assume that your computer is running with secure boot disabled now. If not, you may be best served to disable it before continuing. Note that I use Garuda KDE-Lite GNU/Linux here, so I’ll provide Arch-based directions. You’ll have to modify my commands to match your distribution’s packaging system for actions such as installing sbctl.
Note: I don’t know which distributions offer sbctl in their repositories, so if yours doesn’t, you can get it from the developer’s GitHub page (linked above).
Step 1. Install sbctl:
sudo pacman -S sbctl
Step 2 (IMPORTANT! Skip this step if you do NOT use the GRUB boot manager. NOTE that this command is for CachyOS. You should change the bootloader-id to match your distribution, or use rEFInd like I do and bypass this command altogether):
sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=cachyos --modules="tpm" --disable-shim-lock
Step 3. Enter Setup mode in UEFI:
This step requires some explanation. On my Lenovo Legion 5 laptop PC, there is a setting to enter Setup Mode. On my desktop PC, there is no such setting. Instead, I had to delete all keys in the secure boot settings area. As far as I know, there is a way to delete secure boot keys in all UEFI interfaces.
In the terminal emulator, you can reboot straight into the UEFI interface with the following command (provided your computer uses systemd).
systemctl reboot --firmware-setup
Step 4. Setting Up sbctl:
The following comes from the CachyOS wiki (Make sure the output you see in your terminal window matches what’s in the examples that follow):
❯ sudo sbctl status # If setup mode is enabled we can proceed to the next step
Installed: ✘ sbctl is not installed
Setup Mode: ✘ Enabled
Secure Boot ✘ Disabled
❯ sudo sbctl create-keys # Create your custom secure boot keys
Created Owner UUID a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Creating secure boot keys...✔
Secure boot keys created!
❯ sudo sbctl enroll-keys -m # Enroll your keys with Microsoft's keys
Enrolling keys to EFI variables...✔
Enrolled keys to the EFI variables!
❯ sudo sbctl status # sbctl should now be installed and we can proceed to signing the kernel images and boot manager
Installed: ✔ sbctl is installed
Owner GUID: a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Setup Mode: ✔ Disabled
Secure Boot ✘ Disabled
Vendor Keys: microsoft
Step 5. Signing the Kernel Image and Boot Manager:
CachyOS provides a script, sbctl-batch-sign, that takes the list of files needing to be signed from sudo sbctl verify and signs them all. Open the link (above) in a new tab and copy the content of the script to your clipboard. Then, in the terminal, run sudo nano /usr/bin/sbctl-batch-sign to create the new script in the correct location on the system, and paste the script's content from the clipboard into the nano window (using CTRL+ALT+V, because you're pasting in the terminal). Finally, save your changes with CTRL+X, Y, Enter, then make the file executable with chmod +x /usr/bin/sbctl-batch-sign.
❯ sudo sbctl verify
Verifying file database and EFI images in /boot...
✘ /boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn4.0.fc40.x86_64/linux is not signed
✘ /boot/EFI/BOOT/BOOTX64.EFI is not signed
✘ /boot/EFI/systemd/systemd-bootx64.efi is not signed
✘ /boot/1c4b5246eef05ac3bc87339323cd5101/0-rescue/linux is not signed
✘ /boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn3.0.fc40.x86_64/linux is not signed
❯ sudo sbctl-batch-sign
❯ sudo sbctl verify
Verifying file database and EFI images in /boot...
✔ /boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn4.0.fc40.x86_64/linux is signed
✔ /boot/EFI/BOOT/BOOTX64.EFI is signed
✔ /boot/EFI/systemd/systemd-bootx64.efi is signed
✔ /boot/1c4b5246eef05ac3bc87339323cd5101/0-rescue/linux is signed
✔ /boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn3.0.fc40.x86_64/linux is signed
Note
In some cases with rEFInd, the kernel image might not be detected when running `sudo sbctl verify`. To sign the kernel image, you can just do `sudo sbctl sign -s /boot/vmlinuz-linux-cachyos`. The file name of the kernel image varies between kernel versions, and there could be more than one if you have multiple kernel versions installed. If you're not using CachyOS, replace the kernel image name (vmlinuz-linux-cachyos) with your system's kernel name. (I have `vmlinuz-linux-zen` in Garuda here.)
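As an added illustration of what a batch signer like the one in Step 5 does (this is my own example, not CachyOS's sbctl-batch-sign script), the script below parses `sbctl verify` output, signs every file reported unsigned with `sbctl sign -s`, and also signs any extra kernel images passed as arguments to cover the rEFInd case in the note above. The SAMPLE_VERIFY text is constructed for a dry run, and the SBCTL variable is an assumption added so the parsing and counting can be exercised without touching a real system.

```shell
#!/bin/sh
# Added example (not CachyOS's own sbctl-batch-sign): sign every file that
# `sbctl verify` reports as unsigned, plus any extra kernel images given as
# arguments (for rEFInd setups where verify does not see /boot/vmlinuz-*).
set -e

SBCTL=${SBCTL:-sbctl}   # sbctl command; overridable for a dry test (assumption)

# Read `sbctl verify` output on stdin and print one unsigned path per line.
# A verify line looks like "✘ /boot/EFI/BOOT/BOOTX64.EFI is not signed".
unsigned_files() {
    grep ' is not signed$' | sed -e 's/^[^/]*//' -e 's/ is not signed$//' || true
}

# Sign each path read from stdin. -s saves it in sbctl's file database so the
# pacman hook re-signs it on every kernel update. sbctl's own messages go to
# stderr; stdout carries only the number of files signed.
sign_listed() {
    count=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        "$SBCTL" sign -s "$path" >&2
        count=$((count + 1))
    done
    echo "$count"
}

# Constructed sample of verify output (same shape as the real tool prints).
SAMPLE_VERIFY='Verifying file database and EFI images in /boot...
✘ /boot/EFI/BOOT/BOOTX64.EFI is not signed
✔ /boot/EFI/systemd/systemd-bootx64.efi is signed
✘ /boot/vmlinuz-linux-zen is not signed'

# Combine verify's unsigned list with any kernel paths given as arguments.
main() {
    {
        "$SBCTL" verify 2>/dev/null | unsigned_files
        for extra in "$@"; do printf '%s\n' "$extra"; done
    } | sign_listed
}

# Only touch the system when sbctl is actually installed.
if command -v "$SBCTL" >/dev/null 2>&1; then
    n=$(main "$@")
    echo "signed $n file(s); run 'sbctl verify' to confirm"
fi
```

Run it as root, e.g. `sudo ./sbctl-batch-sign /boot/vmlinuz-linux-zen`, then confirm with `sudo sbctl verify` as in Step 5.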
Step 6. Enable Secure Boot:
With all the above steps completed, it's time to reboot to the UEFI interface to enable secure boot:
systemctl reboot --firmware-setup
That’s it. Now when you update your kernel, it’ll be signed automatically for you.
*** A Final Word:
Today (Friday August 30, 2024), Garuda released kernel 6.10.7-zen1-1-zen (64-bit), and sbctl did automatically sign the new kernel image for me as part of the installation procedure, so I could reboot into the new kernel version with no extra steps required.
I hope some of you find this useful,
Ernie