Setting up Secure Boot in Arch-based Distributions

I’ve learned how to successfully boot most Arch-based distributions with Secure Boot enabled by using the rEFInd boot loader (rEFInd generates the keys for me so I can sign it using MOK registration) and sign the installed kernel image(s) with the same keys. The location of the packages required for this operation may differ depending on which distribution you use but they are available in AUR if not in one of the distribution’s repositories. I suggest you check them first. It may also be possible to sign the default boot loader for your distribution, but I’ve not learned how to do that yet (perhaps my next project?).

For this tutorial, I’ll use EndeavourOS in a virtual machine (with EFI and TPM2 enabled, at which point I ‘reset keys to default’ and kept Secure Boot temporarily disabled) so I can capture images. Going forward, I’ll assume you have one of the Arch-based distributions installed with Secure Boot disabled. Note that some distributions load the EFI partition at the /boot directory while others (including EndeavourOS) do so at the /efi directory so you may have to make adjustments to the locations I describe here for operations in the EFI partition.

Step 1. Set up shim:
Install the required packages in the terminal with:
‘yay -S shim-signed’ (Packages to cleanBuild=‘N’; Diffs to show=‘N’; Proceed with installation?=‘Y’)
‘sudo pacman -S sbsigntools efitools refind’ (Proceed with installation?=‘Y’).

Step 2. Install refind to the EFI:
‘sudo refind-install --shim /usr/share/shim-signed/shimx64.efi --localkeys’ (Do you want to proceed with the installation?=‘Y’; Do you want to proceed with the installation?=‘Y’)

Step 3. Sign the kernel image(s):
Based on my testing, all three of the following commands are required with EndeavourOS.

The syntax for sbsign is:
sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt [path to the boot image - often /boot/vmlinux - YMMV].

The commands I used follow:
sudo sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /efi/EFI/systemd/systemd-bootx64.efi /efi/EFI/systemd/systemd-bootx64.efi
sudo sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /efi/EFI/BOOT/BOOTX64.EFI /efi/EFI/BOOT/BOOTX64.EFI
sudo sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /efi/538b8c10e7a84c0caf2ed953dbafcfaa/6.6.2-arch1-1/linux /efi/538b8c10e7a84c0caf2ed953dbafcfaa/6.6.2-arch1-1/linux

Step 4. Reboot into the UEFI interface to enable Secure Boot and remember to remove the installation media. The UEFI interface differs based on computer make and model so I won’t explain how to enable Secure Boot in detail here. You will probably find the Secure Boot setting in either the Boot or Security sections of the interface.

Step 5. After enabling Secure Boot, save your changes and restart the computer. When the computer tries to start rEFInd, the boot will fail with an error message (see here).

Press the ENTER key to go to the next screen which will offer the option to ‘Press any key to perform MOK management’ (I use the space key for this).

Navigate down to the ‘Enroll key from disk’ option and press the ENTER key.

Since I didn’t remove the installation media following the installation, I have two options (one is a very long string; navigate to it, ignoring anything else, and press the ENTER key to select it).

At the next screen, EFI should be the top (selected) choice. If not, navigate to it and press the ENTER key to select it and move to the next screen.

Navigate down to the ‘refind/’ option, then press the ENTER key to select it and move to the next screen.

Navigate down to the ‘keys/’ option, then press the ENTER key to select it and move to the next screen.

Navigate to the ‘refind_local.cer’ option (the key we want to enroll), then press the ENTER key to move to the next screen.

Navigate to the ‘continue’ option and press the ENTER key to go to the next screen.

Navigate down to the ‘Yes’ option and press the ENTER key to confirm enrolling the key(s) and move on to the next (and final) MOK Enrollment screen.

The ‘Reboot’ option should be the first (selected) item in the list. If not navigate to it then press the ENTER key to reboot the computer. rEFInd should load, and if all went well, your Arch-based distribution should successfully boot up.

I found the three commands I needed for EndeavourOS with trial and error. First, I tried signing the image ‘/efi/EFI/systemd/systemd-bootx64.efi’, then I signed ‘/efi/EFI/BOOT/BOOTX64.EFI’, and finally my installation successfully booted up after I signed ‘/efi/538b8c10e7a84c0caf2ed953dbafcfaa/6.6.2-arch1-1/linux’ so don’t give up at your first failure. Your distribution may have more than one image that needs signing. If you use EndeavourOS, the ‘538b8c10e7a84c0caf2ed953dbafcfaa’ directory in ‘/efi/538b8c10e7a84c0caf2ed953dbafcfaa/6.6.2-arch1-1/linux’ will be a different numerical directory name for your system. To find out what the directory name is, I switched to a super-user terminal by executing ‘sudo -s’, then entered my password. Once in the superuser terminal session, I executed ‘thunar’ to get a superuser thunar session. I used it to navigate around my EFI partition’s directories to find all three images (one at a time) I ended up signing. If you use a different Arch-based distribution, you may only have one or two images to sign.

That’s about it. I hope this helps others,

Ernie

6 Likes
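An added example (mine, not code from Ernie’s post or from the rEFInd project): a Python script that walks a mounted ESP and lists the PE images whose Authenticode Certificate Table is empty, which is exactly the set of images that still needs the sbsign step above, so you don’t have to hunt for them by hand in a file manager. It assumes the ESP is mounted at /efi (as in the post) and that you run it as root so the partition is readable; build_test_pe is a constructed header used only for offline testing.

```python
import os
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode certificate table)

def has_authenticode_signature(data: bytes) -> bool:
    """True if the Certificate Table entry is non-empty; ValueError if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24  # 4-byte signature + 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    dirs_off = opt_off + (112 if magic == PE32PLUS_MAGIC else 96)  # data directory array
    if struct.unpack_from("<I", data, dirs_off - 4)[0] <= CERT_TABLE_INDEX:
        return False  # NumberOfRvaAndSizes too small to hold a Certificate Table entry
    entry = dirs_off + CERT_TABLE_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    return cert_off != 0 and cert_size != 0

def find_unsigned_images(esp_root: str) -> list:
    """Walk the mounted ESP and return every PE image that still lacks a signature."""
    unsigned = []
    for dirpath, _, files in os.walk(esp_root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # the PE headers sit in the first few KiB
            try:
                if not has_authenticode_signature(head):
                    unsigned.append(path)
            except (ValueError, struct.error):
                pass  # not a PE image (initramfs, refind.conf, ...) or truncated header
    return unsigned

def build_test_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (x86-64, no sections) used for offline testing."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # SizeOfOptionalHeader=240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + CERT_TABLE_INDEX * 8, 0x1000, 0x600)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

This only detects that some signature is present, not that it was made with the enrolled key; for that, run ‘sbverify --cert /etc/refind.d/keys/refind_local.crt <image>’ on each image the script reports as signed.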

Ernie, I admire your precise detail and careful explanation. You have succeeded in extinguishing any interest I ever had in Arch or related distros. Since my old Canon printer driver is a .deb package, I will simply use Debian-based distros. Once the printer dies, I might toy with .rpm-based distros, but not until then.

Thank you for helping me close that door.

2 Likes

I didn’t intend my discussion on enabling Secure Boot in Arch-based distributions to have the effect of ‘closing the door’ on Arch for you. That was not my intent at all. While EndeavourOS doesn’t offer a graphical package manager that covers every available package in the distribution’s repositories like Debian-based distributions do, it does offer a graphical package installation assistant that gives the user a selection of the most popular packages (LibreOffice et al.) that you can select, and the assistant will install for you when you click the ‘Apply’ button. Other Arch-based distributions offer a much more complete graphical package manager (usually pamac) that works just like any package manager you may have already used. The truth is that I prefer working mostly at the command line for projects like enabling Secure Boot or making any other low level changes to how a distribution works. For this project, I could have used nemo (the file manager that comes with the Cinnamon desktop environment) to graphically work in the EFI partition, but since I was using xfce4 and nemo doesn’t come with it, I wanted to use the ‘native’ utilities/tools, so I elevated my terminal window to super-user mode, then opened thunar (the file manager that comes with xfce4) for that work.

If you prefer Debian-based distributions, give Debian 12 a look-see. I did so, and was very pleasantly surprised at how easy the installation was and how easily I could customize it to meet my preferences (I spun up a VM for it out of curiosity). It offers nearly all the available Desktop Environments I know of (and a few that I didn’t until I saw the list in the installer). The only drawback to using Debian for me is that I prefer a more cutting-edge package selection (latest-stable rather than stable) and Debian is too cautious in that respect for my taste. At the same time, it’s rock solid in performance and dependability, so if all I wanted was a system I could depend on day to day, I’d choose it, hands down, but I want something I can play around and experiment with (I’m a retiree).

As a final thought, Debian 12 supports Secure Boot, so if you want it, you don’t have to do anything to get it. Debian works just fine with or without Secure Boot enabled ‘right out of the box’. I found that very interesting and encouraging too. For me, Secure Boot’s a security thing. I look at system security as a layered paradigm analogous to an onion. The more layers I can add to my security regimen, the smaller I make my system’s attack surface (and the harder I make it for the bad guys), hopefully to the point that what they get won’t be worth their time and effort. I never look at my computers as if they’re anywhere near to being impervious to attack because the only way for that to happen is if I never turn them on, but I do want to do everything I reasonably can to get them as near that objective as possible while still being able to use them.

My2Cents,

Ernie

3 Likes

There is an option to unpack a .deb package (it is an ar archive) and install it by hand.
I have used a .deb printer driver package in Void Linux, which is not Debian based. It works fine.

:rofl: I’m with you there.

I don’t see what you and @berninghausen are reacting to.
The complications are because of secure boot and Refind, not Arch.
I have just done an Artix install. Artix is Arch based. It was simple.

1 Like

Just reacting to my past experience with all the distros I have used. Some Arch based and some not. For me, right now, Pop!_OS just works and Ubuntu 22.04 is just as good.

I’m not in a distro hopping mode. These work and work great so I’m out of the game. At least for now.

1 Like

I’m sorry if I upset anyone with this post. My intent was to provide a bit of information for anyone who’s interested, but perhaps I shouldn’t be so forthcoming in the future. My bad, I’m sorry,

Ernie

Hi Ernie,
You don’t need to apologise.
I get that reaction all the time… anything complicated, especially CLI, seems to stimulate that ‘not for me’ response.
It does not deter me, don’t let it put you off. You are lifting the quality of this site.
Regards
Neville

Thank you for that. I just don’t like the idea that anything I write can put others off from learning/experiencing something new. When I read about something I think is too far over my head, I just put off trying it out until I have time to learn more so I can better understand what I was reading. UEFI and Secure Boot make a great example of that for me. I keep looking for material on the subject so I can learn about it in small bites. I’ve learned how to enable Secure Boot with Arch-based distributions using the utilities I mention in my post along with the rEFInd boot loader, even though those distributions don’t come configured for Secure Boot out-of-the-box. Next, I want to learn to use different boot loaders, then maybe learn to enable Secure Boot in any distribution, you know, like universal Secure Boot support for GNU/Linux.

For me, it’s more about learning to do things that weren’t designed into a system before I learned how to do them. That’s one of the things I love about GNU/Linux. You can find a way to do nearly anything if you put your mind to it. :slight_smile:

Ernie

1 Like

Ernie, I admire your ability to make sense out of what’s under the hood. At 76, I really don’t give a toss about the inner workings. I do enjoy using a really stable, snappy distro that allows me to do anything I want to do easily. Debian 12 is indeed a fine choice, as is Peppermint Debian.

As long as a distro lets me sample other distros (I find Gnome Boxes is more than adequate and very simple) and use the hardware I have (sorry, Neville, hand installation exceeds my patience), I’m happy. Mint 21.2 is currently in the foreground, but I have Linux Lite, Xubuntu, and Fat Dog in partitions on my sandbox drive.

Thirty years ago I might have been shoulder to shoulder with you, fighting the good fight. I’m quite satisfied to read about your successes and drink my tea.

Bill

2 Likes

Heck no. That was healthy discussion wasn’t it?
Different strokes for different folks. That’s what it’s all about. Not better or worse.

1 Like

Exactly (fifteen chars)

At 78 I am headed in the opposite direction. I enjoy understanding the inner workings. I still keep a nice stable distro as a fallback.

2 Likes

Hi Ernie
I can only say Thank You for the posts you publish.
I’m very interested in reading your posts, believe me.
Keep doing your great work.

Jorge

2 Likes

I will. I don’t think I can stop it. If I can’t put what I learn here, I’ll put it on my blog (something I haven’t done in a while - I should probably get back into doing that too :slight_smile: ).

Thank you, Ernie

2 Likes

Since I’m only 74, it looks as if I’m the younger one here :slight_smile:, and I still want to understand how things work.

Ernie

Thank you for that. Chalk the tenor of my response yesterday to me having a bit of a rough time here at home. That’s all straightened out now, so everything with me is good now. I appreciate everyone’s concern :slight_smile:,

Ernie

2 Likes

Found this interesting quote

They’re called the golden years for a reason.
Getting older has its perks.
For one, you’re good at using what you’ve learned.
This is called crystalized intelligence,
and it keeps getting better, even when you’re 65 or 70.

3 Likes

Hate to be a pedant, but Arch is not “.rpm” - that’s CentOS, Red Hat, Oracle etc, and to some extent SUSE and OpenSUSE (that doesn’t mean a Red Hat RPM will install on SUSE however - least that was not my experience when I used to use Suse SLES for my main Linux distro - tried installing an RPM package for Red Hat - didn’t install - too many unresolved dependencies). **

I’m “only” 61, you blokes make me feel like a spring chicken :smiley: - which is odd, most of my colleagues are at least 10 years younger, some even 30+ years younger, and my best mate is 7 years my junior, and I’ve been working in IT for 30 years and a Linux user for 25+ years (started in late 1995 with Slackware).

BTW - nice well written article / howto - thanks @ernie

** I’ve had less than spectacular results with RPM for Brother printers on Oracle Linux CUPS servers for one of my customers… I still think DEB is a superior package format…

3 Likes