- Download *.iso and *.iso.sig from https://archlinux.org/download/
- Verify sha256
- Verify signature, and check that the key fingerprint gpg reports matches the one published on the download page (auto-key-retrieve fetches the signing key but does not by itself establish trust in it):
gpg --keyserver-options auto-key-retrieve --verify *.iso.sig
- Firmware: OVMF_CODE.secboot.fd
- Add TPM v2
loadkeys de
ls /sys/firmware/efi/efivars
iwctl --passphrase $(gpg -d wifi_key.txt.gpg) station wlan0 connect-hidden <ssid>
timedatectl set-ntp true
cfdisk /dev/vda
- Select gpt
- Create a 300M EFI System partition (/dev/vda1 ⇒ /boot/efi)
- Create a 300M Linux filesystem partition (/dev/vda2 ⇒ /boot)
- Create a Linux filesystem partition (/dev/vda3 ⇒ /dev/mapper/root ⇒ /)
- Write changes and exit
# cryptsetup -y -v luksFormat /dev/vda3
# cryptsetup open /dev/vda3 root
# mkfs.ext4 /dev/mapper/root
# mount /dev/mapper/root /mnt
# mkfs.ext4 /dev/vda2
# mount -m /dev/vda2 /mnt/boot
# mkfs.fat -F32 /dev/vda1
# mount -m /dev/vda1 /mnt/boot/efi
- Select mirrors in /etc/pacman.d/mirrorlist (optional)
- Enable ParallelDownloads in /etc/pacman.conf (optional)
pacstrap /mnt base base-devel linux linux-firmware grub efibootmgr neovim git sudo networkmanager man-db wget sbsigntools
# genfstab -U /mnt >> /mnt/etc/fstab
# arch-chroot /mnt
# ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
# hwclock --systohc
# nvim /etc/locale.gen # uncomment your locales
# locale-gen
# echo LANG=en_US.UTF-8 > /etc/locale.conf
# echo KEYMAP=de-latin1 > /etc/vconsole.conf
# echo arch > /etc/hostname
# systemctl enable NetworkManager
# passwd
Add the keyboard, keymap and encrypt hooks to /etc/mkinitcpio.conf:
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
Run mkinitcpio -P
# mkdir -p /root/SecureBoot/VM
# cd /root/SecureBoot/VM
# openssl req -newkey rsa:2048 -nodes -keyout PKpriv.key -x509 -days 3650 -out PK.crt
# openssl x509 -in PK.crt -outform der -out PK.der
# wget -Ux https://www.microsoft.com/pkiops/certs/Mic{CorKEKCA2011_2011-06-24,WinProPCA2011_2011-10-19,CorUEFCA2011_2011-06-27}.crt
# mkdir -p /boot/efi/SecureBoot/
# cp PK.der Mic*.crt /boot/efi/SecureBoot/
# mkdir -p /root/SecureBoot
# cd /root/SecureBoot
# openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt
# openssl x509 -outform DER -in MOK.crt -out MOK.cer
# mkdir -p /boot/efi/SecureBoot/
# cp MOK.cer /boot/efi/SecureBoot/
- Get the device UUID of /dev/vda3: blkid -s UUID -o value /dev/vda3
- Add kernel parameters in /etc/default/grub (replace device-UUID): cryptdevice=UUID=device-UUID:root root=/dev/mapper/root
- Uncomment/add GRUB_DISABLE_OS_PROBER=false in /etc/default/grub
- Cd into /root/SecureBoot and create the file build_grub.sh
:#!/bin/bash output=/boot/efi/EFI/shim/grubx64.efi config=$(mktemp) grub-mkconfig -o $config grub-mkstandalone -O x86_64-efi -o $output --sbat /usr/share/grub/sbat.csv --modules="pgp part_gpt part_msdos fat ext2 configfile gcry_sha256 gcry_rsa password_pbkdf2 normal linux all_video search search_fs_uuid reboot sleep loadenv minicmd test echo font" boot/grub/grub.cfg=$config -v rm $config for file in /boot/vmlinuz-linux $output; do sbsign --key MOK.key --cert MOK.crt --output $file $file done
- Build grub and add it to UEFI:
# chmod +x build_grub.sh
# mkdir -p /boot/efi/EFI/shim/
# ./build_grub.sh
# efibootmgr -v -d /dev/vda -c -L GRUB -l /EFI/shim/grubx64.efi
- Create the file /etc/pacman.d/hooks/999-sign_kernel_for_secureboot.hook:
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = linux
Target = linux-lts
Target = linux-hardened
Target = linux-zen

[Action]
Description = Signing kernel with Machine Owner Key for Secure Boot
When = PostTransaction
Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --cert /root/SecureBoot/MOK.crt --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key /root/SecureBoot/MOK.key --cert /root/SecureBoot/MOK.crt --output {} {}; fi' ;
Depends = sbsigntools
Depends = findutils
Depends = grep
# exit
# umount -R /mnt
# cryptsetup close root
# reboot
# useradd -m -s /bin/bash -G wheel user
# passwd user
# nvim /etc/sudoers # uncomment wheel privileges
# su user
$ cd $(mktemp -d)
$ git clone https://aur.archlinux.org/paru-bin.git
$ cd paru-bin
$ makepkg -si
$ paru -S shim-signed
$ exit
# cp /usr/share/shim-signed/{shimx64,mmx64}.efi /boot/efi/EFI/shim/
# efibootmgr -v -d /dev/vda -c -L Shim -l /EFI/shim/shimx64.efi
- efibootmgr -n0 to reboot into UEFI setup
- reboot
- Setup secure boot in uefi
- Reboot to shim
- Enroll key from disk:
SecureBoot/MOK.cer
- Reboot
- Find bootnum of GRUB:
efibootmgr -v
- Remove GRUB from UEFI:
efibootmgr -B -b xxxx