
@Jai-JAP
Last active June 26, 2024 14:28
Manjaro SecureBoot Setup Guide
1000-signGrub.hook
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = Path
# Path targets are matched against package file lists relative to the root, without a leading slash
Target = boot/efi/EFI/Manjaro/grubx64.efi
[Action]
Description = Signing GRUB with Machine Owner Key for Secure Boot
When = PostTransaction
Exec = /usr/share/secureboot/signGrub.sh
Depends = sbsigntools
Depends = findutils
Depends = grep
Depends = grub

999-signKernel.hook
[Trigger]
Type = Package
Operation = Install
Operation = Upgrade
Operation = Remove
Target = linux*
[Action]
Description = Signing kernel with Machine Owner Key for Secure Boot
When = PostTransaction
Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output {} {}; fi' ;
Depends = sbsigntools
Depends = findutils
Depends = grep

Steps to set up Secure Boot on Manjaro

NOTE: Using this guide on Arch Linux requires a few changes

Enter a rooted shell

sudo -i

Enable AUR

sed -Ei '/^#EnableAUR/s/^#//' /etc/pamac.conf

Install shim-signed and set it as the default boot option (shim chain-loads grubx64.efi from its own directory, so the existing fallback loader is renamed to that name)

pamac build shim-signed
mv /boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/grubx64.efi
cp /usr/share/shim-signed/shimx64.efi /boot/efi/EFI/boot/bootx64.efi
cp /usr/share/shim-signed/mmx64.efi /boot/efi/EFI/boot/

Find boot partition & device

fdisk -l | grep "EFI System" | awk '{print $1}'
  • e.g. if the command prints /dev/sdaX, then /dev/sda is the device and X is the partition number

Register the shim boot entry in NVRAM (replace /dev/vda and --part 1 with the device and partition number found above)

efibootmgr --unicode --disk /dev/vda --part 1 --create --label "Shim" --loader /EFI/boot/bootx64.efi

Generate MOK

mkdir -p /usr/share/secureboot/keys/
openssl req -newkey rsa:4096 -nodes -keyout /usr/share/secureboot/keys/MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=Manjaro MOK/" -out /usr/share/secureboot/keys/MOK.crt
openssl x509 -outform DER -in /usr/share/secureboot/keys/MOK.crt -out /usr/share/secureboot/keys/MOK.cer
mkdir -p /boot/efi/keys
cp /usr/share/secureboot/keys/MOK.cer /boot/efi/keys/

Sign all installed kernels (only those that do not already carry a signature)

pacman -S --needed sbsigntools
find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec sh -c '
  if ! sbverify --list "$1" 2>/dev/null | grep -q "signature certificates"; then
    sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output "$1" "$1"
  fi' sh {} \;

GRUB must be built as a single standalone .efi image with every module it needs built in and with an .sbat section: shim refuses to load an image that has no SBAT data, and under Secure Boot GRUB's lockdown prevents it from loading unsigned module files from disk.

MODULES="all_video
boot
btrfs
cat
chain
configfile
cpuid
cryptodisk
echo
efifwsetup
efinet
ext2
fat
font
gcry_arcfour
gcry_blowfish
gcry_camellia
gcry_cast5
gcry_crc
gcry_des
gcry_dsa
gcry_idea
gcry_md4
gcry_md5
gcry_rfc2268
gcry_rijndael
gcry_rmd160
gcry_rsa
gcry_seed
gcry_serpent
gcry_sha1
gcry_sha256
gcry_sha512
gcry_tiger
gcry_twofish
gcry_whirlpool
gettext
gfxmenu
gfxterm
gfxterm_background
gzio
halt
help
hfsplus
iso9660
jpeg
keystatus
linux
loadenv
loopback
ls
lsefi
lsefimmap
lsefisystab
lssal
luks
luks2
lvm
mdraid09
mdraid1x
memdisk
minicmd
normal
ntfs
part_apple
part_gpt
part_msdos
password_pbkdf2
play
png
probe
raid5rec
raid6rec
reboot
regexp
search
search_fs_file
search_fs_uuid
search_label
serial
sleep
smbios
squash4
test
tpm
true
video
xfs
zfs
zfscrypt
zfsinfo"
grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules="${MODULES}" --sbat /usr/share/grub/sbat.csv
sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output /boot/efi/EFI/Manjaro/grubx64.efi /boot/efi/EFI/Manjaro/grubx64.efi
cp /boot/efi/EFI/Manjaro/grubx64.efi /boot/efi/EFI/boot/

This may require updating in future versions. Refer to https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu/tree/debian/build-efi-images for latest modules

Fix the "prohibited by secure boot policy" error in GRUB

Note: This does not work [broken]. Your system will still probably boot, with errors.

The default Manjaro GRUB configuration files insert insmod * lines into /boot/grub/grub.cfg.
Edit the files under /etc/grub.d/ and /usr/share/grub/grub-mkconfig_lib to comment out any instance of insmod * or echo insmod *.
Do the same for /etc/default/grub, commenting out the GRUB_PRELOAD_MODULES=* line.

Automatically sign kernel images and GRUB on update

Download 999-signKernel.hook & 1000-signGrub.hook from this gist and place it into /etc/pacman.d/hooks

  • Create the directory if it does not exist
  • 1000-signGrub.hook is probably not required, as grubx64.efi is created only once.

Download signGrub.sh from this gist and place it into /usr/share/secureboot/

  • Omit this step if you skipped the signGrub hook.

Run

chmod a+x /etc/pacman.d/hooks/{999-signKernel.hook,1000-signGrub.hook} /usr/share/secureboot/signGrub.sh

Now your Manjaro installation is ready for Secure Boot

Reboot the system and enable Secure Boot in the UEFI setup. An error about a security violation will be displayed. Ignore it and press Enter twice to enter MOK Management. On the MOK Management screen, enroll the MOK from keys/MOK.cer on the ESP of the device.

Reboot the system and your Manjaro install is ready with secure-boot working.
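Before rebooting with Secure Boot enabled it is worth confirming that every piece of the chain above is in the state the guide expects. The script below is an added example, not part of the gist: it checks that each EFI binary on the ESP carries an Authenticode signature and whether it verifies against MOK.crt, that the rebuilt GRUB image has an .sbat section (and lists the SBAT components in it), that keys/MOK.cer on the ESP is the DER form of MOK.crt, and that MOK.key is not readable by other users. It uses the guide's paths; the function names and the SB_CHECK_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Pre-reboot check for the Secure Boot setup described above.
# Added example, not part of the gist. Paths are the guide's; the helper
# names and the SB_CHECK_RUN switch are assumptions of this example.
set -u

ESP=/boot/efi
KEYDIR=/usr/share/secureboot/keys
status=0

# True when `sbverify --list` output shows at least one signature certificate
# (the same test the gist's hooks use to decide whether a file needs signing).
lists_signature() {
    printf '%s\n' "$1" | grep -q "signature certificates"
}

# True when `objdump -h` output contains a .sbat section.
has_sbat_section() {
    printf '%s\n' "$1" | grep -q '[[:space:]]\.sbat[[:space:]]'
}

# Reduce SBAT CSV text (component,generation,vendor,...) to "component generation" lines.
sbat_components() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1, $2 }'
}

# True when an octal mode string grants nothing to group or other (e.g. 600, 400, 700).
mode_is_private() {
    case "$1" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

check_signed() {
    f=$1
    if lists_signature "$(sbverify --list "$f" 2>/dev/null)"; then
        if sbverify --cert "$KEYDIR/MOK.crt" "$f" >/dev/null 2>&1; then
            echo "OK   $f is signed with the MOK"
        else
            # shim and MokManager are signed by their distributor, not by the MOK
            echo "INFO $f is signed, but not by the MOK"
        fi
    else
        echo "FAIL $f carries no Authenticode signature"
        status=1
    fi
}

main() {
    for f in "$ESP/EFI/boot/bootx64.efi" "$ESP/EFI/boot/mmx64.efi" \
             "$ESP/EFI/boot/grubx64.efi" "$ESP/EFI/Manjaro/grubx64.efi" /boot/vmlinuz-*; do
        if [ -f "$f" ]; then check_signed "$f"; else echo "FAIL $f is missing"; status=1; fi
    done

    grub=$ESP/EFI/Manjaro/grubx64.efi
    if has_sbat_section "$(objdump -h "$grub" 2>/dev/null)"; then
        tmp=$(mktemp)
        objcopy -O binary --only-section=.sbat "$grub" "$tmp"
        echo "OK   $grub has an SBAT section:"
        sbat_components "$(cat "$tmp")" | sed 's/^/       /'
        rm -f "$tmp"
    else
        echo "FAIL $grub has no .sbat section; shim will refuse to load it"
        status=1
    fi

    # The certificate enrolled through MokManager must be the DER form of the signing cert
    if [ "$(openssl x509 -in "$KEYDIR/MOK.crt" -outform DER | sha256sum)" = \
         "$(sha256sum < "$ESP/keys/MOK.cer")" ]; then
        echo "OK   $ESP/keys/MOK.cer is the DER form of MOK.crt"
    else
        echo "FAIL $ESP/keys/MOK.cer does not match MOK.crt; enrolling it would not cover the signatures"
        status=1
    fi

    mode=$(stat -c %a "$KEYDIR/MOK.key" 2>/dev/null || echo '?')
    mode_is_private "$mode" || echo "WARN $KEYDIR/MOK.key has mode $mode; anyone who can read it can sign kernels this firmware will trust"
    return "$status"
}

# Run the checks only when asked, so the file can also be sourced for its helpers.
if [ "${SB_CHECK_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as root with `SB_CHECK_RUN=1 sh sb-precheck.sh` after the signing steps and before enabling Secure Boot; a non-zero exit means at least one FAIL line was printed. The INFO lines for bootx64.efi and mmx64.efi are expected, since those come signed from the shim-signed package rather than by the MOK.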

signGrub.sh
#!/bin/bash
# Rebuild, sign and install GRUB only when the current grubx64.efi carries no signature.
set -e
MODULES="all_video
boot
btrfs
cat
chain
configfile
cpuid
cryptodisk
echo
efifwsetup
efinet
ext2
fat
font
gcry_arcfour
gcry_blowfish
gcry_camellia
gcry_cast5
gcry_crc
gcry_des
gcry_dsa
gcry_idea
gcry_md4
gcry_md5
gcry_rfc2268
gcry_rijndael
gcry_rmd160
gcry_rsa
gcry_seed
gcry_serpent
gcry_sha1
gcry_sha256
gcry_sha512
gcry_tiger
gcry_twofish
gcry_whirlpool
gettext
gfxmenu
gfxterm
gfxterm_background
gzio
halt
help
hfsplus
iso9660
jpeg
keystatus
linux
loadenv
loopback
ls
lsefi
lsefimmap
lsefisystab
lssal
luks
luks2
lvm
mdraid09
mdraid1x
memdisk
minicmd
normal
ntfs
part_apple
part_gpt
part_msdos
password_pbkdf2
play
png
probe
raid5rec
raid6rec
reboot
regexp
search
search_fs_file
search_fs_uuid
search_label
serial
sleep
smbios
squash4
test
tpm
true
video
xfs
zfs
zfscrypt
zfsinfo"
# Skip everything if grubx64.efi already carries an Authenticode signature
if ! /usr/bin/sbverify --list /boot/efi/EFI/Manjaro/grubx64.efi 2>/dev/null | /usr/bin/grep -q "signature certificates"; then
    # Rebuild GRUB as a standalone image with the modules built in and an SBAT section
    /usr/bin/grub-install --target=x86_64-efi --efi-directory=/boot/efi/ --modules="${MODULES}" --sbat /usr/share/grub/sbat.csv
    # Sign it in place with the MOK
    /usr/bin/sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output /boot/efi/EFI/Manjaro/grubx64.efi /boot/efi/EFI/Manjaro/grubx64.efi
    # Refresh the copy that shim chain-loads from EFI/boot
    /usr/bin/cp /boot/efi/EFI/Manjaro/grubx64.efi /boot/efi/EFI/boot/
fi
@aplace-lab

There's an error in the signing commands, cp /boot/efi/EFI/Majaro/grubx64.efi /boot/efi/EFI/boot/
'Majaro' should be 'Manjaro'. Other than that, I've tested this full process and can verify it works on 6.6.32-1-MANJARO.

@Jai-JAP

Jai-JAP commented Jun 10, 2024

There's an error in the signing commands, cp /boot/efi/EFI/Majaro/grubx64.efi /boot/efi/EFI/boot/ 'Majaro' should be 'Manjaro'. Other than that, I've tested this full process and can verify it works on 6.6.32-1-MANJARO.

Thanks for reporting that. I have fixed it now.

@hywol

hywol commented Jun 26, 2024

Thanks :)
Does this work on every Arch-based distro?

@Jai-JAP

Jai-JAP commented Jun 26, 2024

Thanks :) Does this work on every Arch-based distro?

Should work on any Arch derivatives (maybe with minimal changes) as this guide is based on the Arch wiki but is tested only on Manjaro.
