@PIPIPIG233666
Last active August 5, 2022 04:53
Arch Linux Secure Boot
# Mount the EFI System Partition (ESP); the device node is this machine's, adjust to your layout
sudo mount /dev/nvme1n1p3 /boot/efi
# Microsoft-signed shim (the pre-loader the firmware trusts) plus sbsign/sbverify
yay -S shim-signed sbsigntools
# Keep the existing bootloader image under the name shim chain-loads (grubx64.efi next to itself),
# then put shim in the fallback path
sudo mv /boot/efi/EFI/BOOT/BOOTx64.EFI /boot/efi/EFI/BOOT/grubx64.efi
sudo cp /usr/share/shim-signed/shimx64.efi /boot/efi/EFI/BOOT/BOOTx64.EFI
# MokManager, which shim launches so the key below can be enrolled on the next boot
sudo cp /usr/share/shim-signed/mmx64.efi /boot/efi/EFI/BOOT/
# --part must be the partition number of the ESP mounted at /boot/efi above
sudo efibootmgr --verbose --disk /dev/nvme1n1 --part 2 --create --label "Shim" --loader /EFI/BOOT/BOOTx64.EFI
# Generate the Machine Owner Key: MOK.key is the private key and must never be copied to the ESP
openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt
# DER copy of the certificate, the format MokManager enrolls
openssl x509 -outform DER -in MOK.crt -out MOK.cer
# Sign the bootloader and the kernel in place with the MOK
sudo sbsign --key MOK.key --cert MOK.crt --output /boot/efi/EFI/BOOT/grubx64.efi /boot/efi/EFI/BOOT/grubx64.efi
sudo sbsign --key MOK.key --cert MOK.crt --output /boot/vmlinuz-linux-holoiso /boot/vmlinuz-linux-holoiso
# Rebuild GRUB with the TPM module and the SBAT metadata that current shim versions check
sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules="tpm" --sbat /usr/share/grub/sbat.csv
# Only the public certificate goes on the ESP, for MokManager to pick up
sudo cp MOK.cer /boot/efi
# Sign the freshly built GRUB and make it the image shim loads from EFI/BOOT
sudo sbsign --key MOK.key --cert MOK.crt --output /boot/efi/EFI/grub/grubx64.efi /boot/efi/EFI/grub/grubx64.efi
sudo cp /boot/efi/EFI/grub/grubx64.efi /boot/efi/EFI/BOOT/grubx64.efi
# Reboot; shim will drop into MokManager to enroll MOK.cer
sudo reboot bootloader
@PIPIPIG233666
Author

[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = linux
Target = linux-lts
Target = linux-hardened
Target = linux-zen
Target = linux-holoiso
Target = linux-xanmod-edge

[Action]
Description = Signing kernel with Machine Owner Key for Secure Boot
When = PostTransaction
Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key /home/deck/MOK.key --cert /home/deck/MOK.crt --output {} {}; fi' ;
Depends = sbsigntools
Depends = findutils
Depends = grep

@PIPIPIG233666
Author

^
/etc/pacman.d/hooks/999-sign_kernel_for_secureboot.hook

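The hook above decides whether to re-sign a kernel by asking `sbverify --list` whether an Authenticode signature is already attached. As an added example (not part of the gist), the following pure-Python parser performs the same check offline by reading the PE Certificate Table directory of an EFI/kernel image; `build_pe` constructs a throwaway, non-bootable PE32+ stub so the parser can be exercised without a real kernel.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData

def pe_signatures(data: bytes) -> list:
    """Return (revision, type, length) for each WIN_CERTIFICATE in the image.

    Offsets follow the PE/COFF spec: the Certificate Table is data directory 4
    and its 'VirtualAddress' field is a plain file offset, not an RVA.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE\\0\\0 signature")
    opt_off = pe_off + 4 + 20                                 # skip COFF file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)        # PE32+ vs PE32 directories
    if struct.unpack_from("<I", data, dd_off - 4)[0] < 5:     # NumberOfRvaAndSizes
        return []                                             # no Certificate Table slot
    sec_off, sec_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    certs, pos = [], sec_off
    while sec_size and pos < sec_off + sec_size:
        length, rev, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > len(data):
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        certs.append((rev, ctype, length))
        pos += (length + 7) & ~7                              # entries are 8-byte aligned
    return certs

def is_signed(data: bytes) -> bool:
    """True when at least one Authenticode entry is present (what the hook tests)."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in pe_signatures(data))

def build_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed, non-bootable PE32+ stub used only to exercise the parser."""
    pe_off = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                       # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    entry = b""
    if cert_blob:                                              # attach one WIN_CERTIFICATE
        entry = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        entry += bytes(-len(entry) % 8)
        struct.pack_into("<II", opt, 112 + 4 * 8, pe_off + 24 + 240, len(entry))
    return dos + coff + bytes(opt) + entry
```

On a real system `is_signed(open("/boot/vmlinuz-linux", "rb").read())` gives the same yes/no answer as the hook's `sbverify --list` grep, without validating the signature itself; use `sbverify --cert MOK.crt` for that.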