Last active
August 5, 2022 04:53
-
-
Save PIPIPIG233666/e9588b5013a982b3be2de525e0fe4679 to your computer and use it in GitHub Desktop.
Arch Linux Secure Boot
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sudo mount /dev/nvme1n1p3 /boot/efi | |
| yay -S shim-signed sbsigntools | |
| sudo mv /boot/efi/EFI/BOOT/BOOTx64.EFI /boot/efi/EFI/BOOT/grubx64.efi | |
| sudo cp /usr/share/shim-signed/shimx64.efi /boot/efi/EFI/BOOT/BOOTx64.EFI | |
| sudo cp /usr/share/shim-signed/mmx64.efi /boot/efi/EFI/BOOT/ | |
| sudo efibootmgr --verbose --disk /dev/nvme1n1 --part 2 --create --label "Shim" --loader /EFI/BOOT/BOOTx64.EFI | |
| openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt | |
| openssl x509 -outform DER -in MOK.crt -out MOK.cer | |
| sudo sbsign --key MOK.key --cert MOK.crt --output /boot/efi/EFI/BOOT/grubx64.efi /boot/efi/EFI/BOOT/grubx64.efi | |
| sudo sbsign --key MOK.key --cert MOK.crt --output /boot/vmlinuz-linux-holoiso /boot/vmlinuz-linux-holoiso | |
| sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules="tpm" --sbat /usr/share/grub/sbat.csv | |
| sudo cp MOK.cer /boot/efi | |
| sudo sbsign --key MOK.key --cert MOK.crt --output /boot/efi/EFI/grub/grubx64.efi /boot/efi/EFI/grub/grubx64.efi | |
| sudo cp /boot/efi/EFI/grub/grubx64.efi /boot/efi/EFI/BOOT/grubx64.efi | |
| sudo reboot bootloader |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
^
/etc/pacman.d/hooks/999-sign_kernel_for_secureboot.hook