This documents how to install Arch Linux on a ThinkPad T450s, with full disk encryption and UEFI secure boot. It assumes you're familiar with installing Arch Linux, but new to encryption/secure boot. It does not install a bootloader (UEFI comes with one built in), and assumes you are not going to dual boot another OS.
(The instructions here should work fine for other devices too - just ignore the ThinkPad-specific bits)
My T450s has issues with using `hdparm` to wipe the disk, so instead we will use the drive erase utility provided by Lenovo. This section is mostly copied from this tutorial.
- Install unetbootin
- Format a USB drive as FAT32
- Use unetbootin to install FreeDOS on the USB drive
- Download and extract the ThinkPad Drive Erase Utility
- Copy `DrvErase.exe` to `${USB_DRIVE}/DrvErase.exe`
- Copy `BootX64.efi` to `${USB_DRIVE}/EFI/BOOT/BootX64.efi`
- Boot into the USB drive and select the first erase option
Reboot the system and enter the BIOS. Navigate to Security -> Secure Boot -> Clear All Secure Boot Keys. This basically disables secure boot until we are able to enroll our keys, at which point it will automatically re-enable itself.
While you're here, ensure that you are booting in UEFI mode with CSM disabled. Also, make sure that you have a supervisor password enabled in the BIOS, or else secure boot is useless (anyone can just turn it off)!
Follow https://gist.github.com/apsun/1f7b1da40b028a9ed1e0409ca8c3b3cc, up to but not including the unified kernel image step.
We want to bundle the kernel, initramfs, microcode, and cmdline into a single binary that we can sign with `sbsign`, and boot this binary directly from the UEFI boot manager. This lets us avoid adding a bootloader to our boot chain, which reduces attack surface.
Install the following packages with `pacman`:
Also install sbkeys and sbupdate-git from the AUR. How to do this is left as an exercise to the reader.
`cd` to `/etc/efi-keys` and run `sbkeys` to generate all of the secure boot keys (it will output them to the current directory; ensure permissions are set such that only `root` can access these). If you want, you can uninstall `sbkeys` after this step.
Next, find the UUID of your `/dev/sda2` partition (`blkid` will show it). Edit `/etc/sbupdate.conf`, and update the kernel cmdline to tell it how to decrypt the root filesystem:

```
CMDLINE_DEFAULT="cryptdevice=UUID=${YOUR_PARTITION_UUID}:cryptroot root=/dev/mapper/cryptroot rw quiet"
```
Run `sbupdate`, which will generate a unified kernel image and sign it with the keys that `sbkeys` generated. This will be output to `/boot/EFI/Arch/linux-signed.efi`. You can verify that it worked by running `sbverify --list /boot/EFI/Arch/linux-signed.efi`. If you want to install other kernels or customize your boot, you can play around with `/etc/sbupdate.conf` (remember to run `sbupdate` afterwards).
Finally, configure the UEFI boot manager to boot this image by running `efibootmgr --create --disk /dev/sda --part 1 --label "Arch Linux" --loader "EFI\\Arch\\linux-signed.efi" --verbose`.
Be aware that everything in this unified kernel image is unencrypted. Some tutorials have you embed a keyfile in the initramfs and enroll that in LUKS; this only works if your initramfs is encrypted (i.e. you have a separate bootloader and an encrypted `/boot` with the initramfs). Since our `/boot` is just the EFI system partition, which is unencrypted, do not store anything sensitive in it (except to complete the next section).
On my T450s, `sbkeysync` fails with permission errors. We will use `KeyTool.efi` instead to enroll the keys.
- Copy all of the `*.auth` keys from `/etc/efi-keys` to your ESP partition (`/boot`)
- Copy `/usr/share/efitools/efi/KeyTool.efi` to `/boot`
- Reboot your system into the Arch Linux live USB. Instead of booting the installer, enter the UEFI shell.
- Change to the ESP partition (the shell works like Windows cmd.exe; type `FS1:` for example to switch to the `FS1` partition). There might be multiple partitions, just try them all until you find the one with your keys and `KeyTool.efi`.
- Run `KeyTool.efi`, choose `Edit Keys`, and add the DB, KEK, and PK keys in that order. PK must be added last, as secure boot will turn itself back on after you enroll that key.
- Exit the UEFI shell, reboot the system, and unplug the USB drive. You should be greeted with a prompt to enter your decryption passphrase. Once booted, run `bootctl` to verify that secure boot is enabled.
- Important: Delete your keys and `KeyTool.efi` from `/boot` (remember, the EFI system partition isn't encrypted). You should use a secure erase tool like `shred` to ensure that the keys cannot be recovered.
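As an added check after the enrollment steps (this script is not part of the original tutorial), the following POSIX shell verifies the end state this page aims for: the firmware reports Secure Boot enabled, no key material or `KeyTool.efi` is left on the ESP, the `cryptdevice` UUID in `/etc/sbupdate.conf` names a real partition, and `linux-signed.efi` verifies against the db certificate. The default paths (the efivars file, `/boot` as ESP, `/etc/efi-keys/db.crt`) are assumptions about a standard Arch layout.

```shell
#!/bin/sh
# Added example, not from the original tutorial: post-install checks for the setup above.
# Each check takes its paths as arguments so it runs against fixtures as well as the live
# system; the default paths in run_checks assume a standard Arch layout (/etc/efi-keys,
# /boot as ESP, sbkeys' db.crt naming) and are assumptions, not facts from the page.

# Secure Boot state from the EFI variable file: 4 bytes of attributes, then a 1-byte
# value (1 = enabled). Prints enabled/disabled/unknown; exit 0 only when enabled.
secureboot_state() {
  [ -r "$1" ] || { echo unknown; return 1; }
  v=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
  case "$v" in
    1) echo enabled; return 0 ;;
    0) echo disabled; return 1 ;;
    *) echo unknown; return 1 ;;
  esac
}

# Key material left on the unencrypted ESP: lists *.auth/*.esl/*.key/*.crt and
# KeyTool.efi under the given mount point; exit 1 if anything is found.
esp_leftovers() {
  found=$(find "$1" -type f \( -iname '*.auth' -o -iname '*.esl' -o -iname '*.key' \
            -o -iname '*.crt' -o -iname 'KeyTool.efi' \) 2>/dev/null)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# The cryptdevice UUID in sbupdate.conf must name an existing partition; $2 is the
# directory of by-uuid entries (normally /dev/disk/by-uuid) so a fixture can stand in.
cmdline_uuid_ok() {
  uuid=$(sed -n 's/.*cryptdevice=UUID=\([0-9A-Fa-f-]*\):.*/\1/p' "$1" | head -n 1)
  [ -n "$uuid" ] && [ -e "$2/$uuid" ]
}

# The signed unified kernel image must verify against the enrolled db certificate.
uki_signed_ok() { sbverify --cert "$2" "$1" >/dev/null 2>&1; }

# Run every check against the live system (as root, after the final reboot).
run_checks() {
  rc=0
  sb=$(secureboot_state /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c)
  echo "secure boot: $sb"; [ "$sb" = enabled ] || rc=1
  esp_leftovers /boot || { echo "ERROR: key material still on the ESP (listed above)"; rc=1; }
  cmdline_uuid_ok /etc/sbupdate.conf /dev/disk/by-uuid || { echo "ERROR: cryptdevice UUID not found"; rc=1; }
  uki_signed_ok /boot/EFI/Arch/linux-signed.efi /etc/efi-keys/db.crt || { echo "ERROR: UKI signature check failed"; rc=1; }
  return $rc
}
[ "${1:-}" = "--check" ] && run_checks
```

Run it as root with `--check` after the final reboot; the functions can also be sourced and pointed at other paths.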
Your system is now ready to use!