Manjaro Xfce version.
- TPM module installed in the motherboard (that is set to TPM 2.0 mode from the BIOS).
- refind
- sbsigntools
- shim or shim-signed
- tpm2-tss-engine
- tpm2-tools (optional)
- patch
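# Become root for the rest of the procedure (the sudo prefixes that follow are
# then redundant but harmless).
sudo -i
# Tooling: rEFInd boot manager, sbsigntools (sbsign/sbverify), the OpenSSL TPM2
# engine used by --engine tpm2tss below, tpm2-tools (optional, for inspecting the
# TPM) and patch (for the gist patches applied later).
sudo pacman -S refind sbsigntools tpm2-tss-engine tpm2-tools patch
# Pick ONE shim package: 'shim' or the prebuilt 'shim-signed'.
sudo pamac install shim
# or:
# sudo pamac install shim-signed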
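# Patch the refind-install script.
# The patch comes from a mutable gist URL, so download it to a temporary file and
# read it before applying it to a file under /usr/bin; -f makes curl fail on an
# HTTP error instead of feeding an error page to patch. To freeze the content,
# use the gist's /raw/<revision>/refind-install.patch form of the URL.
# NOTE: /usr/bin/refind-install is package-owned and will be overwritten by the
# next refind upgrade; the patch then has to be re-applied.
refind_patch=$(mktemp) || exit 1
curl -fsSL -o "$refind_patch" https://gist.githubusercontent.com/heri16/6df9ae37ae51496fe376debaca45540b/raw/refind-install.patch
less "$refind_patch"
patch --backup /usr/bin/refind-install "$refind_patch"
rm -f -- "$refind_patch"

# Install the rEFInd EFI boot manager to the ESP partition (encrypted keys without TPM):
# refind-install --shim /usr/share/shim/shimx64.efi --localkeys --encryptkeys --yes
# Install the rEFInd EFI boot manager to the ESP partition (keys encrypted on the TPM):
refind-install --shim /usr/share/shim/shimx64.efi --localkeys --encryptkeys --engine tpm2tss --yes
efibootmgr

# Key pair created by --localkeys above; the key file is usable only through the
# tpm2tss engine because it was created with --encryptkeys --engine tpm2tss.
key=/etc/refind.d/keys/refind_local.key
cert=/etc/refind.d/keys/refind_local.crt

# Sign the Linux kernel images in place, then check the signature against our
# own certificate (--cert) rather than only listing whatever signature is attached.
for img in /boot/vmlinuz-linux /boot/vmlinuz-linux-lts; do
  sbsign --engine tpm2tss --key "$key" --cert "$cert" --output "$img" "$img"
  sbverify --cert "$cert" "$img"
  sbverify --list "$img"
done

# Sign Manjaro's Grub2 EFI bootloader (optional) the same way.
grub=/boot/efi/EFI/Arch/grubx64.efi
sbsign --engine tpm2tss --key "$key" --cert "$cert" --output "$grub" "$grub"
sbverify --cert "$cert" "$grub"
sbverify --list "$grub"

# Place shim (and its MokManager / fallback helpers) next to grubx64.efi.
sudo cp /usr/share/shim/shimx64.efi /boot/efi/EFI/Arch/shimx64.efi
sudo cp /usr/share/shim/mmx64.efi /boot/efi/EFI/Arch/mmx64.efi
sudo cp /usr/share/shim/fbx64.efi /boot/efi/EFI/Arch/fbx64.efi

# Register a firmware boot entry that starts shim. Adjust the disk and the ESP
# partition number to this machine (see lsblk / the efibootmgr listing above).
esp_disk=/dev/nvme0n1
esp_part=1
sudo efibootmgr -c -d "$esp_disk" -p "$esp_part" -L "manjaro-secureboot" -l '\boot\efi\EFI\Arch\shimx64.efi'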
# Reboot into BIOS
Then, reboot into the BIOS and enable Secure Boot.
Once in MokManager, add refind_local.cer to the MokList. refind_local.cer can be found inside the directory called keys in rEFInd's installation directory, e.g. esp/EFI/refind/keys/refind_local.cer.
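# Alternative without the TPM: create a plain local signing key pair.
# Keep the PRIVATE key off the ESP: the ESP is a FAT filesystem without
# permission bits, so anything stored there can be read (and used to sign
# arbitrary binaries) by every local user and by any other OS on the machine.
# Only the DER certificate (.cer) needs to be on the ESP, so MokManager can enrol it.
keydir=/etc/refind.d/keys
espkeys=/boot/efi/EFI/refind/keys
sudo mkdir -p "$keydir" "$espkeys"
sudo chmod 700 "$keydir"
# -nodes: unencrypted private key, so signing can run non-interactively from the
# pacman hook; that is why the file permissions above matter.
sudo openssl req -new -x509 -newkey rsa:2048 -keyout "$keydir/refind_local.key" -out "$keydir/refind_local.crt" -nodes -days 3650 -subj "/CN=Manjaro kernel signing key/"
sudo chmod 600 "$keydir/refind_local.key"
# DER copy of the certificate for MokManager.
sudo openssl x509 -in "$keydir/refind_local.crt" -out "$espkeys/refind_local.cer" -outform DER
# Sign the bootloader and kernels in place and verify each against our certificate.
for img in /boot/efi/EFI/Arch/grubx64.efi /boot/vmlinuz-linux /boot/vmlinuz-linux-lts; do
  sudo sbsign --key "$keydir/refind_local.key" --cert "$keydir/refind_local.crt" --output "$img" "$img"
  sudo sbverify --cert "$keydir/refind_local.crt" "$img"
done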
Make pacman sign the kernel automatically on kernel updates.
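sudo -i
# x11-ssh-askpass: presumably used by the patched hook script to prompt for a
# passphrase during the pacman transaction — confirm against the patched script.
sudo pamac install x11-ssh-askpass
# -p: these directories usually exist already (the stock hook and script patched
# below are read from /usr/share/libalpm), and plain mkdir would abort on them.
sudo mkdir -p /usr/share/libalpm/scripts/ /usr/local/share/libalpm/scripts/ /etc/pacman.d/hooks/

# Both patches come from a mutable gist URL: download, read, then apply.
# patch -o writes the patched copy to a new location and leaves the
# package-owned originals under /usr/share/libalpm untouched, so these files
# survive pacman upgrades. The hook in /etc/pacman.d/hooks carries the same
# name as the stock one and so takes precedence over it.
# To freeze the content, use the gist's /raw/<revision>/<file> form of the URL.
hook_patch=$(mktemp) || exit 1
curl -fsSL -o "$hook_patch" https://gist.githubusercontent.com/heri16/6df9ae37ae51496fe376debaca45540b/raw/90-mkinitcpio-install.hook.patch
less "$hook_patch"
patch -o "/etc/pacman.d/hooks/90-mkinitcpio-install.hook" /usr/share/libalpm/hooks/90-mkinitcpio-install.hook "$hook_patch"
rm -f -- "$hook_patch"

script_patch=$(mktemp) || exit 1
curl -fsSL -o "$script_patch" https://gist.githubusercontent.com/heri16/6df9ae37ae51496fe376debaca45540b/raw/mkinitcpio-install.patch
less "$script_patch"
patch -o "/usr/local/share/libalpm/scripts/mkinitcpio-install" /usr/share/libalpm/scripts/mkinitcpio-install "$script_patch"
rm -f -- "$script_patch"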
These are the steps that worked for me, without having to install any new packages:
Check the disk designation in the program: sudo pacman -S gpart
Boot into Manjaro installer
Open terminal
sudo manjaro-chroot -a (and select system to mount)
grub-install /dev/nvme0n1 (it's sda for me; make sure you choose the right drive!)
grub-install --recheck /dev/nvme0n1 ## use your HDD's device name
update-grub
exit
reboot
- https://wiki.archlinux.org/index.php/REFInd#Using_shim
- https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot#Signing_the_kernel_and_boot_manager
- https://superuser.com/questions/1557668/undo-sbsign-on-executable-remove-an-attached-image-signature
- https://github.com/tpm2-software/tpm2-tss-engine