Highly opinionated setup that provides minimal Secure Boot for Arch Linux, and a few recovery tools.
Bootloaders (such as GRUB or systemd-boot) are intentionally not supported, as they significantly increase the amount of code that runs during boot, therefore increasing the attack surface.
The package is available on AUR: arch-secure-boot
See the available configuration options in the top of the script.
Add your overrides to /etc/arch-secure-boot/config.
Most notably, set KERNEL=linux-hardened if you use hardened Linux.
arch-secure-boot generate-keysgenerates new keys for Secure Bootarch-secure-boot enroll-keysadds them to your UEFIarch-secure-boot generate-eficreates several images signed with Secure Boot keysarch-secure-boot add-efiadds UEFI entry for the main Secure Boot imagearch-secure-boot generate-snapshotsgenerates a list of btrfs snapshots for recoveryarch-secure-boot initial-setupruns all the steps in the proper order
secure-boot-linux.efi- the main imagevmlinuz-linux+initramfs-linux+*-ucode+ hardcodedcmdline
secure-boot-linux-efi-shell.efi- UEFI shell that is used to boot into a snapshot- because built-in UEFI shells are known to be buggy
secure-boot-linux-recovery.efi- recovery image that can be a used to boot from snapshotvmlinuz-linux+initramfs-linux-fallback
secure-boot-linux-lts-recovery.efi- recovery LTS image that can be used to boot from snapshotvmlinuz-linux-lts+initramfs-linux-lts-fallback
fwupdx64.efi image is also being signed.
- BIOS: Set admin password, disable Secure Boot, delete all Secure Boot keys
- Generate and enroll keys
- Generate EFI images and add the main one (only!) to UEFI
- BIOS: Enable Secure Boot
- BIOS: use admin password to boot into
efi-shellimage - Inspect recovery script using
edit FS0:\recovery.nsh(ifFS0is not your hard disk, try otherFSn) - Run the script using
FS0:\recovery.nsh - Once recovered, remove
efi-shellentry from UEFI