
#1 2014-01-11 21:45:40

Infinity
Member
From: EU
Registered: 2013-12-16
Posts: 18

Secure Boot - Worth the trouble?

Alright, I'm first going to explain my situation a little bit.

I've bought a new laptop recently. It's a Dell Inspiron 15R, and it came without an operating system. I am planning to use it exclusively for Linux, and I want to use Arch. Now the thing is that I have this habit of using "full" disk encryption on every one of my machines. I have successfully set up several LUKS+LVM installations in the past, some of which I had to set up manually (e.g. without the distro installer). But all of these installations were performed on the old MBR partition types.

Now I can't help but notice that the laptop also offers a UEFI boot option besides the legacy MBR. So I was wondering... If I choose to install Arch Linux with "full" disk encryption by using UEFI, how easy/hard is it, and what do I gain, if I go through the trouble of setting up secure boot along? I mean I've found an option in "bios" to erase the TPM keys, so the laptop must be unlocked. The thing is I can't seem to find any article discussing the secure boot setup in the Arch Wiki, and the documentation on this subject is rather scarce. I did find some useful information though.

Particularly these two articles:
https://wiki.archlinux.org/index.php/Un … ecure_Boot
http://www.rodsbooks.com/efi-bootloader … eboot.html

Obviously I'll have to set up the system in a way that the system verifies the boot loader, then the kernel, and finally the initramfs (or initcpio) since that is needed for decrypting the rootfs. Although I would prefer to use kernels from the repos over having to compile my own. Has anyone been able to set up secure boot like this on an Arch installation? Share your experience.

Best regards!

Offline

#2 2014-01-11 22:16:08

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Secure Boot - Worth the trouble?

I don't use secureboot myself.  Though I have looked into it a bit.  I am a gummiboot user, so I would have to use the prebootloader, which can be found in the official repos and doesn't seem incredibly difficult to use.  In fact it would be the easier of the two since you just register the bootloader and kernel themselves instead of the key.  But ultimately, every time there is a kernel update, you would have to go through and re-register the kernel.  So I decided it was not worth the time or effort.

Using the shim loader would end up being even more of a manual process since you would have to manually sign everything every time you updated.  Though I am sure you could automate this process.

Offline

#3 2014-01-11 23:06:12

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,138
Website

Re: Secure Boot - Worth the trouble?

You can set up the arch installation without Secure Boot initially, and enable Secure Boot after you are up and running.

Offline

#4 2014-01-12 08:32:04

Infinity
Member
From: EU
Registered: 2013-12-16
Posts: 18

Re: Secure Boot - Worth the trouble?

Do I have to boot the ISO image in UEFI mode to install in EFI mode?

Offline

#5 2014-01-12 08:50:59

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: Secure Boot - Worth the trouble?

Yes.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#6 2014-01-12 10:40:42

mcloaked
Member
From: Yorkshire, UK
Registered: 2012-02-02
Posts: 1,240

Re: Secure Boot - Worth the trouble?

I would like to know the answer to this question also, as I have a new machine with Windows 8.1 (UEFI of course), and at some point I would like to have dual boot with Arch on it - if Arch could be booted with secure boot as well as Win 8.1 that would be nice but I was taking time to research this before any attempt to go that route. The other question I have is whether there is any possibility of being able to boot Windows with secure boot but being able to boot Arch (in UEFI mode) without secure boot, and also without having to turn secure boot on and off in the bios when swapping between the two O/Ses?


Mike C

Offline

#7 2014-01-12 10:55:34

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,138
Website

Re: Secure Boot - Worth the trouble?

Infinity wrote:

Do I have to boot the ISO image in UEFI mode to install in EFI mode?

jasonwryan wrote:

Yes.

No, you do not have to boot in UEFI mode to install in UEFI mode.

wiki wrote:

Note: On some UEFI systems the only possible way to launch UEFI application on boot (if it does not have custom entry in UEFI boot menu) is to put it in this fixed location: <EFI SYSTEM PARTITION>/EFI/boot/bootx64.efi (for 64-bit x86 system)

rodsbooks wrote:

This directory holds a boot loader file, bootx64.efi, which serves as the fallback boot loader if none is specified in the firmware's flash storage.

For copying the UEFI application to this path, it is not necessary to boot in UEFI mode.

Offline
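Added example, not part of any post above: a shell function that places a UEFI application at the fallback path quoted in post #7, `<EFI SYSTEM PARTITION>/EFI/boot/bootx64.efi`, from any running system that has the ESP mounted. The function names, the mount point and the loader file passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: install a UEFI application as the fallback loader on a
# mounted EFI System Partition (ESP). Both arguments are assumptions.

# is_pe_image FILE: true if FILE starts with the "MZ" magic that every
# PE/COFF UEFI application carries.
is_pe_image() {
    [ -f "$1" ] && [ "$(head -c 2 "$1")" = "MZ" ]
}

# install_fallback_loader ESP_MOUNT LOADER
# Copies LOADER to <ESP_MOUNT>/EFI/boot/bootx64.efi and keeps any different
# loader already there as bootx64.efi.bak.
# Returns: 1 no ESP, 2 not a PE image, 3 copy failed, 4 verify failed.
install_fallback_loader() {
    esp=$1
    loader=$2
    dest_dir="$esp/EFI/boot"
    dest="$dest_dir/bootx64.efi"

    [ -d "$esp" ] || { echo "ESP mount point not found: $esp" >&2; return 1; }
    is_pe_image "$loader" || { echo "not a PE image: $loader" >&2; return 2; }

    mkdir -p "$dest_dir" || return 3
    # Another OS may already own the fallback slot; keep its loader.
    if [ -f "$dest" ] && ! cmp -s "$loader" "$dest"; then
        cp -p "$dest" "$dest.bak" || return 3
    fi
    cp "$loader" "$dest" || return 3
    # Read the copy back so a short write to the ESP is caught.
    cmp -s "$loader" "$dest" || return 4
}

# Usage (paths are placeholders): install_fallback_loader /mnt/esp ./loader.efi
```

The backup step matters on dual-boot machines, where the fallback slot is often already occupied by the other operating system's loader.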
