
#1 2021-07-13 23:29:05

Registered: 2021-07-13
Posts: 2

EFI + Secure boot + Full Disk Encryption + /boot partition encrypted

Hello there,

It's my first time posting from this account (but I'm pretty sure I already asked questions back in the day, around 2010-2012).

Anyway, long story short, I got a new laptop (Dell XPS 13 9310) so I wanted to give Arch a try after all these years without it.

Since my laptop supports EFI, Secure Boot, and TPM 2.0, I would like to use all these features to make my laptop as secure as possible (and learn along the way).

What I got right now: Archlinux installed, up-to-date, in UEFI mode.

Here is my partition layout:
/dev/nvmen0p1 : EFI partition (ESP)
/dev/nvmen0p2 : LUKS1 encrypted volume holding the "/boot" partition (EXT4 once decrypted)
/dev/nvmen0p3 : 16GB partition on which I want to get Intel Rapid Storage Technology (IRST, a hybrid suspend approach) working later on
/dev/nvmen0p4 : LUKS2 encrypted volume (LVM2 once decrypted, with a volume group named myVolGroup, as in the tutorial, with 2 logical volumes for / and /home, both btrfs)

Currently, without Secure Boot, I can boot the whole system.
Here is the boot flow:
1) EFI/BIOS kicks in
2) GRUB is loaded from the ESP and asks me for the /boot partition password
3) The Linux kernel and initramfs are loaded and booted from the decrypted /boot partition. The password for the root partition is then requested.
4) Once all the rest is loaded, I'm prompted with a tty login
5) I can login, and launch sway (i3-like on wayland)

So, as we can see, everything is fine: I have everything hardware-related working (screen brightness, graphics, WiFi, audio, etc.)

I'm now trying to add Secure Boot on top of it.

I followed the Arch wiki tutorial and first tried managing my own keys and enrolling them in the UEFI/BIOS.
In this setup, I'm able to sbsign grubx64.efi and it boots.
But the next step doesn't pass: I get this error:
"error: verification requested but nobody cares: (cryptouuid/myUUID/grub/x86_64-efi/normal.mod."

So I was thinking that I needed to sign the GRUB modules. But it can't be done straightforwardly as they're not PE files.
So I used the grub-mkstandalone command to try to gather all modules into a single binary that I can sign.
It worked, but I got the same error on linux-signed.efi, which is a unified kernel image (kernel + initramfs) that I was trying to chainload. Chainloading a unified kernel image
I signed this unified kernel image to no avail: I got the same error.

I'm now trying to do this with a signed bootloader (shim) to eliminate any error that could be linked to me not generating/enrolling the keys the right way.
I re-signed grub and vmlinux with the MOK key, and enrolled this key after a reboot.
GRUB thus loads and asks me for my password: no problem.
But after decrypting the boot partition I get this error again:
"error: verification requested but nobody cares: (cryptouuid/myUUID/grub/x86_64-efi/normal.mod."

What is the best way to achieve Secure Boot on this setup?

I would prefer to be able to use my own PK/KEK/DB keys but if I'm forced to use shim, it would be "ok" also.

Thanks in advance!

EDIT: I just found this but it doesn't seem to work... I get an error about the shim_lock protocol not being found when trying to load vmlinux.
But I retried the SHIM setup (re-signed vmlinux and grub with the MOK key) and it's working... I can see it from "bootctl status"

Anyway, I would like to be able to do it with my own keys. Do you have an idea?

EDIT2: I ran grub-install again with the 2 new options (--modules="tpm" and --disable-shim-lock) and now it seems to work; it is also validated after a reboot with shim removed from the ESP and the shim-signed package removed.
So I guess it's working!

Last edited by Stygmatik (2021-07-14 00:08:07)


#2 2021-07-14 14:00:29

Registered: 2021-07-14
Posts: 1

Re: EFI + Secure boot + Full Disk Encryption + /boot partition encrypted

arch does not support secure boot


#3 2021-07-14 15:55:38

Registered: 2021-07-13
Posts: 2

Re: EFI + Secure boot + Full Disk Encryption + /boot partition encrypted

Well... I guess that's why it's documented.

Anyway, it's working now, but the initramfs isn't checked by GRUB.
Does anyone know how it could be?

Another question: how could I automatically sign GRUB once it's modified/updated? (To avoid rebooting without signing and being stuck.)
I found a pacman hook (in the wiki) to do it for kernel updates but haven't had a chance to test it yet.

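A pre-reboot check, added here as example code (not from the thread and not part of the wiki hook or any tool it mentions): it parses the PE/COFF headers of an EFI binary such as grubx64.efi or a unified kernel image and reports whether the Authenticode certificate table is populated, so an image that was rebuilt but never re-signed is caught before rebooting into a locked system. The make_sample_pe fixture builds a constructed minimal PE image so the script runs offline; it is not a real bootable binary.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CERT_TABLE_INDEX = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header
EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver", 12: "EFI runtime driver"}

def inspect_pe(data: bytes) -> dict:
    """Parse a PE/COFF image and report its subsystem and Authenticode signature count."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = pe_off + 24                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        n_dirs_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    cert_off = cert_size = 0
    if n_dirs > CERT_TABLE_INDEX:                       # Certificate Table holds (file offset, size)
        cert_off, cert_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * CERT_TABLE_INDEX)
    certs, pos = 0, cert_off                            # walk WIN_CERTIFICATE entries, 8-byte aligned
    while cert_size and pos + 8 <= cert_off + cert_size:
        length, _revision, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8:
            break
        certs += int(ctype == 0x0002)                   # WIN_CERT_TYPE_PKCS_SIGNED_DATA (Authenticode)
        pos += (length + 7) & ~7
    return {"subsystem": EFI_SUBSYSTEMS.get(subsystem, f"other ({subsystem})"),
            "signed": certs > 0, "certificates": certs}

def make_sample_pe(signed: bool, plus: bool = True) -> bytes:
    """Constructed minimal EFI-application PE image used as a fixture; not a real bootable binary."""
    opt_len = 240 if plus else 224
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, 10)                 # Subsystem = EFI application
    struct.pack_into("<I", opt, 108 if plus else 92, 16)  # NumberOfRvaAndSizes
    cert, hdr_end = b"", 0x40 + 4 + 20 + opt_len
    if signed:                                          # placeholder blob stands in for the PKCS#7 DER
        blob = b"\x30\x82" + b"\0" * 30
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", opt, (112 if plus else 96) + 8 * CERT_TABLE_INDEX, hdr_end, len(cert))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0, opt_len, 0x22)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert
```

For a real image run inspect_pe(open("/efi/EFI/GRUB/grubx64.efi", "rb").read()) from a pacman hook before rebooting. A populated certificate table only proves a signature is present; whether it chains to a key enrolled in db or MOK is what sbverify --cert checks.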


#4 2021-07-20 08:14:58

Registered: 2017-10-12
Posts: 22

Re: EFI + Secure boot + Full Disk Encryption + /boot partition encrypted

Hi Stygmatik,

I am also considering enabling Secure Boot and since you seem to have researched it a lot, I have some doubts I would like to ask you about:

- To load the new keys, do you need to first enable Secure Boot and boot Arch Linux with it on? This is not clear to me when I read the documentation … ecure_Boot. It seems to be a chicken-and-egg problem. For example, to remove the old keys I need to enter system setup, enable Secure Boot and remove the keys. However, then I can't boot Arch Linux.

- In my setup, the kernel and initramfs image are located in the ESP. So, to protect them I am considering using a unified kernel image. Do you know if unified kernel images support 2 initrds? One would be the kernel's initramfs and the other intel-ucode with the firmware for Intel CPUs.



#5 2021-07-20 08:58:47

Registered: 2012-05-17
Posts: 4,447

Re: EFI + Secure boot + Full Disk Encryption + /boot partition encrypted

There is not really a chicken-and-egg problem. Basically you generate the certificates, then create and sign the Arch Linux image. Now you can import the keys in the UEFI menu (platform key last!) and enable Secure Boot.
Alternatively you can try to delete the platform key in the UEFI menu with Secure Boot enabled, which should put it in "setup mode", where booting without keys should work until you install them through the UEFI menu or one of the tools mentioned in the wiki.

Yes, you can use multiple initramfs images if you concatenate them first. That is also done by the sbupdate tool mentioned in the wiki and by sbctl (it can concatenate the initramfs with either the Intel or the AMD microcode image, but not both at once at the moment).

It only becomes a bit more complicated if you want automated LUKS decryption with attested boot and TPM2. (The most troublesome thing would be automated resealing of the keys on kernel updates; there is no good tooling yet.)

Last edited by progandy (2021-07-20 09:29:38)

| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#6 2021-08-01 11:26:44

Registered: 2021-07-28
Posts: 15

Re: EFI + Secure boot + Full Disk Encryption + /boot partition encrypted

Stygmatik wrote:

EDIT2: I ran grub-install again with the 2 new options (--modules="tpm" and --disable-shim-lock) and now it seems to work; it is also validated after a reboot with shim removed from the ESP and the shim-signed package removed.
So I guess it's working!

I tried to activate Secure Boot on my laptop and ran into the same issues. It seems --modules="tpm" and --disable-shim-lock fixed it for me as well, and Secure Boot works. I also see Secure Boot enabled in dmesg.
I used this for signing:
can also be found in AUR:
The issue is that you should first generate GRUB with

grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --modules="tpm" --disable-shim-lock

and then sign with:

cryptboot-efikeys sign /efi/EFI/GRUB/grubx64.efi


cryptboot update-grub

does not add the required --modules="tpm" --disable-shim-lock to the GRUB generation.
The cryptboot package also has convenient mount/unmount switches which work, but update-grub/upgrade don't add the required extra options. Maybe the package will add extra config options at some point.
You can also create and enroll keys with

cryptboot-efikeys create
cryptboot-efikeys enroll

Just make sure to set the correct values in /etc/cryptboot.conf

Actually it should be doable to add --modules="tpm" and --disable-shim-lock to cryptboot. … tboot#L116

After installing cryptboot, edit /usr/bin/cryptboot and modify the following line this way:

grub-install --target=x86_64-efi --boot-directory="$BOOT_DIR" --efi-directory="$EFI_DIR" --bootloader-id="$EFI_ID_GRUB" --modules="tpm" --disable-shim-lock

then you can just use

cryptboot upgrade

Last edited by qu@rk (2021-08-02 01:26:28)

