#1 2015-09-27 22:35:32

anon1054572
Member
Registered: 2012-04-14
Posts: 17

Secure boot and kernel updates [solved]

Hi all,

I see that I could run Arch without disabling secure boot if I use the Linux Foundation's preloader, which is signed with Microsoft's key. I would just like to check that I understand correctly that:

1. I would have to add a hash to the database stored on the ESP after each kernel update.

2. The alternative is to use Shim and manually sign every new kernel binary with my own key. The advantage is that I add just one key to the ESP instead of making a huge mess over time. This method is not supported, but shim and sbsigntool can be found on the AUR.

Just as a note, the reason I'm even considering keeping secure boot enabled is that I have to dual boot to use some specialized software for work that I can't run in wine.

Last edited by anon1054572 (2015-10-04 09:11:49)


#2 2015-10-04 09:11:19

anon1054572
Member
Registered: 2012-04-14
Posts: 17

Re: Secure boot and kernel updates [solved]

Update: I have decided to disable secure boot.


#3 2015-10-04 13:36:38

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 9,003

Re: Secure boot and kernel updates [solved]

anon1054572 wrote:

I would just like to check that I understand correctly that:

1. I would have to add a hash to the database stored on the ESP after each kernel update.

I have had several kernel updates with Secure Boot enabled and every time the Preloader detects the unbootable kernel image and offers to open the Hashtool to enrol the new image.

I think you also have to re-enrol (and rename) loader.efi whenever systemd-boot is updated.


Jin, Jîyan, Azadî

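Both approaches in the thread (enrolling each new kernel's hash with PreLoader/HashTool, or signing each kernel with your own key via shim) hinge on the same fact: a freshly updated /boot/vmlinuz-linux is an EFI-stub PE32+ image with no Authenticode signature, which is exactly what the Preloader detects as "unbootable". The script below is an added example, not code from the thread or from PreLoader/shim; it parses the PE headers to report whether an image carries an embedded signature, so you can check a kernel after a pacman update before rebooting. The sample image it builds is constructed, not a real kernel.

```python
"""Check whether an EFI PE image (e.g. /boot/vmlinuz-linux) carries an
Authenticode signature. Offsets follow the PE/COFF format; sample_image()
builds a constructed minimal PE32+ for demonstration only."""
import struct
import sys

SECURITY_DIR = 4   # index of the Certificate Table in the data directories


def certificate_table(image):
    """Return (file_offset, size) of the Certificate Table entry.

    size == 0 means no embedded signature: Secure Boot firmware (or shim)
    rejects the image unless its hash was enrolled (PreLoader/HashTool) or
    it is signed with an enrolled key (shim/MOK)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24                 # skip 'PE\0\0' + 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    dir_rel = {0x10B: 96, 0x20B: 112}.get(magic)          # PE32 / PE32+
    if dir_rel is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dir_off = opt_off + dir_rel
    n_dirs = struct.unpack_from("<I", image, dir_off - 4)[0]  # NumberOfRvaAndSizes
    if n_dirs <= SECURITY_DIR:
        return (0, 0)                     # no Certificate Table at all => unsigned
    # Unlike other directories, this entry holds a file offset, not an RVA.
    return struct.unpack_from("<II", image, dir_off + 8 * SECURITY_DIR)


def is_signed(image):
    offset, size = certificate_table(image)
    return size > 0 and offset + size <= len(image)   # table must lie in-file


def sample_image(cert_size):
    """Constructed minimal PE32+ with a cert table of cert_size bytes (0 = unsigned)."""
    img = bytearray(64 + 24 + 112 + 16 * 8)   # DOS header, PE+COFF, opt header, 16 dirs
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)     # e_lfanew -> PE header at 64
    img[64:68] = b"PE\0\0"
    struct.pack_into("<H", img, 88, 0x20B)    # PE32+ magic
    struct.pack_into("<I", img, 196, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 232, len(img) if cert_size else 0, cert_size)
    return bytes(img) + b"\0" * cert_size     # stand-in for the WIN_CERTIFICATE blob


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print("signed" if is_signed(f.read()) else "UNSIGNED: enrol hash or sign it")
```

Run it as `python check_sig.py /boot/vmlinuz-linux` after a kernel update; an UNSIGNED result means the next boot will trip the Preloader's HashTool prompt (or fail under shim) until the hash is enrolled or the image is signed with sbsign.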