
#1 2020-02-17 09:59:04

diego-treitos
Member
Registered: 2020-02-16
Posts: 2

Official support for secureboot

I have Arch installed on my laptop with "full" disk encryption. To achieve better security and ensure that the boot system cannot be tampered with, I wanted to enable secureboot and use signed boot software (kernels, grub, etc).

To my surprise I saw that this is not available in Arch and that I have to use AUR to install the basic software like shim or preloader. AUR being an unsafe source of software, it totally defeats the purpose of using secureboot in my opinion.

Are there any plans to officially support secureboot in Arch?


#2 2020-02-17 11:05:07

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,845

Re: Official support for secureboot

Vaguely, kind of, maybe, yes?

https://bugs.archlinux.org/task/53864
https://lists.archlinux.org/pipermail/a … 29705.html

I'm not sure why you've decided that AUR == unsafe. You should always check the PKGBUILDs before running them, but 9/10 they're doing exactly what the PKGBUILDs in the official repositories do (just to varying degrees of well-writtenness).



#3 2020-02-17 11:33:40

diego-treitos
Member
Registered: 2020-02-16
Posts: 2

Re: Official support for secureboot

Hi WorMzy, thank you for the links. It seems that some thought was given to it but it seems nothing is being done. I am glad that they are looking at how Debian is doing it.

Regarding AUR I do not say that it is directly unsafe, but more that it does have some security concerns that make it unsuitable for critical packages like the ones for secureboot. Maybe I do not have a deep understanding of AUR but here are my main worries about it:

1. It is not covered by any security advisory like https://security.archlinux.org/advisory. So vulnerabilities might or might not be patched or they might not be patched in a proper way.
2. It is just impossible to review all PKGBUILDs of all installed AUR packages and their dependencies each time you update the system. Depending on your installation you could have to check a hundred PKGBUILDs for each update with several lines for each diff. It is most likely that one day you just skip some check, either willingly or by mistake.
3. It is very tedious to look for the original sources of each one of the packages and their dependencies. Again, if a package has 30 dependencies, you will have to dig around to check that the source for each library is the right one, and recheck for each update. I believe at the end of the day people blindly trust the dependencies.
4. I understand (maybe I am wrong) that anybody can retake orphaned packages, so in a way anybody can end up sending software to you, so you depend on points 2 and 3 to be safe...
5. Tools that are used to install AUR (most AUR users use them) are not always safe to use or designed with security in mind: https://github.com/trizen/trizen/issues/209

So yes, I limit my use of AUR a lot and I think I only have a couple of packages from AUR. Maybe it is that Arch is not the distro for me.

In any case I think that the packages required to use Secure Boot should be obtained in the safest way possible. If not, it defeats the purpose of Secure Boot.
