Installation is very simple, and the code looks like this:
### BOOTLOADER
# Install Systemd-boot Bootloader
bootctl --esp-path=/efi install
# Change ESP Permissions
sed -i "/\/efi/s/dmask=0022/dmask=0077/" /etc/fstab
sed -i "/\/efi/s/fmask=0022/fmask=0077/" /etc/fstab
### UKI
# Kernel Command-line
echo "quiet rw bgrt_disable" > /etc/kernel/cmdline
# Setup Mkinitcpio Config
sed -i "/^HOOKS=/s/udev/systemd/" /etc/mkinitcpio.conf
sed -i "/^HOOKS=/s/consolefont/sd-vconsole/" /etc/mkinitcpio.conf
# Create Mkinitcpio Preset for UKI
cat <<EOL > /etc/mkinitcpio.d/linux.preset
ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux"
PRESETS=('default' 'fallback')
default_uki="/efi/EFI/Linux/arch-linux.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"
fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi"
fallback_options="-S autodetect"
EOL
### SECURE BOOT
# Install Secure Boot Manager
pacman -S sbctl
# Create Signing Keys
sbctl create-keys
# Enroll Current Keys to EFI
sbctl enroll-keys -m
# Sign systemd-boot Loader
sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi
Wiki:
sbctl comes with a pacman hook that automatically signs all new files whenever the Linux kernel, systemd or the boot loader is updated.
This triggers the subsequent initcpio post hook, which automatically signs the UKI or kernel without them being directly written to the sbctl database.
/usr/lib/initcpio/post/sbctl
#!/usr/bin/bash
KERNEL_FILE="$1"
UKI_FILE="$3"
if ! [ "$(sbctl setup --print-state --json | awk '/installed/ { gsub(/,$/,"",$2); print $2 }')" = "true" ]; then
echo "Secureboot key directory doesn't exist, not signing!"
exit 0
fi
IMAGE_FILE="$KERNEL_FILE"
if [ -n "$KERNELDESTINATION" ] && [ -f "$KERNELDESTINATION" ]; then
IMAGE_FILE="$KERNELDESTINATION"
fi
if [ -n "$UKI_FILE" ]; then
IMAGE_FILE="$UKI_FILE"
fi
if [ -z "$IMAGE_FILE" ]; then
echo "No kernel or UKI found for signing"
exit 0
fi
echo "Signing $IMAGE_FILE"
sbctl sign "$IMAGE_FILE"
After that, another hook is triggered, which signs all the files that sbctl has in the database for signing.
Wiki:
Tip: If you use Systemd-boot and systemd-boot-update.service, the boot loader is only updated after a reboot, and the sbctl pacman hook will therefore not sign the new file. As a workaround, it can be useful to sign the boot loader directly in /usr/lib/, as bootctl install and update will automatically recognize and copy .efi.signed files to the ESP if present, instead of the normal .efi file. See bootctl(1).
sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi
/usr/share/libalpm/hooks/zz-sbctl.hook
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = boot/*
Target = efi/*
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/modules/*/extramodules/*
Target = usr/lib/**/efi/*.efi*
[Action]
Description = Signing EFI binaries...
When = PostTransaction
Exec = /usr/bin/sbctl sign-all -g
Problems:
systemd-boot is updated only after a reboot, before system initialization, so the old version is loaded first, and only then is it updated to the new one.
The command bootctl --no-variables --graceful update only changes the files if a newer version exists; if the versions are the same, the update does not occur even if systemd-bootx64.efi is signed and the file in /efi/EFI/systemd/ is not. As a temporary solution after Arch installation, I recommend running the command bootctl --esp-path=/efi install again, which forcefully overwrites the files with the newly signed ones, even if they are the same version.
/usr/lib/systemd/system/systemd-boot-update.service
[Unit]
Description=Automatic Boot Loader Update
Documentation=man:bootctl(1)
ConditionPathExists=!/etc/initrd-release
DefaultDependencies=no
After=local-fs.target
Before=sysinit.target systemd-update-done.service
Conflicts=shutdown.target
Before=shutdown.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=bootctl --no-variables --graceful update
[Install]
WantedBy=sysinit.target
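A check that goes with the problem described above (a signed loader in /usr/lib while the copy on the ESP stays unsigned because bootctl saw no version change), added here as example code and not part of this thread or of sbctl: it parses the PE header of each .efi file under the ESP and reports those whose Certificate Table is empty. build_pe32plus() constructs a minimal skeleton image only so the check can be exercised offline; an attached signature is not the same as one that chains to an enrolled key, which sbctl verify covers.

```python
import struct
import sys
from pathlib import Path


def has_authenticode_signature(data: bytes) -> bool:
    """True if the PE image has a non-empty Certificate Table (data directory 4)."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                      # 4-byte PE magic + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                       # PE32+ (x86_64 EFI binaries)
        dirs = opt + 112
    elif magic == 0x10B:                     # PE32 (ia32)
        dirs = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    return cert_size > 0 and cert_off + cert_size <= len(data)


def unsigned_efi_binaries(images: dict[str, bytes]) -> list[str]:
    """Return the relative paths whose image carries no signature, sorted."""
    return sorted(p for p, d in images.items() if not has_authenticode_signature(d))


def load_esp(esp_dir: str) -> dict[str, bytes]:
    """Read every *.efi under the ESP mount point (e.g. /efi) into memory."""
    root = Path(esp_dir)
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*.efi")}


def build_pe32plus(cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32+ skeleton for offline testing; not a real loader."""
    opt_size = 112 + 16 * 8                  # standard + Windows fields, 16 data dirs
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)      # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    if cert_blob:                            # Certificate Table points just past the headers
        struct.pack_into("<II", opt, 112 + 4 * 8, 64 + 24 + opt_size, len(cert_blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_blob


if __name__ == "__main__":
    for rel in unsigned_efi_binaries(load_esp(sys.argv[1] if len(sys.argv) > 1 else "/efi")):
        print("UNSIGNED:", rel)
```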
unless you have a need for secureboot and do it properly down to every executable - just disable it - it's broken by design and doesn't offer any benefit for linux anyway
If you use mkinitcpio to generate the UKI then it can be signed automatically without involving sbctl if you reference the SecureBoot keys in /etc/systemd/ukify.conf, like this:
SecureBootPrivateKey=/full/path/to/key
SecureBootCertificate=/full/path/to/certificate
Reference: https://man.archlinux.org/man/ukify.1
I've used this method for a while now and it seems to be very reliable.
Everything for everyone, nothing for us