Making Secure Boot Work Again
Bringing secure boot back with the ZFS root setup.
Based on the work in Make Secure Boot Yours, but with some simplifications because there are new tools in systemd to help.
Make keys and certs and add them to EFI
This is the same as we did in Make Secure Boot Yours.
Sign systemd-boot
Also the same as we did in Make Secure Boot Yours.
Configure ukify to sign
Edit /etc/kernel/uki.conf:
[UKI]
SignKernel=yes
SecureBootPrivateKey=/etc/kernel/secure-boot-key.pem
SecureBootCertificate=/etc/kernel/secure-boot-certificate.pem
SecureBootSigningTool=sbsign
Copy those keys in:
cp /etc/sb_keys/db.key /etc/kernel/secure-boot-key.pem
cp /etc/sb_keys/db.crt /etc/kernel/secure-boot-certificate.pem
Then rebuild the kernel image so that signed kernels get installed:
update-initramfs -ck all
And it should work.
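To confirm the result before rebooting, this added example (not part of the original page) checks that uki.conf enables signing, that the copied private key is not accessible to group or others, and that each built UKI verifies against the db certificate with sbverify. The UKI directory /boot/efi/EFI/Linux and the script name check-uki.sh are assumptions; adjust them to your ESP layout.

```shell
#!/bin/sh
# Added example: sanity checks for the ukify signing setup described above.

# Print the last value assigned to KEY in an INI-style file such as uki.conf.
conf_get() {  # usage: conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed only if FILE exists and grants no access to group or others.
key_is_private() {  # usage: key_is_private FILE
    [ -f "$1" ] || return 1
    case "$(ls -ldL -- "$1")" in
        ????------*) return 0 ;;   # e.g. -rw------- or -r--------
        *)           return 1 ;;
    esac
}

# Check that uki.conf enables signing and points at usable key material.
check_signing_config() {  # usage: check_signing_config CONF
    conf=$1; rc=0
    key=$(conf_get "$conf" SecureBootPrivateKey)
    cert=$(conf_get "$conf" SecureBootCertificate)
    [ "$(conf_get "$conf" SignKernel)" = "yes" ] || { echo "SignKernel is not yes" >&2; rc=1; }
    [ -r "$cert" ] || { echo "certificate missing: $cert" >&2; rc=1; }
    key_is_private "$key" || { echo "key missing or open to group/others: $key" >&2; rc=1; }
    return "$rc"
}

# Verify every UKI in DIR against CERT with sbverify (sbsigntool package).
verify_ukis() {  # usage: verify_ukis CERT DIR
    command -v sbverify >/dev/null 2>&1 || { echo "sbverify not installed" >&2; return 2; }
    rc=0
    for uki in "$2"/*.efi; do
        [ -e "$uki" ] || { echo "no UKIs in $2" >&2; return 1; }
        sbverify --cert "$1" "$uki" || rc=1
    done
    return "$rc"
}

# Invoke as "sh check-uki.sh run"; the UKI directory below is an assumption.
if [ "${1:-}" = "run" ]; then
    check_signing_config /etc/kernel/uki.conf &&
        verify_ukis /etc/kernel/secure-boot-certificate.pem /boot/efi/EFI/Linux
fi
```

If the key check fails, chmod 600 /etc/kernel/secure-boot-key.pem fixes it; a UKI that fails sbverify will be rejected by the firmware once Secure Boot is enforcing.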