Making Secure Boot Work Again

Bringing secure boot back with the ZFS root setup.

Based on the work in Make Secure Boot Yours, but with some simplifications because there's new tools in systemd to help.

Make keys and certs and add them to EFI

This is the same as we did in Make Secure Boot Yours.

Sign systemd-boot

Also the same as we did in Make Secure Boot Yours.

Configure ukify to sign

Edit the /etc/kernel/uki.conf

[UKI]
SignKernel=yes
SecureBootPrivateKey=/etc/kernel/secure-boot-key.pem
SecureBootCertificate=/etc/kernel/secure-boot-certificate.pem
SecureBootSigningTool=sbsign

Copy those keys in:

cp /etc/sb_keys/db.key /etc/kernel/secure-boot-key.pem
cp /etc/sb_keys/db.crt /etc/kernel/secure-boot-certificate.pem

And then we will rebuild the kernel image to get signed kernels installed

update-initramfs -ck all

And it should work.

PreviousInstall to ZFS root file system without distro installer's help NextHybrid Encryption With CachyOS

Last updated 10 months ago

hashtagMake keys and certs and add them to EFI

hashtagSign systemd-boot

hashtagConfigure ukify to sign

Make keys and certs and add them to EFI

Sign systemd-boot

Configure ukify to sign