Secureboot on Arch Linux

Posted on Jan 06, 2020 by Vincent Truchseß

After reading this really good article about Secure Boot on Arch Linux by Matthew Bentley, I decided to simply go for it on my Arch machine.

If you have an interest in Secure Boot, I strongly recommend reading it.

Since some things have changed over time, I made some changes to Matthew’s original howto.

The ESP mountpoint

Originally I was using systemd-boot with the ESP mounted under /boot. I didn’t want my initramfs, kernel image and microcode to just lie unsigned on an unencrypted boot partition, so I changed the mountpoint to /boot/esp and copied those files to /boot.

The signing script

Because of some changes in the pacman hook (we’ll get to this afterwards), the script no longer gets the path of the kernel image as a parameter, so I simply changed it to find the images on its own.

#!/bin/bash
# Build a unified EFI image (stub + os-release + cmdline + kernel + initramfs)
# for every kernel found under /boot, sign it with the DB key and place it on the ESP.
set -euo pipefail

BOOTDIR=/boot
CERTDIR=/root/keys
EFISTUB=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
BUILDDIR=_build          # scratch directory, relative to the working directory
CMDLINE=/etc/cmdline

mkdir -p "${BUILDDIR}"

# The hook passes no paths anymore, so locate the kernel images ourselves.
find "${BOOTDIR}" -name "vmlinuz-*" | while read -r KERNEL
do
	# Kernel flavour, e.g. "linux" or "linux-lts", taken from the file name
	FLAVOUR=$(basename "${KERNEL}" | sed 's/^vmlinuz-//')
	# The microcode image must come first in the concatenated initramfs
	INITRAMFS="${BOOTDIR}/intel-ucode.img ${BOOTDIR}/initramfs-${FLAVOUR}.img"
	OUTIMG=/boot/esp/${FLAVOUR}.img

	# INITRAMFS is deliberately unquoted: it holds two files to concatenate
	cat ${INITRAMFS} > "${BUILDDIR}/initramfs.img"

	/usr/bin/objcopy \
		--add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
		--add-section .cmdline="${CMDLINE}" --change-section-vma .cmdline=0x30000 \
		--add-section .linux="${KERNEL}" --change-section-vma .linux=0x40000 \
		--add-section .initrd="${BUILDDIR}/initramfs.img" --change-section-vma .initrd=0x3000000 \
		"${EFISTUB}" "${BUILDDIR}/combined-boot.efi"

	/usr/bin/sbsign --key "${CERTDIR}/DB.key" --cert "${CERTDIR}/DB.crt" \
		--output "${BUILDDIR}/combined-boot-signed.efi" "${BUILDDIR}/combined-boot.efi"

	cp "${BUILDDIR}/combined-boot-signed.efi" "${OUTIMG}"
done

Due to the different mountpoint of the ESP, the OUTIMG variable had to be changed as well.

The Pacman Hook

The linux-* packages do not provide any files under /boot anymore. Because of this, the Target directive in Matthew’s article won’t trigger anymore. After googling a bit and looking into the changes made to other kernel-related hooks, I changed the Target directive to usr/lib/modules/*/vmlinuz. This is also the reason why the script above has to use find.
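For reference, here is a complete hook that matches the Target directive described above. It is an added example, not the hook from the original post or from Matthew’s article; the script path /usr/local/bin/sign-kernel.sh is an assumption. The file name matters: pacman runs hooks in alphabetical order, so naming it 99-secureboot.hook places it after mkinitcpio’s 90-mkinitcpio-install.hook, which is what regenerates the initramfs the script concatenates.

```ini
; /etc/pacman.d/hooks/99-secureboot.hook (file name is an assumption)
[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
; Kernel images now live under /usr/lib/modules, not /boot
Target = usr/lib/modules/*/vmlinuz
; Re-sign when the microcode image or mkinitcpio itself changes
Target = boot/intel-ucode.img
Target = usr/lib/initcpio/*

[Action]
Description = Building and signing unified EFI images for Secure Boot
When = PostTransaction
; No NeedsTargets: the script locates the kernels itself with find
Exec = /usr/local/bin/sign-kernel.sh
Depends = sbsigntools
Depends = binutils
```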

Tags: linux, arch, boot