A Linux Secure-boot guide

A Linux Secure-boot guide

Secure-boot is a part of the UEFI standard in which only signed binaries can be loaded by the UEFI. Normally this relies apron the Microsoft key, and since we do not have the private Microsoft key, it is normally disabled, and it not the Linux users friend. BUT, we can add our own keys, and sign our own modules, and sometimes even remove the Microsoft keys. with this only binaries WE sign with OUR own key can boot on the PC. This is a very good security measure to protect your PC particularly when using hardware encryption, so you know only the binaries you have signed will execute when they ask for your password.

In order to keep this as basic as possible, this will be a summary of the steps needed to be taken, as when i tried it took me many hours to follow due to at sometimes hard to follow instructions.
The more in depth guides available for those who wish to know more, and both of these were my primary references

OK, to begin, we need to generate the UEFI keys
We need the following packages

  • Efitools
  • Openssl
  • Sbsign --used later for signing the modules
    All available in most distros repos.

1) Generate the keys
Now using the following script
- http://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
Which was from the guide i added above, we can generate the keys we need, just mark the script as executable and run it

2)Enrolling the keys to UEFI
Now we need to add the keys to the UEFI. Sadly there is no interface standard in UEFI for enrolling keys, and i know mine did not support it, so I recommend use of the KeyTool binary. This is a small tool used for enrolling keys.
- http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#keytool

Now we place this on a usb in the EFI system partition, a small Fat 32 partition labeled as EFi system partition, more found here
- https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface#EFI_System_Partition
Whats important to know is a binary placed in /EFI/BOOT/bootx64.efi in the efi system partition will be auto-loaded when that device is USB booted
Also whilst we are here we add the newly generated UEFI keys on that efi system partition as well

First boot into the UEFI shell and clear secure-boot keys, differs for each setup utility, this puts it into setup mode. Now we boot the USB and KeyTool opens, click add new keys, and one at a time enroll the new DB KEK and PK. When you reboot you will have to temporally disable secure-boot, as none of our binaries will boot due to being unsigned.

Once booted we sign binaries we want to boot by the UEFI with the keys. These involve the bootloader, such as grub or rEFInd, but i recommend booting the kernel directly as an efi stub, which is explained here
- https://wiki.archlinux.org/index.php/EFISTUB
This way you only have to sign the kernel image

3) Signing the binaries
Signing binaries you want to boot is all you have to do

sudo sbsign --key /path/to/DB.key --cert /path/to/DB.crt --output /path/to/vmlinuz-signed /path/to/vmlinuz-origional

That’s it when you reboot the UEFI should load your signed kernel. What you should do is take the secure-boot keys off your computer and store them in a safe place, on a SD card, under the bed.

This goes very well with forced module signing in the kernel, so only signed kernel modules can be loaded, for the ultra secure system, if people are interested I can write a tutorial. Also please put a UEFI password so people can not change your boot device or change the keys.

If there are any questions, anyone need any help please comment bellow, I hope this has helped, as to figure it out when i did, it took a whole night and a lot of coffee.


Thank you for this, i can see you put a ton of effort into this guide.