UEFI Secure Boot for Arch Linux + Recovery via BTRFS snapshots
This is a fork of a @maximbaz's highly opinionated setup that provides minimal Secure Boot for Arch Linux, plus recovery tools. Thanks to @maximbaz for the great approach that doesn't rely on a heavy bootloader.
This repo could be interesting for you if...
- you're using the BTRFS filesystem in combination with snapper
- you want to enable Secure Boot e.g. to avoid evil-maid attacks
Differences of this fork
This fork...
- might be even more opinionated (uses sbctl for signing, mkinitcpio for UKI)
- transfers responsibility to programs that have one job at which they are good at
- should only be used if you understand the content of every single file and action
- is not tested thouroughly right now (use at own risk)
Background
While I previously used grub-btrfs for recovery, I decided against Grub, as it turned out to be particularly buggy in combination with TPM and Secure Boot (see Antynea/grub-btrfs#190). Summarizing the issue, it causes booting a snapshot to fail if a certain amount of text is displayed in a submenu and the TPM module is enabled (which is needed for Secure Boot).
This bug also shows how complex a fully-fledged bootloader such as Grub is and all the disadvantages that come with this complexity. I haven't looked at Grub's source code to understand what could cause the issue. Instead I invested my time to switch to the approach in this repository, after reading @maximbaz's comment.
Requirements
- edk2-shell
- sbctl
- efibootmgr
sudo pacman -S edk2-shell sbctl efibootmgr
Configuration
See the available configuration options in the top of the script.
Add your overrides to /etc/arch-secure-boot/config
.
Commands
arch-secure-boot generate-keys
generates new keys for Secure Bootarch-secure-boot enroll-keys
adds them to your UEFIarch-secure-boot generate-efi
creates recovery UKIs signed with Secure Boot keysarch-secure-boot add-efi
adds UEFI entry for the main Secure Boot imagearch-secure-boot generate-snapshots
generates a list of btrfs snapshots for recoveryarch-secure-boot initial-setup
runs all the steps in the proper order with manual intervention
Initial setup
- BIOS: Set admin password, disable Secure Boot, delete all Secure Boot keys
- Generate and enroll keys
- Generate EFI images and add the main one (only!) to UEFI
- BIOS: Enable Secure Boot
- BIOS: Lock boot order and settings
Recovery instructions
- BIOS: use admin password to boot into
efi-shell
image - Recovery will automatically start (via
startup.nsh
) - Follow instructions on screen, remember snapshot-id (first number in each line)
- Inspect recovery script using
edit recovery.nsh
- Run the script using
recovery.nsh <snapshot-id>
- Optional (depends on BIOS): Once recovered, remove
efi-shell
entry from UEFI