How to Configure and Enable Secure Boot for Arch Linux

This guide will walk you through the process of configuring and enabling Secure Boot for Arch Linux.

Secure Boot is a UEFI firmware feature designed to ensure that only trusted, signed software can run on your system during the boot process. It’s a critical security measure that can help protect your system from low-level attacks such as bootkits and rootkits. However, enabling Secure Boot on Linux, particularly on a distribution like Arch Linux, may seem complicated due to the way Linux interacts with UEFI and the lack of default support for Secure Boot. This article will guide you through configuring and enabling Secure Boot on Arch Linux, explaining the process in detail and providing the necessary steps.

What is Secure Boot?

Secure Boot is part of the UEFI (Unified Extensible Firmware Interface) specification and aims to secure the boot process. When Secure Boot is enabled, the system checks the digital signatures of the bootloader, the kernel, and any other boot components to ensure they are trusted. If any component is unsigned or altered in any way, Secure Boot will prevent the system from booting.

On systems that support Secure Boot, this feature can help mitigate the risk of unauthorized software running during the boot process. For example, malicious software such as bootkits and rootkits that attempt to gain control before the operating system starts can be blocked. While Secure Boot is commonly used with Windows, Linux distributions like Arch Linux do not support it out of the box. As a result, configuring Secure Boot on Arch Linux requires some additional setup.

Prerequisites

Before you can configure Secure Boot on Arch Linux, make sure the following conditions are met:

  1. UEFI Firmware: Ensure that your system has UEFI firmware. You can check if your system is running in UEFI mode by using the following command:

    ls /sys/firmware/efi
    

    If the directory exists, you’re running in UEFI mode.

  2. Secure Boot Supported: Verify that your system’s UEFI firmware supports Secure Boot. This option can usually be found in the UEFI settings (BIOS) menu.

  3. Arch Linux Installation: Secure Boot requires a signed bootloader, so you’ll need a working Arch Linux installation with a bootloader that supports Secure Boot. GRUB is the most common choice for this purpose.

  4. Signing Tools: To enable Secure Boot, you’ll need tools to sign your bootloader and kernel. This includes sbsigntools for signing files and mokutil to manage the Machine Owner Key (MOK).

Step-by-Step Guide to Enable Secure Boot on Arch Linux

Step 1: Prepare Your System

  1. Backup Your Data: Enabling Secure Boot involves modifying your bootloader and kernel. It’s always a good idea to back up important data before proceeding.

  2. Install Required Packages: You will need a few utilities to configure and manage Secure Boot, such as efibootmgr, sbsigntools, and mokutil. Install these packages on your Arch Linux system:

    sudo pacman -S efibootmgr sbsigntools mokutil
    

Step 2: Enable Secure Boot in UEFI

  1. Enter the UEFI Setup: Reboot your system and enter the UEFI settings by pressing the appropriate key (usually F2, F12, ESC, or DEL) during the boot process.

  2. Enable Secure Boot: Find the Secure Boot option in the UEFI settings (often located under the “Boot” or “Security” tab) and enable it. Make sure to save the changes before exiting.

  3. Choose Key Management Mode: In some UEFI systems, Secure Boot requires you to either use the default keys or add your own. If prompted, choose the option that allows you to manage your own keys (this is important if you intend to sign your own bootloader and kernel).

Step 3: Configure the Bootloader (GRUB)

In most cases, Arch Linux uses GRUB as the bootloader. However, to work with Secure Boot, the bootloader must be signed with a key that is trusted by the UEFI firmware.

  1. Install GRUB: If you haven’t already installed GRUB on your Arch Linux system, you can install it by running the following:

    sudo pacman -S grub
    
  2. Install GRUB for UEFI: After installing GRUB, install the UEFI version of the bootloader:

    sudo grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --recheck
    

    Ensure that the EFI system partition is mounted at /boot before running the command.

  3. Generate the GRUB Configuration: Generate the GRUB configuration file to include entries for your installed kernels:

    sudo grub-mkconfig -o /boot/grub/grub.cfg
    
  4. Sign the GRUB Bootloader: Secure Boot requires that the bootloader is signed. Use sbsign (from the sbsigntools package) to sign the GRUB binary. First, create a directory to store the signing keys:

    mkdir -p ~/secure_boot
    cd ~/secure_boot
    

    Then, generate a new key pair for signing:

    openssl req -new -newkey rsa:2048 -nodes -keyout db.key -out db.csr
    openssl x509 -req -in db.csr -signkey db.key -days 3650 -out db.crt
    

    The db.key file is your private key (keep it private and backed up; anyone holding it can sign binaries your firmware will trust), and db.crt is the self-signed certificate containing the matching public key. Now sign the GRUB bootloader; with the EFI system partition mounted at /boot as in Step 2, the binary installed above lives under /boot/EFI/GRUB:

    sudo sbsign --key db.key --cert db.crt --output /boot/EFI/GRUB/grubx64.efi /boot/EFI/GRUB/grubx64.efi
    
  5. Enroll the Key: To allow your system to accept the signed bootloader, you need to enroll the certificate as a Machine Owner Key using mokutil. mokutil expects the certificate in DER form, so convert it first:

    openssl x509 -in db.crt -outform DER -out db.cer
    sudo mokutil --import db.cer
    

    This queues an enrollment request that is processed on the next reboot. You will be asked to set a one-time password now and to enter it again during enrollment. Note that keys enrolled this way go into the MOK list, which is checked by the shim pre-loader rather than by the firmware's own db, so GRUB must be started through shim for the enrolled key to be honoured.

Step 4: Sign the Linux Kernel

In addition to signing the bootloader, you must also sign the Linux kernel so it can be loaded by Secure Boot.

  1. Sign the Kernel: Use the sbsign tool to sign the kernel. You can find your kernel image (usually located in /boot) and sign it:

    sudo sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux.signed /boot/vmlinuz-linux
    
  2. Configure GRUB to Use the Signed Kernel: Regenerate your GRUB configuration so it picks up the signed kernel image, then check /boot/grub/grub.cfg to confirm that the menu entry references vmlinuz-linux.signed rather than the unsigned image:

    sudo grub-mkconfig -o /boot/grub/grub.cfg
    

Step 5: Reboot and Enroll the Key

After completing the steps above, reboot your system. During boot, you will be prompted to enroll the MOK (Machine Owner Key) that you created earlier. This step ensures that the system recognizes and trusts the custom keys you’ve used to sign the bootloader and kernel.

  1. Enroll MOK: Follow the instructions to enroll the key. You’ll need to provide the password you set earlier.

  2. Finish Booting: Once the key is enrolled, your system will continue booting, and Secure Boot will now be enabled.

Step 6: Verify Secure Boot Status

Finally, you should verify that Secure Boot is working as expected. You can check the status using the following command:

mokutil --sb-state

If Secure Boot is enabled, the output will indicate that Secure Boot is active.
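A complementary check, added here as an example and not part of the original guide: the script below parses the EFI_SIGNATURE_LIST format that the firmware's db and shim's MokListRT variable use, and prints the SHA-256 fingerprint of every enrolled X.509 certificate so you can compare it against `openssl x509 -in db.crt -noout -fingerprint -sha256`. The efivars path, GUIDs and the constructed sample data are labelled in the code.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification; the path is shim's runtime MOK list.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
MOKLIST_RT = "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"

def parse_signature_lists(data):
    """Return [(type_name, owner_guid, signature_bytes)] for a concatenation
    of EFI_SIGNATURE_LIST structures (the db/dbx/MokListRT variable format)."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def fingerprints(data):
    """SHA-256 fingerprints of the X.509 entries, in the colon form openssl prints."""
    out = []
    for kind, _owner, der in parse_signature_lists(data):
        if kind == "x509":
            hexd = hashlib.sha256(der).hexdigest().upper()
            out.append(":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2)))
    return out

def build_signature_list(sig_type, owner, sigs):
    """Encode one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    sig_size = 16 + len(sigs[0])  # all signatures in one list share a size
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

def read_efivar(path=MOKLIST_RT):
    """efivarfs prefixes the variable data with 4 bytes of attribute flags."""
    with open(path, "rb") as f:
        return f.read()[4:]

# Constructed sample: one fake "certificate" blob under a made-up owner GUID.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x82\x01\x00not-a-real-der-cert"])
```

Run `fingerprints(read_efivar())` as root after the reboot in Step 5; if the fingerprint of db.crt is absent, the enrollment did not complete. Pass the db variable's efivars path instead to inspect the firmware's own database.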

Troubleshooting

  1. Boot Failures: If the system doesn’t boot after enabling Secure Boot, ensure that the keys are correctly enrolled, and the bootloader and kernel are properly signed. You can disable Secure Boot temporarily to troubleshoot and then re-enable it once the issue is resolved.

  2. Unsigned Modules: If you’re using kernel modules that are unsigned, Secure Boot will prevent them from loading. You will need to sign those modules with a key the kernel trusts, or temporarily disable Secure Boot for as long as those modules are required.

  3. MOK Enrollment Issues: If the MOK enrollment fails, you may need to manually re-enroll the key using the mokutil tool.

Conclusion

Enabling Secure Boot on Arch Linux provides an extra layer of security by ensuring that only trusted, signed software can run during the boot process. While Arch Linux does not natively support Secure Boot, you can configure it manually by signing your bootloader and kernel and enrolling the appropriate keys into the UEFI firmware.

By following the steps outlined in this article, you can successfully enable Secure Boot on your Arch Linux system, ensuring that it is protected from certain types of low-level attacks and boot-level malware.