  • Stars: 129
  • Rank: 279,262 (Top 6 %)
  • Language: Shell
  • License: ISC License
  • Created over 4 years ago
  • Updated 5 months ago


Repository Details

UEFI Secure Boot for Arch Linux + btrfs snapshot recovery

Highly opinionated setup that provides minimal Secure Boot for Arch Linux, and a few recovery tools.

Bootloaders (such as GRUB or systemd-boot) are intentionally not supported, as they significantly increase the amount of code that runs during boot, therefore increasing the attack surface.

Installation

The package is available on AUR: arch-secure-boot

Configuration

See the available configuration options at the top of the script.

Add your overrides to /etc/arch-secure-boot/config.

Most notably, set KERNEL=linux-hardened if you use the linux-hardened kernel.

Commands

  • arch-secure-boot generate-keys generates new keys for Secure Boot
  • arch-secure-boot enroll-keys adds them to your UEFI
  • arch-secure-boot generate-efi creates several images signed with Secure Boot keys
  • arch-secure-boot add-efi adds UEFI entry for the main Secure Boot image
  • arch-secure-boot generate-snapshots generates a list of btrfs snapshots for recovery
  • arch-secure-boot initial-setup runs all the steps in the proper order

Generated images

  • secure-boot-linux.efi - the main image
    • vmlinuz-linux + initramfs-linux + *-ucode + hardcoded cmdline
  • secure-boot-linux-efi-shell.efi - UEFI shell that is used to boot into a snapshot
    • because built-in UEFI shells are known to be buggy
  • secure-boot-linux-recovery.efi - recovery image that can be used to boot from a snapshot
    • vmlinuz-linux + initramfs-linux-fallback
  • secure-boot-linux-lts-recovery.efi - LTS recovery image that can be used to boot from a snapshot
    • vmlinuz-linux-lts + initramfs-linux-lts-fallback

The fwupdx64.efi image is also signed.

Initial setup

  • BIOS: Set admin password, disable Secure Boot, delete all Secure Boot keys
  • Generate and enroll keys
  • Generate EFI images and add the main one (only!) to UEFI
  • BIOS: Enable Secure Boot

Recovery instructions

  • BIOS: use admin password to boot into efi-shell image
  • Inspect recovery script using edit FS0:\recovery.nsh (if FS0 is not your hard disk, try other FSn)
  • Run the script using FS0:\recovery.nsh
  • Once recovered, remove efi-shell entry from UEFI
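
The setup and recovery steps both hinge on one rule: only the main signed image keeps a UEFI boot entry, and the efi-shell entry goes away once recovery is done. As an added example (not code from arch-secure-boot), the POSIX shell check below scans efibootmgr -v output and reports every entry whose loader path is not the main image; the \EFI\secure-boot\ path is an assumed placeholder and the efibootmgr output is constructed.

```shell
#!/bin/sh
# Added example, not part of arch-secure-boot.
# Audit `efibootmgr -v` output: every entry that loads a file must point at the
# main signed image; anything else (a leftover efi-shell or recovery entry) is
# reported. Exit status 0 = clean, 1 = stale entries found.
#
# $1    loader path of the main image as shown by efibootmgr (backslash form);
#       the \EFI\secure-boot\ prefix used below is an assumed placeholder.
# stdin `efibootmgr -v` output
audit_boot_entries() {
    main="$1"
    stale=0
    while IFS= read -r line; do
        # Only BootXXXX entry lines carry a loader path; skip BootOrder etc.
        case "$line" in
            Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]*) ;;
            *) continue ;;
        esac
        # Pull the path out of the File(...) device-path node, if present.
        path=$(printf '%s\n' "$line" | sed -n 's/.*File(\([^)]*\)).*/\1/p')
        [ -n "$path" ] || continue
        case "$path" in
            "$main") ;;
            *) printf 'stale entry: %s\n' "$line" >&2; stale=1 ;;
        esac
    done
    return "$stale"
}

# Constructed sample of `efibootmgr -v` output (not captured from a real
# machine): the main image plus an efi-shell entry left over from recovery.
SAMPLE_STALE='BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001,0002
Boot0001* Arch Secure Boot HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\secure-boot\secure-boot-linux.efi)
Boot0002* EFI Shell HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\secure-boot\secure-boot-linux-efi-shell.efi)'

MAIN_IMAGE='\EFI\secure-boot\secure-boot-linux.efi'

# On a real system: efibootmgr -v | audit_boot_entries "$MAIN_IMAGE"
if printf '%s\n' "$SAMPLE_STALE" | audit_boot_entries "$MAIN_IMAGE"; then
    echo "boot entries clean"
else
    echo "stale entries found: remove them from UEFI as the recovery instructions require"
fi
```

Entries without a File() node (firmware-provided network or removable-media entries) are ignored, since the rule only concerns images loaded from the ESP.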

Related links:

More Repositories

  1. dotfiles (Shell, 817 stars): Configuration for Arch Linux, Hyprland, kitty, kakoune, zsh and more + scripted installation guide
  2. wluma (Rust, 643 stars): Automatic brightness adjustment based on screen contents and ALS
  3. yubikey-touch-detector (Go, 412 stars): A tool to detect when your YubiKey is waiting for a touch (to send notification or display a visual indicator on the screen)
  4. lightline-ale (Vim Script, 248 stars): ALE indicator for the lightline vim plugin
  5. rebuild-detector (Shell, 213 stars): Detects which Arch Linux packages need to be rebuilt
  6. browser-fingerprint-protector (JavaScript, 71 stars): Prevents browser fingerprinting by spoofing your plugins, languages and user agent
  7. docker-arch-build-aur (Shell, 28 stars): Build AUR packages (useful for building *-bin packages via Travis / Shippable)
  8. snap-pac-grub (Makefile, 21 stars): Pacman hook to update GRUB entries for grub-btrfs after snap-pac made snapshots
  9. wl-clipboard-manager (Shell, 16 stars): Clipboard manager for Wayland
  10. cerebro-pass (JavaScript, 14 stars): Cerebro plugin for pass.
  11. restclient.kak (KakouneScript, 10 stars): HTTP REST client for Kakoune
  12. dmenu-term (Shell, 9 stars): dmenu as a terminal with fuzzy filter
  13. lightline-trailing-whitespace (Vim Script, 7 stars): A trailing whitespace component for the lightline vim plugin
  14. docker-joypixels-fonts-build (Python, 3 stars): Build EmojiOne font files (today only Android / Linux)
  15. pkgbuilds (Shell, 3 stars)
  16. update-ipsets (Dockerfile, 2 stars)
  17. pkgbuild-brave-vaapi (Shell, 2 stars)
  18. container-tab-flow (JavaScript, 1 star): Firefox extension: stay within the current container when closing a tab
  19. maximbaz.github.io (HTML, 1 star)
  20. iptables-exporter (Rust, 1 star)
  21. LegoRobot (C#, 1 star): Managing LEGO robot via Bluetooth
  22. emacs-smart-home-end (Emacs Lisp, 1 star): Enables easy navigation with `Home' and `End' keys across wrapped lines (in Visual Line Mode).
  23. helm-echoip (Shell, 1 star)