
secure boot custom

Mihir Lad edited this page Jun 1, 2020 · 2 revisions

The Feature

This feature installs and sets up secure boot with custom keys. The feature will also configure dracut to automatically sign the unified kernel binary when it is run. A pacman hook is also installed which automatically signs any rEFInd and systemd bootloaders whenever they are upgraded. A full install will also sign the EFI binaries in the boot partition.

Advantages Over secure-boot-shim or secure-boot-preloader

Because secure-boot-custom uses custom keys, it offers more security: the private keys are yours and known only to you, so only binaries signed with your keys will be able to boot on your computer. For more information, see Rod Smith's article.

Configuration

To use existing custom keys, copy them to the following paths:

PEM-encoded Platform Key Private Key: conf/secure-boot-custom/PK/PK.key
PEM-encoded Platform Key Public Certificate: conf/secure-boot-custom/PK/PK.crt
PEM-encoded Key Exchange Key Private Key: conf/secure-boot-custom/KEK/KEK.key
PEM-encoded Key Exchange Key Public Certificate: conf/secure-boot-custom/KEK/KEK.crt
PEM-encoded Database Key Private Key: conf/secure-boot-custom/db/db.key
PEM-encoded Database Key Public Certificate: conf/secure-boot-custom/db/db.crt

If you do not have existing keys, new ones will be generated for you.

If you want to use your existing keys, you must provide all of the above keys.

Note: The file names are case-sensitive.
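As an added example (not part of the feature's own scripts), this POSIX shell check verifies before a full install that a conf/secure-boot-custom tree is either empty, so the feature generates new keys, or contains all six PEM files with each private key matching its certificate. The path argument and the use of openssl for the pair check are assumptions.

```shell
#!/bin/sh
# Added example, not part of the feature's own scripts: checks that a
# conf/secure-boot-custom tree is either empty (the feature then generates
# new keys) or holds all six PEM files with matching key/certificate pairs.
# Assumptions: the tree path is passed as $1; openssl exists for check_pairs.
# Relative paths the feature expects (file names are case-sensitive).
KEY_FILES="PK/PK.key PK/PK.crt KEK/KEK.key KEK/KEK.crt db/db.key db/db.crt"
# count_present DIR: print how many of the six expected files exist.
count_present() {
    n=0
    for f in $KEY_FILES; do
        [ -f "$1/$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# check_key_set DIR: 0 for no keys (new ones get generated) or a complete
# PEM set; 1 for a partial set or non-PEM file (feature needs all or none).
check_key_set() {
    present=$(count_present "$1")
    if [ "$present" -eq 0 ]; then
        echo "no existing keys in $1: PK, KEK and db will be generated"
        return 0
    fi
    if [ "$present" -ne 6 ]; then
        echo "incomplete key set: $present of 6 files present" >&2
        return 1
    fi
    for f in $KEY_FILES; do
        # PEM keys and certificates begin with a BEGIN marker on line 1.
        head -n 1 "$1/$f" | grep -q '^-----BEGIN ' || { echo "$f is not PEM" >&2; return 1; }
    done
    return 0
}

# check_pairs DIR: 0 if each private key's public half equals the public key
# in its certificate, so what .key signs is what the enrolled .crt verifies.
check_pairs() {
    for k in PK KEK db; do
        crt_pub=$(openssl x509 -in "$1/$k/$k.crt" -noout -pubkey) || return 1
        key_pub=$(openssl pkey -in "$1/$k/$k.key" -pubout) || return 1
        [ "$crt_pub" = "$key_pub" ] || { echo "$k.key does not match $k.crt" >&2; return 1; }
    done
    return 0
}
# Usage: sh check-keys.sh conf/secure-boot-custom
if [ -n "${1:-}" ]; then
    check_key_set "$1" && { [ "$(count_present "$1")" -eq 0 ] || check_pairs "$1"; }
fi
```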

Online Resources
