
secure boot shim

Mihir Lad edited this page May 31, 2020 · 1 revision

The Feature

This feature installs and sets up secure boot with shim using MOK keys. The feature will also configure dracut to automatically sign the unified kernel binary when it is run. A pacman hook is also installed which automatically signs any rEFInd and systemd bootloaders whenever they are upgraded. A full install will also sign the EFI binaries in the boot partition.

Advantages Over secure-boot-custom or secure-boot-preloader

Since secure-boot-shim uses only one set of Machine Owner Keys, it is more convenient than secure-boot-custom, which requires 3 pairs of keys. Since shim-signed is already signed by Microsoft's keys, it is also the more compatible option on firmware where you cannot change the Secure Boot keys. In addition, because EFI binaries can be signed for shim with the MOK key while the system is running, it is more convenient than PreLoader, where you would have to re-enroll the EFI binary hashes after every boot loader or kernel upgrade. For more information, see Rod Smith's article on the subject.

Configuration

To use existing custom keys, copy them to the following paths:

- PEM-encoded MOK private key: conf/secure-boot-shim/MOK/MOK.key
- PEM-encoded MOK public certificate: conf/secure-boot-shim/MOK/MOK.crt

If you do not have existing keys, new ones will be generated for you.

If you want to use your existing keys, you must provide both of the above files.

Note: The file names are case-sensitive.
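As an added example (not the project's own scripts), the following shell functions do the two things this page describes: create the MOK key pair at the paths named under Configuration when none is present, and sign an EFI binary with that pair the way the dracut and pacman hooks would. It assumes openssl for key generation and sbsign/sbverify from sbsigntools for signing; MOK_DIR, ensure_mok_keys, mok_pair_matches and sign_efi are names chosen here.

```shell
#!/bin/sh
# Example helper (not part of the secure-boot-shim feature itself).
set -eu

MOK_DIR="${MOK_DIR:-conf/secure-boot-shim/MOK}"   # key location named on this page

# Create MOK.key / MOK.crt only when both are missing, so keys the user copied in are kept.
# A half-present pair (often a case mismatch such as mok.key) is an error, not a regen.
ensure_mok_keys() {
  mkdir -p "$MOK_DIR"
  if [ -f "$MOK_DIR/MOK.key" ] && [ -f "$MOK_DIR/MOK.crt" ]; then
    echo "using existing MOK key pair in $MOK_DIR"
    return 0
  fi
  if [ -f "$MOK_DIR/MOK.key" ] || [ -f "$MOK_DIR/MOK.crt" ]; then
    echo "error: only one of MOK.key / MOK.crt found in $MOK_DIR (file names are case-sensitive)" >&2
    return 1
  fi
  # Self-signed X.509 certificate plus RSA-2048 private key, both PEM-encoded.
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Machine Owner Key" \
    -keyout "$MOK_DIR/MOK.key" -out "$MOK_DIR/MOK.crt" 2>/dev/null
  chmod 600 "$MOK_DIR/MOK.key"
  # The certificate still has to be enrolled in the firmware's MOK list (mokutil --import
  # of its DER form) before shim will accept binaries signed with this key.
}

# Refuse to sign anything unless the private key really belongs to the certificate.
mok_pair_matches() {
  k=$(openssl pkey -in "$MOK_DIR/MOK.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$MOK_DIR/MOK.crt" -pubkey -noout 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Sign one EFI binary in place and verify the result against MOK.crt before replacing
# the original, so a failed signing never leaves an unbootable file behind.
sign_efi() {
  efi="$1"
  sbsign --key "$MOK_DIR/MOK.key" --cert "$MOK_DIR/MOK.crt" --output "$efi.signed" "$efi"
  sbverify --cert "$MOK_DIR/MOK.crt" "$efi.signed"
  mv "$efi.signed" "$efi"
}

# Usage: . ./mok-sign.sh && ensure_mok_keys && mok_pair_matches && sign_efi /path/to/linux.efi
```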

Online Resources
