This is a tutorial on implementing "not that secure" secure boot on your ArchLinux machine with systemd-boot and shim.
This tutorial is for you if:
- You are using ArchLinux with the systemd-boot boot manager.
- You don't really care about "security stuffs" but somehow you have to dual-boot Windows with secure boot on, so that:
  - Your Windows is safer than ever before and some games requiring secure boot would happily run. (bruh)
  - You do not want to enroll keys/enroll hashes/sign the kernel images at every Linux kernel update.
So what this tutorial tries to achieve is allowing both your Windows and ArchLinux system to boot with secure boot turned on in your machine's UEFI BIOS without signing the systemd-boot or the linux kernel images.
This tutorial is adapted from the ArchWiki.
We will be using shim (Shim.efi) with mokutil (Shim.efi Machine Owner Key management tool) to achieve our goal. Assuming your current boot procedure with secure boot off is:
- The machine boots into systemd-boot, and you then select either ArchLinux or Windows to boot. systemd-boot loads the selected entry.
The eventual procedure with secure boot on would be:
- The machine boots into signed shimx64.efi with secure boot on. shimx64.efi loads systemd-boot without checking its signature or hash.
- You then select either ArchLinux or Windows for systemd-boot to load.
Execute lsblk -f and check its output. We have to check the ESP's device, partition number, and its mount point. An example output is:
```
NAME        FSTYPE FSVER LABEL       UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1
├─nvme0n1p1 vfat   FAT32 SYSTEM      EE9A-1E6B
├─nvme0n1p2
├─nvme0n1p3 ntfs               261C9B4B1C9B14C1
├─nvme0n1p4 vfat   FAT32 EOS-NEW-EFI 675E-C49C                               1.8G     9% /efi
├─nvme0n1p5 ntfs               30B09C0CB09BD6A6
├─nvme0n1p8 btrfs        eos-new-root f70ffb9a-cadd-4ce9-8fc1-35696923fabf  115.8G    79% /var/cache
│                                                                                         /home
│                                                                                         /var/log
│                                                                                         /
└─nvme0n1p9 btrfs                    9de3ed85-0c4f-484d-988c-5cf75f6d88c1
```
Your ESP should have FSTYPE vfat with FSVER FAT32. And since you are using systemd-boot, it should be mounted at /efi. Here, we see that the ESP is at device nvme0n1, partition number 4 (from p4).
Install shim-signed (AUR) and mokutil with any AUR helper (e.g. yay):
```
yay -S shim-signed mokutil
```
NOTE: At this step, you should still have secure boot off.
First switch to root user and cd into the systemd-boot directory under the ESP mount point (/efi):
```
sudo su
cd /efi/EFI/systemd
```
Copy the shim EFI files:
```
cp /usr/share/shim-signed/shimx64.efi . # This is the shim loader
cp /usr/share/shim-signed/mmx64.efi .   # This is the MokManager
```
shimx64.efi expects and runs an EFI file named grubx64.efi by default, so make a copy of your systemd-boot bootloader under that name:
```
cp systemd-bootx64.efi grubx64.efi
```
NOTE: At this step, you should still have secure boot off.
Now we've set up all the needed EFI files. We then need to manually add a boot entry to the UEFI BIOS so that the machine can boot into shimx64.efi. Assuming your ESP is at /dev/nvme0n1p4 (make sure to adapt this command to your own ESP device and partition number):
```
efibootmgr --unicode --disk /dev/nvme0n1 --part 4 --create --label "Shim" --loader '\EFI\systemd\shimx64.efi'
```
Now you should see a new boot entry named "Shim" when you run efibootmgr, like this:
```
# efibootmgr
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0002,0001,0006,0000,0007
...
Boot0002* Shim HD(4,GPT,688a5dbc-f7f8-4526-b387-d62e723fccff,0x2583a800,0x400000)/\EFI\systemd\shimx64.efi
...
```
Reboot your machine with systemctl reboot --firmware-setup to enter the UEFI BIOS, go to the boot menu, and you should see a boot entry named "Shim". Select it to boot.
If everything is set up correctly, you should be able to boot into your systemd-boot menu without noticing any difference. Boot into your ArchLinux system to make sure everything is working fine and continue to the next step.
NOTE: At this step, you should still have secure boot off.
We now tell shimx64.efi to stop validating systemd-boot and the linux kernel images so that we could boot them without signing them while secure boot is on:
```
sudo mokutil --disable-validation
```
You should see a prompt like this:
```
password length: 8~16
input password:
```
Input a password that you could remember later, and confirm it. At next reboot, shim would automatically start the MokManager, and we will use it to confirm the disabling of validation. MokManager would ask you to input the required digits of the password you just set so make sure you remember it. Say I have set the password to password.
After this, reboot your machine with systemctl reboot --firmware-setup, enter the UEFI BIOS boot menu, and select the "Shim" boot entry again, then:
- You should enter a "Shim UEFI key management" screen automatically. Press any key as prompted.
- At the next "Perform MOK management" screen, select "Change Secure Boot state".
- At the next "Change Secure Boot state" screen, it will ask you to input specific characters of the password you set earlier. Input the requested character (e.g. if it asks for password character "1", input p for the password password) and press Enter. This process may ask for multiple characters.
- Eventually you will reach a "Disable Secure Boot" screen. Select "Yes". Note that this actually disables shim validation, not secure boot itself.
- Select "Reboot" at the next screen.
Now your machine should reboot fine. Boot into your ArchLinux system to make sure everything is working fine and continue to the next step.
Now reboot into the UEFI BIOS once again with systemctl reboot --firmware-setup, but this time enable secure boot in the BIOS settings. Save and exit the BIOS settings, and select the "Shim" boot entry again in the boot menu. If everything is set up correctly, you should be able to boot into your systemd-boot menu again without noticing any difference. Boot into your ArchLinux and run sudo bootctl status to confirm that secure boot is on:
```
# bootctl status
System:
      Firmware: UEFI 2.80 (American Megatrends 5.29)
 Firmware Arch: x64
   Secure Boot: enabled (deployed)
  TPM2 Support: no
  Measured UKI: no
  Boot into FW: supported
...
```
You can now also boot into your Windows system to confirm that it is working fine as well. If both systems boot fine, congratulations! You have successfully set up "not that secure" secure boot on your ArchLinux machine with systemd-boot and shim.
- If you ever want to re-enable shim validation, just run sudo mokutil --enable-validation. But after this you would need to sign systemd-boot and the Linux kernel images for your Linux system to boot with secure boot on.
- The shim-signed package should not be updated very often, but when systemd-boot gets updated, you may need to repeat step 2 to copy the new systemd-bootx64.efi to grubx64.efi.
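As an added helper (not part of the original tutorial, nor of shim or systemd-boot), the script below derives the --disk/--part values for the efibootmgr command from the ESP partition device and refreshes grubx64.efi from systemd-bootx64.efi after a systemd-boot update, checking first that the shim files from step 2 are still in place; it assumes the tutorial's /efi/EFI/systemd layout.

```shell
#!/bin/sh
# Added helper script (not from the original tutorial or from shim/systemd-boot).
# Assumes the tutorial's layout: shim files copied into the systemd-boot
# directory on the ESP (default /efi/EFI/systemd).
set -u

# Split a partition device into "disk partnum" for efibootmgr --disk/--part,
# e.g. /dev/nvme0n1p4 -> "/dev/nvme0n1 4", /dev/sda4 -> "/dev/sda 4".
esp_disk_and_part() {
    dev=$1
    part=${dev##*[!0-9]}                          # trailing digits = partition number
    disk=${dev%"$part"}                           # strip them to get the disk path
    case $disk in *[0-9]p) disk=${disk%p} ;; esac # nvme/mmcblk use a 'p' separator
    [ -n "$part" ] || return 1                    # whole-disk path has no partition
    echo "$disk $part"
}

# Check that the shim loader and MokManager from the cp step are present.
check_shim_files() {
    dir=$1
    for f in shimx64.efi mmx64.efi; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done
    return 0
}

# Refresh grubx64.efi (what shim loads) from systemd-bootx64.efi when they
# differ. Prints "updated" or "unchanged"; returns 1 if the source is absent.
sync_grub_copy() {
    dir=$1
    src="$dir/systemd-bootx64.efi"
    dst="$dir/grubx64.efi"
    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        echo unchanged
    else
        cp "$src" "$dst" && echo updated
    fi
}

# Run as root after 'bootctl update'; guarded so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    esp=${2:-/efi/EFI/systemd}
    check_shim_files "$esp" && sync_grub_copy "$esp"
fi
```

Run it as root with `--run` (optionally followed by a different ESP directory) after each systemd-boot update; `esp_disk_and_part "$(findmnt -no SOURCE /efi)"` gives the values for the efibootmgr command in the step above.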