maximbaz / arch-secure-boot Goto Github PK

Hi Maximbaz,

Above all I would like to thank you for this great tool !

I have some suggestions if you would like to make this project more popular. I was thinking about why people don't use secure boot while it's available in every machine sold nowadays. And came to the conclusion that most people are just afraid when they hear "private keys", "public keys" or encryption in general :)
But your tool is good enough to remove thinking about those "scary" things from people minds.
So my proposals are:

1. Improve documentation. It just does not provide enough information how this tool works. While at the same time you wrote a great post with all of the details. So please attach this information to the readme --> Antynea/grub-btrfs#92 (comment)

2. Not everobody uses snapper. Personally I have very bad experience with it. So make the tool conditional - with or without snapper.

And getting to the problem that I have personally. I know you might have no idea why it is happening to me but, hey - it's worth asking. When I enter my Lenovo IdeaPad uefi I just don't see any other entries except of linux-secure-boot. And I have no way to choose anything else while at the same time all the images on /efi are created and in place:

root@i5 ~# ll /efi/EFI/arch/
total 107M
-rwxr-xr-x 1 root root 1008K Jul 30 19:50 secure-boot-linux-efi-shell.efi
-rwxr-xr-x 1 root root 39M Jul 30 19:50 secure-boot-linux-recovery-lts.efi
-rwxr-xr-x 1 root root 44M Jul 30 19:50 secure-boot-linux-recovery.efi
-rwxr-xr-x 1 root root 23M Jul 30 19:50 secure-boot-linux.efi

Big thanks for you work once again !
Any ideas ?

Hey it's been a while :)

After a kernel upgrade, I'm unable to boot and get the following error:

Nov 01 14:15:38 laptop bootctl[563]: No ESP found, not initializing random seed.
Nov 01 14:15:38 laptop systemd-pcrphase[564]: Extended PCR index 11 with 'sysinit' (banks sha1, sha256).
Nov 01 14:15:40 laptop apparmor.systemd[357]: Restarting AppArmor
Nov 01 14:15:40 laptop apparmor.systemd[357]: Reloading AppArmor profiles
Nov 01 14:15:40 laptop systemd-fsck[366]: fsck.fat 4.2 (2021-01-31)
Nov 01 14:15:40 laptop systemd-fsck[366]: /dev/sda2: 11 files, 40218/140690 clusters
Nov 01 14:15:40 laptop mount[497]: mount: /efi: unknown filesystem type 'vfat'.
Nov 01 14:15:40 laptop mount[497]:        dmesg(1) may have more information after failed mount system call.

I've had this issue a few times now, I'm not sure where it comes from to be honest, but I thought I would write it here in case you have any clue what's going on.

To fix this error I have to boot into a livecd and run arch-secure-boot generate-efi.

Here are the pacman logs that caused the issue:

[2023-10-30T19:16:44+0100] [PACMAN] Running '/usr/bin/pacman -S -y -u --config /etc/pacman.conf --'
[2023-10-30T19:16:44+0100] [PACMAN] synchronizing package lists
[2023-10-30T19:16:45+0100] [PACMAN] starting full system upgrade
[2023-10-30T19:16:56+0100] [ALPM] running '05-snap-pac-pre.hook'...
[2023-10-30T19:16:57+0100] [ALPM-SCRIPTLET] ==> root: 574
[2023-10-30T19:16:57+0100] [ALPM] running '60-mkinitcpio-remove.hook'...
[2023-10-30T19:16:57+0100] [ALPM] transaction started
[2023-10-30T19:16:57+0100] [ALPM] upgraded bash (5.1.016-4 -> 5.2.015-5)
[2023-10-30T19:16:57+0100] [ALPM] upgraded containerd (1.7.7-1 -> 1.7.8-1)
[2023-10-30T19:16:57+0100] [ALPM] upgraded krb5 (1.20.1-1 -> 1.20.1-2)
[2023-10-30T19:16:57+0100] [ALPM] upgraded libnghttp2 (1.57.0-1 -> 1.58.0-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded docker (1:24.0.6-1 -> 1:24.0.7-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded fzf (0.42.0-1 -> 0.43.0-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded gpgme (1.23.0-1 -> 1.23.1-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded libyuv (r2322+3aebf69d-1 -> r2426+464c51a0-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded libavif (1.0.1-3 -> 1.0.1-4)
[2023-10-30T19:16:58+0100] [ALPM] upgraded linux-firmware-whence (20230804.7be2766d-2 -> 20230918.3672ccab-1)
[2023-10-30T19:16:59+0100] [ALPM] upgraded linux-firmware (20230804.7be2766d-2 -> 20230918.3672ccab-1)
[2023-10-30T19:17:00+0100] [ALPM] upgraded shadow (4.14.1-1 -> 4.14.2-1)
[2023-10-30T19:17:02+0100] [ALPM] upgraded linux-hardened (6.5.8.hardened1-1 -> 6.5.9.hardened1-1)
[2023-10-30T19:17:07+0100] [ALPM] upgraded linux-hardened-headers (6.5.8.hardened1-1 -> 6.5.9.hardened1-1)
[2023-10-30T19:17:08+0100] [ALPM] upgraded restic (0.16.0-1 -> 0.16.1-1)
[2023-10-30T19:17:08+0100] [ALPM] transaction completed
[2023-10-30T19:17:09+0100] [ALPM] running '20-systemd-sysusers.hook'...
[2023-10-30T19:17:09+0100] [ALPM] running '30-systemd-daemon-reload.hook'...
[2023-10-30T19:17:09+0100] [ALPM] running '30-systemd-tmpfiles.hook'...
[2023-10-30T19:17:10+0100] [ALPM] running '30-systemd-udev-reload.hook'...
[2023-10-30T19:17:11+0100] [ALPM] running '30-systemd-update.hook'...
[2023-10-30T19:17:11+0100] [ALPM] running '60-depmod.hook'...
[2023-10-30T19:17:13+0100] [ALPM] running '90-mkinitcpio-install.hook'...
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux-hardened.preset: 'default'
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] ==> Using default configuration file: '/etc/mkinitcpio.conf'
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET]   -> -k /boot/vmlinuz-linux-hardened -g /boot/initramfs-linux-hardened.img --microcode /boot/intel-ucode.img
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] ==> Starting build: '6.5.9-hardened1-1-hardened'
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET]   -> Running build hook: [base]
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET]   -> Running build hook: [consolefont]
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET]   -> Running build hook: [keymap]
[2023-10-30T19:17:14+0100] [ALPM-SCRIPTLET]   -> Running build hook: [udev]
[2023-10-30T19:17:14+0100] [ALPM-SCRIPTLET]   -> Running build hook: [autodetect]
[2023-10-30T19:17:14+0100] [ALPM-SCRIPTLET]   -> Running build hook: [modconf]
[2023-10-30T19:17:14+0100] [ALPM-SCRIPTLET]   -> Running build hook: [block]
[2023-10-30T19:17:16+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'xhci_pci'
[2023-10-30T19:17:17+0100] [ALPM-SCRIPTLET]   -> Running build hook: [plymouth]
[2023-10-30T19:17:18+0100] [ALPM-SCRIPTLET]   -> Running build hook: [encrypt]
[2023-10-30T19:17:20+0100] [ALPM-SCRIPTLET]   -> Running build hook: [filesystems]
[2023-10-30T19:17:20+0100] [ALPM-SCRIPTLET]   -> Running build hook: [keyboard]
[2023-10-30T19:17:22+0100] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2023-10-30T19:17:22+0100] [ALPM-SCRIPTLET] ==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-hardened.img'
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] ==> Image generation successful
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux-hardened.preset: 'fallback'
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] ==> Using default configuration file: '/etc/mkinitcpio.conf'
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET]   -> -k /boot/vmlinuz-linux-hardened -g /boot/initramfs-linux-hardened-fallback.img -S autodetect --microcode /boot/intel-ucode.img
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] ==> Starting build: '6.5.9-hardened1-1-hardened'
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET]   -> Running build hook: [base]
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET]   -> Running build hook: [consolefont]
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET]   -> Running build hook: [keymap]
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET]   -> Running build hook: [udev]
[2023-10-30T19:17:24+0100] [ALPM-SCRIPTLET]   -> Running build hook: [modconf]
[2023-10-30T19:17:24+0100] [ALPM-SCRIPTLET]   -> Running build hook: [block]
[2023-10-30T19:17:25+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'aic94xx'
[2023-10-30T19:17:25+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'bfa'
[2023-10-30T19:17:26+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'qed'
[2023-10-30T19:17:26+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'qla1280'
[2023-10-30T19:17:26+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'qla2xxx'
[2023-10-30T19:17:26+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'wd719x'
[2023-10-30T19:17:27+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'xhci_pci'
[2023-10-30T19:17:30+0100] [ALPM-SCRIPTLET]   -> Running build hook: [plymouth]
[2023-10-30T19:17:31+0100] [ALPM-SCRIPTLET]   -> Running build hook: [encrypt]
[2023-10-30T19:17:33+0100] [ALPM-SCRIPTLET]   -> Running build hook: [filesystems]
[2023-10-30T19:17:34+0100] [ALPM-SCRIPTLET]   -> Running build hook: [keyboard]
[2023-10-30T19:17:39+0100] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2023-10-30T19:17:40+0100] [ALPM-SCRIPTLET] ==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-hardened-fallback.img'
[2023-10-30T19:17:41+0100] [ALPM-SCRIPTLET] ==> Image generation successful
[2023-10-30T19:17:42+0100] [ALPM] running 'gdk-pixbuf-query-loaders.hook'...
[2023-10-30T19:17:42+0100] [ALPM] running 'post-20-dash-symlink.hook'...
[2023-10-30T19:17:42+0100] [ALPM] running 'texinfo-install.hook'...
[2023-10-30T19:17:42+0100] [ALPM] running 'zz-snap-pac-post.hook'...
[2023-10-30T19:17:42+0100] [ALPM-SCRIPTLET] ==> root: 575
[2023-10-30T19:17:42+0100] [ALPM] running 'zzz-arch-secure-boot-generate-snapshots.hook'...

It seems that for some reason the 95-arch-secure-boot-generate-efi hook is not being triggered. Therefore the signed UKI is not being updated and the system becomes unbootable. I'm not sure why it becomes unbootable though, might be due to systemd, I found the following in my kernel logs:

Nov 01 14:15:37 laptop systemd-modules-load[288]: Failed to find module 'crypto_user'
Nov 01 14:15:37 laptop systemd-modules-load[288]: Failed to find module 'dm-multipath'
Nov 01 14:15:37 laptop systemd-modules-load[288]: Failed to find module 'pkcs8_key_parser'

I'm wondering if Operation = Upgrade in the pacman hook is enough. Here's how dracut-hook from the AUR does it:

[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/dracut/*
Target = usr/lib/systemd/systemd

[Action]
Description = Updating initramfs...
When = PostTransaction
Exec = /usr/share/libalpm/scripts/dracut-install
NeedsTargets

We can see that they use both Operation = Install and Operation = Upgrade, and that they also trigger the hook when systemd is being updated.

#21 might be related

Let me know what you think :)

Hi, in order for nvidia to work on grub or systemd the wiki tell us to add nvidia-drm.modeset=1:

sudo sed -i 's/\(GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 nvidia-drm.modeset=1"/' /etc/default/grub

is this required/ possible with arch-secure-boot?

Thank you

Currently the pacman hook will re-sign all the EFI binaries if a single one of them is updated.

It would be nice to only sign what has been updated.

alpm-hooks provides a NeedsTargets which according to the man page does the following:

Causes the list of matched trigger targets to be passed to the running hook on stdin.

Currently the hook looks like this :

Instead we could do something like this :

Exec = /usr/bin/arch-secure-boot generate-efi --from-stdin

Or maybe just the standard trailing -.

That way generate-efi would be able to sign only the updated EFI image, instead of signing them all.

To consider: an update of *-ucode.img must trigger the recreation of $NAME-unsigned.efi + signing it

problem : initial-setup failed with "cat: '/boot/*-ucode.img': No such file or directory"

OS: Arch Linux
Kernel: x86_64 Linux 5.14.8-arch1-1

full output :

➜  ~ arch-secure-boot initial-setup
Generating Secure Boot keys...
Generating a RSA private key
.........................................................................................................++++
........................++++
writing new private key to 'PK.key'
-----
Generating a RSA private key
...............................................................................................................................++++
.......................................................++++
writing new private key to 'KEK.key'
-----
Generating a RSA private key
..................................++++
.....++++
writing new private key to 'db.key'
-----
Generating EFI images...
cat: '/boot/*-ucode.img': No such file or directory

== Command ==
/usr/bin/arch-secure-boot generate-efi

== Config ==
ESP=/boot/efi
EFI=/EFI/arch
KERNEL=linux
NAME=secure-boot-linux
CMDLINE=/proc/cmdline

== Command ==
/usr/bin/arch-secure-boot initial-setup

== Config ==
ESP=/boot/efi
EFI=/EFI/arch
KERNEL=linux
NAME=secure-boot-linux
CMDLINE=/proc/cmdline

Hello Maxim,

I would like to know if excluding /usr/lib/modules from the root snapshots is necessary to use arch-secure-boot, ensuring the ability to boot from snapshots and maintain consistency between the kernel and their modules versions across all snapshots.

Additionally, I would like to ask if there are any other BTRFS subvolumes that need to be created to facilitate booting from snapshots using UKI?

Apologies if my questions aren't exactly specific to your project, and thank you in advance for your answers.

https://aur.archlinux.org/packages/arch-secure-boot

This says linux-lts as a dependency

but I use linux and I do not want to use another (and less than 6.2 because I need the ntfs3 update) kernel

Can I use arch-secure-boot with linux/linux-mainline/linux-zen, etc.?

After upgrading to systemd 254 I was unable to boot anymore.

The following lines are new when doing generate-efi:

objcopy: secure-boot-linux-unsigned.efi:.osrel: section below image base
objcopy: secure-boot-linux-unsigned.efi:.cmdline: section below image base
objcopy: secure-boot-linux-unsigned.efi:.linux: section below image base
objcopy: secure-boot-linux-unsigned.efi:.initrd: section below image base
 objcopy: secure-boot-linux-recovery-unsigned.efi:.osrel: section below image base
objcopy: secure-boot-linux-recovery-unsigned.efi:.linux: section below image base
objcopy: secure-boot-linux-recovery-unsigned.efi:.initrd: section below image base
objcopy: secure-boot-linux-lts-recovery-unsigned.efi:.osrel: section below image base
objcopy: secure-boot-linux-lts-recovery-unsigned.efi:.linux: section below image base
objcopy: secure-boot-linux-lts-recovery-unsigned.efi:.initrd: section below image base

It has probably to do with /usr/lib/systemd/boot/efi/linuxx64.efi.stub but I do not know what currently. I created this issue as more users are probably going to stumble on this. I just downgraded systemd using pacman -U /var/cache/pacman/pkg/systemd-253.7-1-x86_64.pkg.tar.zst and run generate-efi again

I'm seeing signing errors when the hook runs:

==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux -g /boot/initramfs-linux.img
==> Starting build: '6.9.1-arch1-1'
-> Running build hook: [systemd]
-> Running build hook: [autodetect]
-> Running build hook: [microcode]
-> Running build hook: [modconf]
-> Running build hook: [kms]
-> Running build hook: [keyboard]
==> WARNING: Possibly missing firmware for module: 'xhci_pci'
-> Running build hook: [sd-vconsole]
-> Running build hook: [block]
-> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_420xx'
-> Running build hook: [filesystems]
-> Running build hook: [fsck]
==> WARNING: Possibly missing '/bin/sh' for script: /usr/bin/fsck.btrfs
==> Generating module dependencies
==> Decompressing zstd-compressed firmware files
-> Fixing firmware file symlinks
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux.img'
-> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Running post hooks
-> Running post hook: [sbctl]
Signing /boot/vmlinuz-linux
couldn't access /usr/share/secureboot/keys/db/db.pem: no such file or directory
==> ERROR: '/usr/lib/initcpio/post/sbctl' failed with exit code 1

couldn't access /usr/share/secureboot/keys/db/db.pem: no such file or directory repeats for every image, both linux and linux-lts, regular and fallback.

Configuration hasn't changed for weeks, I have just been upgrading daily.

Any idea what the problem might be?

Thanks for creating this resource I am seriously excited to possibly drop a lot of grub cruft I have been dealing with. My one issue that I am wondering if you have experience with is a system that also boots into windows. This style of booting from uefi directly is new to me and I am wondering how this would work. Does the windows side just work by creating its own uefi entry and there is no overlap, or would I have to get the same private key generated from scripts embedded into the windows filesystem somehow?

if you aren’t familiar with this then no worries, just seeing if it’s possible to know about this before diving in.

Would it make sense to add arch-secure-boot itself to 95-arch-secure-boot-generate-efi.hook ? Though I don't know how it would behave when arch-secure-boot is being installed for the first time.

People that have a broken install because of #17 must run arch-secure-boot generate-efi manually after they have upgraded arch-secure-boot package

Hey Maxim, for some time now I've been reading a lot about backups. Considering I'm using arch-secure-boot which comes with a snapper dependency, I've been wondering how that could interact with my backup strategy.

Initially, my plan was as follow:

• Daily incremental backup of my home folder to a remote server (I use restic for that)
• Weekly full backup of my home folder to a remote server (I do that with tar+gpg because I trust them more than restic)
• Daily incremental btrfs backup of all my system to an external drive (if it's plugged in)
• Monthly full system backup to an external drive (by using tar+gpg on a btrfs snapshot, in order to have atomic backups)

I haven't done the last two items yet, I'm not sure I want to trust btrfs for my backups, there are multiple examples on the internet of people having issues with it. However I have to admit that its incremental backup feature using btrfs send | btrfs receive is very appealing.

I'm looking for ideas, what do you do ? Do you use snapper only to boot into a previous state of your system or do you also use btrfs features for your backups ? What's your take on using btrfs as a backup utility ?

PS: sorry for hijacking your issue tracker for something unrelated :-)

Hey, thanks for this amazing tool ! This is a very small issue, it doesn't have any impact but I thought I would still let you know.

When using a hardened kernel, the recovery EFI image of the LTS kernel will be named secure-boot-linux-hardened-recovery-lts.efi which is a bit confusing because this not a hardened version.

Maybe instead of using $NAME-recovery-lts-unsigned.efi you could hardcode linux-recovery-lts-unsigned.efi ? It would require to change the loop logic though.

Hello,
I follow your great dotfiles and wanted to ask you, if you could add support for AMD ucode as well.
Something like that would probably be enough:
https://github.com/gdamjan/secure-boot/blob/master/secure-boot#L17

Thanks for all your great projects!

This is something present in grub-btrfs but I'd prefer a simpler tool because grub is too much of a black hole.