[Enjoy Arch] Secure Boot on Arch Linux with systemd

This artical foucus on how to generate your own key and use it to sign the kernel and bootloader. If you want to learn more about how this mechanism work, you can read Dealing with Secure Boot by Rodbooks.

Generate UUID & Keys

Generating the keys used to verify your bootloader is quiet complex. Fortunately, Rodbook (Hello again!) offers a great bash script which can automatically generate everything we need.

(Source can be foung HERE)

Just make a new folder, create a new .sh file containing the script and run it. Don’t forget to copy your keys to a FAT32 disk (or your EFI partition if you have a BIG EFI partition)

Add keys to UEFI

We can use KeyTool to manage Secure Boot keys, but we need to turn on Setup Mode first.

In a modern ThinkPad, you can simply access BIOS-Security-Secure Boot and select Enter Setup Mode. It would not reboot, but you’re already in setup mode.

Then we need KeyTool to add our self signed key to UEFI. First copy KeyTool.efi to /boot/EFI/KeyTool.efi and add KeyTool to systemd-boot.

vim /boot/loader/entries/keytool.conf

At next boot, select KeyTool. You should see the KeyTool main menu. Select Edit Keys. Add your keys follow this order: db -> KEK -> PK.

Then just reboot your system and enter linux. Time to sign your kernel and bootloaders.

Sign Bootloader and Kernels

Add a pacman hook to your system.
vim /etc/pacman.d/hooks/99-secureboot.hook

The sbsign.sh is here:

If you just use my script directly, just copy DB.crt to /root/SecureBoot/OwnKeys and place sbsign.sh at the folder too.

Then just reinstall the linux package and pacman-hook will automatically sign kernel and bootloader for you.

Then reboot to BIOS and turn on Secure Boot. Enjoy the feeling of secure!


  1. limorg说道:

    Ridiculous. Why systemd-boot can't sign their systemd-bootx64.efi for the users once and for all?


电子邮件地址不会被公开。 必填项已用*标注