Secure Boot on Framework 13 AMD using EndeavourOS

Guide to setting up secure boot. Tested on my Framework 13 AMD using EndeavourOS.

Dependencies

The following packages are needed to set up secure boot.

  1. sbctl (Foxboron/sbctl): “a user-friendly secure boot key manager capable of setting up secure boot”
  2. dracut-ukify (AUR, aur.archlinux.org/packages/dracut-ukify): “modern way to generate a unified kernel image using systemd-ukify.”
  3. sbsigntools (archlinux.org/packages/extra/x86_64/sbsigntools/): tool used by dracut-ukify to sign the UKI

Creating Keys, Enrolling Keys and Signing Files

This part is a quick summary of the instructions in the GitHub README of the Foxboron/sbctl project (Foxboron/sbctl?tab=readme-ov-file#key-creation-and-enrollment).

!WARNING! You can brick your system by doing this. I am not responsible for any damage done. The information provided is for general informational purposes only. I am not responsible for any errors or omissions, or for any loss or damage you may incur. Use the information at your own risk.

To enroll your own keys you first have to put the device into setup mode, which deletes all existing Secure Boot keys on your Framework laptop. You can undo this later with the “Restore Secure Boot to Factory Settings” option.

  1. Press the power button and repeatedly press the F2 key to enter the BIOS
  2. Select the “Administer Secure Boot” menu
  3. Enable the option to “Erase all Secure Boot Settings”
  4. Confirm and reboot using F10

You are now in setup mode. Perform the following steps to create and enroll your keys; every step has to be run with sudo or as root!

  1. Run sbctl status to confirm you are in setup mode
  2. Use sbctl create-keys to create your keys; they are saved under /usr/share/secureboot
  3. Now run sbctl enroll-keys -m -f to enroll your keys together with the Microsoft (-m) and firmware (-f) keys. The firmware keys are needed in case you want to install BIOS updates in the future. I don't know if you NEED the Microsoft keys.
  4. Run sbctl status to check that the Owner GUID is set and the vendor keys exist
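To double-check the firmware state at this point without relying on a tool, here is an added example script (not part of this guide or of sbctl) that reads the UEFI SecureBoot and SetupMode variables straight from efivarfs, which is the same information sbctl status reports. Every efivarfs file starts with 4 bytes of variable attributes followed by the data, and both of these variables carry a single byte. The EFIVARS variable is an override assumed for testing; on a real system it defaults to /sys/firmware/efi/efivars.

```shell
#!/bin/sh
# Added example: report Secure Boot / Setup Mode from efivarfs.
# Not part of the guide or of sbctl. EFIVARS can be overridden to point at a
# constructed directory (used for testing); the GUID is the standard
# EFI_GLOBAL_VARIABLE GUID under which both variables live.
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the first data byte of a UEFI variable as a decimal number
# (skipping the 4 attribute bytes), or "missing" if the variable is absent.
efivar_byte() {
    f="$EFIVARS/$1-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo missing; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' '
}

# Summarise the firmware state as one word: setup, enabled, disabled or unknown.
# SetupMode=1 takes precedence: while in setup mode, enrolled keys can be
# replaced, so the SecureBoot byte alone is not meaningful.
secure_boot_state() {
    sb=$(efivar_byte SecureBoot)
    sm=$(efivar_byte SetupMode)
    if [ "$sm" = 1 ]; then
        echo setup
    elif [ "$sb" = 1 ]; then
        echo enabled
    elif [ "$sb" = 0 ]; then
        echo disabled
    else
        echo unknown
    fi
}

echo "Secure Boot state: $(secure_boot_state)"
```

Run it once after erasing the keys (expect "setup") and again after the final reboot with Secure Boot turned back on (expect "enabled"); "unknown" means the machine did not boot in UEFI mode or efivarfs is not mounted.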

Now you can sign the needed files. Which files need signing, and under which directories they live, varies from system to system.

  1. List the files that need to be signed using sbctl verify
  2. sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI
  3. sbctl sign -s /efi/EFI/arch/fwupdx64.efi (didn't exist on my system)
  4. sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
  5. Run sbctl verify again to verify that the files have been signed

Now you can set up dracut-ukify so that a signed UKI is created every time the kernel is rebuilt.

  1. Edit the file /etc/dracut-ukify.conf
  2. Add the following two lines; they tell dracut-ukify where to find your keys for signing the kernel:
    1. uefi_secureboot_cert="/usr/share/secureboot/keys/PK/PK.pem"
    2. uefi_secureboot_key="/usr/share/secureboot/keys/PK/PK.key"
  3. Reinstall your kernel using sudo pacman -Syu linux linux-headers (or whatever kernel you use)
  4. sbctl verify should now include the signed kernel
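Before reinstalling the kernel it is worth checking that the two settings really point at a readable certificate and key that belong together; a wrong path or a mismatched pair otherwise only shows up as a failed build or an unsigned UKI that the firmware refuses. The following script is an added example, not part of this guide or of dracut-ukify: it parses the two uefi_secureboot_* lines from the config file and, where openssl is installed, compares the certificate's public key with the one derived from the private key. The CONF override and the optional config-file argument are assumptions made for testing.

```shell
#!/bin/sh
# Added example: sanity-check the signing settings in dracut-ukify.conf.
# Not part of the guide or of dracut-ukify. CONF defaults to the real config
# path and can be overridden (assumed here so the check can run on a
# constructed file).
CONF="${CONF:-/etc/dracut-ukify.conf}"

# Print the value of a shell-style NAME="value" line (quotes optional) from the
# given file; the last definition wins, as it would when the file is sourced.
conf_value() {
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$2" 2>/dev/null | tail -n 1
}

# Return 0 when both paths are set and readable and (if openssl is available)
# the certificate and private key form a pair; otherwise print the reason and
# return 1.
check_ukify_signing() {
    conf="${1:-$CONF}"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    cert=$(conf_value uefi_secureboot_cert "$conf")
    key=$(conf_value uefi_secureboot_key "$conf")
    [ -n "$cert" ] && [ -n "$key" ] || { echo "uefi_secureboot_cert or uefi_secureboot_key not set in $conf"; return 1; }
    [ -r "$cert" ] || { echo "certificate not readable: $cert"; return 1; }
    [ -r "$key" ] || { echo "key not readable: $key"; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        # Both commands emit the public key in PEM form; identical output
        # means the private key matches the certificate.
        cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] || { echo "certificate and key do not match"; return 1; }
    fi
    echo "ok: cert=$cert key=$key"
}

# Stand-alone use: check the real config if it exists on this machine.
if [ -r "$CONF" ]; then
    check_ukify_signing "$CONF"
fi
```

Run it as root (the key file is normally readable only by root) right after editing the config; a non-zero exit tells you what to fix before the next kernel install.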

You can now enable Secure Boot in the BIOS again.

Last modified 2024.07.19