So, I’ve installed Manjaro quite while ago, and I let secure boot disabled during installation. Dang! Is there a way to keep (most of) my system and enable secure boot and LUKS after the fact?

  • Illecors@lemmy.cafe
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    1 year ago

    It depends on a single variable - does your motherboard support manipulating the secure boot keys? I’ve only done it on prebuilt dells and dell laptops, but some other manufacturers also allow it.

    The procedure is very simple, but has many steps. Don’t get discouraged! I remember ArchWiki having a very thorough guide that worked for me.

    The gist of it is you provide UEFI firmware the cert to trust and then use the keys to sign your kernel image. I’ve never had to deal with signing the modules (mostly nVidia related, I think), but the procedure would be the same.

        • Illecors@lemmy.cafe
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          My bad, private repo. Here’s the content:

          #!/bin/zsh
          
          # 2022.09.26
          
          # Generate
          dracut --quiet --zstd --kver 6.0.2-gentoo --filesystems btrfs --early-microcode --uefi --uefi-splash-image $HOME/Nextcloud/Pictures/gentoo.full.height.nvme.bmp --uefi-stub /usr/lib/systemd/boot/efi/linuxx64.efi.stub --no-machineid --stdlog 4 --force --kernel-cmdline "rd.luks=1 rd.lvm=0 rd.md=0 rd.dm=0 rd.fstab=1 root=UUID=f5f8d75d-8aa8-4cea-83f9-3489a92a23e0 rd.luks.key=/luks.key:UUID=8E55-4050 rd.luks.uuid=5f5ab8ff-f1ea-4c09-960a-73f9bf5b7698 rootflags=noatime,discard=async,subvol=@snapshots/root/2022-10-18_102847 rootfstype=btrfs quiet delayacct i915.enable_guc=3"
          
          # Sign
          sbsign --key secure-boot/db.key --cert secure-boot/db.crt --output /boot/EFI/Linux/linux-6.0.2-gentoo.signed.efi /boot/EFI/Linux/linux-6.0.2-gentoo.efi
          
          # Change boot order
          efibootmgr --create --disk /dev/sdb --loader EFI/Linux/linux-6.0.2-gentoo.signed.efi --label Gentoo-6.0.2-signed --part 3 --verbose
          
          
          • Illecors@lemmy.cafe
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            I have since replaced the hardcoded values with variables, but evidently haven’t pushed the changes to gitlab. Having said that - not having variables might make it easier to understand in this case.

    • snake_cased@lemmy.mlOP
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      I think, I can install keys in my AMI bios. So, basically, I’d create some keys, sign the kernel with it, reboot, install them keys in UEFI, enable secure boot, and, fingers crossed, I’d boot?

      • Illecors@lemmy.cafe
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        You might have to enable Audit mode or similar - again, depends on the manufacturer - to generate the keys. But yes, essentially that’s the gist of it.