Per the discussion in FDE, TPM, Secure Boot, and Linux, I’ve written up a guide for locking down an Arch Linux system using Secure Boot. I’ve implemented this on my Framework and it works great. It’s still a work in progress, so any and all feedback appreciated!
If you’re using the i7-1185G7, hit F10 on boot to configure AMT. Specifically, you’re going to want to set a password then likely disable it. Otherwise, Secure Boot is moot. Unfortunately, there doesn’t appear to be a way to do this from the BIOS.
This works for you as written? There are some things that just don’t seem right that I did differently when I was going through my install. For example, the sd-encrypt hook in mkinitcpio should require the command line rd.luks.name={UUID}=cryptlvm instead of the cryptdevice line in your write-up.
If it works as written I won’t bother writing up suggested changes; otherwise I’d be happy to make some suggestions.
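The hook and parameter mismatch raised in the post above, written as a check. This is an added example, not code from the guide or from any poster; the function names, the sample HOOKS line and the all-zero UUID are constructed for illustration.

```shell
#!/bin/sh
# Added example. mkinitcpio's two encryption hooks read different parameters:
#   encrypt    -> cryptdevice=UUID=<uuid>:<name>
#   sd-encrypt -> rd.luks.name=<uuid>=<name>

# hooks_from_conf FILE: contents of the last uncommented HOOKS=(...) line.
hooks_from_conf() {
    sed -n 's/^[[:space:]]*HOOKS=(\(.*\)).*$/\1/p' "$1" | tail -n 1
}

# check_luks_params HOOKS CMDLINE: prints a verdict, returns 0 only on a match.
check_luks_params() {
    hooks=" $1 "; cmdline=" $2 "; hook=none; param=none
    case "$hooks" in
        *" sd-encrypt "*) hook=sd-encrypt ;;
        *" encrypt "*)    hook=encrypt ;;
    esac
    case "$cmdline" in *" rd.luks.name="*) param=rd.luks.name ;; esac
    case "$cmdline" in *" cryptdevice="*)
        if [ "$param" = none ]; then param=cryptdevice; else param=both; fi ;;
    esac
    case "$hook:$param" in
        sd-encrypt:rd.luks.name|encrypt:cryptdevice)
            echo "OK: $hook hook with $param="; return 0 ;;
        none:*)
            echo "FAIL: no encrypt or sd-encrypt hook in HOOKS" ;;
        *:none)
            echo "CHECK: $hook hook, but neither parameter is on the command line" ;;
        sd-encrypt:cryptdevice)
            echo "FAIL: sd-encrypt does not read cryptdevice=; use rd.luks.name=<UUID>=<name>" ;;
        encrypt:rd.luks.name)
            echo "FAIL: encrypt does not read rd.luks.name=; use cryptdevice=UUID=<UUID>:<name>" ;;
        *)
            echo "WARN: both styles present; only the one matching $hook is read" ;;
    esac
    return 1
}

# Constructed sample: sd-encrypt in HOOKS, legacy parameter on the command line.
SAMPLE_HOOKS="base systemd autodetect modconf block sd-encrypt lvm2 filesystems fsck"
SAMPLE_CMDLINE="cryptdevice=UUID=00000000-0000-0000-0000-000000000000:cryptlvm root=/dev/vg/root rw"
check_luks_params "$SAMPLE_HOOKS" "$SAMPLE_CMDLINE" || true

# On a live system:
#   check_luks_params "$(hooks_from_conf /etc/mkinitcpio.conf)" "$(cat /proc/cmdline)"
```

A CHECK verdict with sd-encrypt is not necessarily a fault, since that hook can also take its volume list from /etc/crypttab.initramfs rather than the command line.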
@smn that’s super cool. Am I correct in understanding that you have to manually re-sign on kernel and initramfs updates? Or does dracut have a hook that’s called by pacman to automatically regen and sign?
@blowfish you should really be looking at safeboot if you want to use Ubuntu. The tooling there is pretty good, if a bit brittle, and handles everything you need to do all in one package, which is super nice.
@mbernhard Yes, the dracut hook makes sure dracut signs the UEFI bins it generates. However, I have not yet gone for this since I’m not sure how to re-enroll the Framework KEK and DB to allow for firmware updates later.
@mbernhard where should I move the generated keys to? I can’t see the keys in the firmware if they are in /etc/efi-keys, and I also cannot see the keys after copying them to /boot.
You might have a separate EFI system partition. If you lsblk, do you see a mountpoint for both /boot and /boot/EFI? If so, /boot/EFI is the EFI system partition, so that’s where the keys need to go.
@mbernhard Thanks for your reply! And it turns out the problem is solved by moving only .cer keys to the ESP as the firmware only recognizes .cer among all 4 formats (.auth, .esl, .crt, .cer).
Also, have you dealt with dynamic kernel modules (dkms)? I cannot figure out a way to use the custom keys to sign them upon every load. modprobe always returns a segfault or just gets stuck.