Securing an Arch Linux Install

Per the discussion in FDE, TPM, Secure Boot, and Linux, I’ve written up a guide for locking down an Arch Linux system using Secure Boot. I’ve implemented this on my Framework and it works great. It’s still a work in progress, so any and all feedback appreciated!


Impressive progress so far. Thank you for sharing your knowledge! I hope to try this after the Batch 2 shipments.

If you’re using the i7-1185G7, hit F10 on boot to configure AMT. Specifically, you’re going to want to set a password then likely disable it. Otherwise, secure boot is moot. Unfortunately, there doesn’t appear to be a way to do this from the bios.

1 Like

This works for you as written? There are some things that just don’t seem right that I did differently when I was going through my install. For example, the sd-encrypt hook in mkinitcpio should require the command line{UUID}=cryptlvm instead of the cryptdevice line in your write-up.

If it works as written I won’t bother writing up suggested changes; otherwise I’d be happy to make some suggestions.

1 Like

@JoshuaB it did work when I wrote it, but I’ve received a lot of feedback and am in the process of revising. If you have suggestions I’d welcome them!

@mbernhard Thanks for the effort of documenting.

Maybe this guide is of interest to you.

Is the process for Ubuntu similar to this? I’m trying to figure out how to get TPM + FDE to work on my machine, but I can’t figure it out.

@smn that’s super cool. Am I correct in understanding that you have to manually re-sign on kernel and initramfs updates? Or does dracut have a hook that’s called by pacman to automatically regen and sign?

@blowfish you should really be looking at safeboot if you want to use Ubuntu. The tooling there is pretty good, if a bit brittle, and handles everything you need to do all in one package, which is super nice.

@mbernhard Yes, the dracut hook makes sure dracut signs the UEFI bins it generates. However I have not yet gone for this since I’m not sure how to re-enroll the framework KEK and DB to allow for firmware updates later.

Thank you @mbernhard ! I’ll take a look

@mbernhard where should I move the generated Keys to? I can’t see the keys in the firmware if they are in /etc/efi-keys, and I also cannot see the keys after copying them to /boot.

You might have a separate EFI system partition. If you lsblk, do you see a mountpoint for both /boot and /boot/EFI? If so, /boot/EFI is the EFI system partition, so that’s where the keys need to go.

@mbernhard Thanks for your reply! And it turns out the problem is solved by moving only .cer keys to the esp as the firmware only recognizes .cer among all 4 formats (.auth, .esl, .crt, .cer).
Also, have you dealt with dynamic kernel modules (dkms)? I cannot figure out a way to use the custom keys to sign them upon every load. modprobe always returns a segfault or just gets stuck.

unfortunately I haven’t played around with dkms much. It kind of seems like an open problem, even amongst safeboot and other projects.