So, I’ve installed Manjaro quite while ago, and I let secure boot disabled during installation. Dang! Is there a way to keep (most of) my system and enable secure boot and LUKS after the fact?
So, I’ve installed Manjaro quite while ago, and I let secure boot disabled during installation. Dang! Is there a way to keep (most of) my system and enable secure boot and LUKS after the fact?
It depends on a single variable - does your motherboard support manipulating the secure boot keys? I’ve only done it prebuilt dells and dell laptops, but some other manufacturers also allow it.
The procedure is very simple, but has many steps. Don’t get discouraged! I remember ArchWiki having a very thorough guide that worked for me.
The gist of it is you provide UEFI firmware the cert to trust and then use the keys to sign your kernel image. I’ve never had to deal with signing the modules (mostly nVidia related, I think), but the procedure would be the same.
I think, I can install keys in my AMI bios. So, basically, I’d create some keys, sign the kernel with it, reboot, install them keys in UEFI, enable secure boot, and, fingers crossed, I’d boot?
You might have to enable
Audit modeor similar - again, depends on the manufacturer - to generate the keys. But yes, essentially that’s the gist of it.I had it scripted at some point - this is the file
Good luck!
That’s a 404 …
My bad, private repo. Here’s the content:
#!/bin/zsh # 2022.09.26 # Generate dracut --quiet --zstd --kver 6.0.2-gentoo --filesystems btrfs --early-microcode --uefi --uefi-splash-image $HOME/Nextcloud/Pictures/gentoo.full.height.nvme.bmp --uefi-stub /usr/lib/systemd/boot/efi/linuxx64.efi.stub --no-machineid --stdlog 4 --force --kernel-cmdline "rd.luks=1 rd.lvm=0 rd.md=0 rd.dm=0 rd.fstab=1 root=UUID=f5f8d75d-8aa8-4cea-83f9-3489a92a23e0 rd.luks.key=/luks.key:UUID=8E55-4050 rd.luks.uuid=5f5ab8ff-f1ea-4c09-960a-73f9bf5b7698 rootflags=noatime,discard=async,subvol=@snapshots/root/2022-10-18_102847 rootfstype=btrfs quiet delayacct i915.enable_guc=3" # Sign sbsign --key secure-boot/db.key --cert secure-boot/db.crt --output /boot/EFI/Linux/linux-6.0.2-gentoo.signed.efi /boot/EFI/Linux/linux-6.0.2-gentoo.efi # Change boot order efibootmgr --create --disk /dev/sdb --loader EFI/Linux/linux-6.0.2-gentoo.signed.efi --label Gentoo-6.0.2-signed --part 3 --verboseI have since replaced the hardcoded values with variables, but evidently haven’t pushed the changes to gitlab. Having said that - not having variables might make it easier to understand in this case.