Great vid. One thing, don't endorse doing partial updates with pacman -Sy sbctl.
Could you expand on the partial updates part? Doesn't -Sy just mean "install one package"?
Dude, you're a lifesaver, was baffled by this for weeks :D
Will this work on a dual boot? Or if I boot the OS on another computer?
On my dual boot it didn't work.
Thank you for your tutorials! :) I have a few questions for you about this one.
1. Can I use this script after I have made a basic installation of Arch Linux?
2. After the reboot at 4:56 there's no need to go to the BIOS and choose the Secure Boot option there, right?
3. Should I sign a kernel after each update of it?
I'd imagine so for #1; for #2, not needed, the signer enables it for you; and as for #3, it auto-signs it for you. It's all shown in the video.
@Theoldenmage Thank you! This is what I thought about #2 - the signer does it automatically for me. But what about questions 1 and 3? Eh... it seems I have to try it on qemu. But there's a problem - I can't enable the Secure Boot option at the start. IDK why.
So, question #3 remains: Should I sign a kernel after each update?
Thank you man!
Good video. Big thanks! I use and like Manjaro :)
This video is a life saver
I think your video is excellent and I thank you a lot for it, but this method is so wrong! How is my system protected if the keys to sign a new kernel are available to this sbctl tool in userspace? Why doesn't Arch provide a kernel signed with their own private key so I can just add their public key to my Secure Boot database by allowing it in the BIOS settings, once? I don't understand!!!
I'm getting a "/efi/EFI/Linux/arch-linux.efi does not exist" error..
Did you run `cat /etc/mkinitcpio.d/linux.preset` and then read the `default_uki` line? Maybe the cat output from the video is the same for you too, but it still doesn't work, I guess. Then there's something special about your bootloader setup; exploring your boot or efi dirs and researching more about these files could help, but that's about all I know, sorry.
Check what files need to be signed for Secure Boot to work:
`# sbctl verify`
@giulioluizvalcanaia It says failed to find EFI partition
@Habibaadil-fp3iq I have the same problem. Did you manage to solve it? How?
Use the other one at 4:02. I encountered the same error, so I used /boot/vmlinuz-linux and everything worked out for me.
Are you using VirtualBox or Hyper-V? I tried doing this on Hyper-V Manager on Windows 11. I got the PXE over IPv4 message when I tried to boot with Secure boot enabled.
His UEFI looks like VirtualBox; I don't know how the Hyper-V UEFI looks.
qemu
And Linux Boot Manager only gets me to Windows 11
My laptop has pre-installed Windows. Doing this won't affect it, right?
same question here
@marcitrixie I would recommend against doing this if you dual boot Windows. Just disable Secure Boot when booting into Linux and turn it back on (if you want/need) when booting back into Windows. sbctl can brick laptops if you are not careful or do not know what you are doing.
@dcarpenter85 yeah, solved a problem by buying a cheap but relatively high-performance laptop :D
I wonder if this will work with Windows 10 or 11 with BitLocker enabled on the partition Windows is installed on.
If we reset the Secure Boot keys in the first step, does that tamper with the BitLocker encryption key?
Bro, which command should I run, the vmlinuz one or the default_uki one? I am confused, as one guy here said his PC died after this command. When I boot through rEFInd I see vmlinuz there for my Arch Linux; does it mean I should use the vmlinuz one?
Hi, I'm getting "failed to parse pem block" when I try to enroll keys or reset.
Thanks for making this video. Working with Kali Linux, but I can't get Windows 11 on the boot menu.
After I type `bootctl install` it says: mount point /boot which backs the random seed file is world accessible, which is a security hole, and random seed file '/boot/loader/random-seed' is world accessible, which is a security hole
Because it has the wrong file permissions. If you just `sudo mount "efi part" "mount loc"`, the default owner will be set to "root" with "0777" file and folder permissions. You need to use `sudo mount -o fmask=0137,dmask=0027 "efi part" "mount loc"` so files will be set to "0640" and folders to "0750", which are sufficient permissions.
@thelazt16 thank you
Wow! I thought it was difficult
wtf, I did this on my dual boot notebook with Win11 and Arch Linux, and after the tutorial it now stays on a black screen, not even a white backlight on the LCD screen, only turned off. I can't see the BIOS like this or do literally anything
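As an added example (not from the video or any commenter), a small POSIX sh check for the mount-option problem described in the reply above: it reads lines in /proc/self/mounts format, derives the effective vfat file and directory modes from fmask/dmask, and flags any mount where the "other" class keeps access bits, which is what bootctl's "world accessible" warning is about. The sample mount lines are constructed, and audit_live is a hypothetical entry point for a live system.

```shell
#!/bin/sh
# Added example: audit ESP mount options for the bootctl "world accessible"
# warning. Effective vfat mode = 0777 with the mask bits cleared.

# Print the value of fmask or dmask from a comma-separated option string;
# prints nothing when the option is absent.
mask_opt() {   # $1 = option name, $2 = option string
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^$1=//p" | tail -n 1
}

# Effective mode for a given octal mask, as four octal digits (0137 -> 0640).
eff_mode() {   # $1 = octal mask
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Check one mount line. Returns 0 when the mount is restrictive enough,
# 1 otherwise; prints the finding either way.
check_esp_line() {   # $1 = "dev mountpoint fstype options dump pass"
    set -- $1
    mnt=$2; fstype=$3; opts=$4
    [ "$fstype" = "vfat" ] || { echo "$mnt: not vfat, skipped"; return 0; }
    fmask=$(mask_opt fmask "$opts"); dmask=$(mask_opt dmask "$opts")
    if [ -z "$fmask" ] || [ -z "$dmask" ]; then
        echo "$mnt: fmask/dmask not set, mode falls back to the mount umask"
        return 1
    fi
    fmode=$(eff_mode "$fmask"); dmode=$(eff_mode "$dmask")
    # The last octal digit is the "other" class; it must be 0 for both.
    if [ "${fmode#???}" != 0 ] || [ "${dmode#???}" != 0 ]; then
        echo "$mnt: world accessible (files $fmode, dirs $dmode)"
        return 1
    fi
    echo "$mnt: ok (files $fmode, dirs $dmode)"
}

# Constructed sample lines in /proc/self/mounts format (not from a real host).
BAD_LINE='/dev/sda1 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437 0 0'
GOOD_LINE='/dev/sda1 /boot vfat rw,relatime,fmask=0137,dmask=0027,codepage=437 0 0'
UNSET_LINE='/dev/sda1 /boot vfat rw,relatime,codepage=437 0 0'

# Hypothetical live use: audit every vfat mount on this machine.
audit_live() {
    grep ' vfat ' /proc/self/mounts | while read -r line; do
        check_esp_line "$line" || exit 1
    done
}
```

The same masks belong in the /etc/fstab entry for the ESP, otherwise the next boot mounts it with the permissive defaults again.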
Did you read my caveat about installing the M$ vendor key?
@Walian-rw1go I'm frightened to ask, which caveat? I can still access the Arch terminal because I remember the key order to select; is there anything that I can do from the terminal?
@Walian-rw1go ps: when I tried to sign the keys to the same directory "/efi/EFI/Linux/arch-linux.efi" it says that the directory does not exist, then I signed on "ALL_kver="/boot/vmlinuz-linux"
Did you uncomment the lines to generate the UKI efi file?
@Walian-rw1go I think I didn't, I just followed the steps from the video, but I remember that when I verified with sbctl, there was a giant list and only one item marked right. I'm scared that was something that I've done to the BIOS
Tysm ❤
Are you doing this on QEMU?
Yessir
Will it work if I use dual boot?
Have you tried it?
why do you only have 300 subs
Can I use this in Manjaro?
Yes, it should work in Manjaro. software.manjaro.org/package/sbctl
I just bricked my system by omitting -m. What do I do?
Disable Secure Boot in BIOS
That's useless...
I wouldn't say useless, because you can do Secure Boot, which probably helps if you are dual-booting Windows 11. But self-signing a kernel you did not even build yourself and keeping the private keys to sign them on the same system, that doesn't seem like "secure" boot at all. I can't believe this is a recommended or preferred way of doing things. Why doesn't Arch sign with their own private key and provide the public counterpart to add to the SB database (either directly or via shim) so we can just trust their kernels like we do with Microsoft?