
maximbaz / arch-secure-boot

Licence: ISC license
UEFI Secure Boot for Arch Linux + btrfs snapshot recovery


Highly opinionated setup that provides minimal Secure Boot for Arch Linux, and a few recovery tools.

Bootloaders (such as GRUB or systemd-boot) are intentionally not supported, as they significantly increase the amount of code that runs during boot, therefore increasing the attack surface.

Installation

The package is available on AUR: arch-secure-boot

Configuration

See the available configuration options at the top of the script.

Add your overrides to /etc/arch-secure-boot/config.

Most notably, set KERNEL=linux-hardened if you use hardened Linux.

Commands

  • arch-secure-boot generate-keys - generates new keys for Secure Boot
  • arch-secure-boot enroll-keys - adds them to your UEFI
  • arch-secure-boot generate-efi - creates several images signed with Secure Boot keys
  • arch-secure-boot add-efi - adds UEFI entry for the main Secure Boot image
  • arch-secure-boot generate-snapshots - generates a list of btrfs snapshots for recovery
  • arch-secure-boot initial-setup - runs all the steps in the proper order

Generated images

  • secure-boot-linux.efi - the main image
    • vmlinuz-linux + initramfs-linux + *-ucode + hardcoded cmdline
  • secure-boot-linux-efi-shell.efi - UEFI shell that is used to boot into a snapshot
    • because built-in UEFI shells are known to be buggy
  • secure-boot-linux-recovery.efi - recovery image that can be used to boot from a snapshot
    • vmlinuz-linux + initramfs-linux-fallback
  • secure-boot-linux-lts-recovery.efi - recovery LTS image that can be used to boot from a snapshot
    • vmlinuz-linux-lts + initramfs-linux-lts-fallback

The fwupdx64.efi image is also signed.

Initial setup

  • BIOS: Set admin password, disable Secure Boot, delete all Secure Boot keys
  • Generate and enroll keys
  • Generate EFI images and add the main one (only!) to UEFI
  • BIOS: Enable Secure Boot
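
To confirm which stage of this procedure the firmware is actually in, the following added example (not part of arch-secure-boot) reads the standard UEFI SecureBoot and SetupMode variables from efivarfs. The stage names and the EFIVARS_DIR override are assumptions made for this example.

```sh
#!/bin/sh
# Added example: report the firmware Secure Boot state after each setup step.
# EFIVARS_DIR can be overridden to run the logic on constructed files.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
EFIVARS_DIR=${EFIVARS_DIR:-/sys/firmware/efi/efivars}

# An efivarfs file is a 4-byte attribute header followed by the variable data.
# SecureBoot and SetupMode are one-byte booleans, so the value is the 5th byte.
read_efi_bool() {
    f="$EFIVARS_DIR/$1-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 2                      # legacy boot or efivarfs not mounted
    val=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$val" ] || return 2                    # truncated variable
    echo "$val"
}

# Prints one of: setup-mode, user-mode-disabled, enforcing, inconsistent, unknown.
secure_boot_stage() {
    sb=$(read_efi_bool SecureBoot) || { echo "unknown"; return 1; }
    sm=$(read_efi_bool SetupMode)  || { echo "unknown"; return 1; }
    case "$sb:$sm" in
        0:1) echo "setup-mode" ;;          # no Platform Key: state after deleting all keys
        0:0) echo "user-mode-disabled" ;;  # keys enrolled, Secure Boot still off in BIOS
        1:0) echo "enforcing" ;;           # keys enrolled and Secure Boot enabled
        *)   echo "inconsistent"; return 1 ;;
    esac
}

secure_boot_stage || true
```

Expect setup-mode before enrolling keys, user-mode-disabled after enrolling them, and enforcing after the final BIOS step; any other result means a step did not take effect.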

Recovery instructions

  • BIOS: use admin password to boot into efi-shell image
  • Inspect recovery script using edit FS0:\recovery.nsh (if FS0 is not your hard disk, try other FSn)
  • Run the script using FS0:\recovery.nsh
  • Once recovered, remove efi-shell entry from UEFI
