Create & sign a unified Kernel EFI
Go to file
2023-07-19 17:42:12 +03:00
999-sign-kernel.hook update hook 2022-06-06 11:55:59 +03:00
cmdline update script 2022-05-30 11:16:15 +03:00 Revert "create TPM2 PCR signature" 2023-07-19 17:42:12 +03:00 Revert "create TPM2 PCR signature" 2023-07-19 17:42:12 +03:00

Create and sign a unified EFI executable


This script ( combines the Linux kernel and initrd images and creates a unified image which is then signed for secure boot. The image is created under /efi/EFI/Linux/linux.efi.

The script makes a number of assumptions about the system. Notably:

  • The system is based on Arch Linux
  • The system has boot parameters in /etc/cmdline (minimal example provided in this repo - modify to your needs)
  • The system has secure boot keys in /etc/secureboot
  • The system has the sbsigntools and binutils packages installed
  • The system is using the stock kernel (kernel in /boot/vmlinuz-linux and initramfs in /boot/initramfs-linux.img)

Fortunately, the script is minimal - it's easy to understand and modify to your specific scenario. Specifically, the VARIANT variable defined at the top of the script is probably of most interest to you - this can be used to specify custom kernel builds, a la VARIANT="-zen".

You'll also need to actually use efibootmgr or similar to create the EFI boot entry. Something like so:

efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "Arch" --loader '\EFI\Linux\linux.efi' --verbose

A convenience pacman hook is provided. This can be copied over:

mkdir -p /etc/pacman.d/hooks/
cp 999-sign-kernel.hook /etc/pacman.d/hooks/

Use case

I have full disk crypto set up using LUKS2. The entire rootfs is encrypted, including boot. Decryption is handled by systemd, using the sd-encrypt mkinitcpio hook. I leverage secure boot and EFISTUB to combine the entire boot chain into one EFI executable and sign it, thus preventing any tampering of the boot chain before I boot into the root filesystem.