From Funtoo
Jump to navigation Jump to search

Generating and Installing Secure Boot Certificates

Enter the firmware setup utility and put secure boot in setup mode.

Install efitools and sbsigntools:

root # emerge -av app-crypt/efitools app-crypt/sbsigntools

Decide where you want to keep your keys. You may keep them on the hard disk (not recommended), on another machine or on an external drive.


If you keep the keys on an external drive, be aware that gpg creates a socket for gpg-agent in its config directory, so it should reside on a filesystem that supports sockets (i.e., not FAT) and be mounted read-write for signing.

Create the directory in which you will keep the keys:

root # mkdir -p 700 /etc/kernel/sbkeys
root # cd /etc/kernel/sbkeys

Save old secure boot certificates:

root # efi-readvar -v PK  -o old_PK.esl
root # efi-readvar -v KEK -o old_KEK.esl
root # efi-readvar -v db  -o old_db.esl
root # efi-readvar -v dbx -o old_dbx.esl

Generate new certificates valid for 10 years:

root # openssl req -new -x509 -newkey rsa:2048 -subj "/CN=PK/"  -keyout PK.key  -out PK.crt  -days 3650 -nodes -sha256
root # openssl req -new -x509 -newkey rsa:2048 -subj "/CN=KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
root # openssl req -new -x509 -newkey rsa:2048 -subj "/CN=db/"  -keyout db.key  -out db.crt  -days 3650 -nodes -sha256

Prepare certificate lists:

root # cert-to-efi-sig-list PK.crt  PK.esl
root # cert-to-efi-sig-list KEK.crt KEK.esl
root # cert-to-efi-sig-list db.crt  db.esl

If you want to dual boot preinstalled OSes, add old KEK and db certificates to the new lists:

root # cat old_KEK.esl >>KEK.esl
root # cat old_db.esl  >>db.esl

Sign the certificate lists:

root # sign-efi-sig-list -k PK.key  -c PK.crt  PK  PK.esl      PK.auth
root # sign-efi-sig-list -k PK.key  -c PK.crt  KEK KEK.esl     KEK.auth
root # sign-efi-sig-list -k KEK.key -c KEK.crt db  db.esl      db.auth
root # sign-efi-sig-list -k KEK.key -c KEK.crt dbx old_dbx.esl old_dbx.auth

Remount the efivars partition read-write:

root # mount -o remount,rw /sys/firmware/efi/efivars

Install the certificates into EFI:

root # efi-updatevar -f old_dbx.auth dbx 
root # efi-updatevar -f db.auth      db
root # efi-updatevar -f KEK.auth     KEK
root # efi-updatevar -f PK.auth      PK