sbctl (Secure Boot Manager)

sbctl intends to be a user-friendly secure boot key manager capable of setting up secure boot, offer key management capabilities, and keep track of files that needs to be signed in the boot chain.

Usage

Install the necessary packages:

pacman -S sbctl sbsigntools

Check that Secure Boot “Setup Mode” is “Enabled” in UEFI:

sbctl status

Create your own signing keys:

sbctl create-keys

Sign the systemd bootloader:

sbctl sign -s \
  -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed \
  /usr/lib/systemd/boot/efi/systemd-bootx64.efi

Enroll your custom keys:

sbctl enroll-keys
 
# Enroll and include Microsoft Keys
sbctl enroll-keys --microsoft

Sign EFI files:

sbctl sign -s /boot/EFI/Linux/arch-linux.efi
sbctl sign -s /boot/EFI/Linux/arch-linux-fallback.efi
sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
sbctl sign -s /efi/EFI/Boot/bootx64.efi

Verify signature of EFI files:

sbctl verify

Resign everything:

sbctl sign-all

Knowledge Base

Explorer

sbctl

sbctl (Secure Boot Manager)

Usage

Graph View

Table of Contents