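├── README.md
└── manjaro-secure-boot.sh

/README.md:
--------------------------------------------------------------------------------
# Manjaro-secure-boot
Set up Secure Boot on Manjaro with your own keys while keeping dual boot with Windows 11 working.

## After running the script
Go into your UEFI firmware setup and enroll the keys manually.
Copy the "Keys" folder with the "*.auth" files to a FAT-formatted file system (the EFI system partition works).
Then enroll, in this order:
    Platform Key (PK)       : Keys/PK/PK.auth
    Key Exchange Key (KEK)  : Keys/KEK/KEK.auth
    Signature Database (db) : Keys/db/db.auth
    # Then append the Microsoft certificates to db. Use "Append", not "Replace", or your own db entry is lost.
    Signature Database (db) : Keys/Win/add_MS_db.auth  {Append}
    # If the script produced Keys/dbx/dbx.auth (your firmware's previous revocation list), enroll it as dbx too,
    # otherwise the revocations the firmware had before are gone.
    Revocation Database (dbx): Keys/dbx/dbx.auth

Before enrolling, compare the SHA-256 fingerprints the script prints for the two Microsoft certificates with the
values Microsoft publishes: anything placed in db is allowed to boot this machine.
--------------------------------------------------------------------------------
/manjaro-secure-boot.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Generate a personal Secure Boot key hierarchy (PK -> KEK -> db), sign the
# installed kernel(s) and GRUB with the db key, install a pacman hook that
# re-signs kernels on update, and prepare the .auth files that are enrolled
# by hand in the firmware -- including Microsoft's certificates so that the
# Windows 11 boot manager keeps booting.
#
# Run as the normal user; sudo is used where root is required.
# Everything is written under ~/Secure_Boot_Key; the files to enroll end up
# in ~/Secure_Boot_Key/Keys.
#
# The original used #!/bin/sh, but relies on bash brace expansion
# ({db,dbx,KEK,PK,Win}) -- under dash that created one directory literally
# named "{db,dbx,KEK,PK,Win}" and the following copies failed.

set -euo pipefail

keydir="$HOME/Secure_Boot_Key"
esp="/boot/efi"
# Must match the directory GRUB is installed into on the ESP (see grub-install
# below); the ESP is usually case-insensitive vfat, but keep them identical.
bootloader_id="manjaro"

echo "Installing efitools & sbsigntools"
# One transaction instead of two full system upgrades.
sudo pacman -Syu --needed efitools sbsigntools
echo "Installation Complete.
efitools & sbsigntools have installed"

echo "Creating folder \"Secure_Boot_Key\" in Home directory"
# Private keys are stored here unencrypted (-nodes below): keep the directory
# out of reach of other users on the machine.
mkdir -p -m 700 "$keydir"
mkdir -p "$keydir/backup_key"

echo "Creating Backups for old keys in \"backup_key\" folder"
# Best effort: a variable that does not exist (e.g. firmware already in setup
# mode) must not abort the run, but the user should know no backup was made.
cd "$keydir/backup_key" || exit 1
for var in PK KEK db dbx; do
  efi-readvar -v "$var" -o "old_${var}.esl" \
    || echo "warning: could not read current $var; no backup written" >&2
done

cd "$keydir" || exit 1
echo "
Create a GUID for owner identification:"
# The owner GUID tags every signature list we create; kept in GUID.txt so later
# additions (see the commented examples below) can reuse it.
guid="$(uuidgen --random)"
printf '%s\n' "$guid" > GUID.txt

#######################################
# make_cert NAME "CN": self-signed RSA-4096 certificate as NAME.key / NAME.crt
# (PEM) / NAME.cer (DER), plus the EFI signature list NAME.esl carrying it
# under our owner GUID. The key file is made readable by the owner only.
#######################################
make_cert() {
  local name="$1" cn="$2"
  openssl req -newkey rsa:4096 -nodes -keyout "$name.key" -new -x509 -sha256 \
    -days 3650 -subj "/CN=$cn/" -out "$name.crt"
  chmod 600 "$name.key"
  openssl x509 -outform DER -in "$name.crt" -out "$name.cer"
  cert-to-efi-sig-list -g "$guid" "$name.crt" "$name.esl"
}

echo "
Creating Platform key:"
make_cert PK "my Platform Key"
# PK is self-signed.
sign-efi-sig-list -g "$guid" -k PK.key -c PK.crt PK PK.esl PK.auth
# Signed empty payload: lets us remove the PK later while in "User Mode".
sign-efi-sig-list -g "$guid" -c PK.crt -k PK.key PK /dev/null rm_PK.auth

echo "
Creating Key Exchange Key:"
make_cert KEK "my Key Exchange Key"
# KEK updates must be signed by the PK.
sign-efi-sig-list -g "$guid" -k PK.key -c PK.crt KEK KEK.esl KEK.auth

echo "
Creating Signature Database key:"
make_cert db "my Signature Database key"
# db updates must be signed by the KEK.
sign-efi-sig-list -g "$guid" -k KEK.key -c KEK.crt db db.esl db.auth

# Replace keys: if you wanted to replace your db key with a new one:
#cert-to-efi-sig-list -g "$(cat GUID.txt)" new_db.crt new_db.esl
#sign-efi-sig-list -g "$(cat GUID.txt)" -k KEK.key -c KEK.crt db new_db.esl new_db.auth

# Add key: if instead of replacing your db key, you want to add another one to the Signature Database:
#sign-efi-sig-list -a -g "$(cat GUID.txt)" -k KEK.key -c KEK.crt db new_db.esl new_db.auth

# Re-sign the firmware's previous revocation list (dbx) with our KEK so it can
# be enrolled again after the key change; without this the Keys/dbx folder
# stayed empty and the old revocations were lost. Skipped when no dbx was read.
if [ -s backup_key/old_dbx.esl ]; then
  echo "
Re-signing the previous dbx (revocation list) with the new KEK:"
  sign-efi-sig-list -g "$guid" -k KEK.key -c KEK.crt dbx backup_key/old_dbx.esl dbx.auth
else
  echo "warning: no previous dbx backed up; Keys/dbx will be empty" >&2
fi

#######################################
# sign_in_place FILE: Authenticode-sign FILE (a root-owned boot file) with the
# db key, then verify the signature so a silently broken sign is caught here
# rather than at the next boot.
#######################################
sign_in_place() {
  local f="$1"
  sudo sbsign --key "$keydir/db.key" --cert "$keydir/db.crt" --output "$f" "$f"
  sudo sbverify --cert "$keydir/db.crt" "$f"
}

echo "
Signing EFI binaries"
# One sbsign per kernel: the original passed the glob /boot/vmlinuz-* as both
# --output and input, which breaks as soon as more than one kernel is installed.
signed=0
for k in /boot/vmlinuz-*; do
  [ -e "$k" ] || continue
  sign_in_place "$k"
  signed=$((signed + 1))
done
[ "$signed" -gt 0 ] || echo "warning: no /boot/vmlinuz-* found; no kernel signed" >&2
# The ESP is often mounted root-only (vfat umask=0077), so test it via sudo.
if sudo test -e "$esp/EFI/boot/bootx64.efi"; then
  sign_in_place "$esp/EFI/boot/bootx64.efi"
else
  echo "warning: $esp/EFI/boot/bootx64.efi not found; fallback loader not signed" >&2
fi

echo "
Creating Pacman Hook for auto signing on updates"
hook=/etc/pacman.d/hooks/90-mkinitcpio-install.hook
script=/usr/local/share/libalpm/scripts/mkinitcpio-install
sudo mkdir -p /etc/pacman.d/hooks /usr/local/share/libalpm/scripts
# Explicit modes: the hook must be readable and the script executable by root
# regardless of the caller's umask.
sudo install -m 644 /usr/share/libalpm/hooks/90-mkinitcpio-install.hook "$hook"
sudo install -m 755 /usr/share/libalpm/scripts/mkinitcpio-install "$script"

#######################################
# patch_file FILE OLD NEW: replace the literal text OLD with NEW in FILE
# (keeping FILE.bak) and fail loudly if OLD is not present or the edit did not
# take -- a hook that silently stops signing leaves an unbootable kernel after
# the next update with Secure Boot on. Replaces the old "cat FILE | sed |
# sudo tee FILE" pipeline, which read and truncated the same file at once and
# never checked that anything matched.
#######################################
patch_file() {
  local file="$1" old="$2" new="$3"
  sudo grep -qF -- "$old" "$file" \
    || { echo "error: '$old' not found in $file; edit it by hand" >&2; exit 1; }
  sudo sed -i.bak "s|$old|$new|" "$file"
  sudo grep -qF -- "$new" "$file" \
    || { echo "error: failed to patch $file; edit it by hand" >&2; exit 1; }
}

patch_file "$hook" \
  "Exec = /usr/share/libalpm/scripts/mkinitcpio-install" \
  "Exec = /usr/local/share/libalpm/scripts/mkinitcpio-install"

# The hook runs as root under pacman, where "~" is root's home, not ours: the
# original wrote a literal "~/Secure_Boot_Key/db.key" into the script, so the
# hook could not find the key. Write the absolute path instead.
# NOTE(review): this still has root sign kernels with a key kept in a
# user-writable directory; moving db.key/db.crt to a root-owned location
# (e.g. under /etc, mode 0600) and pointing the hook there is the safer setup.
patch_file "$script" \
  'install -Dm644 "${line}" "/boot/vmlinuz-${pkgbase}"' \
  "sbsign --key \"$keydir/db.key\" --cert \"$keydir/db.crt\" --output \"/boot/vmlinuz-\${pkgbase}\" \"\${line}\""

echo "Downloading Microsoft Keys and preparing them"
# Microsoft's well-known signature owner GUID.
ms_guid=77fa9abd-0359-4d32-bd60-28f4e78f784b
ms_win_cert=MicWinProPCA2011_2011-10-19.crt
ms_uefi_cert=MicCorUEFCA2011_2011-06-27.crt
# --fail: an HTTP error page must not be saved under a *.crt name and enrolled.
curl --fail --location --silent --show-error -O "https://www.microsoft.com/pkiops/certs/$ms_win_cert"
curl --fail --location --silent --show-error -O "https://www.microsoft.com/pkiops/certs/$ms_uefi_cert"
# Whatever goes into db may boot this machine: show subject and SHA-256
# fingerprint so they can be compared with the values Microsoft publishes
# before the .auth file is enrolled.
echo "Verify these fingerprints against Microsoft's published values before enrolling:"
for c in "$ms_win_cert" "$ms_uefi_cert"; do
  openssl x509 -inform DER -in "$c" -noout -subject -fingerprint -sha256
done
sbsiglist --owner "$ms_guid" --type x509 --output MS_Win_db.esl "$ms_win_cert"
sbsiglist --owner "$ms_guid" --type x509 --output MS_UEFI_db.esl "$ms_uefi_cert"
cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl
# -a: append to db rather than replace it, so our own db entry survives.
sign-efi-sig-list -a -g "$ms_guid" -k KEK.key -c KEK.crt db MS_db.esl add_MS_db.auth

mkdir -p "$keydir"/Keys/{db,dbx,KEK,PK,Win}
cp "$keydir/PK.auth" "$keydir/Keys/PK" || exit 1
cp "$keydir/KEK.auth" "$keydir/Keys/KEK" || exit 1
cp "$keydir/db.auth" "$keydir/Keys/db" || exit 1
cp "$keydir/add_MS_db.auth" "$keydir/Keys/Win" || exit 1
if [ -e "$keydir/dbx.auth" ]; then
  cp "$keydir/dbx.auth" "$keydir/Keys/dbx" || exit 1
fi

echo "Installing Grub with TPM module"
# --disable-shim-lock: GRUB itself is signed with our db key and boots without
# shim, so the shim_lock verifier must not be required. (The original ran
# grub-install twice, once without the flag; the second run overwrote the first.)
# NOTE(review): without shim_lock GRUB is not expected to check the kernel's
# Authenticode signature, so the sbsign on vmlinuz above is not enforced by
# this boot chain unless GRUB is separately configured to verify what it
# loads -- confirm for the installed GRUB version.
sudo grub-install --target=x86_64-efi --efi-directory="$esp" --bootloader-id="$bootloader_id" --modules="tpm" --disable-shim-lock
sign_in_place "$esp/EFI/$bootloader_id/grubx64.efi"
sudo update-grub

com=" "
while [ "$com" != "done" ]; do
  echo "
Now, go to your UEFI firmware setup to manually enroll the keys.
Copy the \"Keys\" folder with the \"*.auth\" files to a FAT formatted file system (you can use the EFI system partition).
Then enroll, in this order:
Platform Key (PK)        : Keys/PK/PK.auth
Key Exchange Key (KEK)   : Keys/KEK/KEK.auth
Signature Database (db)  : Keys/db/db.auth
#Then append the Microsoft certificates to db (Append, not Replace):
Signature Database (db)  : Keys/Win/add_MS_db.auth {Append}
#If Keys/dbx/dbx.auth exists, enroll the previous revocation list too:
Revocation Database (dbx): Keys/dbx/dbx.auth

#To copy you can use,
cp -r $keydir/Keys /Location
"
  echo "Write \"done\""
  read -r com
done
--------------------------------------------------------------------------------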