Secure Boot

https://whynothugo.nl/journal/2021/06/11/a-simple-boot-setup-with-secureboot/

In the firmware setup (BIOS), put Secure Boot into setup mode: the option is usually labelled something like "Clear Secure Boot keys", "Custom mode" or "Allow key management", and it is what lets sbctl enroll a new Platform Key. While there, set a supervisor password for the firmware setup if you have not done so already; without one, anyone with physical access can simply switch Secure Boot off or enroll their own keys, which defeats the whole exercise.

# Execute the following instructions as root

# 2. Install sbctl
pacman -S sbctl

# 3. Create a keypair
#    The private key in this keypair is used to sign all
#    EFI code loaded at boot, which means that without the
#    signature, you will not be able to boot into Linux.
#    MAKE SURE YOU DO NOT LOSE THE PRIVATE KEY.
sbctl create-keys

# The kernel marks the Secure Boot variables immutable in efivarfs;
# clear the flag so sbctl is allowed to write PK, KEK and db.
# (Brace expansion below needs bash.)
chattr -i /sys/firmware/efi/efivars/{PK,KEK,db}*
# 4. Enroll your keys while keeping Microsoft's keys. --microsoft adds
#    Microsoft's UEFI CA to db, so Option ROMs signed by Microsoft (discrete
#    GPUs, NICs, RAID controllers) and the Windows boot manager keep loading.
#    Enrolling without it on hardware that has Option ROMs can leave the
#    firmware unable to initialise the device, possibly with no display.
#    Experimentally, such devices can be supported instead with
#    `sbctl enroll-keys --tpm-eventlog`, but I have not tested this and
#    IT COULD BRICK THE MACHINE.
sbctl enroll-keys --microsoft

# 5. Sign each of the EFI files that may appear somewhere in the boot
#    chain. -s saves the file to sbctl's database so the pacman hook
#    re-signs it after every update. The following files are specific
#    to my configuration; double check that you sign everything your
#    setup needs. The Microsoft binaries already validate against
#    Microsoft's CA when the keys were enrolled with --microsoft, so
#    signing them is only required if you enrolled without it.
sbctl sign -s /boot/EFI/Linux/linux.efi
sbctl sign -s /boot/EFI/Linux/fallback.efi
sbctl sign -s /boot/EFI/systemd/systemd-bootx64.efi
sbctl sign -s /boot/EFI/Boot/bootx64.efi
sbctl sign -s /boot/EFI/Microsoft/bootmgfw.efi
sbctl sign -s /boot/EFI/Microsoft/bootmgr.efi
sbctl sign -s /boot/EFI/Microsoft/memtest.efi

# 6. Verify that all the files you need are in the database and that
#    everything on the ESP actually carries a signature.
sbctl list-files
sbctl verify

# 7. Verify that the sbctl pacman hook works on a kernel upgrade.
#    Ensure that the string "Signing EFI binaries..." appears.
pacman -S linux

# 8. Reboot, turn Secure Boot back on in the firmware setup, and confirm
#    that it is enforcing: sbctl status should report Secure Boot as
#    enabled and Setup Mode as disabled.
sbctl status
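Before rebooting with Secure Boot enforcing, it is worth an independent check that does not depend on sbctl's own bookkeeping. The script below is an added example, not part of these notes, of sbctl or of the linked article. It reads the SecureBoot and SetupMode variables directly from efivarfs (the EFI global variable GUID 8be4df61-93ca-11d2-aa0d-00e0981878d5 is the real one) and walks the ESP looking at each PE binary's Authenticode certificate table, so an unsigned loader or kernel image shows up even if it was never added to sbctl's database. It assumes efivarfs at /sys/firmware/efi/efivars and the ESP at /boot; the script name sbcheck.sh and the two positional overrides are my own.

```shell
#!/bin/sh
# sbcheck.sh: pre-reboot sanity check for the sbctl setup above. Added example,
# not part of the notes, sbctl or the linked article. It needs neither sbctl
# nor sbverify: it reads the firmware state straight from efivarfs and detects
# unsigned PE binaries by looking at the Authenticode certificate table in
# each file's PE header. Assumptions: efivarfs at /sys/firmware/efi/efivars
# and the ESP at /boot (override: ./sbcheck.sh ESP_DIR EFIVARS_DIR).

# GUID of the EFI global variable namespace (SecureBoot, SetupMode, PK, ...).
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e0981878d5

# Print the first payload byte of a sysfs efivar, or "absent". efivarfs
# prefixes every variable with a 4-byte attribute word, hence -j4.
efivar_byte() {
    [ -r "$1" ] || { echo absent; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' ')
    echo "${v:-absent}"
}

# "enabled" when the firmware is enforcing signature checks.
secureboot_state() {
    case "$(efivar_byte "$1/SecureBoot-$EFI_GLOBAL_GUID")" in
        1) echo enabled ;;  0) echo disabled ;;  *) echo absent ;;
    esac
}

# "on" while no PK is enrolled (keys writable), "off" after sbctl enroll-keys.
setup_mode() {
    case "$(efivar_byte "$1/SetupMode-$EFI_GLOBAL_GUID")" in
        1) echo on ;;  0) echo off ;;  *) echo absent ;;
    esac
}

# Exit 0 if the PE image has a non-empty certificate table (Authenticode
# signature present), 1 if the table is empty, 2 if this is not a PE image.
pe_signed() {
    f=$1
    # e_lfanew: 32-bit little-endian offset of "PE\0\0", stored at 0x3c.
    lfanew=$(od -An -tu4 -j60 -N4 "$f" 2>/dev/null | tr -d ' ')
    [ -n "$lfanew" ] || return 2
    [ "$(dd if="$f" bs=1 skip="$lfanew" count=2 2>/dev/null)" = PE ] || return 2
    # The optional header follows the 4-byte signature and 20-byte COFF header.
    opt=$((lfanew + 24))
    case "$(od -An -tu2 -j"$opt" -N2 "$f" 2>/dev/null | tr -d ' ')" in
        267) certdir=128 ;;   # 0x10b, PE32:  data directories at 96,  entry 4
        523) certdir=144 ;;   # 0x20b, PE32+: data directories at 112, entry 4
        *)   return 2 ;;
    esac
    # Directory entry is VirtualAddress(4) then Size(4); Size 0 means unsigned.
    size=$(od -An -tu4 -j"$((opt + certdir + 4))" -N4 "$f" 2>/dev/null | tr -d ' ')
    [ "${size:-0}" -gt 0 ]
}

# Print the path of every *.efi under the ESP that carries no signature.
unsigned_efi() {
    find "${1:-/boot}" -type f -iname '*.efi' 2>/dev/null | sort |
    while IFS= read -r f; do
        rc=0; pe_signed "$f" || rc=$?
        case $rc in
            1) echo "$f" ;;
            2) echo "skipping non-PE file: $f" >&2 ;;
        esac
    done
}

# Exit 1 when anything is unsigned, so the script can gate a reboot.
main() {
    esp=${1:-/boot}; vars=${2:-/sys/firmware/efi/efivars}
    echo "SecureBoot: $(secureboot_state "$vars")  SetupMode: $(setup_mode "$vars")"
    bad=$(unsigned_efi "$esp")
    if [ -n "$bad" ]; then
        printf 'Unsigned EFI binaries under %s (run sbctl sign -s on each):\n%s\n' "$esp" "$bad"
        return 1
    fi
    echo "Every EFI binary under $esp carries a signature."
}

main "$@"
```

A non-empty certificate table only proves that some Authenticode signature is attached, not that it chains to a key in db; `sbctl verify` (or `sbverify --cert` against your own certificate) remains the authoritative check. The value of this script is the opposite direction: it catches loaders that were copied onto the ESP by hand and never signed at all, which sbctl's database does not know about.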

There may be dragons

Make sure to back up the keys located under /usr/share/secureboot (newer sbctl releases keep them under /var/lib/sbctl instead; check which directory your version uses). Without the private key you cannot sign a new kernel or boot loader, so after a reinstall or a lost disk the machine will refuse to boot with Secure Boot on until you reset the firmware keys from setup mode. Keep the backup off the machine and encrypted: whoever holds that key can sign arbitrary boot code for your system.