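#!/bin/sh
#
# arch-secure-boot.sh — enable UEFI Secure Boot on an Artix/Arch system that
# boots through GRUB, using keys created and managed by sbctl.
#
# The procedure is two-phase because custom keys can only be enrolled while
# the firmware is in Setup Mode:
#   1. If the firmware is NOT in Setup Mode, reboot into firmware setup so the
#      vendor keys can be cleared and Secure Boot disabled, then stop.  Run the
#      script again after booting back into this OS.
#   2. Otherwise reinstall GRUB into the ESP, (re)install sbctl, create and
#      enroll our keys, sign the EFI binaries and verify the result.
#
# Usage:   ESP=/boot sh arch-secure-boot.sh [FILE...]
#   ESP     mount point of the EFI system partition.  The default, "esp", is a
#           placeholder that will not exist — set it to your real directory.
#   FILE    EFI binaries / kernels to sign and record in sbctl's database (for
#           example the entries `sbctl verify` reports as unsigned).  With no
#           FILE only the files sbctl already tracks are (re)signed.
#
# Phase 2 must run as root: grub-install, pacman and sbctl all write to
# system locations.

set -eu

# SetupMode is an EFI_GLOBAL_VARIABLE; efivarfs exposes it as 4 bytes of
# attributes followed by the 1-byte value (1 = Setup Mode).
readonly setup_mode_var=/sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print a message to stderr and abort with status 1.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Echo the command about to run, then run it; the exit status is the command's.
run() {
  printf '+ %s\n' "$*"
  "$@"
}

# Succeed only when the firmware reports Setup Mode.  An unreadable variable
# (efivarfs not mounted, legacy boot) counts as "not in Setup Mode" so the
# script falls back to the reboot prompt instead of enrolling keys blindly.
in_setup_mode() {
  [ -r "$setup_mode_var" ] || return 1
  [ "$(od -An -tu1 -j4 -N1 "$setup_mode_var" | tr -d ' ')" = 1 ]
}

# Print the name of an available AUR helper (paru or yay); fail if none.
aur_helper() {
  for h in paru yay; do
    if command -v "$h" >/dev/null 2>&1; then
      printf '%s\n' "$h"
      return 0
    fi
  done
  return 1
}

### PHASE 1: get the firmware into Setup Mode ###
if ! in_setup_mode; then
  printf '%s\n' \
    "Firmware is not in Setup Mode." \
    "In UEFI, clear the secure boot keys and disable secure boot. Then boot into this OS and rerun this script."
  printf 'Rebooting...\nPress CTRL-C to cancel within 5 seconds...\n'
  sleep 5
  run loginctl reboot --firmware-setup || die "could not request a reboot into firmware setup"
  # loginctl returns as soon as the reboot is *requested*; stop here so the
  # rest of the script does not race the shutdown.
  exit 0
fi

### PHASE 2: bootloader, keys and signatures ###
[ "$(id -u)" -eq 0 ] || die "phase 2 must run as root"

esp_dir=${ESP:-esp}
[ -d "$esp_dir" ] || die "ESP directory '$esp_dir' not found; set ESP to your EFI system partition mount point"

# GRUB is booted directly under our own db key rather than through shim, hence
# --disable-shim-lock; the tpm module makes GRUB measure what it loads into the
# TPM.  NOTE(review): without shim_lock GRUB does not itself verify the
# kernel's Secure Boot signature — confirm this matches your threat model.
printf 'Reinstalling grub...\n'
run grub-install --target=x86_64-efi --efi-directory="$esp_dir" \
  --bootloader-id=Artix --modules="tpm" --disable-shim-lock \
  || die "grub-install failed"

# Clean reinstall of sbctl: the repo package if present, else the AUR one.
# Removal is best-effort — on a first run neither package is installed.
printf 'Cleaning existing secure boot files...\n'
if pacman -Qq sbctl >/dev/null 2>&1; then
  run pacman -Rcns sbctl || die "could not remove sbctl"
elif pacman -Qq sbctl-git >/dev/null 2>&1; then
  helper=$(aur_helper) || die "sbctl-git is installed but no AUR helper (paru/yay) was found"
  run "$helper" -Rcns sbctl-git || die "could not remove sbctl-git"
fi
if ! run pacman -S sbctl; then
  helper=$(aur_helper) || die "pacman could not install sbctl and no AUR helper (paru/yay) was found"
  run "$helper" -S sbctl-git || die "could not install sbctl-git"
fi

# Create our own PK/KEK/db keys and enroll them.  -m additionally enrolls
# Microsoft's vendor certificates so firmware-signed option ROMs (GPU, NIC)
# keep loading; omitting it can leave some hardware unbootable.
printf 'Creating secure boot keys...\n'
run sbctl create-keys || die "sbctl create-keys failed"
printf 'Enrolling keys (plus Microsoft vendor certificates)...\n'
run sbctl enroll-keys -m || die "sbctl enroll-keys failed"

printf 'Files currently tracked by sbctl:\n'
run sbctl list-files

# Sign and record every file given on the command line; with no arguments
# re-sign whatever sbctl already tracks.
if [ $# -gt 0 ]; then
  printf 'Signing EFI files...\n'
  for f in "$@"; do
    run sbctl sign -s "$f" || die "could not sign $f"
  done
else
  printf 'No files given; re-signing files already tracked by sbctl.\n'
  run sbctl sign-all || die "sbctl sign-all failed"
fi

# Verification is informational: it fails when the ESP cannot be located,
# which does not undo anything done above.
printf 'Verifying signed EFI files...\n'
run sbctl verify || printf 'warning: sbctl verify reported a problem; check the output above\n' >&2

printf 'Reboot to UEFI and enable secure boot!\n'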