raven2cz

ARCH LINUX: SYSTEMD-BOOT + SECURE BOOT + LUKS + UKI (SBCTL/MKINITCPIO)

Jul 8th, 2025
###############################################################################
# ARCH LINUX: SYSTEMD-BOOT + SECURE BOOT + LUKS + UKI (SBCTL/MKINITCPIO)
# BASIC PROCEDURE (FOR RECOVERY, MIGRATION, NEW MACHINE, ETC.)
###############################################################################
# Provides:
# - Secure booting via systemd-boot, Secure Boot with custom keys
# - Encrypted root support via LUKS (passphrase prompt during boot)
# - Automatic signing of kernel and loader
# - Ready for dualboot with Windows (optionally preserve MS keys)
#
# Notes:
# 1. Always back up your data and old UEFI keys before modifying Secure Boot!
# 2. In BIOS, set "Clear Secure Boot keys" or "Delete all keys"
#    (see below "BIOS/UEFI Preparation")
###############################################################################

# === BIOS/UEFI PREPARATION ===
# 1. Reboot the PC and enter UEFI/BIOS (usually F2/F10/Del/Esc immediately after startup).
# 2. Find the "Secure Boot" / "Security" section:
#    - Look for: "Clear Secure Boot keys" or "Delete all keys"
#      (sometimes: "Restore Factory Keys" -> DO NOT USE! Must be clear/delete)
#    - Confirm to switch firmware into "Setup Mode" (no Platform Key = keys can be modified)
#    - Leave Secure Boot enabled, or enable it after keys are enrolled.
# 3. Save and reboot into Linux.

# === SYSTEM PROCEDURE ===

# 1. Ensure the system is booting in UEFI mode!
ls /sys/firmware/efi/efivars

# 2. Prepare partitions:
#    - ESP (EFI, type EF00, min. 300 MB, FAT32, mountpoint /efi)
#    - root (e.g., LUKS, BTRFS, EXT4, etc.)
mount /dev/nvme0n1p1 /efi

# 3. Install systemd-boot into the ESP:
bootctl install --esp-path=/efi

# 4. Create Secure Boot keys using sbctl:
sbctl create-keys

# 5. Enroll keys into UEFI firmware:
#    - Recommended: with Microsoft keys for Windows dualboot:
sbctl enroll-keys -m
#    - Without MS keys (only your own, NOT RECOMMENDED if dualbooting Windows):
# sbctl enroll-keys

# 6. Check status:
sbctl status

# 7. Create loader configuration (if missing):
cat > /efi/loader/loader.conf <<EOF
default  arch.conf
timeout  3
console-mode max
EOF

# 8. Create a boot entry for Arch (example with BTRFS, adjust UUIDs accordingly, NOT used for unified kernel):
cat > /efi/loader/entries/arch.conf <<EOF
title   Arch Linux
linux   /vmlinuz-linux
initrd  /initramfs-linux.img
options root=UUID=xxxx-xxxx-xxxx rw rootflags=subvol=@ cryptdevice=UUID=yyyy-yyyy-yyyy-yyyy:luksroot:allow-discards loglevel=3 quiet
EOF

# (for unified kernel image, loader entry is not needed – see below)

# 9. In mkinitcpio preset, enable UKI (unified kernel image) generation:
cat > /etc/mkinitcpio.d/linux.preset <<EOF
ALL_kver="/boot/vmlinuz-linux"
PRESETS=('default' 'fallback')

default_image="/boot/initramfs-linux.img"
default_uki="/efi/EFI/Linux/arch-linux.efi"

fallback_image="/boot/initramfs-linux-fallback.img"
# fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi"
fallback_options="-S autodetect"
EOF

# 10. If you previously used a keyfile for LUKS unlocking and want to return to passphrase:
#    - Remove FILES=(/root/secrets/crypto_keyfile.bin) from /etc/mkinitcpio.conf -> passphrase will be prompted for disk decryption
#    - Remove cryptkey=... from kernel options (see loader/entries/arch.conf, /etc/kernel/cmdline which mkinitcpio embeds into the UKI, or /etc/kernel/uki.conf)

# 11. Regenerate initramfs and unified kernel image, sign, and verify:
mkinitcpio -P
sbctl sign -s /efi/EFI/Linux/arch-linux.efi  # not strictly needed, mkinitcpio should do this (just to be sure)
sbctl verify

# 12. (If using systemd-boot-update.service, manually sign the loader so it's .efi.signed)
sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi
bootctl update

# 13. Add PACMAN HOOK for signing the loader on every systemd update!
mkdir -p /etc/pacman.d/hooks

cat > /etc/pacman.d/hooks/80-secureboot-loader-sign.hook <<EOF
[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
Target = usr/lib/systemd/boot/efi/systemd-boot*.efi

[Action]
Description = Signing systemd-boot EFI binary for Secure Boot
When = PostTransaction
Exec = /usr/bin/sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi
Depends = sbctl
NeedsTargets
EOF

# 14. Reboot and test Secure Boot (enable it in UEFI setup), boot, and LUKS passphrase prompt.
reboot

# 15. Check status:
bootctl status
sbctl verify

###############################################################################
# NOTES:
# - Each kernel update automatically regenerates and signs UKI (if pacman hooks/sbctl post hooks are in place).
# - If Secure Boot fails, verify signatures of all EFI binaries!
# - Use sbctl verify to see an overview of signed files.
# - If dualbooting Windows, DO NOT delete MS keys from UEFI!
# - If you want clean LUKS passphrase input, **do not use cryptkey** and omit keyfile in mkinitcpio.
# - If using an XBOOTLDR partition, adjust paths in preset and loader.conf accordingly.
###############################################################################

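The paste leaves three of its own checks to the reader: note 1 (back up the old UEFI keys before `sbctl enroll-keys` overwrites them), the Setup Mode / UEFI-mode checks in the BIOS preparation and step 1, and step 10's requirement that no `cryptkey=` survives in the command line that ends up inside the UKI. The script below is an added example, not part of the original paste, that covers all three. It assumes the standard efivarfs layout (4 attribute bytes followed by the variable data) under `/sys/firmware/efi/efivars`, the well-known GUIDs of the Secure Boot variables, and that mkinitcpio reads the UKI command line from `/etc/kernel/cmdline`; the function names and the backup directory are the example's own choices.

```shell
#!/bin/sh
# Added example: pre-flight and post-setup checks for the sbctl/UKI procedure.
# Assumes efivarfs files = 4 attribute bytes + variable data (standard layout).
set -u

EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c     # PK, KEK, SecureBoot, SetupMode
EFI_IMGSEC=d719b2cb-3d3a-4596-a3bc-dad00e67656f     # db, dbx

# Print the last data byte of an efivarfs file (the 4 leading bytes are attributes).
efivar_byte() {
    od -An -tu1 -v "$1" | awk '{ v = $NF } END { print v }'
}

# Note 1 of the header: save PK/KEK/db/dbx as raw .esl files (attribute header
# stripped) into $2 before "sbctl enroll-keys" replaces them. Prints how many
# variables were saved; a variable missing in Setup Mode is simply skipped.
backup_uefi_keys() {
    src="${1:-/sys/firmware/efi/efivars}"; dst="$2"
    mkdir -p "$dst"
    n=0
    for var in "PK-$EFI_GLOBAL" "KEK-$EFI_GLOBAL" "db-$EFI_IMGSEC" "dbx-$EFI_IMGSEC"; do
        [ -r "$src/$var" ] || continue          # absent after "Clear Secure Boot keys"
        tail -c +5 "$src/$var" > "$dst/${var%%-*}.esl"
        n=$((n + 1))
    done
    echo "$n"
}

# Report "SecureBoot=<0|1> SetupMode=<0|1>" from efivarfs. SetupMode=1 means no
# Platform Key is enrolled, i.e. the state the BIOS preparation aims for; after
# step 14 you want SecureBoot=1 SetupMode=0.
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb="$dir/SecureBoot-$EFI_GLOBAL"; sm="$dir/SetupMode-$EFI_GLOBAL"
    [ -r "$sb" ] && [ -r "$sm" ] || { echo "not booted in UEFI mode"; return 1; }
    echo "SecureBoot=$(efivar_byte "$sb") SetupMode=$(efivar_byte "$sm")"
}

# Step 10: the command line must open the LUKS root (cryptdevice= or rd.luks.name=)
# and must not carry cryptkey=, otherwise the UKI still tries the keyfile instead
# of prompting for the passphrase.
cmdline_check() {
    case " $1 " in
        *" cryptkey="*) echo "cryptkey= still present: remove it for passphrase unlock"; return 1 ;;
    esac
    case " $1 " in
        *" cryptdevice="*|*" rd.luks.name="*) return 0 ;;
    esac
    echo "no cryptdevice=/rd.luks.name= parameter: root LUKS volume will not be opened"
    return 1
}

# Live run only when invoked with --run, so the functions can also be sourced:
#   ./sbcheck.sh --run /root/uefi-keys-backup
if [ "${1:-}" = "--run" ]; then
    echo "saved $(backup_uefi_keys /sys/firmware/efi/efivars "${2:-/root/uefi-keys-backup}") key variables"
    secure_boot_state
    [ -r /etc/kernel/cmdline ] && cmdline_check "$(cat /etc/kernel/cmdline)"   # what mkinitcpio embeds into the UKI
    command -v sbctl >/dev/null && sbctl verify      # signatures of loader and UKI (step 15)
fi
```

Run it once before step 4 to capture the firmware's current keys and confirm Setup Mode, and again after step 14 to confirm `SecureBoot=1 SetupMode=0` and a clean `sbctl verify`. Keep the `.esl` backup off the machine; it is what you would re-enrol if the custom keys ever have to be rolled back.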