Secureboot with Limine
Disclaimer: this is largely a reminder for myself, since I suspect this is not the most stable solution. Follow at your own peril.
I wanted to finally set up secureboot, exclusively to make booting back into Windows for multiplayer games less annoying (Highguard, upcoming Marathon). Previously I would just go into the bios and turn secureboot on and off manually every time I switched between Linux and Windows.
Fortunately it isn't very complex to set up using sbctl. Most of the info here is pulled directly from the sbctl docs and the CachyOS docs on secureboot.
Install sbctl (pacman -S sbctl). Run sbctl status and confirm that it works, then reboot into the bios.
If you like, you can systemctl reboot --firmware-setup into the bios, which is handy if your device doesn't otherwise expose an obvious way to open it. (My old Surface laptop doesn't tell me a button to press, and it's annoying to look it up every time.)
In the bios, you're turning on secureboot setup mode, which seems to basically just wipe all existing keys. Then boot back into Linux, run sbctl status again, and confirm that setup mode is enabled.
Now, run sbctl create-keys, then sbctl enroll-keys --microsoft (the --microsoft switch is what enrolls Microsoft's vendor certificates alongside your own keys), and then rerun sbctl status and confirm sbctl is installed and setup mode is disabled.
Here I diverged from the CachyOS instructions, and manually signed the Limine bootloader .efi, using sbctl sign -s /boot/EFI/not the real path/limine.efi. Only the Limine efi needs to be signed.
On my Surface, which uses systemd-boot, I just signed everything listed when running sbctl verify. You can also run verify after you're done to confirm signing worked properly.
At this point you should be able to reboot into the bios, enable secureboot, and boot into Linux with no issues. Then you can do a final check with sbctl status, which should show you a load of nice checkmarks, and indicate that secureboot is enabled.
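Before rebooting to flip Secure Boot on, it helps to check two things independently of the checkmarks: what the firmware itself says about SecureBoot and SetupMode, and whether sbctl verify still lists anything unsigned. The script below is an added example written for this post, not code from the post or from the sbctl project. It reads the two firmware variables straight from efivarfs (the 4-byte attribute header followed by a one-byte boolean is the documented efivarfs layout), filters sbctl verify output for "is not signed" lines, and prints a ready / not-ready verdict. The verify output format, the SAMPLE_VERIFY listing and the Limine path inside it are constructed for the example; when sbctl is installed the script uses the real listing instead.

```shell
#!/bin/sh
# Pre-reboot Secure Boot sanity check (added example; not from the post or sbctl).
# Reads SecureBoot / SetupMode from efivarfs and lists unsigned files from
# `sbctl verify`, so you can see before enabling Secure Boot in the firmware
# whether the machine is likely to boot.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
# GUID of the EFI global variable namespace that SecureBoot and SetupMode live in
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs files are 4 bytes of attribute flags followed by the variable data.
# SecureBoot and SetupMode are one-byte booleans, so the value is byte 5.
efivar_bool() {
    # $1 = efivarfs file; prints 1 or 0, returns 1 if the variable is missing
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Prints one of: enabled, setup-mode, disabled, unknown (no EFI variables at all)
secure_boot_state() {
    dir=${1:-$EFIVARS}
    sb=$(efivar_bool "$dir/SecureBoot-$EFI_GLOBAL_GUID") || { echo unknown; return 0; }
    sm=$(efivar_bool "$dir/SetupMode-$EFI_GLOBAL_GUID") || sm=0
    if [ "$sm" = 1 ]; then
        echo setup-mode      # keys wiped, firmware accepting a new PK/KEK/db
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Reads `sbctl verify` output on stdin and prints the paths reported as
# "is not signed", one per line. Assumed line shape (constructed for this
# example): "<mark> <path> is signed" / "<mark> <path> is not signed".
unsigned_files() {
    sed -n 's/^[^ ]* \(.*\) is not signed$/\1/p'
}

# $1 = state from secure_boot_state, $2 = number of unsigned files.
# "ready" only when nothing is unsigned and the firmware has left setup mode.
verdict() {
    if [ "$2" -eq 0 ] && { [ "$1" = disabled ] || [ "$1" = enabled ]; }; then
        echo ready
    else
        echo not-ready
    fi
}

# Constructed sample verify listing; the Limine path is a placeholder.
SAMPLE_VERIFY='Verifying file database and EFI images in /boot...
✓ /boot/vmlinuz-linux is signed
✓ /boot/EFI/limine/limine-placeholder.efi is signed
✗ /boot/EFI/BOOT/BOOTX64.EFI is not signed'

report() {
    # reads verify output on stdin; prints firmware state, unsigned list, verdict
    state=$(secure_boot_state)
    unsigned=$(unsigned_files)
    count=$(printf '%s\n' "$unsigned" | awk 'NF { n++ } END { print n + 0 }')
    echo "firmware state: $state"
    [ -n "$unsigned" ] && printf 'unsigned:\n%s\n' "$unsigned"
    echo "verdict: $(verdict "$state" "$count")"
}

# Use the real listing when sbctl is present (needs root), else the sample.
if command -v sbctl >/dev/null 2>&1; then
    sbctl verify 2>/dev/null | report
else
    printf '%s\n' "$SAMPLE_VERIFY" | report
fi
```

A "setup-mode" state means the enroll-keys step has not taken effect yet, and any path under "unsigned" is a candidate for sbctl sign -s before you enable Secure Boot. The -s flag the post uses saves the file into sbctl's database, which is the list its pacman hook re-signs after kernel and bootloader updates, so a file signed without -s will not be picked up automatically.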
To be perfectly clear, I strongly suspect this is a fragile way to set up secureboot. That is why I've written this post, to document the process I followed so I have better odds of fixing it later.
I'll try to remember to update this post if/when I run into issues. Or indeed, if this actually works fine through bootloader/kernel updates - sbctl does include a pacman hook, so maybe it'll handle it for me. I'm not sure, especially with Limine.