Helpers for generating signed Arch Linux kernels for Secure Boot, and a pacman hook for auto-generation.
Use sb-mkkeys to generate your own Secure Boot keys in the current directory.
Use sb-make-boot-img to combine the kernel, initramfs and boot args into a single EFI binary (see sb-make-boot-img -h for help).
Use sb-sign-binary to sign a binary using your keys (see sb-sign-binary -h for help).
See How to install the efi keys.
The configuration file should be located at /etc/sbtools.conf and can be used to prefill some of the tools' arguments (they will be overridden if the corresponding command-line args are present).
The options are in the format: <name>=<path>
List of the different possible options:
cmd: Kernel command-line file.
outdir: Efi binary output dir (only used by the pacman hook)
out: Efi binary output file (not used by the pacman hook)
osrel: osrel file
efistuf: efistub file
keysdir: Location of the Secure boot keys
kernel: Location of the kernel to use (will break the pacman hook)
initrd: Initramfs to use
addinitrd: Additional initramfs (like microcode).
For the pacman hook to work, the configuration file /etc/sbtools.conf must be updated according to your setup.
The mandatory options needed to run the pacman hook are:
cmd
outdir
keysdir
osrel
efistuf
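
One way to check a configuration file against the option list above before relying on the pacman hook. This is an added example, not part of sbtools; the function name is hypothetical, and it assumes blank lines and lines starting with # are ignored, which this page does not state.

```shell
#!/bin/sh
# Added example (not sbtools code): validate an sbtools.conf for the pacman hook.
# Assumption: blank lines and lines starting with '#' are ignored.

MANDATORY="cmd outdir keysdir osrel efistuf"
KNOWN="$MANDATORY out kernel initrd addinitrd"

# Print one diagnostic per problem; return 0 only if the file is hook-ready.
sbtools_check_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    seen="" rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            *=*) ;;
            *) echo "malformed line (expected <name>=<path>): $line"; rc=1; continue ;;
        esac
        name=${line%%=*}      # text before the first '='
        value=${line#*=}      # text after the first '='
        case " $KNOWN " in
            *" $name "*) ;;
            *) echo "unknown option: $name"; rc=1; continue ;;
        esac
        [ -n "$value" ] || { echo "empty path for option: $name"; rc=1; continue; }
        seen="$seen $name"
    done < "$conf"
    for opt in $MANDATORY; do
        case " $seen " in
            *" $opt "*) ;;
            *) echo "missing mandatory option: $opt"; rc=1 ;;
        esac
    done
    # The option list notes that setting 'kernel' breaks the pacman hook.
    case " $seen " in
        *" kernel "*) echo "option 'kernel' is set: breaks the pacman hook"; rc=1 ;;
    esac
    return $rc
}

# Run the check when a file is given on the command line.
if [ "$#" -gt 0 ]; then sbtools_check_conf "$1"; fi
```

Run it as `sh check.sh /etc/sbtools.conf`; a non-zero exit status means the hook would not have everything it needs.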
For each kernel /boot/vmlinuz-<NAME> the pacman hook will generate <OUTDIR>/<NAME>.efi, with <OUTDIR> defined in the previously mentioned configuration file.
The LZOP compression for the initramfs is not supported.