Open The-Compiler opened 7 years ago
I'm trying to set `cryptboot` up on Arch Linux with a ThinkPad X1 Yoga. Key enrollment and signing seemed to have completed successfully, but when I run `mkinitcpio -p linux` outside of cryptboot and reboot, I can still boot successfully without any errors. This shouldn't happen, should it?

Not a bug, but a feature in this case. This script does not sign either the kernel or the initramfs you boot. What it does sign is the bootloader. It is meant as protection of the bootloader .efi code which unlocks an encrypted /boot partition (where the kernel/initramfs reside; using it without an encrypted /boot makes little sense).

It is meant as a "feature" because it leaves you the freedom to boot different kernels/initramfs, modify the kernel boot line, update the system kernels, etc. without having to worry about boot breakage due to failing Secure Boot verification.

If you are looking for a script that helps automate signing the kernel/initramfs with Arch, have a look at https://github.com/andreyv/sbupdate or https://bentley.link/secureboot/ (disclaimer: I have not used either yet).
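A quick way to see which images under /boot actually carry a Secure Boot (Authenticode) signature, following the point above that the script signs the bootloader .efi and not the kernel/initramfs. This is an added example, not code from cryptboot or from anyone in the thread: it only checks whether a PE/COFF image has a Certificate Table entry (i.e. whether it was signed at all), not whether that signature verifies against the firmware's db, and the minimal PE images used for testing are constructed.

```python
import struct
import sys

def pe_has_authenticode_signature(data: bytes) -> bool:
    """True if a PE/COFF image carries a non-empty Certificate Table
    (data directory index 4), i.e. it was Authenticode-signed at all.
    Does NOT verify the signature against any key database."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                # skip "PE\0\0" + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x20B:                       # PE32+ (x86_64 EFI binaries)
        nrva_off, dd_off = opt_off + 108, opt_off + 112
    elif magic == 0x10B:                     # PE32 (32-bit EFI binaries)
        nrva_off, dd_off = opt_off + 92, opt_off + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", data, nrva_off)
    if n_dirs <= 4:
        return False                         # no Certificate Table slot at all
    va, size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    return va != 0 and size != 0

def build_minimal_pe32plus(cert_size: int) -> bytes:
    """Constructed test fixture: the smallest PE32+ header layout the parser
    above accepts, with a Certificate Table entry when cert_size is non-zero."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE header starts at 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                     # PE32+ optional header with 16 dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    if cert_size:
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x1000, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # e.g. python3 check_signed.py /boot/EFI/BOOT/BOOTX64.EFI /boot/vmlinuz-linux
    # (a vmlinuz with an EFI stub is PE; an initramfs is not and is reported as such)
    for path in sys.argv[1:]:
        try:
            with open(path, "rb") as f:
                state = "signed" if pe_has_authenticode_signature(f.read()) else "UNSIGNED"
        except ValueError as e:
            state = f"not checkable ({e})"
        print(f"{path}: {state}")
```

Running it over the bootloader .efi and the kernel image makes the behaviour in the thread visible: only the bootloader shows up as signed, which is exactly why regenerating the initramfs outside cryptboot does not break the boot.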