Secure Boot on Arch Linux: Redux

PURPOSE

As I mentioned in an edit to my Arch Linux Laptop Setup article, systemd has matured enough upstream that the sbctl tool (written by a member of the Arch community) is no longer necessary. However, as of this writing (August 29, 2025, systemd version v257), the systemd-native tool, systemd-sbsign, does not retain the Microsoft Third-Party CA certificates, so I will need to follow the instructions for enrolling the OptionROM hashes in the TPM2.

Unfortunately, a UEFI firmware update caused the TPM2 to no longer unlock my LUKS2 volume containing my root filesystem. With two children under three years old, I don't have a whole lot of time to fix this. Over the last several weeks, I tried a few different things, but nothing worked.

A couple of weeks ago I had some time, and I somehow lost the Microsoft and Lenovo certificates, so the system wouldn't boot. Luckily Lenovo has built into its firmware a way to restore the default certs, so these instructions can be backed out if I get into another state where this ThinkPad X1 Carbon 11th gen won't boot.

PREREQUISITES

  • a system with UEFI BIOS, in EFI mode
  • a Trusted Platform Module, version 2 (TPM2)
  • a way to put the UEFI BIOS into Setup Mode

PROCEDURE

  1. Back up the existing EFI variables. I didn't do this previously; I don't recall if it was part of the Arch Wiki when I set this up almost two years ago, or I just glossed over it. Follow the instructions on the UEFI/Secure Boot article for using your own keys.
    for var in PK KEK db dbx ; do 
        efi-readvar -v ${var} -o old_${var}.esl
    done
    
  2. Reboot into the UEFI BIOS firmware, and disable Boot Order Lock. This is necessary since fwupd won't actually update the firmware if this is enabled.
  3. Upgrade the ThinkPad firmware using fwupd:
    systemctl start fwupd.service
    fwupdmgr update
    fwupdmgr upgrade
    
  4. Reboot. Wait until the firmware upgrade is complete.
  5. Reboot again, and enter the UEFI BIOS firmware setup utility.
  6. Re-enable the TPM2 in the UEFI BIOS firmware setup menu, and clear it.
  7. Enter Setup Mode within the UEFI BIOS firmware menu. At least for this ThinkPad, I get the message that the Platform Key (PK) has been removed.
  8. Boot into the Arch ISO, set my layout to colemak, unlock the LUKS2 container, mount the root volumes and subvolumes as necessary, enable the swap file, and enter arch-chroot:
    loadkeys colemak
    cryptsetup luksOpen /dev/nvme0n1p2 top
    mount -o subvol=/root /dev/mapper/top /mnt
    mount -o subvol=/root/home /dev/mapper/top /mnt/home
    mount -o subvol=/root/swap /dev/mapper/top /mnt/swap
    mount -o subvol=/root/var /dev/mapper/top /mnt/var
    mount /dev/nvme0n1p1 /mnt/efi # esp
    swapon /mnt/swap/swapfile
    arch-chroot /mnt
    
  9. Set up UKI (Unified Kernel Images). The /etc/kernel/uki.conf should have the following structure:
    [UKI]
    SecureBootSigningTool=systemd-sbsign
    SignKernel=true
    SecureBootPrivateKey=/etc/kernel/secure-boot-private-key.pem
    SecureBootCertificate=/etc/kernel/secure-boot-certificate.pem
    PCRBanks=sha384,sha512
    Microcode=/boot/intel-ucode.img
    
    [PCRSignature:initrd]
    PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-initrd.pem
    PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-initrd.pem
    Phases=enter-initrd
    
    [PCRSignature:system]
    PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-system.pem
    PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-system.pem
    Phases=enter-initrd:leave-initrd
           enter-initrd:leave-initrd:sysinit
           enter-initrd:leave-initrd:sysinit:ready
    
    Generate the keys and certificates:
    ukify genkey --config /etc/kernel/uki.conf
    
    You should see the following output:
    Using config file: /etc/kernel/uki.conf
    Writing SecureBoot private key to /etc/kernel/secure-boot-private-key.pem
    Writing SecureBoot certificate to /etc/kernel/secure-boot-certificate.pem
    Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-initrd.pem
    Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-initrd.pem
    Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-system.pem
    Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-system.pem
    
  10. Edit the file /etc/kernel/install.conf, and ensure the layout is uki:
    layout=uki
    
  11. Gather the OptionROM sha256 hashes:
    count=1
    tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements \
    | grep -o 'Digest: "[a-f0-9]\{64\}"' \
    | sed 's/Digest: "//;s/"$//' \
    | while read -r digest; do
        digest-to-efi-sig-list ${digest} OpROM.${count}.esl
        count=$(( ${count} + 1 ))
    done
    cat OpROM.*.esl > OpROMs.esl
    
  12. Create the owner.id (GUID) file:
    uuidgen --random | tee /etc/kernel/owner.id
    
  13. Sign the OpROMs.esl to OpROMs.auth:
    sign-efi-sig-list -a -g "$(cat /etc/kernel/owner.id)" \
        -k /etc/kernel/secure-boot-private-key.pem \
        -c /etc/kernel/secure-boot-certificate.pem \
        db OpROMs.esl OpROMs.auth
    
  14. Sign the systemd-boot bootloader:
    /usr/lib/systemd/systemd-sbsign sign \
        --private-key /etc/kernel/secure-boot-private-key.pem \
        --certificate /etc/kernel/secure-boot-certificate.pem \
        --output /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed \
        /usr/lib/systemd/boot/efi/systemd-bootx64.efi
    
  15. Configure the bootloader for automatic enrollment:
    bootctl install --secure-boot-auto-enroll yes \
        --certificate /etc/kernel/secure-boot-certificate.pem \
        --private-key /etc/kernel/secure-boot-private-key.pem
    
  16. Edit /efi/loader/loader.conf and add the following:
    secure-boot-enroll force
    
  17. Copy the OpROMs.auth file to the esp:
    cp OpROMs.auth /efi/loader/keys/auto/
    
  18. Reinstall the kernel (I use linux-zen). kernel-install will make calls to mkinitcpio (for building the initramfs) and ukify to build, install, and sign the UKI in esp/Linux (I have the esp mounted at /efi; see above).
  19. Enroll the TPM2 to unlock the LUKS2 container:
    systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p2
    
    I will be prompted for the passphrase or recovery key.
  20. Reboot, enter the firmware setup menu, and remove the Microsoft Third Party CA certificate.
  21. Reboot again, and Secure Boot should be enabled with the UKI, and the TPM2 should unlock the LUKS2 container.

I drafted these instructions from the new section describing how to enable Secure Boot with systemd (as of v257), as well as how to add the digests of the Option ROMs (of which there are many on this ThinkPad).
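
The grep in step 11 keeps every 64-character hex digest in the event log, not only the Option ROM measurements, so everything the firmware logged with a sha256 digest ends up in OpROMs.esl. As an added example (not part of the original procedure), the filter below narrows tpm2_eventlog output to the sha256 digests of EV_EFI_BOOT_SERVICES_DRIVER events, on the assumption that Option ROMs are logged under that event type; the sample log is constructed and the function names are hypothetical.

```sh
# Added example. The sample log is constructed (fake digests) and trimmed to
# the keys the filter reads; real input comes from tpm2_eventlog.
fake_hex() { printf "%0${1}d" 0 | tr 0 "$2"; }   # fake_hex 64 a -> 64 x "a"

sample_eventlog() {
cat <<EOF
events:
- EventNum: 0
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_DRIVER_CONFIG
  Digests:
  - AlgorithmId: sha256
    Digest: "$(fake_hex 64 c)"
- EventNum: 1
  PCRIndex: 2
  EventType: EV_EFI_BOOT_SERVICES_DRIVER
  Digests:
  - AlgorithmId: sha1
    Digest: "$(fake_hex 40 d)"
  - AlgorithmId: sha256
    Digest: "$(fake_hex 64 a)"
- EventNum: 2
  PCRIndex: 2
  EventType: EV_EFI_BOOT_SERVICES_DRIVER
  Digests:
  - AlgorithmId: sha256
    Digest: "$(fake_hex 64 b)"
- EventNum: 3
  PCRIndex: 4
  EventType: EV_EFI_BOOT_SERVICES_APPLICATION
  Digests:
  - AlgorithmId: sha256
    Digest: "$(fake_hex 64 e)"
EOF
}

# Print each unique sha256 digest of an EV_EFI_BOOT_SERVICES_DRIVER event.
oprom_digests() {
    awk '
        /^- EventNum:/       { type = ""; alg = "" }   # start of a new event
        $1 == "EventType:"   { type = $2 }
        $2 == "AlgorithmId:" { alg = $3 }
        $1 == "Digest:" && alg == "sha256" && type == "EV_EFI_BOOT_SERVICES_DRIVER" {
            d = $2; gsub(/"/, "", d)
            if (length(d) == 64 && d ~ /^[0-9a-f]+$/ && !seen[d]++) print d
        }'
}

sample_eventlog | oprom_digests   # only the digests of events 1 and 2
```

On the real system, replace sample_eventlog with the tpm2_eventlog command from step 11 and pass each printed line to digest-to-efi-sig-list as that step does.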

RESULTS

WIP (Work In Progress)

CONCLUSION

WIP (Work In Progress)