Are you a security and privacy schizo who uses Arch for fun and playing games?
But you still somehow have friends?
And those friends play exclusively kernel-anticheat-invasive games?
I hear you.
Here are 3 magic commands, mon ami:
sudo sbctl create-keys
sudo sbctl enroll-keys --microsoft
sudo sbctl sign-all
Doesn’t work? Let’s unpack.
Prereq
First, let’s confirm you’re booting UEFI with TPM2:
sudo bootctl | head
You want to see something like this:
System:
Firmware: UEFI 2.90 (American Megatrends 5.35)
Firmware Arch: x64
Secure Boot: enabled (user)
TPM2 Support: yes
Measured UKI: no
Boot into FW: supported
Current Boot Loader:
Product: systemd-boot 258.3-1-arch
Then install sbctl:
sudo pacman -S sbctl
Setup Mode
Check your current Secure Boot state:
sbctl status
Before setup, you want to see:
WARNING: Setup Mode: Enabled
WARNING: Secure Boot: Disabled
After setup, you want:
Installed: ✓ sbctl is installed
Owner GUID: xxx-yyy-zzz
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: microsoft
If you don’t see Setup Mode: Enabled, go into your BIOS and reset all Secure Boot keys. That should kick most motherboards into setup mode. Also make sure you’re loading your Arch system through UEFI, not CSM.
Details
Different vendors hide this in different places and some of them are genuinely stupid about it.
AMI/ASUS: Security -> Secure Boot -> Key Management -> Reset to Setup Mode (or “Delete All Secure Boot Variables”). Not “Reset”; specifically the one that wipes keys.
MSI: Settings -> Security -> Secure Boot -> Restore Factory Keys / Reset Secure Boot to factory defaults. Then also make sure Secure Boot Mode is set to Custom, not Standard; Standard locks you out of enrolling your own keys.
Gigabyte: Boot -> Secure Boot -> Secure Boot Mode -> Setup Mode. If you don’t see this option, your board might be in “deployed mode”: you’ll need to clear keys from Key Management first.
General rule: you’re looking for anything that says “clear keys”, “delete all variables”, “restore factory defaults” under the Secure Boot submenu. Don’t touch the ones at the top BIOS level; those reset everything.
After clearing, save and reboot into your Arch system. sbctl status should now show Setup Mode: Enabled.
If it still doesn’t: double-check you’re not booting via CSM. CSM is legacy BIOS emulation and Secure Boot is strictly a UEFI thing; they cannot coexist.
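If you would rather not eyeball `sbctl status` or `bootctl`, the two flags they report come from the firmware variables `SecureBoot` and `SetupMode` under efivarfs. The following is an added example (not code from the original post or from sbctl) that reads those variables directly and maps them onto the states this section talks about: setup mode with Secure Boot off (ready for `enroll-keys`), deployed (the goal), keys present but enforcement off, and no UEFI at all (CSM). The efivarfs path layout and the EFI_GLOBAL_VARIABLE GUID are the standard ones; the byte strings in the test are constructed samples.

```python
# Added example, not part of the original post: read the Secure Boot and
# Setup Mode flags straight from efivarfs, the same source bootctl and
# sbctl status read, and classify which state the board is in.
import struct
from pathlib import Path
from typing import Optional, Tuple

# EFI_GLOBAL_VARIABLE GUID: the SecureBoot and SetupMode variables live under it.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file: 4-byte little-endian attribute mask, then the data."""
    if len(raw) < 4:
        raise ValueError("efivar file shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def flag_value(raw: bytes) -> bool:
    """SecureBoot and SetupMode are single-byte flags: 1 means enabled."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected a 1-byte flag, got {len(data)} bytes")
    return data[0] == 1


def classify(secure_boot: bool, setup_mode: bool) -> str:
    """Map the two flags onto the states the post describes."""
    if setup_mode and not secure_boot:
        return "setup"          # keys cleared: sbctl enroll-keys will work
    if not setup_mode and secure_boot:
        return "deployed"       # PK enrolled and enforcing: the goal state
    if not setup_mode and not secure_boot:
        return "user-mode-off"  # keys present but enforcement switched off in firmware
    return "inconsistent"       # SetupMode=1 with SecureBoot=1 should not happen


def read_flag(name: str) -> Optional[bool]:
    """Read SecureBoot / SetupMode from efivarfs; None when not booted via UEFI."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL_VARIABLE}"
    try:
        return flag_value(path.read_bytes())
    except OSError:
        return None             # CSM/legacy boot, or efivarfs not mounted


def current_state() -> str:
    """State of the machine this runs on, or 'no-uefi' when the variables are absent."""
    sb, sm = read_flag("SecureBoot"), read_flag("SetupMode")
    if sb is None or sm is None:
        return "no-uefi"        # Secure Boot cannot be configured from here
    return classify(sb, sm)


if __name__ == "__main__":
    print(current_state())
```

Run it before the three commands: anything other than `setup` means the firmware step above has not happened yet, and `no-uefi` means you are on CSM and need to fix that first.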
The 3 Commands
Once you’re in setup mode:
sudo sbctl create-keys
sudo sbctl enroll-keys --microsoft # drop --microsoft if you're never booting into MegaSlop Windows
sudo sbctl sign-all
Then:
sudo bootctl update
Reboot and check that Secure Boot is actually on. If it loads: voilà.
Paranoid? Good. Run this:
sbctl verify
Everything you care about should show ✓. If something’s unsigned and you recognize it: sign it manually with sbctl sign -s /path/to/that.efi. If you don’t recognize it, google it first.
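To make the "recognize it or go look it up" step mechanical, here is an added example (not from the original post or from sbctl) that triages `sbctl verify` output against an allowlist of the binaries a plain Arch + systemd-boot + UKI install is expected to carry. Unsigned files matching the allowlist get a `sbctl sign -s` command; anything else is reported for a look first. The line format it parses ("✓ path is signed" / "✗ path is not signed") is assumed from sbctl's human-readable output, and the sample text is constructed, not captured from a real machine.

```python
# Added example, not part of the original post: sort unsigned files from
# `sbctl verify` into "expected, just sign it" and "unknown, investigate first".
import fnmatch
import re
from typing import Dict, List, Tuple

# Binaries a stock Arch + systemd-boot + UKI layout is expected to have.
# Adjust to your own ESP layout; these are assumptions for the example.
KNOWN_GOOD = [
    "/efi/EFI/BOOT/BOOTX64.EFI",
    "/efi/EFI/systemd/systemd-bootx64.efi",
    "/efi/EFI/Linux/*.efi",
    "/boot/vmlinuz-*",
]

# Assumed sbctl verify line shape; paths without spaces.
VERIFY_LINE = re.compile(r"^[✓✗]\s+(\S+)\s+is\s+(not\s+)?signed\s*$")


def parse_verify(text: str) -> List[Tuple[str, bool]]:
    """Return (path, is_signed) for each file line; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = VERIFY_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2) is None))
    return entries


def triage(entries: List[Tuple[str, bool]], known: List[str] = KNOWN_GOOD) -> Dict[str, List[str]]:
    """Split unsigned files into ones you expect and ones to look at before signing."""
    result: Dict[str, List[str]] = {"sign": [], "investigate": []}
    for path, signed in entries:
        if signed:
            continue
        bucket = "sign" if any(fnmatch.fnmatch(path, pat) for pat in known) else "investigate"
        result[bucket].append(path)
    return result


def sign_commands(paths: List[str]) -> List[List[str]]:
    """argv for each manual signing step; -s also records the file in sbctl's database."""
    return [["sbctl", "sign", "-s", p] for p in paths]


# Constructed sample of verify output (not a real capture).
SAMPLE = """\
Verifying file database and EFI images in /efi...
✓ /efi/EFI/BOOT/BOOTX64.EFI is signed
✓ /efi/EFI/systemd/systemd-bootx64.efi is signed
✗ /efi/EFI/Linux/arch-linux.efi is not signed
✗ /efi/EFI/tools/unknown-tool.efi is not signed
"""

if __name__ == "__main__":
    report = triage(parse_verify(SAMPLE))
    for argv in sign_commands(report["sign"]):
        print("would run:", " ".join(argv))
    for path in report["investigate"]:
        print("look this up before signing:", path)
```

In practice you would feed it `subprocess.run(["sbctl", "verify"], capture_output=True, text=True).stdout` instead of `SAMPLE`; the point is that the allowlist, not a glance at the terminal, decides what gets signed.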
Automatic Signing on Kernel Updates
Here’s the part that surprised me: you don’t have to do anything.
When you install sbctl, it ships a pacman hook at /usr/share/libalpm/hooks/zz-sbctl.hook that automatically runs sbctl sign-all -g after every relevant package transaction: kernel updates, bootloader updates, anything touching /boot, /efi, or EFI binaries.
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = boot/*
Target = efi/*
Target = usr/lib/modules/*/vmlinuz
...
[Action]
Description = Signing EFI binaries...
When = PostTransaction
Exec = /usr/bin/sbctl sign-all -g
You update your kernel, it signs automatically. That’s it.
Dracut handles UKI generation on its own; sbctl’s hook handles signing after the fact. They cooperate without you having to wire them together manually.
For the curious: Dracut actually has its own native signing config; you might stumble across this in /etc/dracut.conf or /etc/dracut.conf.d/:
# uefi_secureboot_cert=/etc/efi-keys/db.crt
# uefi_secureboot_key=/etc/efi-keys/db.key
I went down that road initially. It works, but it means managing key paths manually and making sure Dracut can find them at build time. The sbctl hook approach is just cleaner: it’s one layer instead of two, and it handles everything regardless of how your UKI gets generated. Left those lines commented out and never looked back.
To someone who’d say “it’s too short (that’s what she said!) to be a guide”: I’m the kind of person who forgets how I did things, and I use my own notes to recreate the miracles I’ve somehow pulled off. This is those notes.
You’re welcome to leave a comment or shoot me an email at blog[at]domainyourereadingiton.com