2026 05 Uki Secure Boot
I switched to uki + secure boot on an ASUS R556L.
- In order to use secure boot, you have to switch to uki.
- The process is: use kernel-install to build the uki, set up secure boot, and add a kernel-install hook for pacman.
- mkinitcpio is used to produce the ramdisk initramfs-linux.img.
- systemd-ukify is used to build the uki from vmlinuz-linux and initramfs-linux.img.
- systemd-ukify is used to sign the uki.
- systemd-boot is used to install the private key on UEFI.
- kernel-install uses mkinitcpio and ukify to install/remove kernels.
- uki with kernel-install and systemd-ukify
  - kernel-install is part of systemd, so there is no need to install it.
  - install systemd-ukify: pacman -S systemd-ukify
  - create /etc/kernel/install.conf and update it according to the wiki.
  - copy /usr/lib/kernel/uki.conf to /etc/kernel/uki.conf and update it according to the wiki.
  - create /etc/kernel/cmdline with the cmd option "root=UUID=xxx-xxxx rw"
  - kernel-install (configuration file: /etc/kernel/install.conf) then uses ukify (configuration file: /etc/kernel/uki.conf) to create the uki and sign it.
  - create the uki manually: kernel-install add $(uname -r) /boot/vmlinuz-linux
  - create the uki manually: ukify build --linux=/boot/vmlinuz-linux --initrd=/boot/initramfs-linux.img --cmdline="quiet rw"
  - create the uki automatically with pacman: follow the wiki
- secure boot
  - follow the guideline
  - generate signing keys -> sign the boot loader -> configure the ESP for auto-enrollment
  - reboot and switch to the BIOS -> enable secure boot -> delete the old key -> reboot -> you will see "enroll new key"
  - if the boot loader starts, then the boot loader works.
- sign uki
  - the uki won't start if it is not signed; you also need to sign the uki kernel through kernel-install or ukify
  - kernel-install: kernel-install add $(uname -r) /boot/vmlinuz-linux
  - ukify: ukify build --config=/etc/kernel/uki.conf --linux=/boot/vmlinuz-linux --initrd=/boot/initramfs-linux.img --cmdline="quiet rw"
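A preflight check for the three files configured above, to run before kernel-install so a missing signing setting is caught before the reboot rather than after it. This is an added example, not part of the original notes: the keys it checks (layout, uki_generator, SecureBootPrivateKey, SecureBootCertificate) are assumptions taken from kernel-install(8) and ukify(1), since the notes only say to follow the wiki, and the sb.key/sb.pem paths are constructed sample names.

```shell
#!/bin/sh
# Added example: preflight for a signed-uki setup under /etc/kernel.
# Checked keys are assumptions from kernel-install(8) / ukify(1).

# conf_get FILE KEY -> value of the last uncommented KEY=value line, if any
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

# uki_preflight [ROOT] -> prints one line per problem, returns the problem count
uki_preflight() {
    root=${1:-}; k="$root/etc/kernel"; n=0
    fail() { echo "FAIL: $*"; n=$((n + 1)); }

    [ "$(conf_get "$k/install.conf" layout)" = uki ] ||
        fail "install.conf: layout is not uki"
    gen=$(conf_get "$k/install.conf" uki_generator)
    [ -z "$gen" ] || [ "$gen" = ukify ] ||
        fail "install.conf: uki_generator is '$gen', not ukify"
    grep -q 'root=' "$k/cmdline" 2>/dev/null ||
        fail "cmdline: no root= option"

    key=$(conf_get "$k/uki.conf" SecureBootPrivateKey)
    cert=$(conf_get "$k/uki.conf" SecureBootCertificate)
    if [ -z "$key" ] || [ -z "$cert" ]; then
        fail "uki.conf: signing key or certificate not configured"
    else
        [ -f "$root$key" ] || fail "private key $key is missing"
        [ -f "$root$cert" ] || fail "certificate $cert is missing"
        # The signing key must not be readable by group or others.
        [ -z "$(find "$root$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ] ||
            fail "private key $key is readable by group/others"
    fi
    return "$n"
}

# Constructed sample tree (empty files, no real keys) so the check runs offline.
demo=$(mktemp -d); mkdir -p "$demo/etc/kernel"
printf 'layout=uki\n' > "$demo/etc/kernel/install.conf"
printf 'root=UUID=xxx-xxxx rw\n' > "$demo/etc/kernel/cmdline"
printf '[UKI]\nSecureBootPrivateKey=/etc/kernel/sb.key\nSecureBootCertificate=/etc/kernel/sb.pem\n' \
    > "$demo/etc/kernel/uki.conf"
: > "$demo/etc/kernel/sb.pem"; : > "$demo/etc/kernel/sb.key"
chmod 644 "$demo/etc/kernel/sb.key"   # deliberately too open, to show a finding
uki_preflight "$demo" || echo "$? problem(s) found"
```

On a real system, call `uki_preflight` with no argument so it reads /etc/kernel directly.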