Secure Boot: Difference between revisions
Move Lanzaboote section to its own page. Fix grammar on remaining secure boot info. Minor wording change to put Lanzaboote and Limine on the same level |
Add "Checking Secure Boot Status" section |
||
| Line 12: | Line 12: | ||
<!--T:12--> | <!--T:12--> | ||
It is recommended to set a BIOS password and enable full disc encryption to prevent attacks which can bypass Secure Boot. | It is recommended to set a BIOS password and enable full disc encryption to prevent attacks which can bypass Secure Boot. | ||
[[Category:Security]] | [[Category:Security]] | ||
[[Category:Booting]] | [[Category:Booting]] | ||
</translate> | |||
== Checking Secure Boot status == | |||
The easiest way to check if your machine has Secure Boot enabled is through the use of [[Systemd]]'s <code>bootctl</code>. There is no need to be using [[Systemd/boot|systemd-boot]] as your bootloader for this command to work. <syntaxhighlight lang="console"> | |||
$ bootctl status | |||
System: | |||
Firmware: UEFI 2.80 (American Megatrends 5.25) | |||
Firmware Arch: x64 | |||
Secure Boot: enabled (user) | |||
TPM2 Support: yes | |||
Measured UKI: yes | |||
Boot into FW: supported | |||
... | |||
</syntaxhighlight>The system above has secure boot enabled and enforced. Other values include <code>disabled (setup)</code> for Setup Mode, <code>disabled (disabled)</code> or <code>disabled (unsupported)</code>. The unsupported tag only appears if your device firmware does not support Secure Boot at all. | |||
If you see <code>disabled (disabled)</code>, this means you will need to enable Secure Boot in your UEFI firmware settings before proceeding to use one of the projects outlined here. </translate> | |||