I read the section on the Limine wiki page that says:
To prevent this you should first embed the b2sum checksum of every resource file in the configuration. Limine file paths have an optional field containing the b2sum checksum of the file. This field can be specified by appending the # character and then the 128-character checksum:
boot():/path#checksum
To protect the config file you should embed its b2sum in the EFI executable with limine enroll-config command.
It seems like Limine supports checksum verification. Could this be sufficient and work in the same way as Secure Boot?
The b2sum checksum is part of the standard GNU coreutils and is enabled by default when installing limine-dracut-support.
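As an added example (not code from the thread, the Limine wiki or limine-dracut-support), here is a small POSIX shell helper that builds a Limine `boot():/path#checksum` entry from a file's b2sum and re-verifies such an entry against the file, i.e. the integrity check the bootloader performs before refusing a mismatching resource. It assumes coreutils `b2sum` (with python3's hashlib as a fallback) and uses my own function names; the `/vmlinuz-linux` path in the usage line is an assumed layout.

```shell
#!/bin/sh
# Added example: build and verify Limine "path#checksum" entries.
# Not part of the original thread; function names are my own.

# Print the 128-hex-character BLAKE2b-512 checksum of a file.
limine_b2sum() {
    if command -v b2sum >/dev/null 2>&1; then
        b2sum "$1" | cut -d' ' -f1
    else
        # Fallback for systems without coreutils b2sum (same algorithm/length).
        python3 -c 'import hashlib,sys; print(hashlib.blake2b(open(sys.argv[1],"rb").read()).hexdigest())' "$1"
    fi
}

# Emit a Limine resource path with the checksum field appended, e.g.
#   boot():/vmlinuz-linux#<128 hex chars>
#   $1 = volume prefix as written in the config ("boot():")
#   $2 = the file as it is reachable from the running system
#   $3 = the path as Limine sees it on that volume
limine_path_with_checksum() {
    printf '%s%s#%s\n' "$1" "$3" "$(limine_b2sum "$2")"
}

# Re-check an entry against the on-disk file.
# Returns 0 if the embedded checksum matches, 1 on mismatch (what makes
# Limine refuse to boot the resource), 2 if the field itself is malformed.
limine_verify_entry() {
    entry="$1"
    file="$2"
    expected="${entry##*#}"
    case "$expected" in
        ''|*[!0-9a-f]*) echo "malformed checksum field" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "checksum must be 128 hex chars" >&2; return 2; }
    [ "$(limine_b2sum "$file")" = "$expected" ]
}

# Usage (assumed layout): limine_path_with_checksum 'boot():' /boot/vmlinuz-linux /vmlinuz-linux
```

The verify function only answers "is this file still the one the config was written for"; as the thread goes on to explain, anyone who can write the config can also update the hash, which is why it is an integrity check and not an authorisation mechanism like Secure Boot.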
No, the b2sum checksum and Secure Boot are not the same in terms of security.
What the checksum can do:
The Limine checksum only protects against booting a corrupted kernel file (e.g., bitrot or a bitflip that could kill your system or filesystem) and helps you understand why booting it is blocked.
What the checksum can’t do:
It cannot stop someone from installing or booting a random ISO in your device without your permission (signing).
Secure Boot does both.
It protects against booting any corrupted kernel files if their hash values do not match, similar to the checksum, but it has even more functions.
It prevents others from installing or booting an ISO on your device without permission. This is especially useful if your mobile device is stolen, or in some other situations.
(Ideally, if Secure Boot always blocks random people from using your lost device with encryption, they might give up and return it or throw it away as unusable.)
SB should work with any bootloader when using UEFI; Limine itself doesn’t care about the SB setup.
If you use limine-dracut-support, there is a DRACUT_UKI option which automatically generates a UKI (Unified Kernel Image) instead of separate initramfs and kernel files.
Why? Because a UKI is easier to work with, since it requires only one signature and is verified by SB during booting.
However, limine-dracut-support doesn’t automatically sign the UKI with your own certificate (like your permission) after each kernel install or update.
I think sbctl is probably user-friendly. I plan to implement automatic signing of the installed UKI via sbctl with your own SB keys when I have more time.
Note: All old bootable snapshots (created before enabling SB) do not have your signature and would be blocked by SB. You can easily disable SB manually.
That sounds interesting. I have another notebook and will set up Secure Boot with Limine.
I don’t want anyone to use or wipe my operating system on it without my permission. Does Secure Boot help that?
I will wait patiently for your solution. Thanks!
Does this also affect new snapshots, or is it only a problem for old ones?
SB alone can’t handle everything in your case if your notebook gets stolen.
You need a combination of SB, encrypted partitions (e.g., LUKS2), and a password for accessing UEFI settings. Here’s why:
Someone could boot into your system or snapshot if it has your signing key trusted by SB.
To prevent this, use LUKS2 encryption with a strong passphrase.
They might try to boot another ISO from a USB drive to delete your system and install their own. SB can block this.
They might try to disable SB in the firmware settings.
To stop this, set an admin password to access the firmware.
If the thief isn’t tech-savvy, they might get frustrated, give up, and throw your notebook away (or return it because it’s unusable for them, if you’re lucky).
However, a clever thief could remove parts from your device, like the disk, to use in another computer, wipe your system, and install their own OS. But this scenario is probably very rare in the real world, maybe around 0.1% probability.
If the new snapshots are signed with your own key, they will be trusted and allowed to boot by SB as long as the signatures match.
Update:
I spent about 2 hours implementing and testing that in limine-dracut-support-git as a test version.
Here are a few steps to set up SB for Limine:
Enable SB (and clear the existing SB keys) in your firmware settings.
Install sbctl as an optional dependency for limine-dracut-support-git.
Generate your own SB keys:
sudo sbctl create-keys
# Alternatively, if sbctl doesn’t detect your ESP path, run (the variable has to come after sudo so it reaches sbctl):
sudo ESP_PATH=</path to ESP> sbctl create-keys
Enroll your custom keys (gives you full control and blocks anything from booting without your permission):
sudo sbctl enroll-keys --custom
Enable automatic generation of a UKI when updating or installing a kernel version:
Set DRACUT_UKI=yes in /etc/limine-entry-tool.conf
Update Limine:
sudo limine-update
This will sign the Limine EFI and the UKI with your key.
Reboot into your firmware, enable SB, and test it by trying to boot any ISO or Windows to see if it gets blocked.
Notes:
After setup, you can create new root snapshots that include a signed UKI. These snapshots will be allowed to boot under SB without any further configuration.
If you need multiple different bootable systems, manually sign the EFI files you trust. That is your control.
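As an added example (not code from the thread, Limine or limine-dracut-support), here is a shell check to run before the reboot in the steps above: it reads the Secure Boot state from the SecureBoot efivar and lists every EFI binary under the ESP (Limine, systemd-boot, UKIs in EFI/Linux/) that carries no Authenticode certificate table at all, which is exactly what SB will refuse once enforced. It assumes GNU od, find and dd, the standard EFI_GLOBAL_VARIABLE GUID for the SecureBoot variable, and my own function names; the `make_fake_pe` helper builds a constructed PE32+ skeleton so the script can be exercised without a real ESP. A non-zero certificate table only proves some signature is present, not that it was made with your key; `sbctl verify` remains the check for that.

```shell
#!/bin/sh
# Added example; not from the thread, Limine or limine-dracut-support.
# Pre-reboot audit: Secure Boot state plus EFI binaries that have no
# embedded signature at all. Function names and the fake PE are my own.

le32() { od -An -t u4 -j "$2" -N 4 "$1" | tr -d ' '; }   # uint32 at offset $2 of file $1
le16() { od -An -t u2 -j "$2" -N 2 "$1" | tr -d ' '; }   # uint16 at offset $2 of file $1

# Size of the PE "Certificate Table" data directory entry (index 4).
# 0 means no embedded signature; non-zero means some signature is present.
pe_cert_table_size() {
    f="$1"
    [ "$(od -An -c -N 2 "$f" | tr -d ' ')" = "MZ" ] || { echo "$f: not a PE file" >&2; return 2; }
    pe_off=$(le32 "$f" 60)                 # e_lfanew -> "PE\0\0" signature
    opt_off=$((pe_off + 4 + 20))           # skip signature and COFF header
    case "$(le16 "$f" "$opt_off")" in      # optional header magic
        523) dd_off=$((opt_off + 112)) ;;  # 0x20b PE32+ (x86_64 UEFI)
        267) dd_off=$((opt_off + 96)) ;;   # 0x10b PE32
        *)   echo "$f: unknown PE optional header" >&2; return 2 ;;
    esac
    le32 "$f" $((dd_off + 4 * 8 + 4))      # entry 4, Size field
}

# Secure Boot state from the SecureBoot efivar (4 attribute bytes + 1 data byte).
secure_boot_state() {
    f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$f" ] || { echo unknown; return 1; }
    case "$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# Print every *.efi under the ESP whose certificate table is empty.
unsigned_efi_binaries() {
    find "$1" -type f -iname '*.efi' | LC_ALL=C sort | while IFS= read -r f; do
        size=$(pe_cert_table_size "$f" 2>/dev/null) || continue
        if [ "${size:-1}" -eq 0 ]; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample: minimal PE32+ skeleton with a chosen certificate-table
# size ($2 as printf octal escapes, little-endian; empty means 0).
make_fake_pe() {
    head -c 512 /dev/zero > "$1"
    printf 'MZ'       | dd of="$1" bs=1 seek=0   conv=notrunc 2>/dev/null
    printf '\200'     | dd of="$1" bs=1 seek=60  conv=notrunc 2>/dev/null  # e_lfanew = 128
    printf 'PE'       | dd of="$1" bs=1 seek=128 conv=notrunc 2>/dev/null
    printf '\013\002' | dd of="$1" bs=1 seek=152 conv=notrunc 2>/dev/null  # magic 0x20b
    if [ -n "$2" ]; then
        printf "$2"   | dd of="$1" bs=1 seek=300 conv=notrunc 2>/dev/null  # cert table size
    fi
}

# Stand-alone use: "--demo" audits a constructed ESP, any other argument is a real ESP path.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); mkdir -p "$d/EFI/Linux" "$d/EFI/BOOT"
    make_fake_pe "$d/EFI/BOOT/BOOTX64.EFI" '\322\004'   # 1234-byte certificate table
    make_fake_pe "$d/EFI/Linux/linux.efi" ''            # no signature at all
    echo "unsigned in constructed ESP:"; unsigned_efi_binaries "$d"; rm -rf "$d"
elif [ -n "${1:-}" ]; then
    echo "Secure Boot: $(secure_boot_state)"
    echo "EFI binaries without any signature under $1:"; unsigned_efi_binaries "$1"
fi
```

Run it as `sh audit.sh /boot` (or wherever the ESP is mounted) after `limine-update`; an empty list plus `Secure Boot: enabled` after the reboot is the state the steps above aim for, and any file it prints is one that SB will block.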
Wow, it works! Secure Boot successfully blocks the Windows boot and all ISOs on my USB. It allows my system and new snapshots to boot. Exactly what I wanted!
If all goes well, I’ll definitely set up Secure Boot with Limine on my other notebook!
I never imagined your guide would be this simple and straightforward. Other guides are so complicated, overwhelming and confusing. I’m amazed at how easy you made it.
Thank you so much for your effort and help!
By the way, I noticed a new part of limine-entry-tool.conf that mentions:
### UKI (Unified Kernel Image):
### Automatically create UKIs in '/<ESP>/EFI/Linux/' using Dracut for UEFI. (yes|no)
###
### - Advantages:
### * UKIs are automatically detected by bootloaders like 'systemd-boot' and 'rEFInd' without extra configuration.
### - Disadvantages:
### * UKIs take up more ESP space compared to separate 'initramfs' and 'vmlinuz' files, especially with multiple Limine snapshots.
###
### Additional notes:
### - Duplicate 'initramfs' and 'vmlinuz' files are removed during 'dracut-rebuild' or 'limine-update' when creating a UKI.
### - To boot directly from firmware without a bootloader, you must manually register the UKI in the firmware. (Caution)
DRACUT_UKI=yes
If I’m not mistaken, this means I install systemd-boot, and it will be able to load the same UKI and snapshots created by Limine?
Yes, the limine-entry-tool creates UKIs in a specific location that is fully compatible with systemd-boot. This allows systemd-boot to automatically load the UKIs without any manual configuration.
However, systemd-boot does not support bootable snapshots, which can only be handled by limine-snapper-sync.
You can have both Limine and systemd-boot on the same ESP that gives you one more advantage:
Increased reliability of your boot system → Improved chance of recovery if one of them fails, without needing chroot.
Note:
Do not forget to sign the systemd-boot EFI file after installation, or it will be blocked by SB.
sudo sbctl sign /<path to ESP>/EFI/systemd/systemd-bootx64.efi
Finally, I set up Secure Boot with Limine on my notebook; it works exactly as I expected. Hopefully, this will make thieves cry!
It is great to know that both bootloaders complement each other so well, reduce potential issues to almost zero, and make troubleshooting much easier than GRUB with BTRFS. Thanks!