
Secure Boot

Secure Boot is a UEFI feature that protects the system during startup by allowing only software components (such as bootloaders, kernels, and drivers) that are digitally signed with trusted keys to run. It prevents unauthorized or malicious code—like rootkits or modified bootloaders—from executing before the operating system starts.

When enabled, the firmware verifies each boot component against a trusted certificate database before loading it. If a file is unsigned or tampered with, the firmware blocks it and displays a Secure Boot violation error.

Athena Arch supports Secure Boot in UEFI. Its deployment is handled automatically by the Aegis installer, which detects whether the system booted in UEFI mode, creates the required certificates, and signs the bootloader and kernel files needed for this process.

The ISO Live Environment must currently be booted with Secure Boot disabled. Once the Arch-based Athena OS is installed, enable Secure Boot in the firmware (BIOS/UEFI) settings.

At the first reboot, a MOK (Machine Owner Key) enrollment request appears for the Secure Boot certificate that Aegis created for you during installation.

MOK

Press any key on your keyboard, and then select Enroll MOK.

MOK Enroll

Select Continue.

MOK Continue

Select Yes to confirm the enrollment.

MOK Confirm

Enter the root password you defined during installation.

MOK Password

Finally, select Reboot.

MOK Reboot

After the reboot, Athena should start with Secure Boot enabled.

Once you land in the Athena environment, you can remove the MOK certificate from the EFI partition:

sudo rm -rf /boot/efi/EFI/MOK.cer

During package updates involving the kernel and GRUB, the files signed with the Secure Boot key may be replaced, so their signatures are no longer valid or trusted and the files need to be signed again.

Athena OS performs this signing automatically, but in the worst case, if these files are not re-signed and at boot you get an error such as a policy violation, you can boot the ISO Live Environment, mount the root and boot partitions at their proper mount points, and run:

sudo arch-chroot /mnt
sbsign --key /etc/secureboot/keys/MOK.key --cert /etc/secureboot/keys/MOK.crt --output /boot/vmlinuz-linux-lts /boot/vmlinuz-linux-lts
sbsign --key /etc/secureboot/keys/MOK.key --cert /etc/secureboot/keys/MOK.crt --output /boot/efi/EFI/GRUB/grubx64.efi /boot/efi/EFI/GRUB/grubx64.efi
cp /boot/efi/EFI/GRUB/grubx64.efi /boot/efi/EFI/BOOT/grubx64.efi
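To check whether the kernel and GRUB images still carry a signature before rebooting (for example after a kernel update), the following added example, which is not part of Athena OS or Aegis, parses the PE security data directory that Secure Boot and sbsign/sbverify use; `sample_pe32plus` builds a constructed stand-in image so the code runs offline.

```python
import struct

SECURITY_DIR = 4                            # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def authenticode_signatures(data: bytes):
    """Return (signed, count, note) for a PE/EFI image such as vmlinuz or grubx64.efi."""
    # Secure Boot and sbverify read the security data directory; an empty table means unsigned.
    pe_off = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        return False, 0, "not a PE image"
    opt = pe_off + 24                       # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                      # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                    # PE32+ (x86_64 EFI binaries)
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        return False, 0, f"unknown optional header magic {magic:#x}"
    (ndirs,) = struct.unpack_from("<I", data, ndirs_off)
    if ndirs <= SECURITY_DIR:
        return False, 0, "no security data directory"
    off, size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR)  # raw file offset, not an RVA
    if off == 0 or size == 0:
        return False, 0, "certificate table empty: binary is unsigned"
    if off + size > len(data):
        return False, 0, "certificate table outside file: truncated image?"
    count, pos, end = 0, off, off + size    # walk the 8-byte aligned WIN_CERTIFICATE entries
    while pos + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            return count > 0, count, "malformed WIN_CERTIFICATE entry"
        count += ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA
        pos += (length + 7) & ~7
    return count > 0, count, f"{count} Authenticode signature(s) present"

def sample_pe32plus(cert_blobs=()):
    """Constructed minimal PE32+ image (not a real kernel) carrying fake certificate blobs."""
    hdr_len = 0x40 + 4 + 20 + 240           # DOS stub, PE signature, COFF header, PE32+ optional header
    img = bytearray(hdr_len)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)             # e_lfanew
    struct.pack_into("<H", img, 0x58, 0x20B)            # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 108, 16)         # NumberOfRvaAndSizes
    table = b"".join(struct.pack("<IHH", 8 + len(b), 0x0200, 0x0002) + b.ljust(-(-len(b) // 8) * 8, b"\0")
                     for b in cert_blobs)
    if table:                                           # point the security directory at the table
        struct.pack_into("<II", img, 0x58 + 112 + 8 * SECURITY_DIR, hdr_len, len(table))
    return bytes(img) + table
```

On a real system, call `authenticode_signatures(open("/boot/vmlinuz-linux-lts", "rb").read())` and likewise for grubx64.efi; a result starting with `False` means the sbsign commands above need to be rerun. A signature being present does not prove it was made with the enrolled MOK key, which is what `sbverify --cert /etc/secureboot/keys/MOK.crt` checks.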

In Athena OS, Secure Boot is tightly integrated with the TPM to strengthen system integrity verification.

During boot, the Secure Boot state and certificates are measured by the firmware and stored in the TPM’s Platform Configuration Registers (PCRs), specifically PCR 7 and PCR 9.

  • PCR 7 records the Secure Boot policy itself: the platform key and key databases (PK, KEK, and db) used to validate EFI binaries.
  • PCR 9 records additional Secure Boot–related data measured by the kernel and EFI environment, including EFI Load Options and initramfs integrity, ensuring the kernel and its boot parameters match a trusted state.

When LUKS encryption is bound to the TPM (for example, through systemd-cryptenroll), these PCR values become part of the unsealing policy.
That means:

  • If Secure Boot is disabled, modified, or an untrusted bootloader/kernel is used, the PCR measurements will change.
  • The TPM will then refuse to release the decryption key, prompting for your manual LUKS passphrase instead.

This link between Secure Boot and the TPM guarantees that only specific measured systems (verified and trusted) boot and automatically unlock encrypted volumes.