sbctl is a Secure Boot key and binary manager tailored for Linux users. It helps create, enroll, and manage Secure Boot keys, and sign your EFI binaries — including bootloaders and kernels.
⚠️ Warning: Replacing the platform keys with your own can brick hardware on some machines, including laptops, making it impossible to get into the firmware settings to rectify the situation. This happens because some device firmware (e.g. GPU option ROMs) that is executed during boot is signed with the Microsoft 3rd Party UEFI CA certificate or with vendor certificates. This is the case on many Lenovo ThinkPad X, P and T series laptops, which use the Lenovo CA certificate to sign UEFI applications and firmware.
sudo pacman -S sbctl
⚠️ Make sure Secure Boot is disabled and delete the existing keys from the BIOS/firmware setup first!
sudo sbctl create-keys
This generates the Platform Key (PK), Key Exchange Key (KEK), and Signature Database (db) keys.
sudo sbctl enroll-keys -m
This updates your firmware's Secure Boot key database with your own keys, while also keeping Microsoft's keys (required for some hardware such as GPUs).
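Before running enroll-keys, and again after enabling Secure Boot and rebooting, it is worth confirming the firmware state from Linux instead of trusting the BIOS screen. The following is an added example, not part of sbctl or of the original guide: it reads the SecureBoot and SetupMode variables from efivarfs (each file is a 4-byte attribute header followed by a 1-byte flag) and tells you whether the machine is in the key-cleared state this guide asks for, or already enforcing. The GUID is the standard EFI global variable namespace; the dictionary keys and result field names are my own.

```python
from pathlib import Path
from typing import Optional

# GUID of the EFI global variable namespace (SecureBoot, SetupMode, PK live here).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split one efivarfs file into (attributes, data).

    efivarfs prefixes every variable with a 4-byte little-endian attribute
    word (e.g. 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS); the payload follows.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    return int.from_bytes(raw[:4], "little"), raw[4:]


def boot_flag(raw: Optional[bytes]) -> Optional[int]:
    """Decode a 1-byte boolean variable such as SecureBoot or SetupMode."""
    if raw is None:
        return None  # variable absent: legacy boot or efivarfs not mounted
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected a 1-byte flag, got {len(data)} bytes")
    return data[0]


def secure_boot_state(raw_vars: dict) -> dict:
    """Classify firmware state from raw efivar contents keyed by variable name."""
    sb = boot_flag(raw_vars.get("SecureBoot"))
    sm = boot_flag(raw_vars.get("SetupMode"))
    return {
        "secure_boot": sb,
        "setup_mode": sm,
        # Keys deleted in firmware => no PK => Setup Mode on, Secure Boot off:
        # the precondition to meet before `sbctl enroll-keys`.
        "ready_to_enroll": sb == 0 and sm == 1,
        # Expected after enrolling, enabling Secure Boot and rebooting.
        "enforcing": sb == 1 and sm == 0,
    }


def read_efivars(efivars: Path = EFIVARS) -> dict:
    """Read SecureBoot and SetupMode from the live system (UEFI + efivarfs)."""
    out = {}
    for name in ("SecureBoot", "SetupMode"):
        p = efivars / f"{name}-{EFI_GLOBAL_GUID}"
        out[name] = p.read_bytes() if p.exists() else None
    return out


if __name__ == "__main__":
    print(secure_boot_state(read_efivars()))
```

Run it as root (efivarfs is readable by root only on some distributions); `ready_to_enroll` must be true before enroll-keys, and `enforcing` should be true once you have re-enabled Secure Boot.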
To sign the GRUB bootloader:
sudo sbctl sign /boot/efi/EFI/GRUB/grubx64.efi
Sign your kernel:
sudo sbctl sign /boot/vmlinuz-linux
Sign the GRUB core and fallback loaders (if used):
sudo sbctl sign /boot/efi/EFI/BOOT/BOOTX64.EFI
sudo sbctl sign /boot/grub/x86_64-efi/core.efi
sudo sbctl sign /boot/grub/x86_64-efi/grub.efi
📌 Tip: To re-sign everything at once:
sudo sbctl sign-all
Note that sign-all only covers files that were saved to sbctl's database (sbctl sign -s <file>), so save each path when you first sign it.
- Reboot and enter your firmware setup.
- Enable Secure Boot.
- Save changes and reboot.
Check the status of Secure Boot and your signed binaries:
sbctl status
If you end up in GRUB rescue mode, your firmware may have limited support for user-managed Secure Boot keys.
When running sbctl status, if you see:
Your firmware has quirks
...you may need to follow the vendor-specific instructions provided by sbctl.