DEV Community: Marcos Junior

Enhancing Linux Security: Secure Boot and TPM-Based Disk Encryption on Manjaro Linux

Marcos Junior — Sun, 30 Mar 2025 19:04:51 +0000

Manjaro is a powerful and flexible Linux distribution, but by default, it does not enable Secure Boot or TPM-based disk encryption. These security features can significantly enhance system protection, ensuring that only trusted code runs during boot and that sensitive data remains encrypted.

In this guide, I'll walk through the process of setting up Secure Boot and TPM-based disk encryption on Manjaro, using tools such as sbctl and systemd-cryptenroll. Additionally, I'll explore some tweaks of my preference that might be useful.

The motivation for enabling this is the need of a secure and yet convenient disk encryption so I can move around with a portable computer without easy access to my data in case I lost it.

Why Secure Boot and TPM?

Secure Boot helps prevent unauthorized operating systems or bootloaders from running on your machine, adding an additional layer of security.
TPM-based disk encryption enhances data protection by leveraging the Trusted Platform Module (TPM) to unlock encrypted volumes automatically when the correct hardware is detected.

Prerequisites

Before proceeding, ensure you have:

A system with Secure Boot and TPM 2.0 enabled in the BIOS/UEFI settings. Make sure Secure Boot is in "Setup" mode.
Manjaro Linux installed with a default LUKS1 encrypted partition, but with a bigger EFI partition in case you want to include nvidia or other extra drivers.
Basic familiarity with terminal commands and administrative privileges
A backup of your important data, mistakes could lead to data loss.

I believe this tutorial might be valid for other Arch Based distributions that use the same tools, let me know if I am wrong.

Let's get started!

First, let's tweak with initramfs by changing some parameters in /etc/mkinitcpio.conf. This file is the one we need to change to include extra drivers and make sure the image is secure.

The first change, since we are going to put the initramfs in the unencrypted EFI, is to remove /crypto_keyfile.bin from the FILES section of the mkinitcpio.conf, or comment out the entire entry.

For the TPM, run sudo systemd-cryptenroll --tpm2-device=list to check your TPM driver. Mine is tpm_tis.

If you want to include nvidia drivers, make sure you have nvidia-dkms package installed and working.

Then, in the MODULES property, add the drivers you need:

MODULES=(crc32c-intel tpm_tis i915 nvidia nvidia_modeset nvidia_uvm nvidia_drm)

In the HOOKS parameter, change it to include system, sd-vconsole, and sd-encrypt. This will be useful for TPM unlock to work. Mine looks like this:

HOOKS=(base systemd udev autodetect microcode kms modconf block keyboard keymap consolefont plymouth sd-vconsole sd-encrypt filesystems)

Since boot loaders can be problematic with encryptions, and the EFI is perfectly capable of booting the kernel directly, I believe ditching the boot loader is the way to go. But before doing that, make sure your computer Secure Boot is in Setup mode, by running sudo sbctl status. Install sbctl if you don't have it yet/

Let's now configure the Unified Kernel Image, which is a combination of the kernel and initramfs. It could get larger than the default 300mb EFI partition if you have multiple kernels and include the heavy nvidia drivers.

Open up /etc/mkinitcpio.d/linuxXXX.preset in your favourite text editor. Uncomment the default_uki and fallback_uki parameters, and make sure both paths are correct. In Manjaro, EFI filesystem is mounted in /boot/efi. It might be /efi in other distributions.

ALL_kver="/boot/vmlinuz-6.12-x86_64"

PRESETS=('default' 'fallback')

default_uki="/boot/efi/EFI/Linux/manjaro-6.12-x86_64.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-manjaro.bmp"

fallback_uki="/boot/efi/EFI/Linux/manjaro-6.12-x86_64-fallback.efi"
fallback_options="-S autodetect"

Make similar changes to other .preset files if you have other kernels.

Run sudo cat /proc/cmdline to check your current kernel command line, and then copy that into /etc/kernel/cmdline. This will be used as the kernel command line in the signed UKI.

Now let's create and enroll Secure Boot keys:

sudo sbctl create-keys
sudo sbctl enroll-keys --Microsoft

Run sudo mkinitcpio -P. It should take a minute or two to generate a new UKI for your kernels in the EFI partition. If this command fails, try to understand if you have missed any steps. It should also have a "SIGN" step. If it is not signed, something is wrong.

Time to check EFI boot entries. Run efibootmgr to list current boot entries. You can delete unused entries now. In my case, I have removed Grub boot loader so it has only the kernels I use. To do that run sudo efibootmgr -B -b 000N where N is the Boot0000 entry you want to remove.

Run sudo findmnt /boot/efi to find the device name your EFI partition is, usually /dev/sda1 or /dev/nvme0n1p1.

Add the kernel UKI to the boot loader:

sudo efibootmgr -c -d /dev/nvme0n1 -p 1 -L "Manjaro" -l "EFI/Linux/manjaro-6.12-x86_64.efi"

Note the path is related to the EFI partition root, not your current root. In my setup here, my mounted EFI full path is /boot/efi/EFI/Linux/manjaro-6.12-x86_64.efi.

Run sudo sbctl verify to check if everything you need is properly signed.

If it is, you can now restart, enable Secure Boot and lock changes to boot order, usb boot, and protect the firmware by setting up a password.

Once you restart, the boot process will ask you for the password of your encrypted root partition. If you want to unlock it automatically with TPM, do the following steps.

First, confirm you have a LUKS2 partition. Run cryptsetup luksDump /dev/nvme0n1p2 (or /dev/sda2). Note the version number. If it is 2, you are ready to proceed. If it is 1, we need to convert it. The conversion is simple, but you need to boot into a live CD that has cryptsetup because you can't convert if it is unlocked and mounted.

To convert the partition, while on Live CD, run sudo cryptsetup convert --type luks2 /dev/nvme0n1p2. Then restart back to your actual system.

Enroll the LUKS2 into TPM: sudo systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p2

Open /etc/crypttab and make it look like this:

luks-xxx-xxx-xxx-xxx-xxx UUID=xxx-xxx-xxx-xxx-xxx none tpm2-device=auto,discard

Copy /etc/crypttab to /etc/crypttab.initramfs, making it the same as above.

Recreate your UKI running sudo mkinitcpio -P. If it is successful and signed, you can restart again and now your disk will be unlocked by your TPM chip.

That's it, I hope this tutorial is simple for you to follow. I wish one day Linux distributions can provide easier and out-of-the-box tools so that the avarage user can have a more streamlined experience like other non-open OSes.

Let me know in the comments how it went or if your have suggestions.

Bonus

One thing that bothers me a lot is the slowness of bluetooth keyboard and mouse connection when swtiching devices. This is actually a "feature" to save energy, but you can fix it by changing /etc/Bluetooth/main.conf file property FastCoonectable to true.

If you have multiple monitors with different DPI, and also use SDDM as your login greeter, you will notice that it shows on the wrong DPI on one of the displays. To fix that I've enabled SDDM to run itself in Wayland. That's actually a X11 issue. To do that, make sure you have included nvidia drivers if you have a NVidia GPU in your initramfs regardless of using SecureBoot or TPM. This is required because the driver should be loaded before SDDM. To fix it create the /etc/sddm.conf/10-wayland.conf driver with the following content:

[General]
DisplayServer=wayland
GreeterEnvironment=QT_WAYLAND_SHELL_INTEGRATION=layer-shell

[Wayland]
CompositorCommand=kwin_wayland --drm --no-lockscreen --no-global-shortcuts --locale1

A new card for your Home Assistant dashboard

Marcos Junior — Tue, 06 Jun 2023 13:58:27 +0000

I've created a new card for your home assistant dashboard, that aims to be a minimalist version of the native area card.

By minimalist, I mean it would be as simple as having a title, sensors, and toggle buttons. For style changes, this card can use the area image already defined, a camera image, or a solid color.

It is not my goal to provide many ways of customizations, however you can also use other tools like card-mod if you need to add custom style changes.

Check out the documentation on how to setup it using HACS for Home Assistant.

If this is useful for you, please consider donating, but only if you wanted to :)

Using Autofac on Azure Functions

Marcos Junior — Thu, 02 Apr 2020 22:04:37 +0000

Reasons to use DI on a software project are numerous, and while one can argue that a micro-service should be so small that no IoC is needed, others may have their reasons to use it.

Not here to judge which approach is the best, but if you decide that DI is a must on your azure function project, you may find that the native support for DI does not allow you to use a third-party container as easy as you can see on a regular asp-net project. There are some libraries out there, but most uses some different techniques (such as DI using attributes) not alike to the code style on asp-net projects.

That is the reason I decided to write a library to fill this gap, and create an easy DI setup code as similar to asp-net as possible. That means you will be able to create classes with interfaces as parameters of a constructor, without the need of anything else but registering dependencies accordingly.

Find below a basic function example, observe that classes and functions are not declared as static, and dependencies are passed to the constructor just like in a regular asp-net project.

    public class Function1 : Disposable
    {
        public Function1(IService1 service1, ILogger logger)
        {
            // ...
        }

        [FunctionName(nameof(Function1))]
        public async Task Run(
            [QueueTrigger("myqueue-items", Connection = "AzureWebJobsStorage")]
            string myQueueItem
        )
        {
            await Task.Delay(2000);
            _logger.LogInformation($"C# Queue trigger function processed: {myQueueItem}");
        }

        // ...
    }

You will also find in the github project, a sample project that demonstrates the IDisposable classes being disposed at the end of a function run.

Head to the project's read-me and check out code examples.

Please feel free to contribute creating issues with feedback and pull requests.

junalmeida / autofac-azurefunctions

Autofac implementation of the dependency injection factory for non isolated Azure Functions.

Autofac.Extensions.DependencyInjection.AzureFunctions

Autofac is an IoC container for Microsoft .NET. It manages the dependencies between classes so that applications stay easy to change as they grow in size and complexity. This is achieved by treating regular .NET classes as components.

This library has been created to allow Azure Functions v3 users to use AutoFac library in a common way like it is done with regular web projects Note that Azure Functions moving forward has now a NET 5 dotnet-isolated mode which allows the use of Autofac directly without this library.

Please file issues and pull requests for this package in this repository rather than in the Autofac core repo.

NuGet
Contributing - You can report problems and feature requests creating issues and pull requests on this project.

Get Started in Azure Functions

This quick start shows how to use the UseAutofacServiceProviderFactory integration to help automatically build the root service provider…

View on GitHub

Redirecting legacy .NET apps to a new Oracle DataAccess

Marcos Junior — Thu, 26 Mar 2020 13:15:40 +0000

Published on October 13, 2018

I wrote this guide to help you dealing with a development or production environment that needs to run multiple legacy .net applications that are highly coupled with an specific version of Oracle DataAccess. With this guide you don't have to change any line of code, reference, or configuration of each project.

This guide will also help you to keep your system clean, running only one lighweight version of Oracle Client.

Please fell free to give feed back and suggest improvements.

Deploying a Cordova + Ionic application with VSTS

Marcos Junior — Thu, 26 Mar 2020 13:12:34 +0000

Originally posted on LinkedIn, on April 17, 2018.

I decided to write this article to present to you all the benefits we achieved with a 100% automated deploy, and, of course, to help you out showing the difficulties that arise when doing such task. Although it seems to be a simple task, and in theory it is, the reality is that you will face really difficult technical problems on building this kind of application on different machines and OSes. I will show you in this article what component and versions we have been using, and each task we configured for Android and iOS deployment.

The project used as inspiration to this article was started in June 2017. Since that date we have not updated structural components like cordova. Here is the list of components we are using:

Apache Cordova 6.5.0; Ionic 3.12.0; NodeJS 6.11.4; AngularJS 4.1; HockeyApp 2.2.4

Let's go straight to the point: the flow used in VSTS to build, test and deploy to both staging and production environments. As you know, the idea of VSTS regarding CI/CD separates the process of a deploy (CD) from the build itself (CI) into so called BUILD and RELEASE.

The build process is configured as the image shows. Here, the idea is to tokenize all the necessary xml and json files so that these tokens can be replaced later by real values during the release (CD) process. These tokens includes the android and ios package name, ids to necessary services, apis, and apple certificates and profiles.

Please note that I decided to archive the files before the npm step. This is due to size. As you know, npm downloads tons of files and a significant part of them are simply not used. The rest of this process aims to guarantee that ionic builds successfully. If you have any kind of js tests like jasmine, you can add a task to execute such tests.

The down side on the build process: we suffered a lot at this part when trying to update cordova and ionic versions. It is a real pain because latest cordova version changed the whole android project structures, and I have incompatibilities with current structure, plugins and so on. The latest nodejs version also lead to some problems with npm. I need to invest more time (and patience) in order to update cordova, ionic and nodejs versions.

The build process runs after each pull request to master or develop branches. It can be triggered after any push to any branch, but my account have some limits, so I ended up in configuring only these. Every successful build of develop triggers a release to our staging environment, and build of master triggers a release to the production environment.

Now, let's inspect the release parts. The first task is a simple extraction from the artifact of a previous build. Then, all the tokens are replaced with variables configured in the release definition. These variables can be secured so sensitive data like passwords stays only on the servers.

Ionic Build Android is the key task that will generate for us the real APK. This APK will be created using values from the previous tokens task, so, when releasing a staging environment, there will be an APK for staging, and when releasing production, APK for production. After that, the APK is uploaded to the former HockeyApp service, now AppCenter. HockeyApp is the distribution method we chose for both Android and iOS enterprise and staging versions.

The iOS task is almost identical to the Android one, but we faced a very difficult problem with that. The latest version of cordova and cordova-ios packages simply did not build successfully due to problems accessing the provisioning profile. After wasting days looking for a solution, we found out that this problem was already fixed in the alpha version of the cordova-ios package. So, I put on the build process a curl command to download the fix to the problematic file (platforms/ios/cordova/lib/build.js) and then everything worked.

So, that's my odyssey on automating all my workflow with this project. The best part of it is that once I achieved the staging and production environments correctly, I got everything automated. A pull request and a code review leads to an artifact pushed to users phones.

I hope that the information I tried to spread here can be useful in some manner to you. Fell free to ask any questions about this process, if you think that you need more details on any step or opinions.