{"id":655,"date":"2025-11-13T13:23:18","date_gmt":"2025-11-13T21:23:18","guid":{"rendered":"https:\/\/downthecrop.xyz\/blog\/?p=655"},"modified":"2025-11-13T13:25:21","modified_gmt":"2025-11-13T21:25:21","slug":"deck-sb","status":"publish","type":"post","link":"https:\/\/downthecrop.xyz\/blog\/deck-sb\/","title":{"rendered":"Steam Deck Secure Boot (Deck SB)"},"content":{"rendered":"<blockquote>\n<p>X-Post from <a href=\"https:\/\/github.com\/downthecrop\/DeckSecureBoot\">https:\/\/github.com\/downthecrop\/DeckSecureBoot<\/a><\/p>\n<\/blockquote>\n<p><a href=\"https:\/\/github.com\/downthecrop\/DeckSecureBoot\/releases\/latest\"><img src=\"https:\/\/github.com\/downthecrop\/misc\/blob\/main\/branding.png?raw=true\" alt=\"\" \/><\/a><br \/>\n<strong>Status:<\/strong> Beta 1.6<\/p>\n<p>Arch-based live ISO for Enabling Secure Boot the Steam Deck (LCD and OLED)<\/p>\n<p><a href=\"https:\/\/github.com\/downthecrop\/DeckSecureBoot\/releases\/latest\"><img src=\"https:\/\/img.shields.io\/badge\/Download-latest-brightgreen?style=for-the-badge&amp;logo=github\" alt=\"Download\" \/><\/a><\/p>\n<h2>Features<\/h2>\n<ul>\n<li>Easy to use menu on the Deck (D-Pad navigation)<\/li>\n<li>Enables Secure Boot without the UEFI exposing the toggle<\/li>\n<li>Optional disk install to always have access to change SecureBoot status<\/li>\n<li>Keeps SteamOS fully launchable while Secure Boot stays enabled<\/li>\n<li>Supports every Steam Deck hardware revision (LCD and OLED)<\/li>\n<li>Compatible with Clover Bootloader and Dual Boot setups (Windows\/SteamOS)<\/li>\n<li>Key safety baked in: you cannot lock yourself out of disabling Secure Boot<\/li>\n<li>No tricks. 
This is valid Secure Boot, Windows anti-cheat software treats the deck as compliant<\/li>\n<li>Fully reversible<\/li>\n<\/ul>\n<p>This is heavily inspired by \/ a practical follow-up to:<br \/>\n\ud83d\udc49 <strong><a href=\"https:\/\/github.com\/ryanrudolfoba\/SecureBootForSteamDeck\">https:\/\/github.com\/ryanrudolfoba\/SecureBootForSteamDeck<\/a><\/strong><br \/>\nHis work showed the steps. This repo automates them into an ISO.<\/p>\n<h2>How to use it<\/h2>\n<ol>\n<li><strong>Get the ISO<\/strong> \u2013 Grab the latest release artifact or build it yourself with <code>build.sh<\/code> (see \u201cBuilding it yourself\u201d).<\/li>\n<li><strong>Flash to USB<\/strong> \u2013 Use Balena Etcher (recommended) or any dd-like tool to write the image to a USB drive.<\/li>\n<li><strong>Boot From USB<\/strong> \u2013 Plug in the USB, hold <code>Vol-<\/code> + <code>Power<\/code>, and pick the USB device from the boot selector.<\/li>\n<li><strong>Run the menu<\/strong> \u2013 the ISO boots into a menu where you can enroll keys, sign loaders, rerun the EFI installer, or disable Secure Boot later.<\/li>\n<\/ol>\n<p><img src=\"https:\/\/github.com\/downthecrop\/misc\/blob\/main\/CleanShot%202025-11-13%20at%2013.05.19%20(1).png?raw=true\" alt=\"\" \/><\/p>\n<h2>How this works<\/h2>\n<p>The Deck never shows a \u201cturn on Secure Boot\u201d toggle inside its UEFI UI, but Valve ships it in <strong>setup mode<\/strong>. Setup mode means the firmware happily accepts new Platform Keys (PK), Key Exchange Keys (KEK), and db signatures without user prompts. When you pick the enrollment\/enable option in the menu, we drop our baked keys (plus Microsoft\u2019s) into the firmware variables. As soon as the PK lands, the firmware automatically flips Secure Boot to <strong>enabled<\/strong>. Later, if you use the unenroll\/disable option, we clear those vars; once the PK is gone the Deck re-enters setup mode and Secure Boot is <strong>automatically disabled<\/strong>. 
No hidden switches involved\u2014just key presence or absence.<\/p>\n<h2>Helpful information &amp; FAQ<\/h2>\n<ul>\n<li><strong>Clover note:<\/strong> Clover removes the Deck SB Jump loader entry from the Deck\u2019s Boot Manager (<code>Vol-<\/code> + <code>Power<\/code>). Use <code>Vol+<\/code> + <code>Power<\/code>, pick <strong>Boot From File<\/strong>, then load <code>\/efi\/deck-sb\/jump.efi<\/code> to load it manually if you get stuck.<\/li>\n<li><strong>Signing other OSes:<\/strong> Any EFI loader or kernel you want to boot with Secure Boot enabled must be signed. Use the Signing Utility to add signatures for every distro you keep on the internal drive.<\/li>\n<li><strong>GRUB Secure Boot policy warnings:<\/strong> Some distros ship GRUB with <code>grubshim<\/code> (SteamOS GRUB has this too), which complains under Secure Boot. That\u2019s why we rely on our custom jump loader instead.<\/li>\n<\/ul>\n<p><strong>Does this modify SteamOS?<\/strong>  We drop a tiny systemd service whose only job is to ensure the Deck SB bootloader entry gets re-added if SteamOS updates wipe it. The OS rootfs, kernel, and userspace remain untouched. If you choose to <strong>install<\/strong> the ISO to disk from the menu, we also drop a copy of the live ISO environment on SteamOS (~400MB) so you can easily toggle SecureBoot in the future without the USB.<\/p>\n<p><strong>Will updates still work under Secure Boot?<\/strong>  Yes. SteamOS keeps its original GRUB entry and kernel images in the EFI partition. We install an additional boot option without overwriting any existing bootloaders.<\/p>\n<p><strong>SteamOS stopped booting under Secure Boot!<\/strong>  A recent SteamOS update probably bumped the kernel or initrd filenames. 
Re-run the EFI installer option from the menu; it re-parses the official SteamOS GRUB config and refreshes the arguments so the Deck SB loader tracks the new assets automatically.<\/p>\n<hr \/>\n<h2>Repo layout<\/h2>\n<ul>\n<li><code>build.sh<\/code> \u2013 Entry point that prepares an Archiso workdir, copies our profile, injects payload + keys, and calls the resigner on output ISO.<\/li>\n<li><code>profile\/<\/code> \u2013 Trimmed Archiso baseline overrides (mainly <code>profiledef.sh<\/code>, EFI bits, pacman.conf).<\/li>\n<li><code>payload\/<\/code> \u2013 Everything that lands inside the live image. <code>payload\/root\/menu.sh<\/code> drives the ncurses UI, the <code>deck-*.sh<\/code> helpers enroll\/unenroll\/sign, and <code>payload\/etc\/systemd\/system\/deck-startup.service<\/code> re-adds the Deck SB boot entry if updates wipe it.<\/li>\n<li><code>keys\/<\/code> \u2013 the baked Secure Boot keys (<code>PK.pem<\/code>\/<code>PK.key<\/code>). <code>build.sh<\/code> mirrors them to <code>\/usr\/share\/deck-sb\/keys<\/code> and <code>\/var\/lib\/sbctl\/<\/code> during the image build.<\/li>\n<li><code>resigner.sh<\/code> \u2013 Post-build helper that re-signs the hidden ISO EFI image so the ISO still boots after the Deck trusts these keys.<\/li>\n<\/ul>\n<hr \/>\n<h2>What you get<\/h2>\n<ul>\n<li>A live ISO that understands the Deck\u2019s UEFI<\/li>\n<li>A ncurses menu with:\n<ol>\n<li><strong>Check Boot Status<\/strong> (UEFI? efivars? 
secureboot?)<\/li>\n<li><strong>Enroll \/ Enable Secure Boot<\/strong> (runs <code>sbctl enroll-keys -m<\/code> with our baked keys)<\/li>\n<li><strong>Signing Utility, EFI Dropper and ISO Installer<\/strong> (sign SteamOS or any other EFI loader in one place)<\/li>\n<li><strong>Root shell<\/strong><\/li>\n<li><strong>Reboot \/ Poweroff<\/strong><\/li>\n<li><strong>Unenroll \/ Disable Secure Boot<\/strong><\/li>\n<\/ol>\n<\/li>\n<li>Keys baked into the image: we all use the same keys, so it's impossible to lock yourself out of toggling SecureBoot (you can never lose the signing keys).<\/li>\n<li>A fixed sbctl GUID so the layout is stable:\n<ul>\n<li><code>decdecde-dec0-4dec-adec-decdecdecdec<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h2>Why you need to sign EFIs (or other OSes)<\/h2>\n<p>Secure Boot is simple but strict: <strong>the firmware will only run binaries signed by keys it trusts.<\/strong><\/p>\n<p>What this ISO does when you pick \u201cEnroll \/ Enable Secure Boot\u201d:<\/p>\n<ol>\n<li>Installs <strong>our<\/strong> key set (the ones below)<\/li>\n<li>Installs <strong>Microsoft<\/strong> production UEFI keys (so Windows and lots of vendor stuff still works)<\/li>\n<li>Tells firmware \u201cwe\u2019re done, leave setup mode\u201d<\/li>\n<\/ol>\n<p>After that, when booting the UEFI checks the signature on EFI files:<\/p>\n<ul>\n<li>anything signed by Microsoft \u2192 OK<\/li>\n<li>anything signed by <strong>our<\/strong> keys \u2192 OK<\/li>\n<li>anything not signed \u2192 <strong>blocked<\/strong><\/li>\n<\/ul>\n<p>SteamOS and other Linux installs often ship <strong>unsigned<\/strong> or <strong>signed with somebody else\u2019s key<\/strong>, so the firmware doesn\u2019t trust it. 
The Signing Utility entry takes the EFI binary you point at (SteamOS or anything else) and <strong>adds our signature<\/strong> so it passes Secure Boot with our key.<\/p>\n<p><strong>Important:<\/strong> if later you <strong>disable<\/strong> Secure Boot or clear vars, you do <strong>not<\/strong> have to \u201cunsign\u201d SteamOS or anything else. Signatures are just extra data. If Secure Boot is off, the firmware ignores them.<\/p>\n<hr \/>\n<h2>Keys we use (baked, public on purpose)<\/h2>\n<p>We all use the same keys so nobody bricks themselves permanently. These are the same ones we embed into the ISO:<\/p>\n<details>\n<summary>Show baked keys<\/summary>\n<p>**PK.key**<br \/>\n```text<br \/>\n-----BEGIN PRIVATE KEY-----<br \/>\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDAiQ+44gfMGScB<br \/>\nXrKOF8smb+IbcvMzZaZJNYfngTr12ZfLcuGBXKA7JF5sssFMaRA7oQ\/lYW4hT99q<br \/>\nacyRpSN3VFWbzZlrU3hq\/SH+X1EEkoLfjmRaTjT5Zecuf7RGmf+VqCYvv6L73l\/c<br \/>\nVwXnuX70kNkE82XmHGnX9wsmrMKH762lmS80NQS91Sl1jGKt3ylUZHHD7A68pSSR<br \/>\nJcLu2rFtqgaE9xt+V996QZvExD\/nJQ\/LvoVapB2z29dmdX4JidaK3hmUFseH2wYk<br \/>\npbEuQB9JxhZZGHxwOiz50uctFiyUGXFJBkkS2yykuVtvDYYSzvPdpfFzqLw9+DGX<br \/>\nbWzrRwqJAgMBAAECggEADCB6e79dcFyIEEPh9u6iJ3pWAV+82E95u11LpfFhZS3w<br \/>\n9PMcueRyXOdFGGq\/DToGAUt7UB5SLMBkJsa0CEj8DZnsrC5HtRdLQDwrY9DvriVU<br \/>\n1lsGWa3GgdUu3llT8\/J1MNgVwMtPGNuSqdd7Eipb2kvrk\/eJQxkBn\/LVWR1DHSfQ<br \/>\n12xdq5jO\/wxkeifPwwNSZ8QRIhorOV4jUZkBPJSYaaZDSNu3cDyeo7fVVXc5QVgm<br \/>\nep5Iu8ntLiFcQkKkqsUuPGTre+Z1bjBhjFAqAK0+zJJ7xDF5Pfflwuj7W+AL0FZY<br \/>\nGxGTrZkIX\/4Rg0Fe3H4pCAMZ311PlcemvMuH10BatQKBgQDfL\/qqGLWh\/gEW2Vb2<br \/>\nPOMFe+YSttKuWNp8Kwj9h+ZFcSp+IW0T8vzklciUwJ8dqZNhqQ7KdNqpaJYZviHD<br \/>\n73oZoMuOqj1N0TGbsh\/C2G76kgYlGhm8f1dBjZatHiMGrREpBO9m9+0A7o6TBP3T<br \/>\nRzMxmnMVLpML15KyYpBSrBPV5wKBgQDc13GRrnw0Kkwmi79LQUwJgB2jjW4re2gh<br \/>\nlsIqK88ok18ubdxRPe+gVak9DOq\/hr4RuT6bE\/nJIXKnJqLyGswjaV4GkfKN6u2C<br \/>\ngKnPjsl1jATHV5nq4gdpX\/Z8C5EeEIDlmMxxOyl6ocVw95D2aXNsePf38fX5ftWg<br 
\/>\nz2LcmyIuDwKBgQC3sLJ7GrkrKXZWCu1C3tvuYIn8rxH5QtIXzgepOxev4bMaeoJf<br \/>\nH+c6b3jVzS9oZ3AQueadhM2PDrAzYcRCkjAJNckzkzO\/f0R4I4N2h1HX0yVRlgjG<br \/>\nlnwHTPRNaXdkgD6WZyRut\/ENiko4AKy0Hm6pDbhYH6wQ3A012l90W4I70wKBgQCC<br \/>\nmbJjCgIPw3fXT8uoEIyMDcT5ZPljI474VjSrRc8z2rtuNLAXJ36fnikAnrPw4hlj<br \/>\nV96rTUvp4yrvqMyySqCwzG47inIb9XPSOo6x3WpMZqqozKiMnHDvoz2cLCb81Zu0<br \/>\nrAEzcV5dVG\/0F6QV5VTKMFvMuL3Td2uUtzBq8B9thwKBgQCwA6kAcdmfvtT87WM7<br \/>\n0xHkDUlPfJMt1ZiL9QdDPIR\/AvDuQtiNBHUoaqDDJcwYwFe42URkBbitksXPTAtG<br \/>\nI6fHURi0C4xrR5XAFHdFz5pm3w3+1gTf8rj\/NdPNOjlx+oheZaGGL6Gni8oF8S0L<br \/>\ngAleN\/5iX9x9Htpi80o4N\/kY3w==<br \/>\n-----END PRIVATE KEY-----<br \/>\n```<\/p>\n<p>**PK.pem**<br \/>\n```text<br \/>\n-----BEGIN CERTIFICATE-----<br \/>\nMIIDETCCAfmgAwIBAgIUQBx1w+uTUKr7H2jtDG2rHfL4ZuowDQYJKoZIhvcNAQEL<br \/>\nBQAwGDEWMBQGA1UEAwwNU3RlYW0gRGVjayBQSzAeFw0yNTExMDcwMDE4MTJaFw0z<br \/>\nNTExMDUwMDE4MTJaMBgxFjAUBgNVBAMMDVN0ZWFtIERlY2sgUEswggEiMA0GCSqG<br \/>\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAiQ+44gfMGScBXrKOF8smb+IbcvMzZaZJ<br \/>\nNYfngTr12ZfLcuGBXKA7JF5sssFMaRA7oQ\/lYW4hT99qacyRpSN3VFWbzZlrU3hq<br \/>\n\/SH+X1EEkoLfjmRaTjT5Zecuf7RGmf+VqCYvv6L73l\/cVwXnuX70kNkE82XmHGnX<br \/>\n9wsmrMKH762lmS80NQS91Sl1jGKt3ylUZHHD7A68pSSRJcLu2rFtqgaE9xt+V996<br \/>\nQZvExD\/nJQ\/LvoVapB2z29dmdX4JidaK3hmUFseH2wYkpbEuQB9JxhZZGHxwOiz5<br \/>\n0uctFiyUGXFJBkkS2yykuVtvDYYSzvPdpfFzqLw9+DGXbWzrRwqJAgMBAAGjUzBR<br \/>\nMB0GA1UdDgQWBBSb3Ivqxe6awsRvL4HUvn7I45RgrTAfBgNVHSMEGDAWgBSb3Ivq<br \/>\nxe6awsRvL4HUvn7I45RgrTAPBgNVHRMBAf8EBTADAQH\/MA0GCSqGSIb3DQEBCwUA<br \/>\nA4IBAQARr6ABa4JHjW8\/jbTjo7RZpobkaR523BhXvPc3U4j19jKvOLygRT68QYF3<br \/>\nXWAMVeMcFROs06tcSubxqdAKa4INMyVVklGslIT\/z3CkLR5q9QV5SgI4Z3sRzAmL<br \/>\nPUKOoWc4x6op2heyxujlLwwiZouXWHqaklSaUymae9mCPUtwPg135WNc+E2BC4Ep<br \/>\neU5IzhUe8nLj4wlWQoxdBsKWhuvsVJVEWs\/HkzPrwulIAHQSb\/divYe3eTrYKfib<br \/>\ngXnR8BtFo0R8QGTtodx6d7nu1QO3275yvHAZTr3bfygs5AkSHF9oqpaUPAOyPM4c<br \/>\nOyHXIWSLcl2GuAJnBoSR3rKgFvvr<br \/>\n-----END CERTIFICATE-----<br 
\/>\n```<\/p>\n<p>These are embedded inside the ISO to KEK\/db so we can also *clear* secure boot later.<br \/>\n<\/details>\n<hr \/>\n<h2>The resigner (important)<\/h2>\n<p><strong>Utility:<\/strong> <code>resigner.sh<\/code> patches the hidden EFI image inside the ISO:<\/p>\n<ol>\n<li>Find the El Torito UEFI image<\/li>\n<li>Extract it<\/li>\n<li>Sign <code>EFI\/BOOT\/BOOTx64.EFI<\/code> (and IA32 if present) with the baked keys<\/li>\n<li>Write it back at the same offset<\/li>\n<li>Outputs <code>*-signed.iso<\/code><\/li>\n<\/ol>\n<p>Usage:<\/p>\n<pre><code class=\"language-bash\">.\/resigner.sh archlinux-steamdeck-sb-latest-x86_64.iso\n# -&gt; archlinux-steamdeck-sb-latest-x86_64-signed.iso<\/code><\/pre>\n<p>The main builder will auto-run <code>resigner.sh<\/code> on the generated ISO.<\/p>\n<p>You can also point the resigner at other ISOs to make them bootable under these keys (Ubuntu etc.).<\/p>\n<blockquote>\n<p><strong>Heads-up:<\/strong> <code>resigner.sh<\/code> rewrites the hidden EFI boot image inside the ISO at its original byte offset. On rare ISOs that pack data immediately after that blob, the rewrite can corrupt the image. If it happens, try adding a little extra data to the ISO to shift around the structure and try again.<\/p>\n<\/blockquote>\n<hr \/>\n<h2>Building it yourself<\/h2>\n<ol>\n<li>Boot an Arch x86_64 container<\/li>\n<li><code>sudo su<\/code><\/li>\n<li>Clone the repo and navigate to it<\/li>\n<li><code>.\/build.sh<\/code> will install all required dependencies and generate a new ISO. 
Finished ISOs are placed in <code>.\/out\/<\/code> (or <code>\/out<\/code> if that directory exists).<\/li>\n<\/ol>\n<p>The builder writes ISOs to <code>\/out<\/code> when that directory exists (handy inside containers) or <code>.\/out\/<\/code>.<\/p>\n<h2>Building from source (quickstart)<\/h2>\n<pre><code class=\"language-bash\"># optional: prep an output directory the container can write to\nmkdir -p .\/iso-out\n\n# launch an Arch Linux build shell\ndocker run --rm -it \\\n  --platform=linux\/amd64 \\\n  --privileged \\\n  -v $(pwd):\/work \\\n  -v $(pwd)\/iso-out:\/out \\\n  archlinux:latest \\\n  \/bin\/bash\n\n# Inside container\ngit clone https:\/\/github.com\/downthecrop\/DeckSecureBoot.git\ncd DeckSecureBoot\n.\/build.sh<\/code><\/pre>\n<hr \/>\n<h2>Booting it on the Deck<\/h2>\n<ol>\n<li>Power off Deck<\/li>\n<li>Hold <strong>Volume -<\/strong> and press <strong>Power<\/strong><\/li>\n<li>Pick the USB you flashed the ISO to<\/li>\n<\/ol>\n<blockquote>\n<h2>If you choose to install the ISO to disk in the menu (optional) it will appear in the DeckSB Jumploader (jump.efi)<\/h2>\n<\/blockquote>\n<h2>Credits<\/h2>\n<ul>\n<li>Original method \/ research: <strong>@ryanrudolfoba<\/strong><br \/>\n<a href=\"https:\/\/github.com\/ryanrudolfoba\/SecureBootForSteamDeck\">https:\/\/github.com\/ryanrudolfoba\/SecureBootForSteamDeck<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>X-Post from https:\/\/github.com\/downthecrop\/DeckSecureBoot Status: Beta 1.6 Arch-based live ISO for Enabling Secure Boot the Steam Deck (LCD and OLED) Features Easy to use menu on the Deck (D-Pad navigation) Enables Secure Boot without the UEFI exposing the toggle Optional disk install to always have access to change SecureBoot status Keeps SteamOS fully launchable while Secure &hellip; <a href=\"https:\/\/downthecrop.xyz\/blog\/deck-sb\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Steam Deck Secure Boot (Deck SB)<\/span> <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[456,333],"tags":[794,323,788,797,790,793,796,407,791,783,792,780,785,781,782,784,786,787,789,795],"amp_validity":null,"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/downthecrop.xyz\/blog\/wp-json\/wp\/v2\/posts\/655"}],"collection":[{"href":"https:\/\/downthecrop.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/downthecrop.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/downthecrop.xyz\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/downthecrop.xyz\/blog\/wp-json\/wp\/v2\/comments?post=655"}],"version-history":[{"count":3,"href":"https:\/\/downthecrop.xyz\/blog\/wp-json\/wp\/v2\/posts\/655\/revisions"}],"predecessor-version":[{"id":658,"href":"https:\/\/downthecrop.xyz\/blog\/wp-json\/wp\/v2\/posts\/655\/revisions\/658"}],"wp:attachment":[{"href":"https:\/\/downthecrop.xyz\/blog\/wp-json\/wp\/v2\/media?parent=655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/downthecrop.xyz\/blog\/wp-json\/wp\/v2\/categories?post=655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/downthecrop.xyz\/blog\/wp-json\/wp\/v2\/tags?post=655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}