Enabling Secure Boot with Arch Linux

Friday, Aug 16, 2024 | 2 minutes read | Update at Friday, Aug 16, 2024

Niko

How to enable secure dual boot with Windows 11 and Arch Linux using GRUB, sbctl and PreLoader

Arch Linux is not shipped with secure boot signed EFIs by default. Leading to problems with computers using Secure Boot.

Games such as Valorant, require Secure Boot to enabled, in this guide, you will learn how to create your own keys, sign EFI files and install a pre-signed bootloader.

Note : Root access or sudo is required

SBCTL

Sbctl is a command-line utility to create and sign secure boot files. To install sbctl, run in your terminal pacman -S sbctl

Run sbctl status, check secure boot status, if it is not in setup mode, reboot your computer. In BIOS, set secure boot mode into setup.
In Arch Linux run, sbctl status if not in Setup Mode reboot again and turn it on
Create your own keys to sign Arch Linux files: sbctl create-keys
Enroll your keys, as well as Microsoft’s. sbctl enroll-keys -m (-m is for microsoft vendor keys)
Run sbctl verify and check which files need to be signed.
Sign each of the unsigned files with sbctl sign -s <filepath>
Run sbctl verify again to check the status of the files

Reboot with Secure Boot on.

If everything is signed corerectly and Arch Linux boots, you’re good to go.
If you boot into GRUB with prohibited by secure boot policy or similar, you may need to follow the rest of the guide.

PreLoader (pre-signed)

PreLoader is a pre-signed bootloader, that boots unsigned, or signed, EFI files.

Install preloader through the AUR, yay -S preloader-signed

Copy the files to your boot partition.
# cp /usr/share/preloader-signed/{PreLoader,HashTool}.efi /boot/EFI/systemd
or for GRUB
# cp /usr/share/preloader-signed/{PreLoader,HashTool}.efi /boot/EFI/GRUB

Copy the bootloader and rename it to loader.efi
cp /boot/EFI/systemd/systemd-bootx64.efi /boot/EFI/systemd/loader.efi
or for GRUB
cp /boot/EFI/GRUB/grubx64.efi /boot/EFI/GRUB/loader.efi

Finally create a new NVRAM entry to boot PreLoader.efi
efibootmgr --unicode --disk /dev/sdX --part Y --create --label "PreLoader" --loader /boot/EFI/systemd/PreLoader.efi
or
efibootmgr --unicode --disk /dev/sdX --part Y --create --label "PreLoader" --loader /boot/EFI/GRUB/PreLoader.efi

sdX is your disk, it may be a nvme0n1 if you have an nvme

–part Y, is the partition number

You can check by running lsblk and checking which disk and partition contains your /boot mountpoint

Reboot into BIOS, in your drive BBS properties, move GRUB or any other partition that is not Windows or your current boot partition (#1). Turn on Secure Boot, if your default bootloader appears and works as expected, it means Secure Boot has successfully been enabled on your computer dual-booting Windows and Arch Linux.

Β© 2022 - 2024 Nik0

🌱 Powered by Hugo with theme Dream.

listening to

Not listening to anything...
Current song on replay :
Faster Than You Know - Black Gryph0n

Powered by Last.fm
me

My name is β–ˆβ–ˆβ–ˆβ–ˆ β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ or known online as Niko.

Average Arch Linux user and game developer.

terms of service (communication)

idk man, just don’t be stupid

  • ΞΆ DNI (you know who you are)
  • don’t expect me to reply to a message, i may forget to answer
  • be respectful. yes im a furry, yes we’re weird, who cares?
Projects

Game Development

  • 2D, Pixel art style game
  • Post-apocalyptic
  • Solar-punk
  • Exploration
  • Environment

Arduino - Proto Visor

  • LED Matrix
  • IOT
niko!

Name : Niko
Species : Protogen
Sex : Male
Weight : approx. 65 kg
Height : approx. 180 cm
Location : E1, Esmire 4, Z.O.R.
Role : Researcher