Setting up Secure Boot in Arch-based Distributions

I remember my 60s. They were good times, but then, so are my 70s :slight_smile:

You’re welcome. I’m glad you liked my work. Interestingly, as it turns out, EndeavourOS is one of the more complex Arch-based distributions for setting up Secure Boot compatibility because I had to sign three images to get it to boot successfully using both the primary and the fall-back boot options in rEFInd. After I wrote this item, I installed and set up Manjaro Linux in a VM and I only had to sign the vmlinuz image (in the /boot directory), so it’s more straightforward when setting up compatibility for Secure Boot.

Ernie

2 Likes

Right again, Dan, thanks for the correction. BTW, I put some effort in with Fedora 39 and walked my way (with guidance) through using dnf to install my printer’s .rpm package and was successful. Old dog, one or two new tricks.

2 Likes

I actually tried Fedora 36 and 37 for a while… But they make some things harder than they need to be - e.g. GPU drivers - you have to setup RPMFusion - which was a PITA - Ubuntu and Pop!_OS do that stuff 10x more easily…

IF I boot up the live Pop!_OS image, it’s already supporting my AMD Radeon GPU with recent accelerated open source drivers…

So - I think I’m sticking with Pop! for the foresee-able future… :smiley: Both Pop and Ubuntu automagically find my Brother printer on the network, know that I’m in Australia and default my page to A4…

2 Likes

It’s always a very good thing when your OS knows where in the world you are and what hardware is attached to your computer, etc. :slight_smile:

2 Likes

Currently running Arch. If I want to enable Secure Boot, ReBar and Above 4G memory, do I also have to convert the file system from ext4 to GPT in addition to running your instructions above? I know Windows requires GPT to use those features. I have Arch on a 2TB NVMe drive.

1 Like

GPT refers to the partition table style being used on your disk drive. The partition table is the mechanism used by disk drives to keep track of where files and directories are located. PCs use one of two common types of firmware to manage disk drives. The earlier/original style was called BIOS (Basic Input Output System), and it used the MBR (Master Boot Record, aka MS-DOS) partition table. The newer/current style is called UEFI (Unified Extensible Firmware Interface), and it uses the GPT (GUID Partition Table) partition table.

EXT4 refers to the type of file system you’re using on the disk drive, and is compatible with either style of partition table (mentioned above). In order to answer your question, I’ll need more information:

Does your computer support Secure Boot (Does it use UEFI firmware)? If your computer has, or came with Windows 11 installed, it uses UEFI firmware, and your partition table is GPT. If your computer has, or came with Windows 10 (and was built after about 2008), the answer is less certain. Read this item for more information.

If your computer uses MBR partition tables, and you want to switch to GPT, you can make the change, but everything on the disk drive will be unrecoverably erased, so you should back up all your data before changing the partition table style.

I hope this helps. If you have more questions, reply to this thread,

Ernie

3 Likes

My computer does support Secure Boot but it is not enabled; the BIOS is set to Legacy. I have 2 NVMe drives, one with Win 10, the other Arch. I want to install an Intel ARC A770 16GB video card, which requires ReBar & Above 4G Memory Enable to be set in the BIOS. But to enable those, Secure Boot needs to be turned on. I know Windows 10 & 11 require the drive to be GPT. What I don’t know is whether I would need to convert the Arch drive from MBR to GPT.

I have a tutorial to convert from MBR to GPT on Linux w/o data loss and have performed the MBR to GPT conversion on a few Win 10 drives to upgrade to Win 11 preserving the data just fine.

3 Likes

Yes, you’ll need to do that.

I’ve not heard of that process, but if you’ve completed the task before, all I can say is to go on ahead and do it, but I strongly suggest you back up your data, just to be safe. After you change the drive to GPT, disable Secure Boot so you can boot into Arch, and complete my instructions to make it able to boot with Secure Boot enabled. Note that you probably won’t be able to install rEFInd until after you convert the partition table to GPT (I’ve never tried installing rEFInd on an MBR partitioned disk). After you get rEFInd and your kernel images signed, you can re-enable Secure Boot. If all goes well, after you enroll rEFInd’s key in MOK, Arch should boot O.K.

If your tutorial’s online, please post the link here, so others can benefit from it.

I hope this helps,

Ernie

3 Likes

I left the Manjaro caravan a while ago. However, I’m now thinking of installing Pop!OS and it looks like the identical crankiness with respect to needing to shift all my boot loaders from GRUB to rEFInd?

Also … how much of this kernel-signing effort do I have to go through every time there is a kernel upgrade, such as 5 → 6 (major version)? I know Pop and Endeavour as well as most other Arch variants are “rolling” release based, so they stay arguably more secure without as frequent kernel upgrades, at least compared to Debian-based releases.

So, maybe it’s time to hang with a distro that is both secure and has pleasing graphics and wide-ranging software support (LMDE Cinnamon ticks off all those boxes for me), and deal with all the constant upgrades, and keeps working with minimal effort with Secure Boot enabled.

I don’t actually run Windows 11 that often these days, but every now and then, I need to open apps that don’t have any GNU/FOSS equivalent. Examples are LenovoVantage and Visual Studio Community edition. And I know I should enable BitLocker if I’m running Secure Boot.

Debian-based distros seem the most widely supported and adopted these days, and LMDE and Debian 12 seem like the way to go. Still can’t help but wonder: as Pop!OS is a Debian-based/Ubuntu-based distro and has all that “rolling release” good goo, is there any hope they (System 76) will eventually hop on the Secure Boot wagon, sign their shim and kernel, and allow multiple DE and WM environments, as both Debian and LMDE do now?

Sorry if this is off-topic, but if anyone has been running Pop!OS without major pain using @ernie’s playbook (this is an excellent how-to article, thank you, @ernie), please chime in.

1 Like

I ran it for several months without issue. I was not dual booting though. There seem to be elements of a rolling release. You get newer kernels faster than Ubuntu, but it didn’t cause me any issues. I may have turned off secure boot though, can’t remember.

@daniel.m.tripp also has used Pop!_OS for long periods.

1 Like

Happy to add my input :slight_smile:.

Since writing this, I found sbctl on the CachyOS Wiki. It’s a guide to a very easy way to enable secure boot support with automated kernel image signing (as well as any files that need to be signed), very useful following a kernel update.

Here’s a link to sbctl’s GitHub page, where you can get information directly from the developers.

Note: You can install sbctl in Arch-based distributions from the terminal with

sudo pacman -Sy sbctl

The CachyOS guide assumes that you will use Grub as your boot manager, but I prefer rEFInd, so if you do too, make sure you install rEFInd (while secure boot’s still disabled, and following the instructions to sign rEFInd in this post) before following these instructions.

If you want to use Grub rather than rEFInd, enable secure boot support using CA Keys (NOTE: you must edit this command by changing “cachyos” in the ‘id’ parameter to the distribution you’re using):

sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=cachyos --modules="tpm" --disable-shim-lock

With the above decisions made, and steps completed, you can now begin setting up secure boot.

Set secure boot to ‘setup’ mode in the UEFI:

Depending on the age of your computer, your UEFI interface should provide either an option to set it into “setup mode”, or one to “delete (pk) keys/restore factory keys”.

To reboot to the UEFI, you can use the following in a terminal window:

systemctl reboot --firmware-setup

With secure boot disabled, perform one of the above noted options, then reboot back to your GNU/Linux system.

What follows essentially echoes what you’ll find in the CachyOS Wiki (noted above):

Set up sbctl:

    ❯ sudo sbctl status # If setup mode is enabled, we can proceed to the next step
    Installed:      ✘ sbctl is not installed
    Setup Mode:     ✘ Enabled
    Secure Boot     ✘ Disabled

    ❯ sudo sbctl create-keys # Create your custom secure boot keys
    Created Owner UUID a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
    Creating secure boot keys...✔
    Secure boot keys created!

    ❯ sudo sbctl enroll-keys -m # Enroll your keys with Microsoft's keys
    Enrolling keys to EFI variables...✔
    Enrolled keys to the EFI variables

    ❯ sudo sbctl status
    # sbctl should now be installed, and we can proceed to signing the kernel images and boot manager
    Installed:      ✔ sbctl is installed
    Owner GUID:     a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
    Setup Mode:     ✔ Disabled
    Secure Boot     ✘ Disabled
    Vendor Keys:    microsoft

Sign the Kernel Image and Boot Manager:

Create /usr/bin/sbctl-batch-sign:

sudo nano /usr/bin/sbctl-batch-sign

Copy/paste the following into nano in your terminal window:

#!/bin/bash

# sbctl-batch-sign is a helper script designed to make it easier for users to sign files needed for secure boot support.
# The obvious case in which this script helps a lot is when dual booting Windows as there are a lot of files by Windows that
# need to be signed in EFI.

set -u

if [ "$(id -u)" -ne 0 ]; then
  echo "Error: This script must be run with root privileges." >&2
  exit 1
fi

if [ "$#" -eq 0 ]; then
  # No arguments: sign every file sbctl verify knows about (signed or not, so kernel
  # updates get re-signed), plus any kernel image directly under /boot, because on a
  # separate /boot and /boot/efi layout sbctl may only scan /boot/efi.
  sort -u <(sbctl verify | grep 'signed' | cut -d' ' -f2) \
          <(find /boot -maxdepth 1 -type f -name 'vmlinuz*') |
  while IFS= read -r entry; do
    sbctl sign -s "$entry"   # -s saves the file in sbctl's database for future re-signing
  done
else
  # Arguments given: sign only the files named on the command line.
  for entry in "$@"; do
    sbctl sign -s "$entry"
  done
fi

Save sbctl-batch-sign to disk using the following keyboard combinations:

Ctrl+X # tells nano you're getting ready to exit
y # tells nano to save your changes
Enter # tells nano to execute the above, and close

Make sbctl-batch-sign executable:

sudo chmod +x /usr/bin/sbctl-batch-sign

Then execute:

    ❯ sudo sbctl verify
    Verifying file database and EFI images in /boot...
    ✘ /boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn4.0.fc40.x86_64/linux is not signed
    ✘ /boot/EFI/BOOT/BOOTX64.EFI is not signed
    ✘ /boot/EFI/systemd/systemd-bootx64.efi is not signed
    ✘ /boot/1c4b5246eef05ac3bc87339323cd5101/0-rescue/linux is not signed
    ✘ /boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn3.0.fc40.x86_64/linux is not signed

    ❯ sudo sbctl-batch-sign

    ❯ sudo sbctl verify
    Verifying file database and EFI images in /boot...
    ✔ /boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn4.0.fc40.x86_64/linux is signed
    ✔ /boot/EFI/BOOT/BOOTX64.EFI is signed
    ✔ /boot/EFI/systemd/systemd-bootx64.efi is signed
    ✔ /boot/1c4b5246eef05ac3bc87339323cd5101/0-rescue/linux is signed
    ✔ /boot/1c4b5246eef05ac3bc87339323cd5101/6.10.0-cn3.0.fc40.x86_64/linux is signed

Caution:

On systems with a separate /boot and /boot/efi partition layout, sbctl may only scan for EFI binaries in /boot/efi. This causes kernel images that are in /boot to not be detected. This script (sbctl-batch-sign) works around this by always scanning /boot for vmlinuz-* files.

Reboot to UEFI to enable secure boot

systemctl reboot --firmware-setup

Enable secure boot in the UEFI, then reboot.

Following the reboot, if you’re using rEFInd, you’ll see a message about secure boot, and the boot manager not being signed.

Press the OK button.

Now you’ll see the key enrollment dialog to sign the boot manager. Follow the prompts as directed in this post.

After a reboot, rEFInd will load successfully, and you should then be able to load your distribution successfully too.

Verify that Secure Boot is enabled:

    ❯ sudo sbctl status
    Installed:      ✓ sbctl is installed
    Owner GUID:     a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
    Setup Mode:     ✓ Disabled
    Secure Boot:    ✓ Enabled
    Vendor Keys:    microsoft

That’s it. This is my recommended method of enabling secure boot in Arch-based distributions. I haven’t tried it with other distributions, so YMMV.

Source:

I hope this helps. I’m going to download PopOS!, then install it in QEMU/KVM to see if I can set up secure boot in that OS. I’ll update this with what I learn in a few days (or sooner)

Ernie

3 Likes
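A pre-reboot readiness check for the sbctl workflow above, added here as an example and not taken from the post, the CachyOS wiki or sbctl itself: it decodes the SecureBoot efivar the way sbctl status reports it, lists what sbctl verify still reports as unsigned, and flags kernel images that sbctl verify never mentioned (the separate /boot and /boot/efi case from the Caution). The function names, the --live flag and the sample verify output are my own assumptions.

```shell
#!/bin/bash
# Pre-reboot check for the sbctl workflow: confirm the firmware state and refuse
# to call the system "ready" while any boot file is unsigned or untracked.
# Added example, not part of the post or of sbctl. Assumes sbctl is installed
# for the live run; sample verify output used in the test is constructed.
set -u

EFIVARS=/sys/firmware/efi/efivars

# An efivars file is 4 attribute bytes followed by the variable data. SecureBoot
# and SetupMode hold a single byte, so the state is byte 5 (offset 4).
efivar_byte() {                    # efivar_byte <file> -> prints the data byte
  [ -r "$1" ] || return 1
  od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# Print "enabled", "disabled" or "unknown" for a SecureBoot/SetupMode variable.
secure_boot_state() {              # secure_boot_state [file] (default: live SecureBoot efivar)
  local f="${1:-$(ls "$EFIVARS"/SecureBoot-* 2>/dev/null | head -n1)}"
  case "$(efivar_byte "$f" 2>/dev/null)" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# Files that "sbctl verify" reported as not signed, one per line (reads stdin).
# Lines look like: "✘ /boot/EFI/BOOT/BOOTX64.EFI is not signed"
unsigned_from_verify() {
  grep ' is not signed$' | cut -d' ' -f2
}

# Kernel images in <dir> that sbctl verify never mentioned: on a separate
# /boot plus /boot/efi layout sbctl may scan only /boot/efi and skip these,
# which is the gap the post's sbctl-batch-sign script works around.
kernels_unknown_to_sbctl() {       # kernels_unknown_to_sbctl <verify-output> <dir>
  local verify_out="$1" dir="$2" f
  for f in "$dir"/vmlinuz*; do
    [ -f "$f" ] || continue
    printf '%s\n' "$verify_out" | grep -qF -- " $f " || printf '%s\n' "$f"
  done
}

# Return 0 only when nothing is unsigned and no kernel image was skipped.
readiness_check() {                # readiness_check <verify-output> <kernel-dir>
  local verify_out="$1" dir="$2" unsigned skipped
  unsigned=$(printf '%s\n' "$verify_out" | unsigned_from_verify)
  skipped=$(kernels_unknown_to_sbctl "$verify_out" "$dir")
  [ -z "$unsigned" ] && [ -z "$skipped" ] && return 0
  [ -n "$unsigned" ] && printf 'NOT READY, unsigned:\n%s\n' "$unsigned" >&2
  [ -n "$skipped" ]  && printf 'NOT READY, not tracked by sbctl:\n%s\n' "$skipped" >&2
  return 1
}

# Live run (needs root and sbctl): invoke as "sudo ./check.sh --live" before
# rebooting into the UEFI to enable secure boot.
main() {
  echo "Secure Boot is currently: $(secure_boot_state)"
  readiness_check "$(sbctl verify 2>&1)" /boot && echo "READY to enable secure boot"
}

[ "${1:-}" = "--live" ] && main
```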

Looks like to me the commonality between cachyOS and pop!OS is that they both use systemd-boot. Guess sbctl is available for install on Deb/Ubuntu derivatives like Pop?

1 Like

I’m not sure yet. I haven’t had time to download the ISO yet.

UPDATE!

I’ve installed Pop!_OS in QEMU/KVM, and I was able to build sbctl from source, but only after considerable effort. I’ll outline the steps I used to get it built (but without any of the foibles I encountered/created along the way) :slight_smile:

You can read the documentation I found, if you’re interested.

After you get Pop!_OS installed and updated, etc., since it doesn’t support secure boot out of the box, you’ll have to disable it (secure boot) to install the distribution, then download and install Go, and finally download and install sbctl:

In your web browser, navigate to the sbctl Download page.

In the Featured downloads section, select Linux to download the Go package.

Open a terminal window, and navigate to your Downloads directory:

cd ~/Downloads

Execute the following command:

sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf ./go1.23.4.linux-amd64.tar.gz

The above command removes any Go installation located at /usr/local/go if an installation exists there, then extracts Go from the package you downloaded, and installs it there.

Next, add /usr/local/go/bin to the PATH environment variable. To do so, edit ~/.profile using nano in a terminal window, with the following command:

nano ~/.profile

Add the following lines to the bottom of the file, with a blank line between what was already there, and what you add here:

# Add /usr/local/go/bin to the PATH
export PATH=$PATH:/usr/local/go/bin

Exit nano, saving your changes, using the following key combinations/key presses:

Ctrl+X
y
Enter

Apply the change to the PATH variable immediately, or reboot the computer.

In the terminal, execute the following command:

export PATH=$PATH:/usr/local/go/bin

Verify your Go installation by typing the following command in the terminal:

go version

The output of the above command should be:

go version go1.23.4 linux/amd64

Next, install the dependencies for sbctl using apt:

sudo apt install util-linux
sudo apt install binutils
sudo apt install asciidoc

A few of the above commands may report that the latest version is already installed, and that’s a good thing.

Install sbctl using git:

git clone https://github.com/foxboron/sbctl.git
cd sbctl
make
./sbctl

The last command (above) should produce the help output for sbctl. It verifies that sbctl has been built successfully.

Next, move sbctl to the /usr/bin directory:

sudo mv ./sbctl /usr/bin

If you’ve reached this point without encountering any errors, you can follow the instructions in my previous post to set up secure boot support for Pop!_OS.

UPDATE2!!
After completing my last update, I attempted to enable secure boot in Pop!_OS (installed in QEMU/KVM). I cannot verify that this will work correctly, because I cannot access the UEFI interface from within the virtual machine. I hope anyone who uses this information on bare metal has better luck than I’ve had in my virtual machine.

UPDATE3!!!

I decided to make 70GB available on my primary laptop PC to install Pop!_OS on bare metal. I followed the guidance I provided in these two posts, and I’m writing this post from within Pop!_OS with secure boot enabled, so what I’ve provided here should work with Pop!_OS as the only installed OS.

I installed Pop!_OS two times, first with the default boot loader, setting up sbctl as described here, and second, after getting the OS installed and updated, I installed rEFInd, then followed these guides to download and install the latest version of Go and build sbctl from source, and I was able to set up secure boot successfully in both cases.

UPDATE4!!!

During this process, I learned something new about rEFInd! The left-most item in the tool bar (under the boot options icons) allows me to remove boot loaders from the efi, one at a time, so for example, after removing Pop!_OS from my system, I was able to remove its boot-loader too, using this tool. How cool is that?

Unless I learn something new, that’s pertinent to this topic, this will be my last update here.

I hope this helps others,

Ernie

3 Likes

But NEVER in a dual boot system - so rEFInd vs UEFI and Grub don’t really come into play for me - and I certainly DO NOT use “secure boot” - so I won’t be looking at @ernie’s “playbook” but top effort for putting that together mate…

This desktop machine AMD Ryzen 7, 32 GB DDR4 and XT6600 graphics has been running Pop!_OS 22.04 since March 2023… the same install (that’s rather a long time for me)… as I’ve mentioned in previous posts - it’s a little bit broken: gdm (gnome display manager) doesn’t work. I disabled it in systemd - but some system update re-enabled it so that I booted to a black screen. I was able to remote in (ssh from a Macbook) and stop GDM (after rebooting about 4-5 times), and disable it - once it was disabled, I could CTRL+ALT+F1,2,3 etc and login to a TTY - then run “startx”. I hardly ever reboot - so it’s not a huge issue for me (note also I boot my single “/” partition Pop! with LUKS encryption on my 1TB NVMe SSD).

I also have Pop!_OS 22.04 running on a thinkpad e495 (Ryzen 5 16 GB DDR4 and Vega 8 AMD GPU) since November 2023.

In both cases above - I don’t think I’ll be trying out the new Cosmic DE when Pop!_OS 24 comes out of beta - I don’t like the look of it for a start - and not sure how easy it is to disable Wayland and use x11 / xorg instead (which I need to do to run Synergy KVM [which I paid for]) - and I’m really liking Ubuntu 24.04 running on my Pi5 - so will probably go for that next time I upgrade (i.e. wipe / format and fresh install single O/S on single “/” partition). And whether it’s even possible to do some of the essential tweaks I cannot live without (like moving the Window Control widgets to the left of application windows).

I’m testing Ubuntu 24.10 on another laptop - but there’s a few niggling things or inconsistencies that really annoy me (e.g. not all apps respect my theming / tweaks) - so I reckon LTS 24.04 vanilla Ubuntu…

5 Likes

To each his own is my motto. I choose to use secure boot because it makes one more hoop the bad guys must jump through before they can get to my system, and maybe that’ll be just enough for them to go looking for an easier target. We don’t have to agree about that, or anything else about how we set up/use our computers. The thing I love most about GNU/Linux is that we can each make our own choices for ourselves. That’s the single thing that makes GNU/Linux better than Windows, because Microsoft will never allow that level of freedom.

Ernie

3 Likes

Does this come from driving on the left side of the road? :slight_smile:
No really, I am curious. I assume this was what was the default in a previous OS you used.

I can get on board with Ubuntu 24.04 too. That’s what I’ve been using since shortly after it came out.

3 Likes

It comes from using Unity on Ubuntu - and - now MacOS…

And I’m left handed - so - I prefer them on the left… I also use my mouse on the left side - but - I don’t switch the buttons around…

Where I can I also try to make my cursors “left handed”… On Gnome (and XFCE) I can just copy some left handed cursor themes to /usr/local/share/icons (cursors go in the same folder as icons) - or ~/.local/share/icons. It’s not so simple on MacOS (while it has the window widgets on the left - cursors still point left [i.e. left handed cursors point right]) I use an app “MouseCape”.

I can’t believe how hard (actually impossible!) Microsoft makes it to do stuff like that. I think in the Windows XP days - there was a thingie you could install to move the Window widgets to the left - I never got it to work in Windows 7 so gave up on it… “LeftStyler” I think it was called… No such thing these days for Win 10 or 11 - which I do not use (other than via RDP for work).

3 Likes

Years ago I was working on a sheep stud in the Riverina. They had an army Blitz Wagon which they had converted to use as a fire fighting tanker.
It was originally left hand drive, but they converted it to right hand drive… with difficulty… the pedal controls would not reach so they put the accelerator where the clutch normally is, and the clutch where the accelerator normally is.
It was a beast to drive. The accepted technique was to cross your legs!

1 Like

I’d give my right arm to be ambidextrous.

With the mouse I quite often use either hand, but the other day I came across a secretary in a company who used the mouse totally the wrong way round, dragging it by the tail … she thought that was correct … I did not correct her, just smiled.

My mum nearly did - she was left handed as a child - during World War 2 - and copped so much punishment at school - she forced herself to write right handed when at school, but left handed doing her homework…

She’s now 87 and still ambidextrous… 4 of her 5 offspring were left handed - there’s only 3 of us left now - 2 of us “survivors” left handed… left-handedness is supposed to be sinister (I think one term for left handedness is “sinistral”) and the mark of satan - if only the good die young - in my family of 7 (parents and siblings) - there’s still 3 left handers (i.e. including mum)… Both my daughters are also lefties (missus isn’t - but her dad was - he copped a shitload of punishment at school in Yorkshire in the 1930’s and 40’s but persevered and still wrote left handed till he passed away at 82 in 2013).

I saw some statistic a few years ago - apparently lefties have less longevity than normally handed people… My dad was a righty and died just a few weeks shy of his 67th, my father-in-law, a leftie, died at the age of 82… Yeah that’s anecdotal and personal…

1 Like