Can't boot with secure boot

Hey, I’ve enabled grub secure boot support by deleting the previous keys and signing the new ones using sbctl, sbctl verify verified that all needed file are signed but I still get this error:

Not sure if anyone here use’s secure boot. There is this from the arch wiki
https://wiki.archlinux.org/title/GRUB#Secure_Boot_support

1 Like

I’ve read the wiki along with a few other guides, and I’ve figured out how to set it up. I’ll explain the process in case anyone else needs it. :+1:

First, you need to put your system into “Setup Mode” by deleting the old signed keys in your BIOS. On my MSI motherboard, this was found under: Settings → Advanced → Windows OS Configuration → Secure Boot. Keep Secure Boot disabled but set it to Custom mode so you can delete the old keys.

After deleting the keys, boot back into EndeavourOS. Next, install sbctl using sudo pacman -Sy sbctl and reinstall GRUB with the following command:

sudo grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB --modules="tpm" --disable-shim-lock

In this command, replace esp with your boot partition. In my case, it was /boot/efi

After that, you’ll need to create new keys with sbctl by running:

sudo sbctl create-keys

Then, enroll the keys with:

sudo sbctl enroll-keys -m

Next, you’ll need to sign the necessary files. You can find out which files need to be signed by running:

sbctl verify

This command will show you which files require signing. You can sign them with:

sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi

After signing, verify once more with:

sudo sbctl verify

If everything looks good, reboot and enable Secure Boot. That’s it!

Also I’m new to Linux, this might need an edit, feel free to notify me if anything is wrong and needs an edit.

3 Likes

the other way is to suppress the policies
see https://news.itsfoss.com/windows-breaks-linux-dual-boot/

2 Likes

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.