Here’s the situation.
I want to dual-boot, while using secure boot, while using two Linux distros. I know that the process is pretty straightforward when you are dual-booting with Windows (10 in my case). You just configure some stuff on the Linux side, and Windows boots just fine. But when you use this method to register the keys on both systems, you just end up erasing the keys for the first distro that you installed (from the BIOS/UEFI), making that distro unbootable, at least while using secure boot.
So, is there a way to give both systems the same keys? Or is there a way to append the keys of both systems in the UEFI interface?
I tried looking for a way to do that using this article, but I honestly don’t see anything that resembles a solution to my problem.
Does anyone have any recommendations?
True... disabling secure boot would be a solution to easily boot, but it should be possible to do so with secure boot too, or not?
Base question is if it’s worth the work and if it has a use case in addition.
@dante_igashu If you want to use secure boot on both Linux distributions that you are dual-booting, you can use sbctl, which is the easiest way, and then just enroll Microsoft’s keys. Check section 3.1.4 of the ArchWiki page you linked; it explains how to do it with sbctl. I have used this approach on Fedora, when I wanted to use a custom kernel, and it also works on Arch.
Welcome back @dante_igashu, pay no mind to the naysayers in the thread. Secure boot is commonly misunderstood in the Linux community due to how badly Microsoft’s implementation of it is going. A lot of people associate secure boot solely with Windows, overlooking the potential security benefit it can provide on other operating systems.
Some folks also tend to be aggressively dismissive when it comes to system configuration that they’d rather not deal with. If you want to see a real uproar, go ahead and ask about installing antivirus software.
Anyway, on to the actual question:
The trick is to set up secure boot on the first Linux installation, then share the existing /var/lib/sbctl directory with the second installation. In other words, install sbctl but do not enroll new keys. Grab the existing keys from the first installation, then use those for signing your boot files.
The way I typically handle this is to mount /var/lib/sbctl on a Btrfs subvolume that is shared between all Linux installations, but if you are not using Btrfs you could probably just mount the partition of the first installation and copy the files over with rsync, or something like that. Once /var/lib/sbctl is all set on the second installation, go ahead with whatever your routine for signing boot files is.
Thanks!
I am already using EndeavourOS with secure boot, and I would like to use the other Linux distro with secure boot too. At the moment I am interested in “CachyOS”, and they just offer a solution based on the Arch Linux sbctl article.
I’ve already tried those distros you mention, but they always die on their own after using them for a time, at least on my computer. I wonder why, but that’s irrelevant right now.
Firstly, because this article says that it is “designed to add a layer of protection…”. Also because it was so easy to activate, at least while dual-booting with Windows, when using sbctl, that it made me want to know if it is possible to do that with two Linux distros. If it is not a pain in the arse to do so, at least.
Also, living in a country where they are implementing laws to know anything and everything about its people makes me feel paranoid. So, adding a layer of security feels kinda comforting, to some degree at least.
So, you mean that you followed that process for two distros, and both were able to boot with secure boot? I thought that once you followed the process for the second distro, you would have to erase the keys for the first distro. So, is it not necessary to reset the keys in the BIOS when you are going to append some new keys for secure boot?
Could you elaborate a little more about what exactly you did?
You mean that you mount that directory, which belongs to the first distro, on the second distro, every time that you boot that distro? Like when you use “fstab” to mount a separate “home” directory on your system? Am I imagining what you said the right way?
Let me know if I am thinking of this the right way. So, you mean that, when you are about to install everything from scratch, you create a “/var/lib/sbctl” separate partition, so it can be shared by both distros. Meaning that you select partitions manually for the systems. Meaning that you do that before you install the first distro.
Did I assume a little too much here?
Here, you mean that you copy the “/var/lib/sbctl” directory from the first distro to the second, so as to get the same copy on both installations, without having to share a directory? So that way, both distros have the same keys, so, at the moment of booting, neither has a problem booting with secure boot, because both have the same keys.
Yes, in my case I create a subvolume for the first installation and mount it to /var/lib/sbctl, then set up the keys. Now the keys are inside this subvolume, and they are also in the directory where sbctl expects to find them. Next, I do the next installation and mount that same subvolume at /var/lib/sbctl (so the keys are already inside).
I “share” a lot of subvolumes between installations this way because it makes certain things easier for me. For example, all of my installations can share common directories like Documents or Downloads, so no matter which distro I boot into I have all my stuff.
Yes, exactly like that. Except in my case, I have a lot of those:
Except for the first four subvolumes in there, all the rest are shared subvolumes and can be accessed from any installation I have configured this way.
You have the right idea, although there is only one Btrfs partition with everything in it. All of the different subvolumes are inside of one Btrfs partition, including multiple different Linux installations (installed in subvolumes on one partition).
[...]
if [[ "$secure_boot" == "y" ]]; then
    # Create /var/lib directory on the shared subvolume
    mkdir -p /mnt/share/var/lib
    # Add the sbctl subvolume
    create_subvolume_if_not_exists "/mnt/share/var/lib/sbctl"
    # Create the sbctl directory
    mkdir -p /mnt/var/lib/sbctl
    # Mount the subvolume
    if [[ "$luks_install" == "y" ]]; then
        mount -t btrfs -o noatime,compress=zstd,subvol=share/var/lib/sbctl "/dev/mapper/root" /mnt/var/lib/sbctl
    else
        mount -o noatime,compress=zstd,subvol=share/var/lib/sbctl "${root_partition}" /mnt/var/lib/sbctl
    fi
fi
[...]
Anyway, my specific setup is definitely way more complicated than what you need for this. I guess what I was trying to say is: yes, it can definitely be done.
Probably this will work just fine:
Yes, exactly. Keep in mind I have not tested this suggestion, but I think it will work just fine because I don’t think the contents of these directories ever change after the initial setup. Even just copying /var/lib/sbctl from one installation to another with a USB stick or something should do the trick.
Like anything, once you know what you are doing, it’s easy. However, secure boot primarily protects against bootkits and rootkits. It’s not a generalized security measure, and certainly not a privacy protection. Of the handful of known bootkits and rootkits targeting Linux, most of them seem to be research projects, and the few that have been found in the wild are delivered primarily through social engineering techniques. As a desktop Linux user, a firewall and good computing habits are very adequate in helping to minimize the threat of bootkits and rootkits.
@BluishHumility explained it better and seems to have done this with dual-boot before. I only have used secure-boot with a single-boot system so I just explained it from how it seemed to be most fitting from that perspective.
Yeah, I know every layer of security has its limitations. But, I think it still helps, even if it’s a little. At least it makes me feel slightly “safer” (even if it probably doesn’t go beyond a placebo).
Yep, I also try to take care of that part. Or else some layers of security become pretty useless.
I did use what seems to be the easiest method (and the most convenient for me). So, I just copied the contents of “/var/lib/sbctl” from one system to the other, and then signed everything in the new system.
I had a few problems that I had to solve on my own (nothing hard, just something to play and experiment with for a short while), like removing Windows residues here and there (I just got rid of Windows 10 in one of my partitions). But, after creating new keys, appending them to the UEFI and signing everything that needs to get signed on the new installation, everything works fine.
It was a lot easier than I expected it to be, even though it was kind of a mess to do so (surely because I decided to experiment with an old installation and a fresh installation).
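The copy approach discussed in the thread, sketched as an added example that is not code from any of the posts above. It copies the first installation's /var/lib/sbctl into the second, refuses to overwrite keys that are already there, restricts the private keys to their owner and checks that the copy is identical. The function names and the mount point in the comments are assumptions.

```shell
#!/bin/sh
# Added example: reuse the first installation's sbctl keys on the second.
# SRC is /var/lib/sbctl of the first installation, reached through an
# assumed mount point such as /mnt/first; DST is /var/lib/sbctl of the
# installation being set up.

copy_sbctl_keys() {
    _src="$1"
    _dst="$2"

    [ -d "$_src/keys" ] || { echo "no keys directory under $_src" >&2; return 1; }

    # Never clobber keys the second installation already has.
    if [ -n "$(ls -A "$_dst/keys" 2>/dev/null)" ]; then
        echo "$_dst/keys is not empty, refusing to overwrite" >&2
        return 2
    fi

    mkdir -p "$_dst"
    cp -a "$_src/." "$_dst/"

    # The *.key files are the private signing keys: owner access only.
    find "$_dst" -type d -exec chmod 700 {} +
    find "$_dst" -type f -name '*.key' -exec chmod 600 {} +

    # A partial or corrupted copy would produce signatures the firmware
    # rejects, so compare the two trees byte for byte.
    diff -r "$_src" "$_dst" >/dev/null || { echo "copy differs from source" >&2; return 3; }
}

# Print every private key file under DIR whose mode is not exactly 0600.
loose_key_files() {
    find "$1" -type f -name '*.key' ! -perm 600
}

# Usage on the second installation (as root), first root mounted at /mnt/first:
#   copy_sbctl_keys /mnt/first/var/lib/sbctl /var/lib/sbctl
#   sbctl status                     # the firmware keys stay as enrolled
#   sbctl verify                     # lists EFI binaries still unsigned
#   sbctl sign -s /path/to/binary    # repeat for each file verify reports
if [ "$#" -eq 2 ]; then
    copy_sbctl_keys "$1" "$2"
fi
```

If a USB stick is used for the transfer, it holds a copy of the private signing keys afterwards and should be wiped.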