EndeavourOS is blocked by the current security policy

This issue is on a Lenovo G50-30 80G0 (aka LENOVO Lancer 5A6) with an Intel Pentium N3540, a 1TB HDD and 4GB of DDR3 SODIMM RAM.

One day, I had installed EndeavourOS over Linux Mint with GRUB. At that time, Secure Boot was disabled.

All of a sudden, even after reinstalling GRUB, after enabling Secure Boot, GRUB is still being blocked.
Sorry, but I don’t find other bootloader choices convenient as I multiboot with BlissOS and Windows 11 (just remaining as is; I haven’t booted into it for a long time, as I’m busy discovering Linux utilities).

I tried rEFInd but that is also blocked. But the GRUB that got installed while reinstalling BlissOS requires a security certificate in MOK Manager (which doesn’t exist, unlike with Ventoy). Only Windows Boot Manager is working.

EnOS doesn’t support Secure Boot. You would need to disable it.


Is there any way to use it with Secure Boot? This is because I need it. Otherwise I am hardly able to use it with Secure Boot.

Have a look here:

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot

I’m afraid I have no experience of implementing the secure boot on Arch so I would retire from this thread and hopefully other forum members with experience on this area will chime in to assist you.


In my experience, very few distros support secure boot without quite a bit of work. It’s been more than 10 years since I did much distro hopping and the last time I did (about 3 years ago) was between different variations of Arch. So, I don’t know what distros support secure boot natively.

The last time I successfully used secure boot was with Ubuntu on my partner’s Dell laptop. It can be done with Arch distros, but it’s a lot of work and things easily go sideways.

One thing related to Secure Boot that causes a lot of problems is having to have the TPM enabled (usually a requirement for some Windows versions). While it is possible to boot Linux with the TPM enabled, it’s very complicated to get set up properly. It’s not too difficult to find discussions online of people trying to implement it and ending up with serious issues to resolve.

The link shared above by @pebcak is one of the best places to start, regardless of what version of Linux you’re using.

Why do you think you need it? If you think you need it for Windows 11… you don’t, there is a fairly easy workaround… in fact any workaround is likely to be easy compared to using Secure Boot on Arch, and any distro not shipping with a signed shim. So that limits you to Fedora (CentOS Stream, RHEL), Ubuntu, and openSUSE (SLES); there might be others but the list is not long.


You’re correct, in the quick search I just did, those are the only 3 that ship with a signed shim to make it work.

It’s been about 3 years since I’ve faffed about with Windows. That’s good to know there’s a workaround to disable it. Thanks for sharing.

Definitely true!


As far as I’m concerned, Secure Boot just gives a false sense of security, just like incognito mode in a browser. It’s useless!

Edit:

Secure Boot must be enabled before an operating system is installed. If an operating system was installed while Secure Boot was disabled, it will not support Secure Boot and a new installation is required. Secure Boot requires a recent version of UEFI.

Windows does not require Secure Boot either!


Why? I’m interested to hear, as I’ve pretty much never heard why anyone absolutely needs it other than “My IT department said so”


I’ve started using Secure Boot ever since I heard about the CosmicStrand rootkit. That’s why it is likely a necessity for me, even if not for others.

So, did you mean that I need to enable Secure Boot first, then find a way to boot EndeavourOS and then reinstall GRUB in the ESP?

Well, I tried signing GRUB with sbctl long ago but it’s still showing the same error.

So reading about a rootkit led you to believe Secure Boot would protect you from such a thing?

Supposedly, CosmicStrand “is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset.” (https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/).

“It is unclear how the implant was placed on the infected computers since the process would involve either physical access to the device or through a precursor malware capable of automatically patching the firmware image.” (https://www.bleepingcomputer.com/news/security/cosmicstrand-uefi-malware-found-in-gigabyte-asus-motherboards/).

And finally, “First, this is an example of sophisticated, expensive malware used for targeted, not mass, attacks — even if seemingly random people sometimes get hit. Second, there are security products able to detect such malware. For example, our security solutions protect our users from rootkits.” (https://usa.kaspersky.com/blog/cosmicstrand-uefi-rootkit/26807/).

It appears to be Windows-targeted, and since many Windows installations use Secure Boot, why would it prevent such an infection? Do you have the hardware mentioned, using the chipset mentioned in the articles? Have you tried Kaspersky Antivirus to detect whether your system is even affected? Unless you have, this seems like a lot of worry over nothing.


I was referring to Windows mainly, in that Secure Boot has to be enabled before you install Windows. You can’t enable it after the fact. I also said that you can disable Secure Boot on Windows as it isn’t something that is required. I don’t know about using Secure Boot on Linux. It’s not something I personally would use. EOS has never supported Secure Boot.

You will need to follow the Arch wiki link then.

Or use a distro it works with, like Fedora or Ubuntu.

Or decide Secure Boot isn’t useful enough for you to care.