Having issues getting Secure Boot / UEFI / GPT boot working right. Any ideas?

Hey. I’ve been having a few issues trying to set up right, maybe someone here can help.

Short version, I’m struggling to get Secure Boot working right.

  • I’d finished installing EndeavourOS before realizing that I’m on an MBR partition and using GRUB. A friend asked why I’m not using systemd-boot, “good question.”
  • Booted into BIOS config, tried disabling CSM, and now it can’t find any bootable drives at all (internal or installer USB.)
  • Tried booting with an installer made with Ventoy, Rufus (both file images and DD mode), Balena Etcher… nothing.
  • Made sure my BIOS is configured to use Secure Boot, disabled CSM, enabled Above 4G Encoding, has fTPM enabled… Still nothing. Tried resetting to default config before checking Secure Boot and CSM again. Still nothing.

Motherboard is ASRock B450M Pro4. Anyone have any ideas what I’m missing?

Secure Boot is not supported on Arch and by extension EndeavourOS.

You would need to disable it in the firmware settings.

Also if you want an installation in UEFI mode on a GPT disk with systemd-boot, make sure that CSM/Legacy is disabled so that you boot up your live usb in UEFI mode.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Booting_an_installation_medium

Hmmm, so secure boot is out. Got it.

Still trying to get UEFI mode and struggling. With CSM disabled it just doesn’t see any GPT drives at all.

You can set up secure boot. It’s a little bit of a process, and arguably one that a lot of folks here/in Linux don’t actually think is a good one. I know folks who don’t want/trust secure boot even if it were offered and set up via the distro. It’s really up to you. There are some distros that ship with secureboot working and enabled (Fedora, Ubuntu, etc) if that is a thing you need → for instance I know some IT departments will let you use Linux on a work computer provided secureboot is still working and enabled.

Ideas? Disable secure boot, what do you even want it for?

Do you have all disks in AHCI?

I don’t really care either way. I was getting that and the modern GPT / UEFI boot stuff mixed up. My actual goal is getting systemd-boot working.

I have no idea what you’re trying to ask, sorry. What’s AHCI?

I was getting terms mixed up, apologies. But even with Secure Boot disabled, my machine isn’t recognizing GPT boot drives.

Could you boot up your live usb and post the output of

sudo parted -l

?

I can’t boot the liveUSB if it’s in GPT.

But I can show from my MBR setup:

[@voxel@home] [ ~ ] $ sudo parted -l
# Skipping internal drives...
[sudo] password for nomad: 

# User note: To be used for backups
Model: ATA TOSHIBA MK5056GS (scsi)
Disk /dev/sda: 500GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags: 

Number  Start   End    Size   Type     File system  Flags
 1      1049kB  500GB  500GB  primary  ext4         boot


# User note: Primary SSD
Model: ATA WDC WDS500G2B0B (scsi)
Disk /dev/sdb: 500GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags: 

Number  Start   End    Size   Type     File system  Flags
 1      1049kB  500GB  500GB  primary  ext4         boot


# User note: For bulk storage like Steam games
Model: ATA TOSHIBA MQ01ABD1 (scsi)
Disk /dev/sdc: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags: 

Number  Start   End     Size    Type     File system  Flags
 1      1049kB  106MB   105MB   primary  ntfs         boot
 2      106MB   1000GB  1000GB  primary

# USB drives:

# User note: for memtest86+
Model: General UDisk (scsi)
Disk /dev/sdd: 503MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags: 

Number  Start   End     Size    Type     File system  Flags
 2      1696kB  5890kB  4194kB  primary               esp


# User note: EndeavourOS installer
Model: General UDisk (scsi)
Disk /dev/sde: 15.7GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags: 

Number  Start   End     Size   Type     File system  Flags
 2      2595MB  2760MB  165MB  primary               esp


# User note: Ventoy multiboot USB
Model: Samsung Flash Drive (scsi)
Disk /dev/sdf: 257GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End    Size    File system  Name     Flags
 1      1049kB  257GB  257GB                Ventoy   msftdata
 2      257GB   257GB  33.6MB  fat16        VTOYEFI  hidden, msftdata, no_automount

[@voxel@home] [ ~ ] $

// Is there a way to get Parted to include the UI labels for each partition?
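Added example (not written by anyone in the thread): a shell function that summarises `parted -l` output like the listing above, reporting for each disk its partition table type and whether parted flags an EFI System Partition, the partition that firmware boots from when CSM is disabled. The function names and the `/dev/sdx` disk are constructed for illustration; the other two disks are copied from the listing.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `parted -l` text on stdin and
# prints one line per disk: <disk> <partition-table> <esp|no-esp>.
# parted's "esp" flag marks an EFI System Partition on msdos and gpt disks;
# "boot" is an alias for it on gpt only. On msdos, "boot" is the legacy
# active flag and does not mark an ESP.
esp_report() {
    awk '
        function emit() { if (disk != "") print disk, table, (esp ? "esp" : "no-esp") }
        /^Disk \/dev\//   { emit(); disk = $2; sub(/:$/, "", disk)
                            table = "unknown"; esp = 0; col = 0; next }
        /^Partition Table:/ { table = $3; next }
        # The header row gives the column where the Flags field starts.
        /^Number /        { col = index($0, "Flags"); next }
        /^ *[0-9]+ / && col {
            n = split(substr($0, col), flag, /, */)
            for (i = 1; i <= n; i++) {
                gsub(/ /, "", flag[i])
                if (flag[i] == "esp" || (table == "gpt" && flag[i] == "boot")) esp = 1
            }
        }
        END { emit() }
    '
}

# Sample input: /dev/sdb and /dev/sde are copied from the listing above;
# /dev/sdx is a constructed GPT disk for comparison.
sample_listing() {
    cat <<'EOF'
Disk /dev/sdb: 500GB
Partition Table: msdos

Number  Start   End    Size   Type     File system  Flags
 1      1049kB  500GB  500GB  primary  ext4         boot

Disk /dev/sde: 15.7GB
Partition Table: msdos

Number  Start   End     Size   Type     File system  Flags
 2      2595MB  2760MB  165MB  primary               esp

Disk /dev/sdx: 500GB
Partition Table: gpt

Number  Start   End     Size    File system  Name  Flags
 1      1049kB  1075MB  1074MB  fat32        EFI   boot
EOF
}

sample_listing | esp_report
```

On a live system the same function can be fed directly with `sudo parted -l | esp_report`.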

I am not really sure I understand the issue you are facing.

Could you explain your disk set up?

How many drives? I see you are #Skipping internal drives, why?

Where are you going to install EnOS?

What do you mean that you don’t see any GPT drive?

I see you have a Ventoy boot usb.

Ventoy is capable of booting an ISO both in Legacy and UEFI mode.

You have to set the boot mode in firmware settings.

The skipped internal drives thing is one of those collapsible detail/summary things. Just tap it.

[details="Summary"]
This text will be hidden
[/details]

Short version of the situation:

  • Three internal hard drives.
    • sda: 500 GB HDD, for backups.
    • sdb: 500 GB SSD, primary drive. EOS installed here. MBR format.
    • sdc: 1000 GB HDD, bulk storage (probably for games I don’t play much)
  • Three liveUSB flash drives.
    • memtest86+ on the tiniest flash I’ve ever seen
    • EndeavourOS installer ISO burned to a 16 GB drive (forget which burn utility I used, tried a bunch, trying again after this with Etcher)
    • Ventoy on a 256 GB flash drive.

Here is what I would do:

Copy EnOS ISO to ventoy.

In firmware settings > Secure Boot: disabled, CSM/Legacy boot mode: disabled

Boot up Ventoy; Boot up EnOS’ ISO in Grub2 mode.

Once in the live session, use the partition manager and create a new partition table GPT on the target disk.

Warning: creating a new partition table will wipe out the data on the target disk. Make sure you pick the right disk, and if you have any data on it, back it up first.

Launch the installer and install the system on the target disk. Go with “erase the disk …” (or similar) option. Choose the filesystem. Go with systemd-boot (default) if that is what you want and so on …

That’s what I’d usually do too.
But the weird thing is, when I have my motherboard configured to disable CSM, it just doesn’t see any GPT partitions. No matter what disk burn utility I use, I can’t get it to boot anything but MBR stuff.

With this configuration, that is CSM/Legacy and secure boot disabled, could you boot up your EnOS’ iso and post the output of the following commands:

efibootmgr 
test -d /sys/firmware/efi && echo UEFI || echo BIOS

?

That’s my issue. I can’t get any OS to boot at all when I have CSM/Legacy disabled, seemingly no matter what app I use to burn the flash drive. Even if I make sure it’s configured to have the drive use a GPT partition table.

This is certainly a bit of an odd issue.

I’m afraid I have no more ideas at this point.

Hopefully other forum members will have some to help you out.

Otherwise there is nothing wrong with the setup you already have.

You also need to set “Launch Storage OpROM Policy” and/or “Launch PXE OpROM Policy” to “UEFI only”, as described in the Motherboard User Manual page 83.

I don’t see how.

When I have CSM disabled, those two options are hidden.
But I do have them both set to UEFI Only when they are visible.