Unable to find files for secure boot

Sorry, I don’t know if this is the best place to post this, but whatever.

My friend wanted me to download Valorant so I could play it with him, but when I launched the game, it told me that secure boot had to be enabled. I did some research and found out that EndeavourOS didn’t have secure boot out of the box, but it could be enabled like any other Arch system. I managed to get secure boot working for Windows so I could play the game, but I can’t use my Linux system right now because I don’t have secure boot set up on it. I found a Youtube tutorial to set it up(here), and I need to sign three files with sbctl: BOOTX64.EFI(located in /boot/EFI/BOOT/ in the video), grubx64.efi(located in /boot/EFI/grub/ in the video), and the kernel, vmlinuz-linux(located in /boot/ in the video). I tried to sign these using the command, but they don’t exist in those directories, so I wanted to ask:
Where are these files located in EndeavourOS? I’m assuming the reason they don’t exist in those directories is because EndeavourOS uses a different partitioning and boot directory layout than the person in the video, so does anybody know which directories these files are in on EndeavourOS?

Any process that requires you to manually sign the kernel is not going to work because the kernel is replaced during an update.

If you want secure boot, you really need some automation in place so everything can be signed automatically.

I also give you my standard warning which is that 99% of Linux video tutorials are either flawed, too highly opinionated or just plain incorrect. Videos are not the best place to get information like that.

1 Like

Okay then, so where can I get information on how to do this? The video said that it should automatically resign the kernel whenever there is an update, but I don’t know if that’s true. I tried reading the Arch Wiki page about secure boot but I have no idea what it’s talking about as I have little understanding of how secure boot actually works.

Disclaimer: I didn’t watch that particular video. That was commentary on the many videos I have watched.

There probably isn’t going to be an easy follow, step by step solution. This is because there is no one single way that Arch booting is configured. It is left to the user to pick a path. The easiest solution would probably be to remove the EndeavourOS automation and create UKI’s as described below. That isn’t the only solution though. There are several ways to accomplish your goal.


I also just was looking through the Arch Wiki and found out the tool I was using, sbctl, has a way to show me what files need to be signed with sbctl verify, so I might need to go back and use that to figure out where the files are located.


I guess I’ll try that and see if it works, it’s in section 3 of the page.

The files are all under /efi

Ok, thanks.

Alright, I signed the files I needed to sign after like 3 tries, but now when I boot it puts me into grub rescue with error: prohibited by secure boot policy. What should I do?

Ahh…you weren’t using grub, were you? Are you booting the right option?

? What do you mean? I’ve been dual booting and switching back and forth between booting Windows to play the actual game and the EndeavourOS boot entry to use Linux. Booting EndeavourOS with secure boot now results in that error message and a GRUB rescue prompt instead of BIOS error saying that I can’t boot because of secure boot.

And I mean booting into GRUB, not getting the menu and selecting the option.

EndeavourOS can use either grub or systemd-boot. There is a choice in the installer.

If you were using grub, the files should have been in the same place as the video. If your files were in /efi/ than you are using systemd-boot.

I chose GRUB when installing, and the files were in /efi/, so I have no idea.

Before, I had secure boot disabled, and at the top of the menu it said GNU GRUB, so I should be using GRUB.

Would you say that systemd-boot is better for this kind of stuff?

That is definitely not normal. What does the inside of the EFI partition look like? Can you do a find /efi and share the results?

It is just different.

I also just realized; are you talking about /efi/ from root, or /boot/efi?

Yes, from root.

Okay then, it was just a miscommunication; all of the stuff besides the Linux kernel was in /boot/efi/.