I'm talking with Windows 11.
I read in the Arch that you can do this, but it seems complicated, and also risky; I read that your hardware can brick.
If not, what is the reason? I see that some Linux distros have Secure Boot, but it seems that Arch-based distros don't have it.
Thanks.
Your understanding is correct. It is possible with Arch Linux, but you need to set it up yourself and it is a little complicated.
Other distros provide signed bootloaders and kernel modules, specifically for enabling secure boot out of the box with no configuration required. Arch Linux does not provide these resources at this time.
Setting up your own secure boot configuration is somewhat in keeping with the DIY ethos of Arch Linux. If you want a distro you can install alongside Windows 11 that will enable secure boot with no configuration required, choose Fedora or Ubuntu.
Ok, thanks.
It seems weird to me that Arch-based distros don't incorporate this, because the idea of a based distro is to provide a solution for a complete install with colors and rainbows (I don't speak English, and I lack the words).
I’m used to installing Arch-based distros, I like Arch… but if this is too complicated, sadly, I think I would end up with Ubuntu…
Thanks.
This is not the idea with Arch Linux. When you install Arch, you get almost nothing. Not even a bootloader is configured by default. You must decide how you would like the system configured and build it yourself.
Garuda Linux is not Arch, of course. This distro ships with many configuration decisions already made for the user, so installation is much easier and complete (“with colors and rainbows”, so to say). Even so, it is unlikely Garuda will ever configure secure boot during the installation unless upstream Arch starts providing secure boot support without the need to enroll your own keys.
Yes, if you want secure boot to be set up with no effort on your part then Ubuntu is a good choice. Or like I mentioned, Fedora does this by default as well. Enjoy!
I run Garuda with secure boot enabled on all three of my PCs, and while it’s not for the faint of heart, it’s not all that hard/complicated to accomplish. Before I moved to Garuda, I used a few other Arch-based distributions, RebornOS, and CachyOS. In the CachyOS Wiki, I found an item about setting up secure boot, which can easily be adapted for any Arch-based distribution. The item’s a step-by-step guide to obtaining and installing sbctl (the utility that does all the magic) in a terminal window, and creating a script (`sbctl-batch-sign`) to set up signing all the required files following a kernel update, by adding a build hook to do that for me.
There are two things I had to do to make everything work for Garuda:
First, in the Pre-Setup - Grub Boot Manager section, I edited the command to enable secure boot setup using CA keys as follows:
```
sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=garudaos --modules="tpm" --disable-shim-lock
```
I changed the `--bootloader-id=cachyos` to `--bootloader-id=garudaos`.
Second, I used nano, which must be installed using `sudo pacman -S nano`, to create the `sbctl-batch-sign` script with `sudo nano /usr/bin/sbctl-batch-sign`, then copying/pasting the script’s content below:
```
#!/bin/bash
# sbctl-batch-sign is a helper script designed to make it easier for users to sign files needed for secure boot support.
# The obvious case in which this script helps a lot is when dual booting Windows as there are a lot of files by Windows that
# needs to be signed in EFI.

if [ "$(id -u)" -ne 0 ]; then
    echo "Error: This script must be run with root privileges."
    exit 1
fi

if [ "$#" -eq 0 ]; then
    for entries in $(sort -u -i <(sbctl verify | grep 'signed' | cut -d' ' -f2) -i <(find /boot -maxdepth 1 -type f | grep vmlinuz)); do
        sbctl sign -s "$entries"
    done
fi
```
Then I saved my edit by pressing the Ctrl+X, y, Enter keys, in that order.
With these two modifications, you can easily follow the steps in the CachyOS Wiki item, Secure Boot Setup.
I hope this helps,
Ernie
The bootloader id should be `garuda`, not `garudaos`.
Such a script is not really needed since it only needs to be run once and it can be replaced with just 2 commands:
```
sbctl verify | sed 's/^✗ \(.*\) is not signed$/sbctl sign -s \1/e'
find /boot/vmlinuz-* | xargs -n1 sbctl sign -s
```
Here is a short guide for Garuda Linux: Secureboot - #3 by stefanwimmer128
Here is a longer write up: Secure Boot Guide
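
To preview which files the signing commands discussed in this thread would touch, the sketch below parses `sbctl verify` output and prints a dry-run plan. It is an added example, not code from any poster or from the CachyOS or Garuda guides; the function names, the `DRY_RUN` variable and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run planner for sbctl signing.

# Constructed sample of `sbctl verify` output; paths are illustrative only.
sample_verify_output() {
cat <<'EOF'
Verifying file database and EFI images in /boot/efi...
✓ /boot/efi/EFI/garuda/grubx64.efi is signed
✗ /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi is not signed
✗ /boot/efi/EFI/Vendor Tools/diag app.efi is not signed
✗ /boot/vmlinuz-linux-zen is not signed
EOF
}

# Read verify output on stdin and print one unsigned path per line.
# Only "is not signed" lines match, so already-signed files are skipped,
# and the whole path is captured, spaces included.
unsigned_paths() {
    sed -n 's|^[^/]*\(/.*\) is not signed$|\1|p'
}

# Print the kernel images (vmlinuz-*) found directly inside directory $1.
kernel_images() {
    for k in "$1"/vmlinuz-*; do
        if [ -f "$k" ]; then printf '%s\n' "$k"; fi
    done
}

# Sign each path read from stdin. DRY_RUN defaults to 1, which only prints
# the command; set DRY_RUN=0 and run as root to call sbctl for real.
sign_paths() {
    while IFS= read -r path; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'would run: sbctl sign -s %s\n' "$path"
        else
            sbctl sign -s "$path"
        fi
    done
}

# Demo on the constructed sample. On a real system, replace the first
# command with `sbctl verify` and add `kernel_images /boot` to the group.
{ sample_verify_output | unsigned_paths; } | sort -u | sign_paths
```

Reviewing the dry-run list before signing shows exactly which Windows and vendor EFI binaries would end up trusted by your own keys.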