Re-configure garuda-health to recognize secure boot signed kernels as valid

Issues & Assistance Unsupported hardware | Dual boot
1

Background: I enable secure boot for Windows 11 which I dual-boot with Garuda Linux, so I used sbctl to sign the kernel and all other required files using a script named sbctl-batch-sign (from the secure boot article on CachyOS Wiki), and I use rEFInd as my boot loader if that matters. When I run garuda-update in the terminal, at the end of the process, garuda-health reports “Kernels in /boot are invalid (do not match expected files) (fix available)”.

Can I re-configure garuda-health to recognize my signed kernel as valid?

Output of garuda-inixi:

Summary

System:
Kernel:6.18.1-zen1-2-zenarch:x86_64bits:64compiler:gccv:15.2.1
clocksource:tscavail:acpi_pm
parameters:root=UUID=9f9ca6d5-23e0-4c6f-b767-cefe9d263cf0 rw
rootflags=subvol=@
vt.default_red=30,243,166,249,137,245,148,186,88,243,166,249,137,245,148,166
vt.default_grn=30,139,227,226,180,194,226,194,91,139,227,226,180,194,226,173
vt.default_blu=46,168,161,175,250,231,213,222,112,168,161,175,250,231,213,200
quiet loglevel=3 intel_iommu=on iommu=pt
initrd=@\boot\initramfs-linux-zen.img
Desktop:KDE Plasmav:6.5.4tk:Qtv:N/Ainfo:frameworksv:6.21.0
wm:kwin_waylandvt:2dm:SDDMDistro:Garudabase:Arch Linux
Machine:
Type:LaptopSystem:LENOVOproduct:82AUv:Lenovo Legion 5 15IMH05
serial:<superuser required>Chassis: type:10v:Lenovo Legion 5 15IMH05
serial:<superuser required>
Mobo:LENOVOmodel:LNVNB161216v:SDK0R32862 WIN
serial:<superuser required>part-nu:LENOVO_MT_82AU_BU_idea_FM_Legion 5
15IMH05 uuid:<superuser required>Firmware:UEFIvendor:LENOVO
v:EFCN59WWdate:06/09/2023
Battery:
ID-1:BAT0charge:53.8 Wh (95%)condition:56.7/60 Wh (94.4%)volts:15.22
min:15.4model:Celxpert L19C4PC0type:Li-polyserial:<filter>charging:
status:not chargingtype:long_lifeavail:long_life,standardcycles:19
CPU:
Info: model:Intel Core i7-10750Hbits:64type:MT MCParch:Comet Lake
gen:core 10level:v3note:checkbuilt:2020process:Intel 14nmfamily:6
model-id:0xA5 (165)stepping:2microcode:0x100
Topology: cpus:1xdies:1clusters:6cores:6threads:12tpc:2
smt:enabledcache: L1:384 KiBdesc:d-6x32 KiB; i-6x32 KiBL2:1.5 MiB
desc:6x256 KiBL3:12 MiBdesc:1x12 MiB
Speed (MHz): avg:800min/max:800/5000scaling: driver:intel_pstate
governor:powersavecores: 1:8002:8003:8004:8005:8006:8007:800
8:8009:80010:80011:80012:800bogomips:62399
Flags-basic:avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Vulnerabilities:<filter>
Graphics:
Device-1:NVIDIA TU117M [GeForce GTX 1650 Mobile / Max-Q]vendor:Lenovo
driver:nvidiav:580.119.02alternate:nouveau,nvidia_drm
non-free:550-580.xx+status:current (as of 2025-11; EOL~2026-12-xx)
arch:Turingcode:TUxxxprocess:TSMC 12nm FFbuilt:2018-2022pcie:
gen:3speed:8 GT/slanes:16ports: active:eDP-1empty:DP-1,HDMI-A-1
bus-ID:01:00.0chip-ID:10de:1f99class-ID:0300
Device-2:EMEET HD Webcam C960driver:snd-usb-audio,uvcvideotype:USB
rev:2.0speed:480 Mb/slanes:1mode:2.0bus-ID:1-4:4chip-ID:328f:006d
class-ID:0102serial:<filter>
Device-3:Bison Integrated Cameradriver:uvcvideotype:USBrev:2.0
speed:480 Mb/slanes:1mode:2.0bus-ID:1-6:6chip-ID:5986:2137
class-ID:0e02
Display:waylandserver:``X.org``v:1.21.1.21with:Xwaylandv:24.1.9
compositor:kwin_waylanddriver: gpu:nv_platform,nvidia,nvidia-nvswitch
display-ID:0
Monitor-1:eDP-1model:BOE Display 0x0900built:2019res:
mode:1920x1080hz:60scale:100% (1)dpi:142gamma:1.2
size:344x194mm (13.54x7.64")diag:395mm (15.5")ratio:16:9
modes:1920x1080
API:EGLv:1.5hw: drv:nvidiaplatforms: device:0drv:nvidiadevice:2
drv:swrastgbm: drv:nvidiasurfaceless: drv:nvidiawayland: drv:nvidia
x11: drv:nvidiainactive:device-1
API:OpenGLv:4.6.0compat-v:4.5vendor:nvidia mesav:580.119.02
glx-v:1.4direct-render:yesrenderer:NVIDIA GeForce GTX 1650/PCIe/SSE2
memory:3.91 GiBdisplay-ID::0.0
API:Vulkanv:1.4.335layers:8device:0type:discrete-gpu
name:NVIDIA GeForce GTX 1650driver:nvidiav:580.119.02
device-ID:10de:1f99surfaces:N/Adevice:1type:cpuname:llvmpipe
(LLVM 21.1.6 256 bits) driver:mesa llvmpipev:25.3.1-arch1.2 (LLVM
21.1.6) device-ID:10005:0000surfaces:N/A
Info: Tools: api:clinfo, eglinfo, glxinfo, vulkaninfo
de:kscreen-console,kscreen-doctorgpu:nvidia-smiwl:wayland-info
x11:xdpyinfo, xprop, xrandr
Audio:
Device-1:Intel Comet Lake PCH cAVSvendor:Lenovodriver:snd_hda_intel
v:kernelalternate:snd_soc_avs,snd_sof_pci_intel_cnlbus-ID:00:1f.3
chip-ID:8086:06c8class-ID:0403
Device-2:NVIDIAvendor:Lenovodriver:snd_hda_intelv:kernelpcie:
gen:3speed:8 GT/slanes:16bus-ID:01:00.1chip-ID:10de:10fa
class-ID:0403
Device-3:EMEET HD Webcam C960driver:snd-usb-audio,uvcvideotype:USB
rev:2.0speed:480 Mb/slanes:1mode:2.0bus-ID:1-4:4chip-ID:328f:006d
class-ID:0102serial:<filter>
API:ALSAv:k6.18.1-zen1-2-zenstatus:kernel-apitools:N/A
Server-1:PipeWirev:1.4.9status:activewith: 1:pipewire-pulse
status:active2:wireplumberstatus:active3:pipewire-alsatype:plugin
4:pw-jacktype:plugintools:pactl,pw-cat,pw-cli,wpctl
Network:
Device-1:Intel Comet Lake PCH CNVi WiFidriver:iwlwifiv:kernel
bus-ID:00:14.3chip-ID:8086:06f0class-ID:0280
IF:wlp0s20f3state:upmac:<filter>
Device-2:Realtek RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet
vendor:Lenovodriver:r8169v:kernelpcie: gen:1speed:2.5 GT/slanes:1
port:3000bus-ID:07:00.0chip-ID:10ec:8168class-ID:0200
IF:enp7s0state:downmac:<filter>
Device-3:Realtek 802.11ax WLAN Adapterdriver:N/Atype:USBrev:2.0
speed:480 Mb/slanes:1mode:2.0bus-ID:1-1.2:5chip-ID:0bda:b832
class-ID:0000serial:<filter>
IF-ID-1:virbr0state:downmac:<filter>
Info: services:NetworkManager, smbd, systemd-timesyncd, wpa_supplicant
Bluetooth:
Device-1:Intel AX201 Bluetoothdriver:btusbv:0.8type:USBrev:2.0
speed:12 Mb/slanes:1mode:1.1bus-ID:1-14:9chip-ID:8087:0026
class-ID:e001
Report:btmgmtID:hci0rfk-id:2state:upaddress:<filter>bt-v:5.2
lmp-v:11status: discoverable:nopairing:noclass-ID:6c010c
Drives:
Local Storage: total:2.4 TiBused:152.72 GiB (6.2%)
SMART Message:Unable to run smartctl. Root privileges required.
ID-1:/dev/nvme0n1maj-min:259:0vendor:SK Hynix
model:HFM512GDHTNI-87A0Bsize:476.94 GiBblock-size: physical:512 B
logical:512 Bspeed:31.6 Gb/slanes:4tech:SSDserial:<filter>
fw-rev:11020C00temp:34.9 Cscheme:GPT
ID-2:/dev/sdamaj-min:8:0vendor:Western Digital
model:WD20SDZW-11JJ8S0size:1.82 TiBblock-size: physical:512 B
logical:512 Btype:USBrev:3.1spd:5 Gb/slanes:1mode:3.2 gen-1x1
tech:HDDrpm:5400serial:<filter>fw-rev:1026scheme:MBR
ID-3:/dev/sdbmaj-min:8:16vendor:Samsungmodel:Flash Drive FIT
size:119.51 GiBblock-size: physical:512 Blogical:512 Btype:USB
rev:3.1spd:5 Gb/slanes:1mode:3.2 gen-1x1tech:SSDserial:<filter>
fw-rev:1100scheme:MBR
SMART Message:Unknown USB bridge. Flash drive/Unsupported enclosure?
Partition:
ID-1:/raw-size:137.47 GiBsize:137.47 GiB (100.00%)
used:23.73 GiB (17.3%)fs:btrfsdev:/dev/nvme0n1p5maj-min:259:5
ID-2:/boot/efiraw-size:2 GiBsize:2 GiB (99.80%)used:36.6 MiB (1.8%)
fs:vfatdev:/dev/nvme0n1p1maj-min:259:1
ID-3:/homeraw-size:100 GiBsize:100 GiB (100.00%)
used:80.55 GiB (80.6%)fs:btrfsdev:/dev/nvme0n1p6maj-min:259:6
ID-4:/var/lograw-size:137.47 GiBsize:137.47 GiB (100.00%)
used:23.73 GiB (17.3%)fs:btrfsdev:/dev/nvme0n1p5maj-min:259:5
ID-5:/var/tmpraw-size:137.47 GiBsize:137.47 GiB (100.00%)
used:23.73 GiB (17.3%)fs:btrfsdev:/dev/nvme0n1p5maj-min:259:5
Swap:
Kernel: swappiness:133 (default 60)cache-pressure:100 (default)zswap:no
ID-1:swap-1type:zramsize:31.24 GiBused:0 KiB (0.0%)priority:100
comp:zstdavail:lzo-rle,lzo,lz4,lz4hc,deflate,842dev:/dev/zram0
Sensors:
System Temperatures: cpu:40.0 Cpch:44.0 Cmobo:N/A
Fan Speeds (rpm):N/A
Info:
Memory: total:32 GiBavailable:31.25 GiBused:3.61 GiB (11.6%)
Processes:382Power: uptime:28mstates:freeze,mem,disksuspend:deep
avail:s2idlewakeups:0hibernate:platformavail:shutdown, reboot,
suspend, test_resume image:12.45 GiBservices:org_kde_powerdevil,
power-profiles-daemon, upowerd Init:systemdv:258default:graphical
tool:systemctl
Packages:1667pm:pacmanpkgs:1660libs:400tools:octopi,pamac,paru
pm:flatpakpkgs:7Compilers: clang:21.1.6gcc:15.2.1Shell:Bash
v:5.3.9default:fishv:4.2.1running-in:konsoleinxi:3.3.40
Garuda (2.11.1-1):
System install date: 2025-11-30
Garuda release: 251002
Last full system update:2025-12-18
Is partially upgraded: No
Relevant software: snapper NetworkManager dracut nvidia-utils nvidia-open-dkms garuda
-hardware-profile-nvidia garuda-hardware-profile-standard garuda-hardware-profile-standard-x1
1
Windows dual boot: Probably (Run as root to verify)
Failed units:
--- System Health Check Report ---
25/26 checks run in 0.88 seconds ⌛
Powered by garuda-health 🦅e

--- CRITICAL ---
- Kernels in /boot are invalid (do not match expected files) (fix available)

--- LOW ---
- "Garuda" is not the current bootloader: https://wiki.garudalinux.org/why-garuda-bootloader` Run garuda-health --fix to apply fixes. `

Thank you all in advance for any help provided,

Ernie

2
  • Format terminal output (including your garuda-inxi) as a code block by clicking the preformatted text button (</>) , or put three tildes (~) above and below the text
4 Likes
3

This method is outdated and is not supported by Garuda Linux. Remove sbctl and all leftovers and follow these instructions:

The Garuda Linux Wiki only mentions grub for secure boot support, and garuda-secureboot has grub as a dependency. Therefore, I assume that it only works with grub and not with refind.

6 Likes
4

I selected the garuda-inxi output in my post and clicked the “Preformatted Text” button, but for some reason it didn’t work. I’ll try to be more careful going forward.

Ernie

5

Change to mark down,press

image
image490×246 23 KB

3 Likes
6

@nepti, thank you for your response. I followed both your suggestions, and the steps from the item you linked. Everything appears to be working as expected following the execution of the garuda-update command!

Ernie

7

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.