Secure boot with Windows 11

Hello.

I use an Ubuntu-based distribution as my primary OS, and dual boot it with Windows 11.
I would like to replace it so I dual boot Garuda with Windows 11.
The problem is that Windows requires secure boot (Windows 11 System Requirements). It works well now, but the Garuda wiki says it needs to be disabled.
Is it possible to install Garuda with secure boot enabled or to safely disable secure boot in Windows 11 while keeping it working?
Thanks for the advice.

It may be that you will need to jump through some hoops with this one! If you can identify the file that is the 'shim' in the EFI directory (it must be there if Ubuntu is booting OK) - you will need to make sure you have a separate copy (just in case). Then, AFAIK, you will need to be able to either point grub at it (see the grub.cfg file on your Ubuntu for how it works) OR use rEFInd to boot up on the shim - from which you can then call the Garuda grub for startup duties.

A bit of a dance! However - the presence of a 'secure bootable' Ubuntu does mean there should be a 'signed' shim file present. To make sure, I would suggest posting a listing of your current grub, and an ls of your esp (often /boot/efi/EFI) along with the usual machine info (garuda-inxi I think). I'll follow with interest - as Garuda themselves don't support dual booting Windows (the team isn't big enough!)

4 Likes

If Win 11 is already installed, you can disable it to install Garuda.
If you are starting afresh, install Win 11 first, then Garuda with fastboot and secure boot disabled.

3 Likes

Fortunately, the problem doesn’t affect me and I haven’t looked into Windows 11.
However, reading those articles for the first time :face_vomiting: I see:

While the requirement to upgrade a Windows 10 device to Windows 11 is only that the PC be Secure Boot capable by having UEFI/BIOS enabled, you may also consider enabling or turning Secure Boot on for better security.

So maybe this might not be a problem at all…

2 Likes

Except there is some (relatively rare) hardware that does not permit disabling secure boot in the BIOS.

1 Like

I had this problem long ago on a laptop, and managed to disable secure boot with mokutil.
I still have this in my bookmarks:
https://wiki.debian.org/SecureBoot#Disabling.2Fre-enabling_Secure_Boot
but I remember reading about it also in our forum...

2 Likes
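
The two checks that come up in this thread (is Secure Boot currently on, and which shim files sit on the ESP), as an added example that is not part of any post. It reads the standard `SecureBoot` and `SetupMode` EFI variables through efivarfs; the default paths `/sys/firmware/efi/efivars` and `/boot/efi/EFI` are assumptions, so pass your own if they differ.

```shell
#!/bin/sh
# Added example (not from the thread): report Secure Boot state and list shim files.
# Default paths are assumptions; pass your own as arguments.

EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"  # UEFI global variable GUID

# efivarfs files hold 4 attribute bytes followed by the data; print data byte 0.
efi_var_byte() {
    _f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$_f" ] || return 1
    od -An -tu1 -j4 -N1 "$_f" 2>/dev/null | tr -d ' \n'
}

# Prints: enabled | disabled | setup-mode | unknown
secure_boot_state() {
    _dir="${1:-/sys/firmware/efi/efivars}"
    _sb=$(efi_var_byte "$_dir" SecureBoot) || _sb=""
    _sm=$(efi_var_byte "$_dir" SetupMode) || _sm=""
    case "$_sb" in
        1) echo "enabled" ;;
        0) if [ "$_sm" = "1" ]; then echo "setup-mode"; else echo "disabled"; fi ;;
        *) echo "unknown" ;;   # legacy BIOS boot, or efivarfs not mounted
    esac
}

# List shim binaries under the ESP's EFI directory (FAT is case-insensitive).
find_shims() {
    find "${1:-/boot/efi/EFI}" -type f -iname 'shim*.efi' 2>/dev/null | sort
}

echo "Secure Boot: $(secure_boot_state)"
echo "Shim candidates:"
find_shims
```

`mokutil --sb-state` reports the same enabled/disabled state; listing the ESP usually needs root because the partition is mounted with restrictive permissions.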

Secure boot is not really a requirement for Win11 (just like the other fake requirements). Disable it and forget it.

If Win11 begins crying when an update releases, temporarily enable it, and after the update disable it again.

2 Likes

Thanks for all your answers!
So, as others pointed out, I solved the problem by disabling secure boot. You can do that in UEFI (BIOS) settings. It may cause some problems, such as Windows Hello no longer working (classic sign-in still works), Windows Update not working, and boot may become slower. Full list can be found here: Can You Disable TPM and Secure Boot After Installing Windows 11? What Happens...
After that, Garuda works very well with Windows 11 dual boot.

1 Like

Until it doesn’t. :wink:

Familiarize yourself with how to repair grub (you’ll likely need it before long). :stuck_out_tongue_winking_eye:

4 Likes

No, all wrong. Everything works fine. SB is a joke to frighten users like you into thinking Windows is secure :yawning_face:

1 Like

That's the shit you get a refund for lol