Hello. Recently I was doing some research on the topic of Secure Boot and how I could run non-Secure-Boot-signed ISOs/OSes off my USBs. I found a way to run them by using the Linux Foundation EFI binaries called PreLoader and HashTool. I have verified that this allows Garuda Linux to boot with Secure Boot enabled.
There are various reasons why people need Secure Boot on:
- Preventing attacks via booting unverified systems… (which is exactly what we’re doing here so ignore that one)
- They can’t turn it off (BIOS Lock, No Option to Turn Off, etc.)
- Dual-booting other OSes such as Windows 11 that require Secure Boot.
PreLoader was designed to combat this issue and to run any unsigned EFI binary in a Secure Boot environment.
This project was very popular 10 or so years ago but has mainly been swept under the rug, making appearances only in the efitools package and on the Arch Wiki Secure Boot page.
PreLoader is the solution to booting Garuda and other OSes with Secure Boot on.
Here’s a step by step on how to do so:
- Plug in your USB/HDD/SSD with your OS/ISO/etc. installed on it.
- Make a dir to mount the EFI partition at. Ex. sudo mkdir /mnt/efiboot
- Mount the EFI partition to that dir. Ex. sudo mount /dev/sdX /mnt/efiboot (where sdX is the name of your EFI boot partition, which can be found on Garuda with KDE Partition Manager, GParted, Disks, etc.)
- Download the .efi files and copy them to the boot folder. Ex. sudo cp /FILES/efipreloaderstuff/* /mnt/efiboot/EFI/boot/
  Link: Linux Foundation Secure Boot System Released | James Bottomley's random Pages
- Rename the existing boot file in /EFI/boot on the mounted drive to loader.efi with the mv command. Ex. sudo mv bootx64.efi loader.efi (run inside /mnt/efiboot/EFI/boot)
- Rename PreLoader.efi to bootx64.efi. Ex. sudo mv PreLoader.efi bootx64.efi
That way the firmware boots bootx64.efi (now PreLoader), which checks loader.efi against the list of hashes enrolled with HashTool and boots it. The first time, a prompt comes up because the hash is not yet enrolled; you select HashTool.efi and enroll the hash of loader.efi so PreLoader accepts it from then on.
This works better and is easier than manually shimming the EFI binaries and signing them, which can cause damage to the hardware.
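The same rename-and-copy steps as a single shell function, added here as an example that is not part of the original post. It assumes PreLoader.efi and HashTool.efi (the file names used in the Linux Foundation release) have already been downloaded into a source directory and that the EFI partition is already mounted; the /FILES/efipreloaderstuff and /mnt/efiboot paths are the placeholders from the post. The function refuses to run a second time (if loader.efi already exists, bootx64.efi is almost certainly PreLoader already, and renaming it again would put PreLoader in front of itself and break the boot chain). Keep in mind that HashTool enrolls the hash of one exact binary: whenever loader.efi is replaced by a bootloader update, the prompt returns and the new hash has to be enrolled again.

```shell
#!/bin/sh
# Added example (not from the post): place PreLoader in front of an
# existing bootx64.efi. Paths are placeholders; run the real commands
# as root with your own ESP mounted.
set -eu

# install_preloader SRC_DIR ESP_DIR
#   SRC_DIR holds PreLoader.efi and HashTool.efi (assumed already downloaded)
#   ESP_DIR is the mount point of the EFI System Partition
install_preloader() {
    src="$1"
    bootdir="$2/EFI/boot"

    # Both Linux Foundation binaries must be present before touching the ESP.
    for f in PreLoader.efi HashTool.efi; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    [ -f "$bootdir/bootx64.efi" ] || { echo "no bootx64.efi in $bootdir" >&2; return 1; }

    # Refuse to run twice: a present loader.efi means bootx64.efi is already
    # PreLoader, and renaming it would chain PreLoader to itself.
    if [ -e "$bootdir/loader.efi" ]; then
        echo "loader.efi already present in $bootdir; refusing to overwrite" >&2
        return 1
    fi

    # Step 1: the original bootloader becomes loader.efi (what PreLoader checks).
    mv "$bootdir/bootx64.efi" "$bootdir/loader.efi"
    # Step 2: HashTool must sit next to PreLoader so the enrol prompt can find it.
    cp "$src/HashTool.efi" "$bootdir/HashTool.efi"
    # Step 3: PreLoader takes the default boot path name.
    cp "$src/PreLoader.efi" "$bootdir/bootx64.efi"
    echo "installed: bootx64.efi (PreLoader) -> loader.efi (original bootloader)"
}

# Typical invocation on a real system (commented out; needs root and the
# right device node for your ESP, sdX as in the post):
#   sudo mkdir -p /mnt/efiboot
#   sudo mount /dev/sdX /mnt/efiboot
#   install_preloader /FILES/efipreloaderstuff /mnt/efiboot
#   sudo umount /mnt/efiboot
```

On the next boot PreLoader will not find a hash for loader.efi and will launch HashTool; enrolling the hash there is the one manual step the script cannot do for you.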
I suggest this be a solution for any future person looking to boot with Secure Boot on, instead of “Just disable Secure Boot, dude”.
I think this should also be included as an option in future .iso distributions to allow for Secure Boot from the start.
Thank you for reading; if you would like to comment or add a tl;dr, go ahead in the comments. I hope this can help people like me who just want to leave Secure Boot on, or have no option to turn it off, for the tasks they want to accomplish.
Feel free to quote me if anyone comes to the Garuda forums in the future to ask how to do this, and feel free to correct me!