Dual-boot with Win11 and Manjaro Gnome without secure boot - Why does this work and is it risky?

[I hope this is the proper category for my question, but the others did not seem more fitting.]

Hello Forum,

my new laptop got shipped recently and for the first time in years I decided to install a dual-boot system, consisting of Win11 and Manjaro Gnome. I used to use dual-boot setups a lot in the past, but back then I combined Ubuntu and Win7.

As I was used to doing it, I installed Win11 first and then tried to install Manjaro. When I inserted the live USB stick I received the following warning: “EFI USB Device has been blocked by the current security policy.” I assumed this referred to the Secure Boot that was enabled and googled that issue. As I understood it, Win11 (in contrast to prior versions) requires Secure Boot. Afterwards I googled the installation of Linux using Secure Boot and found all kinds of rather complex solutions that sort of intimidated me.

So I tried the “straightforward way” and simply disabled Secure Boot and tried to insert the USB stick again - and it worked! No warning anymore, the installation worked smoothly and now - with Secure Boot disabled - I can use both OSs in a dual-boot setup (Win11 also works fine).

Can anyone explain this to me? Was I mistaken to think that Win11 requires Secure Boot? Is the solution I have chosen now “risky” in any way (meaning, does disabling Secure Boot pose some kind of problem)?

Thanks in advance for your help!

It depends on whether you have shared the /boot/efi partition. If you have, then one day when Microsoft updates it may stop you booting Manjaro.

It is possible to run a system with Manjaro using Secure Boot to exclude Microsoft Windows.

Microsoft Windows itself does not require Secure Boot to be enabled, but you may need to if you decide to use Microsoft BitLocker to protect the operating system and sensitive data.

When a vendor - in agreement with Microsoft - is allowed to distribute Microsoft Windows preinstalled, the vendor is required to enable the firmware’s Secure Boot.

No - it is not risky - although the chosen name may imply that it is.

It is security related and should be seen more as a verification tool which allows the system firmware to know if the operating system loader is trusted.


Thanks for the swift answers!

And how could Microsoft do that? By a simple Windows-Update?

Sometimes yes. It can overwrite the boot menu or the default entry. A UEFI update will also do this. Just have the Manjaro install media and the article at hand so that you can recover if that happens.

While that happens very rarely, and there are some ways to protect yourself and make it less probable, like making a separate ESP, there is NO absolute guarantee, so better learn to recover instead of trying fancy ways to avoid it.

Just squeezing between these two quotes;

There is absolutely no need for any OS to require Secure Boot.

Someone might like to expand on this comment, if he happens to be online anytime soon. @Aragorn :wink:

I’ll drop this here for consideration.

The easiest way to avoid many issues when multibooting is to install each OS on its own separate disk (with its own ESP). Doing so maintains a certain separation of concerns; isolation of one OS’s boot environment from another.

However, using multiple disks isn’t always possible if, for example, you’re using a laptop, or otherwise have only one disk available. In that instance, some people create a second ESP on the disk (as @Teo previously mentioned), however, this is not ideal.

The ESP created by Windows is 100 MiB which is too small for sharing between two (or more) operating systems; depending upon the distribution(s) concerned. However, there is a workaround for that which negates the need to take measures such as creating a second ESP.

Assuming the ESP is large enough (fit for purpose), sharing the ESP between Linux and Windows should cause no dilemmas. I have seen complaints (and no doubt you will see them too) that Windows has wiped this or that partition… I have no doubt that’s true; however, in the cases I’ve seen, the cause is usually attributed to lack of attention by the user.

Windows won’t overwrite your ESP as many people seem to believe. That’s not how a UEFI system works; only OS-specific folders (on the ESP) are ever replaced; $esp/EFI/Microsoft in the case of Windows.

Still, for the ultra-paranoid; it takes very little effort to take a backup of the ESP (or just its contents) for peace of mind. Whether that be cloning the partition, or simply zipping the $esp/EFI folder itself.

Interesting to note is that the UEFI firmware (in your BIOS) holds UEFI boot entries (as determined by available UEFI boot loaders on the ESP). These entries can be overwritten by another OS in some circumstances.

The common misconception here is that the ESP folders are overwritten - they are not - instead, it’s the entries in the UEFI firmware that need to be reset on occasion. I hope this ramble provides some clarification.

Cheers. :wink:

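The two points above (a Windows or firmware update can re-order the UEFI boot entries, and the fix is to reset them rather than to worry about the ESP folders) can be turned into a small check. This is an added example, not code from the thread or from Manjaro: it parses `efibootmgr`-style output, reports which entry the firmware tries first, and builds the argument for `efibootmgr -o` that puts the Manjaro loader back in front. The sample output, the entry labels and the loader paths are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: inspect efibootmgr-style output and work
# out whether the firmware's BootOrder still puts the Manjaro loader first.
# SAMPLE is constructed to look like `efibootmgr` output after a Windows update
# re-prioritised the Windows Boot Manager; labels and paths are assumptions.
SAMPLE=$(printf 'BootCurrent: 0001\nTimeout: 1 seconds\nBootOrder: 0000,0001,0002\nBoot0000* Windows Boot Manager\tHD(1,GPT)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)\nBoot0001* Manjaro\tHD(1,GPT)/File(\\EFI\\Manjaro\\grubx64.efi)\nBoot0002* UEFI: USB Device\n')

# boot_order OUTPUT: the comma-separated BootOrder list (e.g. 0000,0001,0002)
boot_order() { printf '%s\n' "$1" | sed -n 's/^BootOrder: //p'; }

# entry_label ID OUTPUT: label of entry BootID (text before the tab-separated path)
entry_label() {
  printf '%s\n' "$2" | awk -F'\t' -v id="$1" \
    '$1 ~ ("^Boot" id "[*]? ") { sub(/^Boot[0-9A-Fa-f]+[*]? */, "", $1); print $1 }'
}

# default_boot_label OUTPUT: label of the entry the firmware tries first
default_boot_label() {
  order=$(boot_order "$1")
  entry_label "${order%%,*}" "$1"
}

# manjaro_is_default OUTPUT: succeeds if the first BootOrder entry is Manjaro's
manjaro_is_default() {
  case "$(default_boot_label "$1")" in Manjaro*) return 0 ;; *) return 1 ;; esac
}

# fixed_boot_order OUTPUT: BootOrder with Manjaro's entry moved to the front,
# i.e. the value to hand to `efibootmgr -o` (from the live USB if needed)
fixed_boot_order() {
  mid=$(printf '%s\n' "$1" | awk -F'\t' \
    '$1 ~ /^Boot[0-9A-Fa-f]+[*]? *Manjaro/ { print substr($1, 5, 4); exit }')
  rest=$(boot_order "$1" | tr ',' '\n' | grep -v "^$mid\$" | tr '\n' ',' | sed 's/,$//')
  printf '%s,%s\n' "$mid" "$rest"
}

if manjaro_is_default "$SAMPLE"; then
  echo "OK: Manjaro is the firmware's default boot entry"
else
  echo "Default entry is now '$(default_boot_label "$SAMPLE")'; restore Manjaro with:"
  echo "  sudo efibootmgr -o $(fixed_boot_order "$SAMPLE")"
fi
```

On a real system, replace SAMPLE with `$(efibootmgr)` and keep the ESP backup the post recommends (e.g. an archive of $esp/EFI) before touching the boot entries.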