Enable secure boot for existing Manjaro - using repo only

In the same boat: company policy is to have Secure Boot, and I must have Windows installed for some third-party compliance VPN/proprietary software (not really concerned about games like this angry Aragorn person ranted). They don’t mind if I dual boot into another OS for my private stuff as long as I keep Secure Boot enabled to comply with client contracts.

So I just ignored them (because no sysadmin is going to come to my computer and check whether I have it enabled, so whatever), but now they will install some micro$oft Intune that is going to re-enable Secure Boot on demand by a sysadmin, which is the end of Manjaro for me.

The post from linux-aarhus mentions a guide on how to enable Secure Boot for a brand new ISO install, which is not applicable for those of us who already have Manjaro installed.

However, I have found this promising guide that uses “shim” to sign the keys for Secure Boot, but I am afraid to bork something up because it mentions enabling AUR in order to get shim-signed, and across this forum people always advise against third-party packages, or at least recommend Flatpak only.

Could someone more tech savvy advise me whether disabling/uninstalling shim-signed after this process is safe? Or whether there is an alternative way to use it without AUR?

I never used shim - so I don’t know

You can enable secure boot without using AUR

See → [root tip] [How To] Manjaro and Windows - using Secure Boot and repo only

More information

See → Unified Extensible Firmware Interface/Secure Boot - ArchWiki
See → Unified kernel image - ArchWiki
See → GitHub - Foxboron/sbctl: 💻 🔑 Secure Boot key manager
See → Multiple UKIs with mkinitcpio? - #5 by linux-aarhus

Setting up with sbctl is very easy; the only drawback is that the kernels have to be saved on the ESP, which is FAT32 and often not big enough. But if it has about 50-100 MB free it should be possible without resizing, esp. if you disable the fallback profiles.
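
The ESP space constraint described in the post above, as an added example that is not part of the thread: a POSIX shell preflight that reads the mkinitcpio presets, counts the enabled profiles and estimates how much room the images need, so the effect of dropping `fallback` is visible before anything is moved or signed. The function names are hypothetical, and the estimate assumes one image per enabled profile that holds the kernel plus that profile's initramfs.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the stock mkinitcpio preset
# layout: PRESETS=(...), ALL_kver="...", <profile>_image="...".

# Print the value of KEY=... from a preset file, quotes stripped.
preset_value() {  # preset_value FILE KEY
    sed -n "s/^$2=//p" "$1" | tr -d "\"'" | head -n 1
}

# Print the enabled profiles one per line, e.g. "default" then "fallback".
preset_profiles() {  # preset_profiles FILE
    preset_value "$1" PRESETS | tr -d '()' | tr -s ' ' '\n' | sed '/^$/d'
}

# Size of a file in KiB, rounded up; 0 if the file does not exist.
size_kib() {
    if [ ! -f "$1" ]; then echo 0; return; fi
    bytes=$(wc -c < "$1")
    echo $(( (bytes + 1023) / 1024 ))
}

# KiB one preset needs on the ESP. Estimate (assumption): each enabled
# profile produces one image holding the kernel plus that profile's initramfs.
preset_need_kib() {  # preset_need_kib FILE
    kernel=$(size_kib "$(preset_value "$1" ALL_kver)")
    total=0
    for p in $(preset_profiles "$1"); do
        img=$(size_kib "$(preset_value "$1" "${p}_image")")
        total=$(( total + kernel + img ))
    done
    echo "$total"
}

# Free KiB on the filesystem that holds the given path.
free_kib() { df -Pk "$1" | awk 'NR==2 {print $4}'; }

# Sum every preset in PRESET_DIR and compare with the free space on the ESP.
# Returns 0 when the estimate fits, 1 when it does not.
esp_report() {  # esp_report PRESET_DIR ESP_MOUNTPOINT
    need=0
    for f in "$1"/*.preset; do
        if [ -f "$f" ]; then n=$(preset_need_kib "$f"); need=$(( need + n )); fi
    done
    free=$(free_kib "$2")
    echo "estimated need: ${need} KiB, free on $2: ${free} KiB"
    [ "$need" -le "$free" ]
}
```

On an installed system, source the file and run `esp_report /etc/mkinitcpio.d /efi`, replacing `/efi` (an assumed mount point) with wherever the ESP is mounted.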

@prettynewby

It seems (to me) that an easier solution by far would be to choose another Linux distribution that supports Secure Boot.

You could likely still choose whichever DE you’re accustomed to, and that would also ease your transition.

Regards.

Most people don’t care all that much about secure boot in Linux. Yes, it can have some benefits, but I wouldn’t worry about it a whole lot unless you run your system as root.

I think you missed the point of the OP’s question. :smile_cat:

You are right… Company policy being the keywords.

Sorry.

Red Hat or Ubuntu should solve that. Rocky Linux too.