Enabling Secure Boot with shim-signed but I can't install it

Hi, I am trying to get Secure Boot enabled because I have Windows 11 dual-booted with Manjaro and I have games and apps using Secure Boot.

I found a way using “shim-signed” and “mokutil”, and thanks to another post I understood what I need to do, but I can’t install shim-signed because pacman said `Error: target not found: shim-signed`

I tried to search up alternative ways like git clone but I didn’t find anything workable.

I am in the process of learning how to do it and I can assure you - implementing Secure Boot is not just a piece of cake.

You may find something useful here - you will have to be selective as the topic is around LUKS.

Otherwise read the Wiki on Arch Linux

1 Like

I found a YouTube tutorial that made me understand a bit more how to do it. I am just unable to install shim-signed via pacman :sweat_smile:

So I tried things out following this tutorial, and I saw that the boot folder has a different path, /boot/efi/EFI/boot/, while most of the scripts work with esp/EFI/GRUB/. I didn’t fully understand the difference, but I saw this as a problem most of the time. So when I tried to create new private keys for Secure Boot it came to nothing, because most of the time it was written for Arch and tries to sign a key in /boot/vmlinuz-linux and into esp/EFI/BOOT/grubx64.efi, and even when I changed the path to /boot/efi/EFI/boot/grubx64.efi or Bootx64.efi it failed both times. I also tried to find the vmlinuz-linux file, and I found one in /usr/lib/modules/5.15.25-1-MANJARO/vmlinuz, but not vmlinuz-linux. So I was able to “modify” the loader to try to use the locally created keys, but it cannot find it in the grubx64.efi or bootx64.efi, OR it is written differently than it is used in Arch or Debian, but I don’t think that’s the thing because it is different from the distro.

(I am not an expert, just a random teen who tries to learn things.)
Some extra documents or files I tried to use; maybe someone can find some other solution.
Arch wiki for Shim and Key creating (sbsigntools, shim-signed)

To have a GUI for the EFI folders and for the /boot/ folders I used the package nautilus
(you can open it with sudo or using sudo su)

If someone added more shim entries to efibootmgr, you can delete them by this

For some other info about Managing EFI Boot Loaders; for me it helped in understanding EFI keys

If I find anything else or anything helpful I will inform under this post

Hi guys, I managed to get Secure Boot working in Manjaro, with some help from the Arch Wiki and some archived forum posts.

I don’t have much time to write a full-blown guide on it though, one of the reasons is that English is not my native language, and I am a student, hence it would take a hell of a longer time to write a proper write-up.

Maybe someone can help me with that :))

In a nutshell:

1. Install shim-signed, and copy most of the EFI binaries to the ESP.
2. Generate a MOK key.
3. grub-install with all necessary modules embedded, along with the SBAT, and sign it with the MOK key.
4. Sign the vmlinuz, aka the kernel.
5. Enroll the key into the MOKList with mokutil.
6. Use efibootmgr to create a boot entry for the system to boot with the shim bootloader.
7. Enable Secure Boot.
8. Profit.

Bonus: Using pacman hook and script to automate signing grub and kernel on every update.

Edit: I’ve seen some people who did really good write-ups on how to set up Secure Boot, but I saw it as pretty complicated and time-consuming, which makes most people not want to bother with it.

My aim with this guide is to set up Manjaro to run in Secure Boot as painlessly and quickly as possible. So no fancy LUKS encryption, just a plain normal Manjaro installation with Secure Boot support.

1 Like
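
The steps outlined in the post above, written out as a dry-run shell script. This is an added example, not code from the thread: the paths, bootloader id, module list and disk/partition are assumptions to adjust, and shim-signed is assumed to be installed already.

```sh
#!/bin/sh
# Added example, not from the thread. Prints the commands by default;
# set APPLY=1 (as root) to execute them. Every default below is an assumption.
ESP="${ESP:-/boot/efi}"                         # ESP mount point seen in the thread
BOOT_ID="${BOOT_ID:-Manjaro}"                   # assumed id -> $ESP/EFI/Manjaro
SHIM_DIR="${SHIM_DIR:-/usr/share/shim-signed}"  # assumed shim-signed install dir
SBAT="${SBAT:-/usr/share/grub/sbat.csv}"        # assumed SBAT metadata file
KERNEL="${KERNEL:-/boot/vmlinuz-5.15-x86_64}"   # assumed kernel image path
KEYDIR="${KEYDIR:-/etc/secureboot/mok}"         # hypothetical root-only key dir
DISK="${DISK:-/dev/sda}"; PART="${PART:-1}"     # assumed disk/partition of the ESP
# Modules are embedded so GRUB does not need to load unsigned module files
# from disk. Assumed minimal set; extend it for LVM, btrfs and so on.
MODS="part_gpt part_msdos fat ext2 normal linux search search_fs_uuid configfile echo test all_video gfxterm tpm"

run() {  # print the command, or execute it when APPLY=1
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

secure_boot_steps() {
    d="$ESP/EFI/$BOOT_ID"
    # 1. shim and MokManager sit next to GRUB; shim loads grubx64.efi from its own directory
    run install -Dm644 "$SHIM_DIR/shimx64.efi" "$d/shimx64.efi"
    run install -Dm644 "$SHIM_DIR/mmx64.efi" "$d/mmx64.efi"
    # 2. Machine Owner Key: PEM pair for sbsign, DER copy for mokutil.
    #    The key is unencrypted (-nodes), so KEYDIR is created root-only.
    run install -d -m700 "$KEYDIR"
    run openssl req -newkey rsa:2048 -nodes -new -x509 -sha256 -days 3650 \
        -subj "/CN=Machine Owner Key/" -keyout "$KEYDIR/MOK.key" -out "$KEYDIR/MOK.crt"
    run openssl x509 -outform DER -in "$KEYDIR/MOK.crt" -out "$KEYDIR/MOK.cer"
    # 3. GRUB image with embedded modules and an SBAT section, then sign it
    run grub-install --target=x86_64-efi --efi-directory="$ESP" \
        --bootloader-id="$BOOT_ID" --modules="$MODS" --sbat "$SBAT"
    run sbsign --key "$KEYDIR/MOK.key" --cert "$KEYDIR/MOK.crt" --output "$d/grubx64.efi" "$d/grubx64.efi"
    # 4. sign the kernel in place
    run sbsign --key "$KEYDIR/MOK.key" --cert "$KEYDIR/MOK.crt" --output "$KERNEL" "$KERNEL"
    # 5. queue the key for enrollment; MokManager asks to confirm it on the next boot
    run mokutil --import "$KEYDIR/MOK.cer"
    # 6. firmware boot entry that starts shim instead of GRUB
    run efibootmgr --unicode --disk "$DISK" --part "$PART" --create \
        --label "$BOOT_ID (shim)" --loader "/EFI/$BOOT_ID/shimx64.efi"
    # 7. Secure Boot itself is switched on in the firmware setup afterwards.
}

secure_boot_steps
```

Re-running the two `sbsign` lines after every GRUB or kernel update is what the pacman hook mentioned in the post would automate.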