Failing to implement Secure Boot

I followed the guide all the way through and I got an error on boot after I enabled Secure Boot. It reads:

ERROR: Failed to mount '' on real root
you are now being dropped into an emergency shell

Anyone got any ideas what I did wrong? FYI, I have a Lenovo V130-15iKB-81HN running Manjaro 24.2.1 KDE and the Arch 6.13.8 kernel, all updated and installed fresh this afternoon.

UPDATE
I tried it with the stock kernel and got the same error.

UPDATE 2
Some outputs:

sudo sbctl list-bundles
Enrolled bundles:

/boot/efi/main.efi
Signed: ✓ Signed
ESP Location: /boot/efi
Output: └─/main.efi
EFI Stub Image: └─/usr/lib/systemd/boot/efi/linuxx64.efi.stub
Cmdline: ├─/etc/kernel/cmdline
OS Release: ├─/usr/lib/os-release
Kernel Image: ├─/boot/vmlinuz-6.12-x86_64
Initramfs Image: └─/boot/initramfs-6.12-x86_64.img
Intel Microcode: └─/boot/intel-ucode.img

sudo sbctl verify
Verifying file database and EFI images in /boot/efi…
‼ /efi/EFI/boot/bootx64.efi does not exist
✗ /boot/efi/EFI/Manjaro/grubx64.efi is not signed
✗ /boot/efi/EFI/boot/bootx64.efi is not signed
✓ /boot/efi/main.efi is signed
✓ /boot/efi/main.efi.old is signed

The output of sbctl verify is correct, as sbctl by default expects the $esp to be mounted at /efi.

Before writing the guide I tested my implementation many times - I didn’t encounter the issue you describe - my initial testing involved scripting a full installation - and I made many errors while testing before I reached the final script - which by the way is still using my crude workaround because sbctl was still in its early stages.

You cannot use an alien kernel unless you recreate the bundle - because the alien kernel is named differently from the Manjaro stock kernel.

At no point was I using an alien kernel with the bundle. When I switched back to stock I rebuilt the bundle.

I have read that some Lenovo laptops require a special tool to get the NVRAM to take the bundle, but I will say that in that research my laptop model did not come up. I will also state that Secure Boot works OOTB on openSUSE, Fedora, Ubuntu and others, so this seems to me to be distro level.

While we’re making random unrelated statements, I’ll mention that Manjaro does not support Microsoft’s implementation of Secure Boot; not by default; not OOTB.

That some other distributions support Secure Boot, is irrelevant.

That is all.


My apologies - the following sentence from your OP led to the comment on alien kernel naming:

Manjaro Linux does not support Secure Boot OOB and it likely never will.

[INFO] What is it with Secure Boot, why is it not supported OOB?

I have made a lot of effort - perhaps not enough - to make sure the reader understands that Manjaro Linux as a distribution - does not support Secure Boot and any implementation thereof is done by a system administrator.

No, it is not a distro level issue.

What I have provided is a proof-of-concept - a Secure Boot setup using Manjaro Linux - it is not to be regarded as an assurance that it will work on every system it may be applied to.

No special tool is required - that is - to my limited knowledge no tools are required - only that you reset Secure Boot to setup mode.

Only then are you able to enroll the key used to sign the bundle into Secure Boot together with the Microsoft keys - if you are using dual-boot - and this enrolling action will set Secure Boot back to enabled.

It is important you remember to create the entry in the firmware pointing to your new main.efi - you did that - right?

If you forget one step - then it won’t work - so I suggest you back trace your steps - to locate where you deviated - but if you didn’t deviate - I have no idea what may cause it.

I have implemented secure boot on three completely different devices - no problems…

  • a ThinkPad x13 AMD
  • a Tuxedo InfinityBook Pro 14 gen.8
  • a Clevo n141

The Clevo was the PoC for implementing Secure Boot in a dual-boot scenario…


Yep, I did all of that. I like how everyone is assuming, after I supplied sbctl verify and sbctl list-bundles, that I missed a step. If I had missed a step, I would have either noticed the error in the supplied info OR I would have got the UEFI boot select screen; instead I got a bootloader/kernel panic. This means that I got to the point where the bootloader started AND TRIED to load the kernel but couldn’t, most likely because it couldn’t mount the root filesystem.
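A pre-flight check in the spirit of the "back trace your steps" advice above, added here as an example and not part of the thread or the guide. It assumes the bundle takes its command line from /etc/kernel/cmdline (as the sbctl list-bundles output shows) and that the empty quotes in "Failed to mount '' on real root" mean the initramfs received no usable root= parameter; the sample verify output is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the guide. Pre-flight checks to run
# before enabling Secure Boot on an sbctl UKI setup. Assumes the bundle takes
# its command line from /etc/kernel/cmdline (as `sbctl list-bundles` showed)
# and that the empty quotes in "Failed to mount '' on real root" mean the
# initramfs received no usable root= parameter.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Return 0 if the kernel command line carries a non-empty root= parameter.
cmdline_has_root() {
    for param in $1; do
        case "$param" in root=?*) return 0 ;; esac
    done
    return 1
}

# Print every path that `sbctl verify` output reports as "is not signed".
# An unsigned file only matters if a firmware boot entry still points at it.
unsigned_in_verify() {
    printf '%s\n' "$1" | sed -n 's|^[^/]*\(/[^ ]*\) is not signed$|\1|p'
}

# Read the one data byte of a global EFI variable (SetupMode, SecureBoot);
# efivarfs prefixes the data with 4 attribute bytes. Prints nothing if absent.
efivar_byte() {
    f="/sys/firmware/efi/efivars/$1-$EFI_GLOBAL_GUID"
    [ -r "$f" ] && od -An -tu1 -j4 -N1 "$f" | tr -d ' '
}

preflight() {
    cmdline_file="${1:-/etc/kernel/cmdline}"
    rc=0
    if cmdline_has_root "$(cat "$cmdline_file" 2>/dev/null)"; then
        echo "ok: $cmdline_file names a root device"
    else
        echo "FAIL: no root= in $cmdline_file; the UKI would drop to the emergency shell"
        rc=1
    fi
    # SetupMode=1: keys can be enrolled; SecureBoot=1: the firmware enforces signatures.
    echo "SetupMode=$(efivar_byte SetupMode) SecureBoot=$(efivar_byte SecureBoot)"
    if command -v sbctl >/dev/null 2>&1; then
        unsigned_in_verify "$(sbctl verify 2>&1)" | sed 's/^/unsigned: /'
    fi
    return $rc
}

# Constructed sample modelled on the verify output quoted in the thread.
SAMPLE_VERIFY='Verifying file database and EFI images in /boot/efi...
✗ /boot/efi/EFI/Manjaro/grubx64.efi is not signed
✗ /boot/efi/EFI/boot/bootx64.efi is not signed
✓ /boot/efi/main.efi is signed'
```

Source the file as root and call `preflight` (optionally with another cmdline path) before rebooting with Secure Boot enabled; a FAIL line means the bundle would hit the same emergency shell regardless of signing.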


Mod edit: removed off-topic rant.