Hello,
I have a Manjaro + Windows dual boot. I’ve configured everything with sbctl, and while everything seems fine, I’m getting a single quirk from the sbctl status command:
sudo sbctl status ✔
Installed: ✓ sbctl is installed
Owner GUID: 12345678-1234-1234-1234-123456789123
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: microsoft
Firmware: ‼ Your firmware has known quirks
- FQ0001: Defaults to executing on Secure Boot policy violation (CRITICAL)
https://github.com/Foxboron/sbctl/wiki/FQ0001
When I go to that GitHub page, the suggested solution is changing Secure Boot Mode to “Custom” and Secure Boot Preset to “Maximum Security”. I have done this and the quirk is still appearing. What am I doing wrong?
BIOS: MSI Click BIOS 5
Maybe you are right, but as I understand it, that “quirk” is appearing because one option in the BIOS settings is not set properly (it’s mentioned here: FQ0001 · Foxboron/sbctl Wiki · GitHub). But you are probably right; I don’t have any experience in setting up Secure Boot on Linux.
OK, I will do that, but how can I determine which modules should stay in the original script (the one mentioned at the beginning of the shim-lock paragraph)? As I understand it, only the modules should be changed in that Ubuntu script to make it work perfectly on Manjaro, yes?
Oh - I didn’t mean that link - I meant the link to sbctl on GitHub.
I don’t think you need to do anything shim lock related.
If you have errors of that type - you are using GRUB - and such an error is usually caused by the Manjaro and GRUB EFI stub being out of sync - this can be fixed by using the install-grub script.
//EDIT:
It is very important - when enrolling the key - to use the --microsoft argument, thus including signatures - especially on desktop systems.
If one does not include the keys supplied in the firmware - the firmware will block e.g. your GPU from loading and this would be a catastrophic failure when the board does not have an onboard GPU.
Oh OK, so you mean that Foxboron GitHub FQ0001 quirk link. Unfortunately I already did that. I have an MSI board with a Secure Boot Preset option which I set to the “Maximum Security” value and it didn’t help much. I even tried setting the 2nd option and going back to “Maximum Security” - same problem.
I did it with that option. Even sbctl warns the user in big red writing that not using --microsoft can brick the motherboard.
EDIT:
Is it possible that the firmware just has a quirk/vulnerability and it’s bugged, just like DMT mentioned?
Sorry, I forgot to write one thing - I’m using dual boot because a second user operates on Windows. Linux is on LUKS, but /boot and /boot/efi are outside LUKS to make GRUB boot without a password (the second user can easily choose Windows without knowing my password). Maybe this is a problem.
The quirk has no impact on the system as such and you can ignore the message.
You cannot change how the firmware works and if the mitigation suggested by Foxboron on GitHub doesn’t work - there is nothing you can do - that is, besides poking MSI support and expressing your dissatisfaction with the state of the firmware.
There is no system which is 100% secure - that is how it is - we can only work with what we got.
Thank you for the very fast answer. I was editing my previous message to write this, but you answered so quickly that I did not make it in time:
If there is nothing I can do, I will take it as it is. I thought maybe there is a solution for that and I am doing something wrong. Thanks for the help and sorry for wasting some time. I will mark your answer as the solution. Thanks again!