Honestly, this kind of arrogance is astonishing. Are you saying that the user shouldn’t expect a distro which advertises itself as “user friendly” to have some basics out of the box? Have you actually gone through the Arch Wiki and tried to set up Secure Boot for GRUB 2.06, and realized it’s actually lacking some pretty important information regarding the latest update right now? Please, instead of talking trash, actually provide an answer, or if you don’t know it, don’t talk.
Most of the other major non-DIY distributions actually do support Secure Boot using a signed shim by default. Just off the top of my head: Fedora, RHEL, openSUSE, SUSE, Debian, Ubuntu all support it. It is perfectly reasonable for a user to expect a distribution which seeks to provide an easy out-of-the-box experience to have such a basic and common security measure enabled. After all, Manjaro isn’t Arch, is it?
As for the other posts by other users, a few things actually changed with GRUB 2.06 that I don’t see mentioned on the Arch wiki yet:
1. It seems to expect to be chainloaded with shim to do Secure Boot by default. Thus, if you are trying to use your own keys (no shim and MOK involved), you need to add --disable-shim-lock to tell it not to use shim. Needless to say, do not add this flag if you are chainloading it with shim (either the signed shim or a shim you sign yourself). This is mentioned in the official GRUB documentation.
2. GRUB 2.06 will no longer sideload modules like 2.04 does if Secure Boot is enabled. That means you need to build GRUB using grub-install with all of the necessary modules before signing it. From forum posts, it seems that GRUB is using tpm.mod to perform verification. I have tested it on my Arch install and it does indeed seem to be the case (you will get “Verification requested but nobody cares” as soon as it tries to load the kernel without it). So, be sure to add --modules="tpm" when building your GRUB so that it can perform verification.
3. One caveat to what I mentioned in 2. is that if you include tpm.mod and enable the TPM module in your firmware, it will attempt to do Measured Boot as well. This may break things like grub-btrfs. The workaround for this is to include tpm.mod in your GRUB build but to disable the TPM module in your firmware.
I actually haven’t found a solution yet to have the TPM module enabled while doing Secure Boot without breaking grub-btrfs. Maybe I need to look into setting up measured boot? I would really appreciate it if someone could share some info about this issue as well.
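An added example (my own script, not the poster's or the GRUB project's code) that turns items 1 and 2 above into one build-and-sign step for an own-keys setup: it embeds tpm into the image grub-install produces, adds --disable-shim-lock only when no shim is involved, and signs and verifies the resulting grubx64.efi with sbsign/sbverify from sbsigntools. The ESP mount point /efi, the bootloader id GRUB, the key paths under /etc/secureboot/keys, and the SB_APPLY, USE_SHIM and EXTRA_MODULES variables are all assumptions of this example. It does not address item 3 (measured boot and grub-btrfs), which the post leaves open.

```bash
#!/usr/bin/env bash
# Added example, not code from the forum post: build a GRUB 2.06 EFI image with
# the tpm module embedded (2.06 will not sideload modules under Secure Boot),
# then sign it with your own db key for an own-keys (no shim) setup.
# Everything below is an assumption to adapt: ESP mounted at /efi, bootloader
# id "GRUB", signing key pair at /etc/secureboot/keys/db.{key,crt}, and
# sbsign/sbverify from sbsigntools installed. By default the script only prints
# the plan; run it as root with SB_APPLY=1 to execute it.
set -u

ESP="${ESP:-/efi}"
BOOTLOADER_ID="${BOOTLOADER_ID:-GRUB}"
DB_KEY="${DB_KEY:-/etc/secureboot/keys/db.key}"
DB_CRT="${DB_CRT:-/etc/secureboot/keys/db.crt}"
# USE_SHIM=1 means the image will be chainloaded from shim (signed or your own);
# in that case --disable-shim-lock must NOT be passed, so the flag is omitted.
USE_SHIM="${USE_SHIM:-0}"
# Extra modules your grub.cfg needs beyond what grub-install detects on its own.
# They have to be embedded here; 2.06 will not load them from disk later.
EXTRA_MODULES="${EXTRA_MODULES:-}"

# Where grub-install places the image for the given ESP and bootloader id.
grub_image_path() {
    printf '%s/EFI/%s/grubx64.efi\n' "$ESP" "$BOOTLOADER_ID"
}

# Emit the grub-install argument vector, one element per line, so it can be
# inspected (dry run) or executed via mapfile without re-splitting on spaces.
grub_install_cmd() {
    local -a cmd=(grub-install --target=x86_64-efi
                  "--efi-directory=$ESP"
                  "--bootloader-id=$BOOTLOADER_ID"
                  "--modules=tpm${EXTRA_MODULES:+ $EXTRA_MODULES}")
    if [[ $USE_SHIM == 0 ]]; then
        # Own keys, no shim: tell GRUB not to look for shim's verification protocol.
        cmd+=(--disable-shim-lock)
    fi
    printf '%s\n' "${cmd[@]}"
}

# Sign a PE binary (the GRUB image, or a kernel with an EFI stub) in place with
# the db key and verify the result against the db certificate.
sign_and_verify() {
    local binary="$1"
    sbsign --key "$DB_KEY" --cert "$DB_CRT" --output "$binary" "$binary"
    sbverify --cert "$DB_CRT" "$binary"
}

main() {
    local -a cmd
    local img
    mapfile -t cmd < <(grub_install_cmd)
    img="$(grub_image_path)"

    if [[ ${SB_APPLY:-0} != 1 ]]; then
        echo "Dry run (set SB_APPLY=1 and run as root to apply):"
        printf ' %q' "${cmd[@]}"; echo
        printf '  sbsign --key %q --cert %q --output %q %q\n' "$DB_KEY" "$DB_CRT" "$img" "$img"
        return 0
    fi
    if [[ $EUID -ne 0 ]]; then
        echo "must run as root to write to $ESP" >&2
        return 1
    fi
    # Build first, sign second: the signature covers the final image with all
    # modules embedded, so any later grub-install run invalidates it.
    "${cmd[@]}"
    sign_and_verify "$img"
}

main "$@"
```

Run without arguments it prints the exact grub-install and sbsign invocations it would use; with SB_APPLY=1 as root it executes them and fails loudly if sbverify rejects the signed image. Any module your grub.cfg relies on beyond what grub-install detects goes into EXTRA_MODULES, since, as the post notes, 2.06 will not sideload it under Secure Boot.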