[HowTo] Enable Secure Boot with rEFInd

I realize this is a touchy subject for some, but for others, enacting secure boot in Manjaro may be of interest.

New to Arch/Manjaro, I had many difficulties finding secure boot for a Surface Pro 6. The Arch wikis about secure boot, by their own admission, are outdated or incomplete. For instance, signed grub needs to be installed and but apparently, grub-install is now superseded by working with grub img, a change that I found only after many failed attempts and ultimately proved above my pay grade. Another struggle was with the recent changes in the needed shimx64.efi. Versions past 15.2 need the insertion of a .sbat section, which is only anecdotally documented, and I failed at that process as well.

I ended up installing rEFind to replace grub as boot manager, which can sign itself without said dilemmas of grub-signing, and I used a 15.2 version of shimx64.efi

A 15.2 shimx64.efi can be downloaded here:

https://koji.fedoraproject.org/koji/buildinfo?buildID=1077877

and extracted by:

bsdtar -xf shim-signed-15-2.src.rpm

Once extracted to a directory, run these terminal commands:

yay -S shim-signed #which will install the current 15.6 shim-signed to /usr/share/shim-signed
sudo pacman -S sbsigntools
sudo pacman -S refind
sudo pacman -S mokutil

Rename /usr/share/shim-signed/shimx64.efi, then copy the 15.2 shimx64.efi to /usr/share/shim-signed/ Then run:

sudo refind-install --shim /usr/share/shim-signed/shimx64.efi –localkeys

This will install rEFind, place it first in BIOS boot menu, and generate the necessary keys to sign a secure boot.

Before booting into rEFind, all kernels must be signed. For me:

sudo sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/vmlinuz-linux-surface /boot/vmlinuz-linux-surface
sudo sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/vmlinuz-5.15-x86_64 /boot/vmlinuz-5.15-x86_64

Reboot and in the Surface Pro BIOS, enable this secure boot choice: Windows & 3rd-party UEFI CA

Continuing the boot will bring up a security violation and the MOK Menu (MOK Menu is installed by rEFind). Click the long-winded key from “Select Key,” then choose “sign from disk,” (ignoring anything about hash) and tunnel down to /boot/efi/EFI/refind/keys/refind_local.cer, and enter. Choose “Reboot” and if stars align, you should be able to boot into Manjaro with secure boot, which can be verified with:

sudo mokutil --sb-state

Veterans may be able to add a boot entry to the rEFind menu, but I was not successful. This resulted in rEFind’s menu only showing one linux kernel, vmlinuz-5.15-x86_64. The needed vmlinuz-linux-surface (which permits touch on the Surface Pro) could be found by tabbing the vmlinuz-5.15-x86_64 entry to produce a sub-menu with a vmlinuz-linux-surface option. That was tedious for me, so I simply moved /boot/vmlinuz-5.15-x86_64 to a sub-directory, leaving vmlinuz-linux-surface as the only boot option.

For Surface users, Surface firmware updates can remove rEFind’s signing, so disable secure boot in BIOS, boot into Manjaro, and rerun:

sudo sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/vmlinuz-linux-surface /boot/vmlinuz-linux-surface #or whatever kernels you’re using

Other secure boot guides for Manjaro are better than mine, and mine includes the caveats of using rEFind instead grub and substituting an older version of shimx64.efi in place of its current version, but systemd and .sbat are for experts, and that does not include me.

Jake

2 Likes

https://forum.manjaro.org/search?q=secure%20boot