Why is it always so complicated with Linux and Secure Boot?
The technical procedure is the same for all operating systems.
Roughly, the steps are:
- Create a signing key and store the key in the system's firmware
- Create a file with the necessary code to load the operating system
- Sign the file with the key
- Tell the EFI loader the location of the file
- Enable Secure Boot
Why does Manjaro Linux not support Secure Boot?
The Linux kernel took its first steps in August 1991, around 10 years after Microsoft deployed MS-DOS version 1.0 on an IBM PC.
Linux distributions have tried various methods to support Secure Boot out-of-the-box in the installer.
Fedora and Ubuntu deployed a shim they got signed by Microsoft - such a shim will quickly be discovered and abused to circumvent Secure Boot for nefarious purposes.
Linux has a long history of independence, and because it is free and open-source, there are many, many different ways to run Linux on various hardware. Using Linux has always been a matter of independence and freedom - but with that freedom come limitations.
How can freedom be limited?
To be able to support Secure Boot from the get-go - the key used to sign the loader must be available in the system’s firmware.
Getting such a key into the firmware at vendor level is next to impossible. Bluntly put, it requires influence and power, and there is no single Linux entity with such power. Who would administer such infrastructure? With administration come costs: verification to keep the shady and criminal away, and protection of the keys from abuse.
Microsoft has a problem as the dominant operating system - when the operating system is compromised again and again - they had to come up with measures to protect the operating system even before it loads.
The idea of verifying the first binary in the chain is great - but every chain has a weak link - the end user.
If the system’s firmware is not protected by a password - Secure Boot is null and void.
How can Secure Boot be put to use with Manjaro Linux?
An Arch developer has created an essential tool, sbctl - it is available in the Manjaro repo as well.
If you are not afraid of the terminal it is fairly easy to implement.
I encourage the curious to read this guide Manjaro and Windows - Secure Boot - using repo only to learn how.
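As an added illustration (not taken from the linked guide or from the sbctl project), the steps listed at the top map onto sbctl roughly as follows. The sketch assumes the firmware has already been switched to Setup Mode from its setup screen and that the firmware boot entry from installation is already in place; the function names and the files passed to `enroll_and_sign` are placeholders you supply.

```shell
#!/bin/sh
# Added example: create keys, enroll them, sign the boot files. Run as root.
# Assumption: firmware is in Setup Mode; the boot entry (step 4) already exists.

EFIVARS=/sys/firmware/efi/efivars
GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# An efivarfs file is 4 attribute bytes followed by the value; print the value byte.
efi_flag() {
    [ -r "$1" ] || return 0
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# Report the Secure Boot state from a directory laid out like efivarfs.
secure_boot_state() {
    dir=${1:-$EFIVARS}
    sb=$(efi_flag "$dir/SecureBoot-$GUID")
    setup=$(efi_flag "$dir/SetupMode-$GUID")
    if [ -z "$sb" ]; then echo "no-uefi"
    elif [ "$setup" = 1 ]; then echo "setup-mode"
    elif [ "$sb" = 1 ]; then echo "enabled"
    else echo "disabled"
    fi
}

# Arguments: the EFI binaries to sign (boot loader, kernel); paths are yours to supply.
enroll_and_sign() {
    [ "$(secure_boot_state)" = "setup-mode" ] || {
        echo "firmware is not in Setup Mode; keys cannot be enrolled" >&2
        return 1
    }
    sbctl create-keys || return 1       # create the signing keys
    sbctl enroll-keys -m || return 1    # store them in firmware; -m also keeps Microsoft's certificates
    for f in "$@"; do
        sbctl sign -s "$f" || return 1  # sign; -s records the file so it is re-signed after updates
    done
    sbctl verify                        # show which files on the EFI partition are signed
}
```

After signing, enable Secure Boot in the firmware setup, set a firmware password, reboot, and confirm that `secure_boot_state` prints `enabled`.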