What is UEFI Secure Boot NOT?
UEFI Secure Boot is not an attempt by Microsoft to lock Linux out of the PC market here; Secure Boot is a security measure to protect against malware during early system boot. Microsoft act as a Certification Authority (CA) for Secure Boot, and they will sign programs on behalf of other trusted organisations so that their programs will also run. There are certain identification requirements that organisations have to meet here, and code has to be audited for safety. But these are not too difficult to achieve.
Secure Boot is also not meant to lock users out of controlling their own systems. Users can enroll extra keys into the system, allowing them to sign programs for their own systems. Many Secure Boot-enabled systems also allow users to remove the platform-provided keys altogether, forcing the firmware to only trust user-signed binaries.
See Unified Extensible Firmware Interface/Secure Boot - ArchWiki
Why is it always so complicated with Linux and Secure Boot?
The technical procedure is the same for all operating systems.
Roughly, the steps are:
- Create a signing key and store the key in the system's firmware
- Create a file with the necessary code to load the operating system
- Sign the file with the key
- Tell the EFI loader the location of the file
- Enable Secure Boot
Why is Manjaro not supporting Secure Boot OOB?
Linux distributions have tried various methods to support Secure Boot out of the box from the installer.
Fedora and Ubuntu deployed a shim that they had signed by Microsoft - but such a shim will quickly be discovered and abused to circumvent Secure Boot for nefarious purposes.
Linux has a long history of independence, and because it is free and open source there are many, many different ways to run Linux on various hardware. Using Linux has always been a matter of independence and freedom - but with that freedom come limitations.
How can freedom be limited?
To be able to support Secure Boot from the get-go - the key used to sign the loader must be available in the system’s firmware.
Getting such a key into the firmware at vendor level is next to impossible. Bluntly put, it requires influence and power, and there is no single Linux entity with such power. Who would administer such an infrastructure? With administration come costs: verification to keep the shady and criminal away, and protecting the keys from abuse.
Microsoft, as the vendor of the dominant operating system, has a problem: because the operating system is compromised again and again, they had to come up with measures to protect it even before it loads.
The idea of verifying the first binary in the chain is great - but every chain has a weak link - the end user.
If the system’s firmware is not protected by a password - Secure Boot is null and void.
How can Secure Boot be put to use with Manjaro Linux?
An Arch developer, @foxboron, has created an essential tool, sbctl, which is available in the Manjaro repo as well.
If you are not afraid of the terminal, it is fairly easy to implement.
Don’t forget to read the docs (Unified Extensible Firmware Interface/Secure Boot - ArchWiki)
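To see where a machine stands in the steps listed above, the following added example (not part of the original post or of sbctl) reads the firmware's SecureBoot and SetupMode variables from efivarfs and names the matching sbctl step. The function names and state labels are hypothetical, the sample directory is constructed, and `-m` tells `sbctl enroll-keys` to keep Microsoft's certificates alongside your own.

```shell
#!/bin/sh
# Added example: report Secure Boot state from efivarfs and name the next step.
EFI_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efivar_byte DIR NAME: print the first data byte of an EFI variable.
# An efivarfs file is 4 bytes of attributes followed by the value.
efivar_byte() {
    f="$1/$2-$EFI_GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# sb_state [DIR]: print unsupported, setup-mode, disabled or enabled.
sb_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efivar_byte "$dir" SecureBoot) || { echo unsupported; return 0; }
    setup=$(efivar_byte "$dir" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then
        echo setup-mode      # no platform key enrolled, firmware accepts new keys
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# sb_next_step [DIR]: map the state to the matching step of the procedure.
sb_next_step() {
    case "$(sb_state "$1")" in
        unsupported) echo "no SecureBoot variable: not booted via UEFI" ;;
        setup-mode)  echo "run: sbctl create-keys; sbctl enroll-keys -m; sbctl sign -s <loader>" ;;
        disabled)    echo "a platform key is enrolled: clear it in firmware setup to enroll your own, or enable Secure Boot" ;;
        enabled)     echo "run: sbctl verify, and set a firmware password" ;;
    esac
}

# Constructed sample: a fake efivarfs directory for a machine in Setup Mode.
demo=$(mktemp -d)
printf '\006\000\000\000\000' > "$demo/SecureBoot-$EFI_GUID"
printf '\006\000\000\000\001' > "$demo/SetupMode-$EFI_GUID"
sb_next_step "$demo"
sb_next_step            # the machine this script runs on
rm -rf "$demo"
```
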