Messed up with Asus ROG secure boot

Dear Friends, this is not directly related Manjaro, but most to the hardware.

I am using the Asus Flow X13 (GV302XA) model, and recently, I installed Manjaro Linux in the system by disabling the Secure Boot. For that, I created an administrator password and simply toggled the secure boot off, which worked well. Then, it was possible for me to install the Manjaro Linux, and the system also worked very well for around four days.

Yesterday, unaware that Manjaro won’t boot with a secure boot, I turned it back ON. Thereafter, the system is not booting and throws an error like “invalid signature detected. Check secure boot policy in setup error”. It was also not possible to disable the Secure Boot through the Bios now. If I disable secure boot and restart the system, leads to the same error message and in the BIOS it shows secure boot enabled.

I tried changing the Administrator password, created a user password and updated the Bios utility (Ver 3.1.1) (https://rog.asus.com/jp/laptops/rog-flow/rog-flow-x13-2023-series/helpdesk_bios/) - nothing worked. Also, I tried to delete the PK management key, which returned the error ‘FAILED’. I also tried to export the keys and then delete the PK key, still does not work .

All I need is just to disable the secure boot, and everything else would be fine for me. Would someone please kindly assist me in this regard?

I wish you luck.
This is ultimately a manufacturer issue.
I would encourage you to take it up with them - mention that your BIOS does not seem to apply settings, and any other weird experiences.

There may be other approaches … such as resetting cmos … but I would advise you to attempt less aggressive approaches before resorting to anything like that.

Thank you… Actually, mine is under warranty. So I contacted the Asus support and this is their reply:

We are sorry to tell you that we do not provide technical support and service for non-preloaded OS changing, non-preloaded OS is not in the scope of our services. We are not responsible for any problems after installation.

:roll_eyes:

Well, they’re not wrong. Their “technical” support is not equipped with knowledge other than what comes with the device, that’s just the truth with any company. What we are doing is tinkering with the device, which is normally out of the warranty scope.

However, the ability to set secure boot on or off should still be their responsibility. When claiming one, never mention you use anything but Windows, that’s as far as their capabilities go. Unless, a BIOS update disables that completely, well… I suggest selling the device and buy a new one from another company that still allows disabling secure boot.

Otherwise, you are limited with OSes which have secure boot key, where in the Linux realm, are limited to:

  • Debian
  • Ubuntu
  • RHEL
  • Fedora
  • OpenSUSE
  • SLES

There could be more, but classically they’re the ones which have it.

But I insist.

You are inquiring about the functionality of their BIOS.

It is not properly accepting configured values and saving them.

What OS you intend to use on the machine is besides the point.

If you must … try again.

Do not mention anything else besides;

  • You attempt to disable Secure Boot in the BIOS

  • Upon reboot Secure Boot is enabled

Providing steps to actually do it is next to impossible.

Enter your firmware - locate the secure boot settings - resetting secure boot to setup mode usually causes either the keystorage to be removed or a new menu entry is enabled which allows to do so.

Some firmwares requires - for security reasons - an administrative password - so be sure you are queried for this password before attempting to change anything.

I know, owning 2 ASUS boards and maintain another one:
for BIOS-update you need to disable secure boot (and activate it after if needed).
The important parts are in the bios-boot-menu - use “other os” if Manjaro.
And disable CSM…

Fedora served good and it updated the secure boot keys, it seems. So when I tried again to disable it, it worked fine.

Indeed, somehow I solved the issue, but still going point this out to them.

I think mine don’t have a CSM option. It seems enabling secure boot after installing manjaro somehow messes up with the secure boot keys (I think we have to use mokutil for this). Reinstallation of secure boot supported OS’s like Fedora (as mentioned by @leledumbo ) solve the issue. I was able to set a new admin password and disable secure boot.

1 Like

Now, I have installed Fedora in the system with Secure Boot enabled (Fedora and Ubuntu support this) and once it is finished Fedora attempts to update the Secure Boot keys with its own. Now I set up a new Administrator password ( I am not remembering properly whether I disabled it or due to the update it was set to empty) and disabled the secure boot. After this, it is possible for me to boot Manajro Live USB and install it. One issue I have noted is when I first installed Manajro, there was an option for screen rotation and keyboard brightness in the top panel (after installing asus-ctl). Now, it’s been missing as well as the sound is not working ( which worked when previously).

1 Like

This topic was automatically closed 3 hours after the last reply. New replies are no longer allowed.