After the latest Manjaro update, I get numerous errors like this when running sbctl verify:
failed to verify file /boot/amd-ucode.img: /boot/amd-ucode.img: invalid pe header
failed to verify file /boot/grub/grub.cfg: /boot/grub/grub.cfg: invalid pe header
Since I use secure boot, I was concerned my system wouldn’t boot and took some precautions, but these errors are spurious and due to a recent bug which made it into the Manjaro release but should already be fixed upstream. My system booted fine even with the errors.
So just do nothing and wait. My kind of bug.
Microsoft’s implementation of Secure Boot is not supported by Manjaro – you must disable it for Manjaro to successfully boot.
Regards.
Personally, I’m not affected by this, as my firmware lets me install my own PK and KEK. But, this isn’t related to the error messages from sbctl…
Not supported OOB is correct - but it is quite easy to implement…
See this topic for instructions on setting up secure boot with Manjaro Linux
→ [root tip] [How To] Manjaro and Windows - Secure Boot - using repo only
When I look at the output - I see that you need to run sbctl with root privileges
Manjaro is using the same version as Arch Linux (drawn from Arch repository)
$ inxi -S
System:
Host: manjaro Kernel: 6.14.7-1-MANJARO arch: x86_64 bits: 64
Desktop: KDE Plasma v: 6.3.5 Distro: Manjaro Linux
$ pamac info sbctl | grep -e 'Version' -e 'Name' -e 'Packager' -e 'Build Date'
Name : sbctl
Version : 0.17-1
Packager : Morten Linderud <foxboron@archlinux.org>
Build Date : 2025-04-28T22:19:28 CEST
$ mbn info sbctl -q | grep -e 'Branch' -e 'Version' -e 'Build Date'
Branch : archlinux
Version : 0.17-1
Build Date : Mon 28 Apr 2025 22:19:28
Branch : unstable
Version : 0.17-1
Build Date : Mon 28 Apr 2025 22:19:28
Branch : testing
Version : 0.17-1
Build Date : Mon 28 Apr 2025 22:19:28
Branch : stable
Version : 0.17-1
Build Date : Mon 28 Apr 2025 22:19:28
$ sbctl verify
Verifying file database and EFI images in /efi...
failed to verify file /efi/loader/random-seed: /efi/loader/random-seed: invalid pe header
failed to verify file /efi/main.efi: open /var/lib/sbctl/keys/db/db.key: permission denied
$ sudo sbctl verify
Verifying file database and EFI images in /efi...
failed to verify file /efi/loader/random-seed: /efi/loader/random-seed: invalid pe header
✓ /efi/main.efi is signed
$ sudo sbctl list-bundles
Enrolled bundles:
/efi/main.efi
Signed: ✓ Signed
ESP Location: /efi
Output: └─/main.efi
EFI Stub Image: └─/usr/lib/systemd/boot/efi/linuxx64.efi.stub
Cmdline: ├─/etc/kernel/cmdline
OS Release: ├─/usr/lib/os-release
Kernel Image: ├─/boot/vmlinuz-6.14-x86_64
Initramfs Image: └─/boot/initramfs-6.14-x86_64.img
AMD Microcode: └─/boot/amd-ucode.img
$ sudo sbctl status
Installed: ✓ sbctl is installed
Owner GUID: xxxxxxxx-7494-4ee5-8ab3-70698073a4bb
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: none
Thanks!
I do have secure boot set up and have been using it for several years.
I do run sbctl with sudo, but I still see 22 “invalid pe header” errors. If I don’t use sudo, I don’t get far at all (sbctl requires root to run: open /var/lib/sbctl/keys/db/db.key: permission denied).
When I install sbctl from source using go install github.com/foxboron/sbctl/cmd/sbctl@latest, there are no errors. It’s clear to me that the problem is the linked bug in my original post, and this has not yet filtered downstream.
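An added example, not part of the thread and not sbctl's own code: a PE image starts with the `MZ` magic and carries `PE\0\0` at the offset stored at 0x3C, so this sketch splits a directory tree into files that are PE images (candidates for signing) and files such as `grub.cfg` or `random-seed` that are not. The function names and the sample tree are constructed for the illustration.

```python
import struct
import tempfile
from pathlib import Path

def pe_status(path):
    """Return 'pe' or a short reason why the file is not a PE image."""
    with open(path, "rb") as f:
        dos = f.read(0x40)                      # DOS header is 64 bytes
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return "no MZ magic"
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
        f.seek(e_lfanew)                        # offset of the PE signature
        if f.read(4) != b"PE\0\0":
            return "MZ magic but no PE signature"
    return "pe"

def triage(root):
    """Split files under root into PE images and (path, reason) non-PE files."""
    pe, other = [], []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            status = pe_status(p)
            if status == "pe":
                pe.append(p)
            else:
                other.append((p, status))
    return pe, other

def build_sample_esp():
    """Constructed sample tree; file contents are made up for the demo."""
    root = Path(tempfile.mkdtemp(prefix="esp-demo-"))
    (root / "loader").mkdir()
    (root / "grub.cfg").write_text("set timeout=5\n")
    (root / "loader" / "random-seed").write_bytes(bytes(range(32)))
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    (root / "main.efi").write_bytes(stub)
    (root / "truncated.efi").write_bytes(stub[:0x40])   # PE header cut off
    return root

if __name__ == "__main__":
    pe, other = triage(build_sample_esp())
    for p in pe:
        print(f"PE image (should be signed): {p}")
    for p, why in other:
        print(f"not a PE image ({why}): {p}")
```

Pointed at a real ESP, the second list shows the files for which an "invalid pe header" message says nothing about signature state; only the first list needs a signature check.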