Secure Boot not working with shim-signed on Gigabyte motherboard

Hello,

I’m trying to set up Secure Boot with dual boot (Manjaro + Windows) on a Gigabyte motherboard (Intel i7-14700KF) with Secure Boot Mode set to Custom.

What I’ve done so far:

  • Installed shim-signed (15.8+ubuntu1.59-1) from AUR
  • Copied shimx64.efi and mmx64.efi to /boot/efi/EFI/Manjaro/
  • Boot entry points to shimx64.efi
  • grub-install with --sbat flag (grub 2.14)
  • Signed grubx64.efi with a custom MOK key using sbsign
  • Enrolled MOK key via mokutil and confirmed via MOK Manager
  • Enrolled shimx64.efi directly in BIOS via Enroll EFI Image (db now shows 5 keys, Mixed)

Problem: Still getting “Secure Boot Violation - Invalid signature detected” when Secure Boot is enabled.

sbverify confirms shimx64.efi is signed by Microsoft UEFI CA 2011, and grubx64.efi is signed with CN=Manjaro MOK.

Any ideas what could be causing this on a Gigabyte board with Custom Secure Boot mode?

Thanks

Hello and welcome to the Manjaro Community! :vulcan_salute:

Maybe this will provide an insight?:

… I’m not familiar with the ins-and-outs of Secure Boot myself, though, as I don’t dual-boot. :wink:

1 Like

I suggest contacting the upstream maintainer of the AUR package
Bugs : shim-signed package : Ubuntu

1 Like

Remove it.

Not necessary at all.

Run sbctl to create your own personal keys

sudo sbctl create-keys

Then edit the file /etc/mkinitcpio.d/<kernel>.preset.

Example /etc/mkinitcpio.d/linux618.preset

$ cat /etc/mkinitcpio.d/linux618.preset
# mkinitcpio preset file for the '6.18-x86_64' package

#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-6.18-x86_64"

PRESETS=('default')
#PRESETS=('default' 'fallback')

#default_config="/etc/mkinitcpio.conf"
#default_image="/boot/initramfs-6.18-x86_64.img"
# The UKI is written below the ESP mount point (/boot/efi here, i.e. the
# /boot/efi/EFI/Linux folder created in the next step); mkinitcpio fails if
# that folder does not exist.
default_uki="/boot/efi/EFI/Linux/manjaro-6.18.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-manjaro.bmp"

#fallback_config="/etc/mkinitcpio.conf"
#fallback_image="/boot/initramfs-6.18-x86_64-fallback.img"
#fallback_uki="/boot/efi/EFI/Linux/manjaro-6.18-x86_64-fallback.efi"
#fallback_options="-S autodetect"

Create the folder /boot/efi/EFI/Linux

sudo mkdir /boot/efi/EFI/Linux

After you have created the folder run mkinitcpio

sudo mkinitcpio -p linux618

The end result is a UKI (Unified Kernel Image), which gets signed when you run mkinitcpio.

Create an entry in your system's firmware for the new UKI (assuming your primary disk is nvme0n1 and the first partition is your EFI partition)

sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 --loader "/EFI/Linux/manjaro-6.18.efi" --label "Manjaro 6.18" --unicode

Reboot into your system’s firmware

systemctl reboot --firmware-setup

Then ensure Secure Boot is changed to setup mode - save the changes and reboot into your Manjaro Linux system.

When booted, open a terminal and enroll your personal secure boot key to the firmware (it is important that you add the --microsoft flag - if you don't, you may brick your system)

$ sudo sbctl enroll-keys --microsoft
[sudo] password for nix:
Enrolling keys to EFI variables...
With vendor keys from microsoft...✓
Enrolled keys to the EFI variables!

Check

$ sbctl status
Installed:	✓ sbctl is installed
Owner GUID:	6203b16f-d516-4f71-9b0a-215c046f3bdc
Setup Mode:	✓ Disabled
Secure Boot:	✗ Disabled
Vendor Keys:	microsoft

Reboot into your firmware and enable secure boot - save the changes and reboot

Check

$ sbctl status
Installed:	✓ sbctl is installed
Owner GUID:	6203b16f-d516-4f71-9b0a-215c046f3bdc
Setup Mode:	✓ Disabled
Secure Boot:	✓ Enabled
Vendor Keys:	microsoft

Congratulations - finally reboot into your system’s firmware and password protect the access.

:partying_face:

2 Likes
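An added consistency check for the sbctl/UKI procedure above (example code, not from the post or from sbctl): it assumes the ESP is mounted at /boot/efi, reads the active *_uki lines of a preset, derives the ESP-relative path that efibootmgr --loader expects, and parses sbctl status output to confirm setup mode is closed, Secure Boot is on and the Microsoft vendor keys were included. The preset and status texts below are constructed samples.

```python
"""Sanity checks tying together the preset path, the efibootmgr entry and sbctl status."""
import re
from pathlib import PurePosixPath

# Constructed sample preset (ESP mounted at /boot/efi, as in the mkdir step).
SAMPLE_PRESET = """\
PRESETS=('default')
default_uki="/boot/efi/EFI/Linux/manjaro-6.18.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-manjaro.bmp"
#fallback_uki="/boot/efi/EFI/Linux/manjaro-6.18-x86_64-fallback.efi"
"""

# Constructed sample of `sbctl status` after enabling Secure Boot.
SAMPLE_STATUS = """\
Installed:\t\u2713 sbctl is installed
Owner GUID:\t6203b16f-d516-4f71-9b0a-215c046f3bdc
Setup Mode:\t\u2713 Disabled
Secure Boot:\t\u2713 Enabled
Vendor Keys:\tmicrosoft
"""

def uki_paths(preset_text):
    """Return {preset_name: uki_path} for uncommented *_uki assignments."""
    found = {}
    for line in preset_text.splitlines():
        m = re.match(r'^(\w+)_uki="?([^"\s]+)"?\s*$', line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def loader_path(uki_path, esp_mount="/boot/efi"):
    """Turn the preset's absolute UKI path into the ESP-relative --loader path.
    Returns None when the UKI lies outside the ESP, which the firmware cannot load."""
    try:
        rel = PurePosixPath(uki_path).relative_to(esp_mount)
    except ValueError:
        return None
    return "/" + rel.as_posix()

def parse_status(text):
    """Split `sbctl status` lines into {field: value}, dropping the check marks."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip().lstrip("\u2713\u2717").strip()
    return fields

def secure_boot_ready(status_text):
    """True only when setup mode is closed, Secure Boot is enabled and the
    Microsoft vendor keys were enrolled (the --microsoft flag from the post)."""
    f = parse_status(status_text)
    return (f.get("Setup Mode") == "Disabled" and f.get("Secure Boot") == "Enabled"
            and f.get("Vendor Keys") == "microsoft")
```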