UEFI secure boot initial enablement

I know that this topic has been discussed many times in different places, but can we have one more look at it and maybe think of something?

In other places on the forum the frequent answer was: do it yourself through the Arch Wiki. But this is not the way Manjaro works for me and, I assume, many other people.
I really appreciate how Manjaro just works out of the box and has these nice configuration tools for drivers and kernels, and also Pamac. This is a work of love and I am thankful to the developers who made it possible!

What I propose is to at least discuss what can be done for some initial support for it in a way that makes it a seamless experience for the user.

The initial solution, as I see it, is to sign the boot loader with Manjaro keys, and maybe add some simple way for users to enroll these keys on their system.

If I understand correctly, on a fully encrypted system your kernel lies on an encrypted partition and only the boot loader remains unencrypted, so maybe it is enough (for security as well as initial support effort) to sign only the boot loader?

And, if I understand it correctly, for the manual (Arch Wiki) way, the user must manually sign the boot loader every time it's updated, which brings a lot of possible problems related to the automated Manjaro update mechanism?

We should eat the elephant piece by piece: if making a signing infrastructure is too complicated at the moment, maybe just the ability to configure boot loader signing, so end users can add/generate their own keys for boot loader signing. And a default Manjaro key can be added afterwards?

There is no default Manjaro key.

If you want to enable secure boot, you have to go through the Arch Wiki. From my understanding, this works and there seems to be a hook that signs your kernel automatically after each rebuild.

Enrolling the keys automatically is not possible because the custom keys must be added to the UEFI which is specific and you can’t write to UEFI directly (universally, exceptions might exist).

Also, who is your attacker? Secure boot is nothing more than snake oil.

3 Likes

Manjaro has no plans whatsoever to yield on its earlier position, which is that users who want Secure Boot support must take care of this themselves.

The Arch instructions on how to do it are very explicit, and Manjaro does not consider supporting Secure boot so that users who dual-boot with Microsoft Windows would be able to play certain Windows games to be a valid excuse. That is not what this distribution — or indeed, the whole of GNU/Linux — is about.

You can hate me all you want if you are so inclined, but this discussion has already been had before ad nauseam, and there is no point in going over the same thing all over again. I am therefore closing this thread.

3 Likes