Hi all,
Sorry - I was not sure which category would fit the best, so I picked “Feature Request”, as my question concerns a functionality / feature of Manjaro.
As far as I understand, it is difficult to bring Manjaro to work with secure boot enabled. If that understanding is correct, with Windows 11 it will be difficult to make dual boot Windows 11 + Manjaro as Windows 11 will only work with secure boot - is there currently an easy and good solution to bring Manjaro to work with secure boot?
Here in the Forum I found some topics regarding Manjaro + Secure Boot that state that secure boot is not supported, somehow you can bring it to work, and so - but the relevant topics are from last year.
To support secure boot out of the box, I believe that an EFI bootloader signed by Microsoft is required. You can configure secure boot yourself, this guide on the Arch wiki may be of use: Arch wiki UEFI Secure Boot. As you note, doing this yourself is “unsupported”, i.e. the Manjaro team do not provide official support for this (but you may be able to find help on the forum with any issues).
And thank you for the information, that Win 11 will be possible to run without secure boot - the information I got concerning Windows 11 on another side was, that Windows 11 works only with secure boot enabled - that seems not to be correct - I think in a few weeks we will understand better…
Kinda hard to know right now as Windows 11 does not release until October-November this year
however Insider Beta releases are coming out later during this week
I don’t plan to purchase a compliant PC so Win 11 is not in my plans. Besides, there seems to be confusion and outrage right now so I’ll just let the dust settle and see what gives at Win 11 release time. I only “need” Windows for a couple of things and with 4 or so more years of support for Win 10 I can comfortably wait it out.
There’s no easy way to enable Secure Boot in Manjaro. Same is applicable to Windows 11, the only difference is that one needs to undertake several steps to disable Secure Boot and have Windows 11 bootable at the same time. So you have to choose which way to go. Having Secure Boot enabled for both systems is way more secure than simply disabling it and believing that everything will be OK.
My understanding is that MS has disabled the compatibility checks for installation of the Win 11 preview but will enable and enforce the checks in the final release or maybe even earlier. They are interested in seeing Win 11 on Gen 7 Intels and AMD Zen which are currently not on the compatibility list. In other words, Win 11 preview will install on any system and a successful install of Win 11 now is not necessarily an indication of any aspect of compatibility with the final release.
Edit: I probably don’t have my Windows release nomenclature right so Win 11 Preview may not be what they are calling the current version available to Insiders. My comments are meant to apply to the currently available Insider version.
“Secure Boot capable” for me means that your device has to support that “feature”. It does not say it has to be enabled though.
I made an account just to confirm that this seems to be the case so far. I have Windows 10 (now 11 dev build) and Manjaro KDE dual booted on my laptop with secure boot off. I was able to upgrade to the 11 dev build without any issues and it did not mess up grub or anything. I also did not have to do anything special in Windows 10 to do the upgrade with secure boot off, no reg edits or anything. Just switch to the dev build channel and it installed with no issues.
Forget dev builds. Perhaps we will need to decide: Windows or Linux.
Nevertheless, I still do want Secure Boot in Manjaro, even if it was the only boot partition, because it should be a common feature just like in Ubuntu, openSUSE etc. Secure Boot is simply great and it’s my top search in distros. I’d also like to have Hello-like authorization in Linux, instead of the fossil give-me-a-break-already password typing.
Secure boot by default on most PCs uses Microsoft’s keys so for a distro to work with secure boot out of the box, the devs have to pay Microsoft $99 and it is a very long process in general so I don’t think that is really necessary.
The other option is to sign using your own keys and provide the user with the public key to enroll it in their system, it is a very easy process and the UEFI will ask you to do it at boot if secure boot is enabled and the distro doesn’t use Microsoft’s keys.
And I don’t agree that secure boot is great
I had BitLocker on in Windows with secure boot, I turned off secure boot, booted into Manjaro, turned it back on and booted into Windows and it did not care at all.
Because you turned it back on with the same values it had before. Next time try booting in Windows with some bootable USB stick plugged in. You’ll get a recovery key prompt instead of a smooth process.
Also consider setting a password for UEFI, that will prevent anyone from altering your settings like turning SB off.
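
An added example, not part of any post in this thread: the distinction raised above between a machine that is Secure Boot capable and one that has it enabled can be read on Linux from the UEFI-defined `SecureBoot` and `SetupMode` variables in efivarfs. The function name `secure_boot_state` and its state labels are choices made for this example.

```shell
#!/bin/sh
# Added example: report Secure Boot state from efivarfs.
# EFI global variable GUID defined by the UEFI specification.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs files start with a 4-byte attribute word; the payload follows.
# Print the first payload byte as a decimal number, or nothing if too short.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# secure_boot_state [DIR]
# DIR defaults to the live efivarfs mount; pass another directory to
# inspect a copy of the variables (hypothetical helper for this example).
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    if [ ! -d "$dir" ]; then
        echo "no-uefi"          # legacy BIOS boot or efivarfs not mounted
        return 0
    fi
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL") || sb=
    sm=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL") || sm=
    if [ -z "$sb" ]; then
        echo "unsupported"      # firmware exposes no SecureBoot variable
    elif [ "$sb" = 1 ]; then
        echo "enabled"          # boot signatures are being enforced
    elif [ "$sm" = 1 ]; then
        echo "setup-mode"       # no Platform Key enrolled; own keys can be enrolled
    else
        echo "disabled"         # capable, keys present, enforcement switched off
    fi
}

# Query the live system when the script is invoked as: sh script.sh run
if [ "${1:-}" = run ]; then secure_boot_state; fi
```

A result of `disabled` is the state the dual-boot reports in this thread describe; `setup-mode` is the state in which self-generated keys can be enrolled.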