You can boot into Windows a bootable usb stick plugged in and once I even added the USB drive’s secure boot cert to the uefi MOK and Windows still did not care even though secure boot settings had changed(this dosen’t always happen, one time it did ask me for Bitlocker recovery key)
And as for the UEFI password, most laptop OEMs don’t include the feature
Really? What a shame. Better do not buy from such vendors.
As for MOK, it doesn’t change those PCRs which are checked by BitLocker.
There’s an easy way to trigger BitLocker’s panic mode: try booting Windows through non-default boot option. For instance, Windows boot is selected as the default one, but you select Grub and in Grub instead of Linux, you select Windows. And boom! - there’s a prompt from BitLocker.
Well I have an HP laptop and I think Dell does the same so much not much options left unless you want to spend $1000
And UEFI password is not the first feature I would look for in a laptop or any PC in general
And yes that way to trigger Bitlocker does work, I have done that before but if you just force shutdown and reboot correctly, it just goes away
Yes, sure it goes away, cause all bits are correct again and no reason to trigger extra caution check.
As for password, well, I couldn’t disable Secure Boot until I had set it. Only after that I was able to disable SB and start playing with custom db, KEK and PK. That’s a very basic Insyde-based UEFI I have here on my Xiaomi laptop. I think it’s done right from security point of view.
Ok but Xiaomi is not a major laptop OEM
Doesn’t matter. Disabling SB will trigger BitLocker prompt when booting Windows. If not, that would speak much about your “major laptop OEM”.
Why whatever do you mean? I think it makes total sense for Windows 11 to require your motherboard have a TPM 2.0 chip (for your own safety, of course!) and that it will not install on any laptop in the future that does not have a high-def front-facing camera starting in January 1, 2023.
Because even though most laptops have built-in webcams, and even though Microsoft can “recommend”, or “highly encourage” purchasing a laptop with a high-def front-facing camera, or even “unlock” extra security features that necessitate a camera… there’s nothing suspicious or creepy about making a high-def front-facing camera a publicly stated hard requirement.
Oh, hi NSA! 
We were just having an innoculus discussion. Don’t mind us.
I installed SBCTL. Secure boot Works fine the only problem is I have not tested it with Dual-boot Windows.
It is available in Manjaro Repo.
Yep. This one and sbupdate-git from AUR are very convenient tools that drastically reduce the hassle of managing custom Secure Boot keys. I use the latter but this one looks very promising too.
Does it work with Dual boot? I don’t think sbctl is currently entitled to work with Dual boot as I have to delete Microsoft Keys from BIOS, before working with Manjaro SB.
You don’t have to delete MS keys, but you need to manually backup stock vendor-provided keys (PK, KEK, db and dbx), then create your own PK, KEK and db keys, then concatenate your db and KEK with vendor db and KEK you saved before, sign resulting files with PK (for compound KEK) and KEK (for compound db) and then enroll one by one starting from dbx and db, then KEK and the last one is PK while in Secure Boot setup mode (entered when one clears SB keys in UEFI settings).
https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki’s_EFI_Install_Guide/Configuring_Secure_Boot#Saving_Current_Keystore_Values.2C_and_Creating_New_Keys
After that, sbupdate will take care of the rest.
There’s other thing you can try. Just sign Windows bootloader with your current key. It is located in $esp/EFI/Microsoft/bootmgfw.efi. So it will make Windows boot without MS keys enrolled in UEFI.
You need to manually backup stock vendor-provided keys (PK, KEK, db and dbx), then create your own PK, KEK and db keys, then concatenate your db and KEK with vendor db and KEK you saved before, sign resulting files with PK (for compound KEK) and KEK (for compound db) and then enroll one by one starting from dbx and db, then KEK and the last one is PK while in Secure Boot setup mode (entered when one clears SB keys in UEFI settings).
I tried really hard, step by step, taking hours and never succeed booting Manjaro in a dual-boot Windows environment with Secure Boot enabled.
What bothers me is that Debian, OpenSuse, Ubuntu, Fedora can do it out of the box. As far I could read, Fedora developed its own way and it is not paying MS for the keys. I really doubt the others are paying. But I’m not sure.
There’s nothing wrong in using any of those distros if you really need Secure Boot. All of them are still GNU/Linux after all. Manjaro is a small and mostly community-driven distro which kinda cannot afford (it can but cannot lol) messing with such a niche stuff as Secure Boot. Partially because corporate / server use cases of Manjaro are little to nothing, partially due to vast ignorance of home Linux users on the essence of Secure Boot, who would refuse to accept things like paying “MS” even if it’s not MS actually and as if non-participating would make them rootkit-proof.
Since you didn’t describe your exact issue, I cannot suggest anything that would be of help.
I can only wildguess:
sudo efibootmgr -c -d /dev/sda -p 1 -L "Manjaro 5.14" -l /vmlinuz-5.14-x86_64 -u ' ro quiet initrd=\intel-ucode.img initrd=\initramfs-5.14-x86_64.img apparmor=1 security=apparmor audit=0' -v and try booting it directly.efitools package). Many BIOSes have no means to manipulate keys and many systems do not allow efi-updatevar to do its job so the only way to do what you want might be KeyTool.They all do pay. And the payee is not MS but a certificate authority founded by MS. If you live in a democratic country, consider this analogy: you pay taxes to your government but you do not fund your ministers directly, there’s a budget that is being discussed and established on a regular basis.
Hello everyone, I only post this.
I have a dual boot with Manjaro and Windows 11. Previously I had the dual boot with windows 10, the only thing I do is update thought their assistant and that’s all.
I’m on a HP X360 convertible 14-cd0xx, and this work smoothly with Manjaro Gnome 21.1.4
Used Windows 11 Installation Assistant to upgrade to Win 11 on Lenovo Yoga 720. It’s a little quirky at times, widgets are all but useless and do not retain configurations. Performance seems slightly slower than Win10 for now. I don’t yet see a compelling reason for anyone to upgrade, at least not on a system similar to mine–i5 8th generation; 8GB; SSD; Intel 630 graphics. This system “qualified” for Win 11.
The installation was done with SB enabled but I disabled it afterwards. Win 11 boots without error messages with SB disabled. I don’t know how it might behave with the next update. MS appears to be hesitant with its Win 11 policies.
I was having windows 10 and manjaro installed together without secure boot and I have upgraded to windows 11 without any problem.
Thanks, I did the same and it worked. Windows upgrade didn’t mess with my grub at all and dual boot is working fine with secure boot disabled
It worked fine for me by doing a simple configuration after booting into windows.
Run CMD as Administrator -
bcdedit /set {bootmgr} path \EFI\manjaro\grubx64.efi
Then reboot.
bcdedit /set {bootmgr} path \EFI\manjaro\grubx64.efi
@XoirDrioX What does this mean? Can it boot with secure boot on?
Some UEFI like Lenovo has nothing different between secure boot on/off, but others like Surface show a annoying red lock sign which is VERY UGLY if you turn Secure Boot off
