
#1 2022-01-20 18:20:07

drybalka
Member
Registered: 2019-05-27
Posts: 10

Successful dual boot with Windows with Secure Boot and TPM Bitlocker

As there is a lot of controversy on the internet regarding setting up secure dual boot with Windows, I want to share my success story with a dual Windows/Arch installation with Secure Boot and TPM Bitlocker/LUKS encryption.

If you do not care about Secure Boot, then in the disabled state it does not interfere with Bitlocker, and I was able to start Windows from systemd-boot without having to enter the recovery code every time. On the other hand, by issuing my own efi-keys (using `sbkeys`) and signing the kernel image + boot loader I was able to achieve a working dual-boot setup with Secure Boot enabled. However, this made Bitlocker unhappy and it started demanding the recovery code on every boot. Finally, I was able to achieve both Secure Boot and a happy Bitlocker by abolishing the boot loader and using UEFI itself for booting both Windows and Linux.

I mostly followed the Arch wiki for the installation [1] and for setting up Secure Boot [2], so I won't dive into many details in the following (see also [3]). This was done on a Dell Precision 5550 laptop with Windows already installed and Secure Boot and Bitlocker with TPM enabled. Make sure to write down the Bitlocker recovery code somewhere; you will most definitely need it! My steps were:

1. Disable Secure Boot from the UEFI firmware menu. As the EFI partition is unencrypted there is no need to disable Bitlocker, especially if some space is freed for the Linux installation beforehand using the Windows disk partitioning tool.

2. Install Arch as usual by following the wiki page and encrypting it with LUKS [4] in the process. Here I first installed systemd-boot and checked that I can boot both Windows and Linux without problems. However, I was not able to make systemd-boot work with Secure Boot because (as I understand) this messes up the boot process and Bitlocker starts demanding the recovery key on every boot. I later uninstalled systemd-boot and now use UEFI itself to start both Windows and Linux, so probably its installation is not necessary at all.

3. Generate the whole set of efi-keys (I used `sbkeys` script for that).

4. Create a unified kernel image and sign it using the generated key (I used `sbupdate` script for that). Do not forget to include your CMDLINE arguments with information for LUKS encryption.

5. Add the new boot entry with this image to the EFI firmware (I used `bcfg` tool, but `efibootmgr` should also work [5]).

6. Reboot into the UEFI firmware and APPEND your generated DB.esl to the already present db file (the same can also be done from the Linux CLI if you do not have the append option in UEFI).

7. Enable Secure Boot and check if everything works.

After this process I am now able to boot both Linux and Windows with Secure Boot and Bitlocker with TPM. I can choose between the two from the EFI firmware menu or by modifying the `BootNext` variable of the UEFI. Of course, the kernel image must be re-signed on every update, but this is where `sbupdate` comes in especially handy.

I find it a bit strange that I modified only db (but not PK or KEK variables) to make Secure Boot accept my Linux image, but maybe I just don't fully understand the process yet.

[1] https://wiki.archlinux.org/title/installation_guide
[2] https://wiki.archlinux.org/title/Unifie … ecure_Boot
[3] https://wiki.archlinux.org/title/Dual_boot_with_Windows
[4] https://wiki.archlinux.org/title/Dm-crypt
[5] https://wiki.archlinux.org/title/EFISTUB
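Added example (not part of the post above, and not code from `sbkeys` or `sbupdate`): step 6 appends a DB.esl to the firmware's db, and the closing question is about what ended up in db. The block below builds and parses the EFI_SIGNATURE_LIST format that DB.esl and the db variable use, so you can confirm your own certificate is enrolled next to the vendor entries. The sample owner GUIDs and certificate payloads are constructed placeholders; `read_efivar_db` assumes the usual efivarfs path layout with a 4-byte attribute prefix.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI spec: an X.509 cert, or a bare SHA-256 hash.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

def build_esl(sig_type, owner, payload):
    """Wrap one signature (a DER cert) in an EFI_SIGNATURE_LIST, like cert-to-efi-sig-list."""
    sig_size = 16 + len(payload)          # SignatureOwner GUID + SignatureData
    list_size = 28 + sig_size             # 28-byte list header, SignatureHeaderSize 0
    header = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + owner.bytes_le + payload

def parse_esl(data):
    """Walk one or more concatenated EFI_SIGNATURE_LISTs (the db variable is
    exactly that after an append) and return (type, owner, payload) tuples."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated list header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack("<III", data[off + 16:off + 28])
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("body is not a multiple of SignatureSize at offset %d" % off)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                            owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries

def read_efivar_db(path):
    """Read db from efivarfs; the first 4 bytes of the file are the variable attributes."""
    with open(path, "rb") as f:
        return parse_esl(f.read()[4:])

def cert_enrolled(db_blob, owner, payload):
    """True when an entry with this owner GUID and exact payload is in the blob."""
    return any(o == owner and p == payload for _, o, p in parse_esl(db_blob))

# Constructed sample: a pre-existing vendor entry, then the owner's own DB.esl appended
# behind it. Owner GUIDs and payloads are placeholders, not real certificates.
VENDOR_OWNER = uuid.UUID("aaaaaaaa-0000-0000-0000-000000000001")
MY_OWNER = uuid.UUID("bbbbbbbb-0000-0000-0000-000000000002")
SAMPLE_DB = (build_esl(EFI_CERT_X509_GUID, VENDOR_OWNER, b"VENDOR-DER-CERT")
             + build_esl(EFI_CERT_X509_GUID, MY_OWNER, b"MY-DER-CERT"))
```

On a live system, `read_efivar_db("/sys/firmware/efi/efivars/db-d719b2cb-3a3d-4596-a3bc-dad00e67656f")` lists every enrolled entry; pass your DER certificate bytes to `cert_enrolled` to confirm the append took effect.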
