
#1 2024-01-17 01:45:00

yuvrajtalukdar
Member
Registered: 2024-01-17
Posts: 1

Secure boot not working after changing EFI partition

Full Story:-
My HP laptop is dual booted with Arch and Windows 11. Both OSes share the same EFI partition, which was just 260 MB in size before. This small EFI partition led to a kernel update error during pacman -Syu one fine day. To fix this I had to create a new EFI partition of 1024 MB, then install GRUB, copy the Windows boot/EFI files and run grub-mkconfig. I edited the fstab file to set the correct EFI partition, and voilà, everything is fixed now; both Windows and Arch boot correctly, except for Secure Boot. To get the boot to work I had to disable Secure Boot.

I decided to configure Secure Boot from scratch, so I deleted all the enrolled keys in the BIOS, then deleted the secureboot folder in /usr/share/secureboot/, and followed the Arch wiki https://wiki.archlinux.org/title/Unifie … ecure_Boot for setting up Secure Boot using sbctl.
On checking sbctl verify I got a bunch of files, all of which needed to be signed. I signed them all.
Then I tried turning on Secure Boot in the BIOS, and Secure Boot is not working.
This is the same process I followed before during the installation of Arch, and it has worked before, but not this time.
What have i done wrong? How to fix this?
Thank You.

current sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     c5445c38-e7cd-488e-9c04-57db7d865981
Setup Mode:     ✓ Disabled
Secure Boot:    ✗ Disabled
Vendor Keys:    microsoft builtin-db


sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/EFI/Microsoft/Boot/da-DK/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/en-US/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/fr-CA/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/lv-LV/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/sv-SE/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/cs-CZ/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/kd_02_1137.dll is signed
✓ /boot/EFI/Microsoft/Boot/memtest.efi is signed
✓ /boot/EFI/Microsoft/Boot/qps-ploc/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/cs-CZ/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/fi-FI/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/ko-KR/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/sv-SE/bootmgfw.efi.mui is signed
✓ /usr/lib/systemd/boot/efi/systemd-bootx64.efi is signed
✓ /boot/EFI/Microsoft/Boot/fr-CA/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/kd_02_1969.dll is signed
✓ /boot/EFI/Microsoft/Boot/et-EE/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/ja-JP/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/ru-RU/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/ru-RU/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/et-EE/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/zh-CN/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/pl-PL/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/zh-TW/bootmgr.efi.mui is signed
✓ /boot/EFI/HP/DEVFW/HpDevFwUpdate.efi is signed
✓ /boot/EFI/Microsoft/Boot/bootmgfw.efi is signed
✓ /boot/EFI/Microsoft/Boot/it-IT/memtest.efi.mui is signed
✓ /boot/grub/x86_64-efi/grub.efi is signed
✓ /boot/EFI/HP/BIOSUpdate/CryptRSA.efi is signed
✓ /boot/EFI/Microsoft/Boot/en-GB/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/fr-FR/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/hr-HR/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/kd_07_1415.dll is signed
✓ /boot/EFI/Microsoft/Boot/zh-TW/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/bg-BG/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/tr-TR/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/zh-TW/bootmgfw.efi.mui is signed
✓ /boot/vmlinuz-linux is signed
✓ /boot/EFI/Microsoft/Boot/de-DE/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/hr-HR/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/Resources/en-US/bootres.dll.mui is signed
✓ /boot/EFI/Microsoft/Boot/cs-CZ/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/kd_0C_8086.dll is signed
✓ /boot/EFI/Microsoft/Boot/pt-BR/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/uk-UA/bootmgr.efi.mui is signed
✓ /usr/lib/fwupd/efi/fwupdx64.efi is signed
✓ /boot/EFI/Microsoft/Boot/kd_02_15b3.dll is signed
✓ /boot/EFI/Boot/fbia32.efi is signed
✓ /boot/EFI/Microsoft/Boot/cbmr_driver.efi is signed
✓ /boot/EFI/Microsoft/Boot/el-GR/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/es-ES/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/es-ES/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/fi-FI/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/hu-HU/memtest.efi.mui is signed
✓ /boot/EFI/HP/BIOSUpdate/BiosMgmt.efi is signed
✓ /boot/EFI/Microsoft/Boot/kd_02_1af4.dll is signed
✓ /boot/EFI/Microsoft/Boot/zh-CN/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/Resources/bootres.dll is signed
✓ /boot/EFI/Microsoft/Boot/pt-BR/memtest.efi.mui is signed
✓ /boot/EFI/Boot/mmx64.efi is signed
✓ /boot/EFI/Microsoft/Boot/da-DK/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/pl-PL/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/ro-RO/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/ro-RO/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/sl-SI/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/sv-SE/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/bg-BG/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/it-IT/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/kd_02_19a2.dll is signed
✓ /boot/EFI/Microsoft/Boot/sr-Latn-RS/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/de-DE/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/fi-FI/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/it-IT/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/kd_02_10df.dll is signed
✓ /boot/EFI/Microsoft/Boot/ko-KR/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/nb-NO/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/en-GB/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/ja-JP/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/ko-KR/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/ru-RU/memtest.efi.mui is signed
✓ /boot/EFI/Boot/fbx64.efi is signed
✓ /boot/EFI/HP/SystemDiags/SysDiags.efi is signed
✓ /boot/EFI/Microsoft/Boot/el-GR/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/es-MX/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/ja-JP/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/nb-NO/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/pt-PT/bootmgr.efi.mui is signed
✓ /boot/EFI/HP/BIOSUpdate/BiosMgmt32.efi is signed
✓ /boot/EFI/Microsoft/Boot/hu-HU/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/pt-BR/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/sl-SI/bootmgfw.efi.mui is signed
✓ /boot/grub/x86_64-efi/core.efi is signed
✓ /boot/EFI/Boot/BOOTIA32.EFI is signed
✓ /boot/EFI/Microsoft/Boot/fr-FR/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/pt-PT/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/tr-TR/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/nl-NL/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/de-DE/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/en-US/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/fr-FR/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/hu-HU/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/kd_02_8086.dll is signed
✓ /boot/EFI/Microsoft/Boot/lt-LT/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/nl-NL/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/nl-NL/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/sk-SK/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/sr-Latn-RS/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/bootmgr.efi is signed
✓ /boot/EFI/Microsoft/Boot/sk-SK/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/es-ES/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/nb-NO/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/tr-TR/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/en-US/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/kdstub.dll is signed
✓ /boot/EFI/Microsoft/Boot/lt-LT/bootmgr.efi.mui is signed
✓ /boot/EFI/HP/SystemDiags/CryptRSA.efi is signed
✓ /boot/EFI/Microsoft/Boot/kdnet_uart16550.dll is signed
✓ /boot/EFI/Microsoft/Boot/pt-PT/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/uk-UA/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/kd_02_14e4.dll is signed
✓ /boot/EFI/Microsoft/Boot/zh-CN/bootmgr.efi.mui is signed
✓ /boot/efi/GRUB/grubx64.efi is signed
✓ /boot/EFI/GRUB/grubx64.efi is signed
✓ /boot/EFI/Microsoft/Boot/da-DK/bootmgr.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/el-GR/memtest.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/es-MX/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/kd_02_10ec.dll is signed
✓ /boot/EFI/Microsoft/Boot/lv-LV/bootmgfw.efi.mui is signed
✓ /boot/EFI/Microsoft/Boot/pl-PL/bootmgfw.efi.mui is signed


#2 2024-01-17 12:27:39

-thc
Member
Registered: 2017-03-15
Posts: 502

Re: Secure boot not working after changing EFI partition

yuvrajtalukdar wrote:

Then I tried turning on Secure Boot in the BIOS, and Secure Boot is not working.

Messages? Phenomena? Behaviors?

How do you choose between Windows and Arch? EFI Boot Manager? GRUB?


#3 2024-01-20 17:05:27

ectospasm
Member
Registered: 2015-08-28
Posts: 273

Re: Secure boot not working after changing EFI partition

I don't know about HP UEFI firmware, but at least on my new Lenovo ThinkPad I can't enable Secure Boot from the UEFI firmware menu itself.  This is a relatively fresh install (less than a month old), and it came with Windows 11 Home installed with Secure Boot enabled by default.

I never totally disabled Secure Boot to install Arch, but I did put it into Setup Mode so I could boot memtest86+ and the Arch ISO for installation (Setup Mode has the effect of temporarily disabling Secure Boot for maintenance/OS installation).  When I enabled Setup Mode, my ThinkPad UEFI firmware warned me that the Platform key was going to be cleared.  Ostensibly it's this which actually disables Secure Boot.

Since at least on my ThinkPad you can't install the Platform key from the UEFI firmware directly (where are you going to get it from?), I had to enable Secure Boot with sbctl enroll-keys --microsoft.  YMMV, but I'd try that since you're already using sbctl.

Even the developer/maintainer of sbctl, Foxboron seems a bit unclear on this;  he told me you need to enable Secure Boot in the UEFI firmware (which I couldn't do, or at least not from within my UEFI firmware menu).  Even if enroll-keys doesn't work directly, it should install the Platform key so you can enable Secure Boot in the UEFI firmware settings.


#4 2024-01-21 08:03:22

-thc
Member
Registered: 2017-03-15
Posts: 502

Re: Secure boot not working after changing EFI partition

ectospasm wrote:

I don't know about HP UEFI firmware, but at least on my new Lenovo ThinkPad I can't enable Secure Boot from the UEFI firmware menu itself.

That is rather strange. I never encountered a single ThinkPad - from older refurbished TP14's to fairly recent Yoga 7's - that hasn't had a dedicated Secure Boot switch in the UEFI firmware.

ectospasm wrote:

When I enabled Setup Mode, my ThinkPad UEFI firmware warned me that the Platform key was going to be cleared.

That's the point of the "Setup Mode". Only clearing the PK allows you to enroll all keys. My UEFI firmware instantly leaves the "Setup Mode" as soon as a new PK is installed.

ectospasm wrote:

Since at least on my ThinkPad you can't install the Platform key from the UEFI firmware directly (where are you going to get it from?), I had to enable Secure Boot with sbctl enroll-keys --microsoft.

As the Wiki mentions you can also use "KeyTool.efi" within the built-in EFI shell of the UEFI firmware to deploy the keys.


#5 2024-01-21 09:51:28

ectospasm
Member
Registered: 2015-08-28
Posts: 273

Re: Secure boot not working after changing EFI partition

-thc wrote:

That is rather strange. I never encountered a single ThinkPad - from older refurbished TP14's to fairly recent Yoga 7's - that hasn't had a dedicated Secure Boot switch in the UEFI firmware.

You can disable it completely, I wasn't saying you couldn't control it at all from the UEFI settings.  But at least when you enable Setup Mode, it clears the Platform key and it didn't look like I was able to re-enable it unless I installed the Platform key from the OS.

-thc wrote:

That's the point of the "Setup Mode". Only clearing the PK allows you to enroll all keys. My UEFI firmware instantly leaves the "Setup Mode" as soon as a new PK is installed.

Yes, my point exactly.

-thc wrote:

As the Wiki mentions you can also use "KeyTool.efi" within the built-in EFI shell of the UEFI firmware to deploy the keys.

Ahh, OK.  I know my UEFI firmware can reset everything to factory defaults, including the original Platform key, so if you really foul things up you can restore to baseline without too much trouble.

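The relationship posts #3 to #5 work through (clearing the PK puts the firmware into Setup Mode, installing a PK leaves it, and the SecureBoot variable is the enforcement switch that sbctl status reports as "Secure Boot: Disabled" in the first post) can be checked directly from the EFI variables without sbctl. The script below is an added example, not code from the thread, from sbctl or from the Arch wiki. It assumes the efivarfs layout (a 4-byte attribute header in front of each variable's data under /sys/firmware/efi/efivars/NAME-GUID) and the EFI_GLOBAL_VARIABLE GUID; the fixture helpers write constructed stand-ins (the PK payload is a dummy, not a real signature list) so the decoding can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not from the thread: decode the UEFI variables behind the
# states discussed above (SecureBoot, SetupMode and the Platform Key PK), the
# same variables "sbctl status" summarises.  On a live system efivarfs exposes
# each variable as /sys/firmware/efi/efivars/NAME-GUID, with a 4-byte attribute
# header ahead of the data; the functions take that directory as an argument so
# they can also run against a constructed copy (assumption: efivarfs layout).

EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE

# efivar_byte DIR NAME: first data byte (decimal) of a one-byte variable, or "absent".
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo absent; return 0; }
    od -An -t u1 -j 4 -N 1 "$f" | tr -d ' \n'
}

# efivar_data_len DIR NAME: bytes of variable data after the header, 0 if absent.
efivar_data_len() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo 0; return 0; }
    n=$(wc -c < "$f" | tr -d ' ')
    if [ "$n" -gt 4 ]; then echo $((n - 4)); else echo 0; fi
}

# sb_state DIR prints one of:
#   no-efivars    no SecureBoot variable at all (legacy boot or no efivarfs)
#   setup-mode    no PK enrolled (or SetupMode=1): nothing is enforced yet
#   enforcing     PK present and SecureBoot=1
#   user-mode-off PK present but the firmware switch is off (first post's status)
sb_state() {
    sb=$(efivar_byte "$1" SecureBoot)
    sm=$(efivar_byte "$1" SetupMode)
    pk=$(efivar_data_len "$1" PK)
    if [ "$sb" = absent ]; then
        echo no-efivars
    elif [ "$sm" = 1 ] || [ "$pk" -eq 0 ]; then
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo enforcing
    else
        echo user-mode-off
    fi
}

# --- constructed fixtures: stand-ins for a real efivarfs, used for the demo ---
write_u8_var() {   # write_u8_var DIR NAME VALUE : attribute header 0x07 (NV|BS|RT) + one byte
    printf '\007\000\000\000' > "$1/$2-$EFI_GLOBAL_GUID"
    printf "\\$(printf '%03o' "$3")" >> "$1/$2-$EFI_GLOBAL_GUID"
}

make_fixture() {   # make_fixture DIR SECUREBOOT SETUPMODE PK_PRESENT(0|1)
    mkdir -p "$1"
    write_u8_var "$1" SecureBoot "$2"
    write_u8_var "$1" SetupMode "$3"
    rm -f "$1/PK-$EFI_GLOBAL_GUID"          # a cleared PK is simply a deleted variable
    [ "$4" -eq 1 ] && printf '\007\000\000\000dummy-pk' > "$1/PK-$EFI_GLOBAL_GUID"
    return 0
}

# Stand-alone demo over the three states; on a real machine call
#   sb_state /sys/firmware/efi/efivars
tmp=$(mktemp -d)
make_fixture "$tmp" 0 1 0; echo "PK cleared in firmware:   $(sb_state "$tmp")"
make_fixture "$tmp" 0 0 1; echo "PK enrolled, switch off:  $(sb_state "$tmp")"
make_fixture "$tmp" 1 0 1; echo "PK enrolled, switch on:   $(sb_state "$tmp")"
rm -rf "$tmp"
```

The split matters for the original question: the first post's sbctl status shows "Setup Mode: Disabled" and "Secure Boot: Disabled", which in these terms is user-mode-off, a PK is enrolled but the firmware switch is off, so the next thing to look at is the firmware's own Secure Boot setting rather than the key enrolment.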
