Hi! I have previously successfully configured dual boot with my Windows installation with Secure Boot following the Arch Wiki post https://wiki.archlinux.org/title/Unifie … ecure_Boot
Yesterday I somehow managed to screw up my bootloader and I couldn't get back into it.
To fix that I created a bootable drive and mounted my Arch install on it. The `/boot` directory was empty, so I created `/boot/efi` and mounted my EFI partition on it. I created the loader config and the Arch entry config. After that I reinstalled linux and linux-firmware with pacman and ran `mkinitcpio -P`. Then I ran `efibootmgr --create --disk /dev/nvme1n1 --part 1 --loader /EFI/systemd/systemd-bootx64.efi --label "Arch Linux" --unicode`.
After that I could boot into my Arch install, but when I tried to access Windows from the bootloader it threw me into the BitLocker recovery screen. If I boot straight to Windows, I get in with no problems, so I figured I just need to follow the steps that I did previously. I put my device in setup mode by deleting the keys in the BIOS, ran `sbctl create-keys`, which returned `Secure boot keys have already been created!`, then ran `sbctl enroll-keys -m` with no problems.
```
> sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/EFI/Linux/arch-linux.efi is signed
✓ /boot/EFI/Microsoft/Boot/sk-SK/bootmgfw.efi.mui is signed
✓ /boot/vmlinuz-linux is signed
✓ /boot/EFI/Linux/arch-linux-fallback.efi is signed
... alot of microsoft files

> sbctl status
Installed: ✓ sbctl is installed
Owner GUID: ...
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: microsoft
```
After all these steps I still get the BitLocker error when trying to launch Windows from the Linux bootloader.
Last edited by kikis202 (2025-01-13 23:17:23)
Please edit your post and use [ code ] tags, not markdown. It also appears your post is truncated. If you fixed the problem, please also prepend SOLVED to the title, so that folks know the solution is included, it may save someone else some time if they run into the same problem.
> Please edit your post and use [ code ] tags, not markdown. It also appears your post is truncated. If you fixed the problem, please also prepend SOLVED to the title, so that folks know the solution is included, it may save someone else some time if they run into the same problem.
Thanks for the info about the post getting truncated and the code tags, got rid of some of the `sbctl verify` output. The problem still persists after successfully signing all files with sbctl, I still get the BitLocker recovery screen after booting into Windows from systemd-boot.
> The `/boot` directory was empty, so I created `/boot/efi` and mounted my efi partition on it
Why did you do that? If the /boot/ directory on the root partition is empty that means you must have been mounting the EFI system partition under it. Why are you now mounting the ESP at a different location?
Reinstalling the kernel with that setup means you probably now have 2 sets of kernel images, one on the ESP and one on the root partition. That could get confusing in the future.
Check /etc/fstab to see where the ESP should be mounted and in future use the `mount -a` command after chrooting into the system to ensure all partitions are correctly mounted.
> After all these steps I still get the BitLocker error when trying to launch Windows from linux bootloader.
Sounds like something best pursued on a Windows forum.
Jin, Jîyan, Azadî
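The check suggested in the reply above (compare where `/etc/fstab` expects the ESP with where it is actually mounted, and look for a second set of kernel images), as an added shell example that is not part of the thread. The function names, messages and the `demo` sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are files so the check works
# on a live system, inside a chroot, or on the constructed sample below.

# Print the mount point of the first non-comment vfat entry in an fstab.
fstab_esp_dir() {
    awk '!/^[[:space:]]*#/ && $3 == "vfat" { print $2; exit }' "$1"
}

# Print every vfat mount point in a /proc/self/mounts-style file.
mounted_vfat_dirs() {
    awk '$3 == "vfat" { print $2 }' "$1"
}

# check_esp FSTAB MOUNTS [ROOT]
# Returns 0 if the ESP is mounted where fstab says, 1 if not, 2 if fstab
# has no vfat entry. Findings are printed one per line.
check_esp() {
    fstab=$1; mounts=$2; root=${3:-}
    want=$(fstab_esp_dir "$fstab")
    if [ -z "$want" ]; then
        echo "no vfat entry in $fstab"; return 2
    fi
    rc=0
    if ! mounted_vfat_dirs "$mounts" | grep -qxF -- "$want"; then
        echo "ESP is not mounted at $want; run 'mount -a' in the chroot"
        rc=1
        # Nothing vfat is mounted at $want, so kernel images found there
        # sit on the underlying filesystem: a second set of images.
        for img in "$root$want"/vmlinuz-*; do
            if [ -e "$img" ]; then echo "kernel image off the ESP: $img"; fi
        done
    fi
    for dir in $(mounted_vfat_dirs "$mounts"); do
        [ "$dir" = "$want" ] || echo "other vfat mount (misplaced ESP?): $dir"
    done
    return $rc
}

# Constructed sample of the situation in the thread: fstab expects the ESP
# at /boot, but it was mounted at /boot/efi before reinstalling the kernel.
demo() {
    t=$(mktemp -d); mkdir -p "$t/boot/efi"; : > "$t/boot/vmlinuz-linux"
    echo 'UUID=E9A1-0FE3 /boot vfat rw 0 2' > "$t/fstab"
    echo '/dev/nvme1n1p1 /boot/efi vfat rw 0 0' > "$t/mounts"
    status=0; check_esp "$t/fstab" "$t/mounts" "$t" || status=$?
    rm -rf "$t"; return $status
}

# Live use: check_esp /etc/fstab /proc/self/mounts
```

Running it before reinstalling the kernel or signing files with `sbctl` shows whether those steps would write to the ESP or to a directory on the root filesystem.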
> Why did you do that? If the /boot/ directory on the root partition is empty that means you must have been mounting the EFI system partition under it. Why are you now mounting the ESP at a different location?
> Reinstalling the kernel with that setup means you probably now have 2 sets of kernel images, one on the ESP and one on the root partition. That could get confusing in the future.
> Check /etc/fstab to see where the ESP should be mounted and in future use the `mount -a` command after chrooting into the system to ensure all partitions are correctly mounted.
I may have confused some of the steps that I took, but it seems to be fine now?
```
> cat /etc/fstab
# Static information about the filesystems.
# See fstab(5) for details.
# <file system> <dir> <type> <options> <dump> <pass>
# /dev/nvme1n1p2
UUID=73312132-a0dc-437f-b999-1333e6742cbe / btrfs rw,relatime,ssd,discard=async,space_cache=v2,subvol=/@ 0 0
# /dev/nvme1n1p2
UUID=73312132-a0dc-437f-b999-1333e6742cbe /home btrfs rw,relatime,ssd,discard=async,space_cache=v2,subvol=/@home 0 0
# /dev/nvme1n1p2
UUID=73312132-a0dc-437f-b999-1333e6742cbe /var/log btrfs rw,relatime,ssd,discard=async,space_cache=v2,subvol=/@log 0 0
# /dev/nvme1n1p2
UUID=73312132-a0dc-437f-b999-1333e6742cbe /var/cache/pacman/pkg btrfs rw,relatime,ssd,discard=async,space_cache=v2,subvol=/@pkg 0 0
# /dev/nvme1n1p2
UUID=73312132-a0dc-437f-b999-1333e6742cbe /.snapshots btrfs rw,relatime,ssd,discard=async,space_cache=v2,subvol=/@.snapshots 0 0
# /dev/nvme1n1p1
UUID=E9A1-0FE3 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
```
```
> ls /boot
EFI intel-ucode.img vmlinuz-linux
initramfs-linux-fallback.img loader
initramfs-linux.img 'System Volume Information'
> ls /boot/EFI
BOOT Linux Microsoft systemd
> ls /boot/EFI/BOOT
BOOTX64.EFI
```
I added `reboot-for-bitlocker yes` to my `/boot/loader/loader.conf` https://man.archlinux.org/man/loader.conf.5#OPTIONS
After that I rebooted and chose the Windows option on the systemd-boot selector.
Still had the BitLocker screen.
Entered the recovery key.
Rebooted.
After that both the Windows and Arch installations are accessible without issues.
My `/boot/loader/loader.conf`:
```
timeout 3
reboot-for-bitlocker yes
```