Hey there,
I'm having some trouble enabling SecureBoot on my desktop. I have done it successfully on a number of portables with various methods, but this time I'm at a loss. Maybe I just don't understand my UEFI, so perhaps someone with a similar board can help out. My goal is to enable SecureBoot with Windows Dual Boot.
My setup is:
Asus X670E ProArt
systemd-boot with UKI (kernel-install + ukify)
Windows Bootloader is copied to /boot and works
I have tried the assisted methods, which usually work fine; now I'm at the fully manual setup because the assisted ones didn't work. I generated the keys and enrolled them all manually, and I tried with the command-line tool (which bootctl claims my mainboard supports), but after a reboot, bootctl claims that SecureBoot is disabled, and so is setup mode. My understanding was that after enrolling the keys, SecureBoot enforcement should be on?
SecureBoot Menu
SecureBoot Key Menu
systemd-boot
Last edited by Rays42 (2025-08-18 12:35:02)
but after a reboot, bootctl claims that SecureBoot is disabled, and so is setup mode.
AFAIK the setup mode is only used for manipulating the PK key. After installing this key the custom/user mode should be active.
My understanding was that after enrolling the keys, SecureBoot enforcement should be on?
Not as I recall it - there should be a separate "enable" option.
What does Windoze have to say (msinfo32.exe)?
It agrees with bootctl, saying that it's off. I also checked everywhere, incl. the BIOS manual, and there isn't a separate enable toggle.
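Added example, not part of any post in this thread: a small shell check that reads the `SecureBoot` and `SetupMode` firmware variables from efivarfs and names the resulting state, including the "both off" combination reported above. The `EFIVARS` override and the state labels are assumptions of this example; the GUID is the standard EFI global variable GUID.

```shell
#!/bin/sh
# Classify the firmware Secure Boot state from efivarfs.
# EFIVARS can be pointed at a directory of sample files (assumption of this example).
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI global variable GUID

# efivarfs files start with a 4-byte attribute header, followed by the data.
# SecureBoot and SetupMode are single-byte values, so the value is byte 5.
efi_byte() {
    f="$EFIVARS/$1-$GLOBAL_GUID"
    [ -r "$f" ] || { echo missing; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    echo "${v:-missing}"
}

# Prints one label (labels are this example's own naming):
#   setup               SetupMode=1, SecureBoot=0: no PK, key variables writable
#   user-enforcing      SetupMode=0, SecureBoot=1: PK enrolled, signatures checked
#   user-not-enforcing  SetupMode=0, SecureBoot=0: PK enrolled, but enforcement
#                       is switched off in the firmware settings
#   unknown             variables missing (legacy boot, no efivarfs) or unexpected
secureboot_state() {
    sm=$(efi_byte SetupMode)
    sb=$(efi_byte SecureBoot)
    case "$sm:$sb" in
        1:0) echo setup ;;
        0:1) echo user-enforcing ;;
        0:0) echo user-not-enforcing ;;
        *)   echo unknown ;;
    esac
}

# Report the state of the running machine.
echo "SetupMode=$(efi_byte SetupMode) SecureBoot=$(efi_byte SecureBoot) -> $(secureboot_state)"
```

A result of `user-not-enforcing` means the keys are enrolled and the remaining switch is a firmware setting, not a key problem.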
Did you check the PDF manual?
https://www.asus.com/motherboards-compo … EATOR-WIFI
Click "Manual & Document", then "PRIME PROART TUF GAMING AMD AM5 Series BIOS Manual ( English Edition )"
Pages 82+
To boot with Windows, you need to change from "Other OS" to "Windows UEFI Mode"
Last edited by StarWolf3000 (2025-08-19 06:38:16)
Mainboard: GIGABYTE B550 AORUS ELITE V2 | CPU: Ryzen 7 5800X | RAM: 32 GB
GPU: GeForce RTX 4060 8 GB (575.64.05 proprietary) | Display: BenQ BL2405 1920x1080
Kernel: 6.15.9 stable | Boot Manager: GRUB2 | DE: KDE Plasma | Login Manager: SDDM | Window Manager: KWin (Wayland)
Did you check the PDF manual?
https://www.asus.com/motherboards-compo … EATOR-WIFI
Click "Manual & Document", then "PRIME PROART TUF GAMING AMD AM5 Series BIOS Manual ( English Edition )"
Pages 82+
To boot with Windows, you need to change from "Other OS" to "Windows UEFI Mode"
Yes, that was my original mistake - in fact I need to switch to Windows UEFI Mode for Secure Boot to be enabled at all. Other OS just means "off".
However, I still failed enrolling multiple keys. I followed the various versions of the guide and I'm able to enroll my KEK + DB, and then I try to enroll the Microsoft keys (add db/kek) and it says permission denied, whether or not the PK is already enrolled, even if I'm still in setup mode. The firmware will only let me enroll one key. I tried to "append" explicitly, but same issue. When I try to do it manually via the firmware by enrolling my keys and then the Microsoft keys via append, systemd-boot causes a violation/manipulation error and won't launch. However, when I only enroll my own keys it all works, Arch boots and SB is enabled. I have tried every version and order of enrolling and rebooting and changing settings I could think of. I hope it's not a firmware bug. My current workaround is to just enroll the Microsoft keys and only enable secure boot when I need to launch a specific application on Windows that requires it, but I'd really prefer it set up properly.
Maybe someone with a very similar board can try it?
Maybe your mainboard's key management is restricted.
Whenever I need to change/add keys I use "KeyTool.efi" instead. Have you tried it?
It's part of the "efitools" package. Just copy it to your EFI partition, start the internal/mainboard UEFI shell (not edk2-shell) and launch it.