Arch ISO secure boot signed?

ervion · 2016-06-15 19:20:20

Am I correct, that the ISO from https://www.archlinux.org/download/ is NOT signed, so that it will not work with secure boot out of the box?

I did not manage to successfully boot (boot image did not authenticate) without swapping out PreLoader.efi or using my own custom signing keys. However, I am not sure, if I did something wrong, or if it is not supposed to work like that.

dockland · 2016-06-15 20:02:34

ervion wrote:

Am I correct, that the ISO from https://www.archlinux.org/download/ is NOT signed, so that it will not work with secure boot out of the box?
I did not manage to successfully boot (boot image did not authenticate) without swapping out PreLoader.efi or using my own custom signing keys. However, I am not sure, if I did something wrong, or if it is not supposed to work like that.

Here you go

https://wiki.archlinux.org/index.php/Secure_Boot

ervion · 2016-06-15 20:14:55

I am sorry, but i have already read through that many times before posting here.

It says "Booting the archiso with Secure Boot enabled is possible...". Wiki also says "Archiso is a small set of bash scripts...", but as booting a set of bash scripts is utter nonsense, I am guessing, that in this context "archiso" instead means the iso, that can be downloaded from https://www.archlinux.org/download/.

Booting with secure boot enabled is only possible, if the bootloader is signed with keys, that are trusted by the hardware. I know, that some linux bootloaders are signed with Microsoft's key, which is present in all laptops. Therefore I am guessing, that this wiki page means to say, that arch iso is also signed with Microsoft's key?

However, if i enable secure boot from bios and try to boot arch iso, my computer reports, that "boot image did not verify". Also I found multiple occasions of people using their own signing keys, therefore I am in doubt, that maybe the arch iso is not signed by Microsoft's key after all.

That's why I would be glad, if anyone could confirm one way or the other: should arch iso work with secure boot, or is it not signed and will only work after being signed by a custom key?

ewaller · 2016-06-15 20:51:03

You can boot the iso in secure boot mode.
Re-read section 2.1

Last edited by ewaller (2016-06-15 20:51:48)

ervion · 2016-06-15 21:01:42

Ok, let me verify, that I understand that wiki page correctly:

I take the arch iso, dd it to a usb, turn on secure boot in bios (with default, factory keys), boot from usb, and I am supposed to get "Failed to Start loader... I will now execute HashTool" message?

I do not get that message, instead i am greeted with bios error "the boot image did not authenticate". I checked the checksums and gpg signature of the iso, also verified after being written to usb. I get the same behaviour on multiple computers.

ewaller · 2016-06-15 21:45:45

Will your system secure boot from USB? Some won't (like a dell Inspiron I've been cursed with at work). My HP Envy works perfectly and performs as advertised..

Check to see if that usb drive works on other machines.

ervion · 2016-06-15 22:02:17

I tested Arch on two computers (dell inspiron and hp probook) and it did not boot on either of them.

I wrote Fedora workstation live image to the same usb, and it booted with secure boot enabled on both of them without problems.

Very interesting, that some laptops have such limit. Unfortunately (of, fortunately ) this does not seem to be my issue at the moment.

Arch Linux

#1 2016-06-15 19:20:20

Arch ISO secure boot signed?

#2 2016-06-15 20:02:34

Re: Arch ISO secure boot signed?

#3 2016-06-15 20:14:55

Re: Arch ISO secure boot signed?

#4 2016-06-15 20:51:03

Re: Arch ISO secure boot signed?

#5 2016-06-15 21:01:42

Re: Arch ISO secure boot signed?

#6 2016-06-15 21:45:45

Re: Arch ISO secure boot signed?

#7 2016-06-15 22:02:17

Re: Arch ISO secure boot signed?

Board footer