
#1 2024-12-21 07:41:19

approx
Member
Registered: 2024-12-21
Posts: 4

Secure Boot Support (or «bypass») on Portable Arch Installation

Hello forum,

I am now in the process of making a portable ISO of a full Arch Linux installation. Now I'm faced with the fact that I have to manually disable Secure Boot on every new PC before booting. (My idea is to simply run Linux on any computer without unnecessary actions, like disabling SB in the BIOS settings every time on every new machine.)

I have some questions about it and expected solutions.

1. Do I understand correctly that even if I sign the bootloader, this signature would still not make sense on another PC?

2. If not, can I somehow «bypass» the Secure Boot check without manually disabling it in the BIOS settings? Maybe shim or shim-signed can help?

3. Maybe, I can use another bootloader instead of GRUB to make this work?

Both the help and the theory will be greatly appreciated.


#2 2024-12-21 11:13:47

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 9,003

Re: Secure Boot Support (or «bypass») on Portable Arch Installation

I think the best you can do is use shim-signed and the MOK manager to get the ISO to boot:

https://wiki.archlinux.org/title/Unifie … y_for_shim

You won't have to disable SecureBoot but I think you will have to enrol the ISO on every machine.


Jin, Jîyan, Azadî

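The shim route Head_on_a_Stick describes works because shim (Microsoft-signed, so the firmware's db accepts it) chain-loads the real boot loader only if that loader is trusted, and otherwise drops into MokManager so the user can enroll it; the enrolment is stored in that one machine's NVRAM, which is why it has to be repeated per PC. The following is an added example, not code from the thread, from shim or from Arch: it stages the EFI/BOOT layout the Arch wiki uses for shim (shim as BOOTX64.EFI, MokManager as mmx64.efi, the loader renamed to grubx64.efi) and models the per-machine trust decision. The three EFI binaries are constructed placeholder bytes, and the model reduces shim's real checks (Authenticode signatures against db, the vendor certificate built into shim, and MokList) to SHA-256 hashes, which MokManager can also enroll.

```python
"""Model of the shim -> MokManager hand-off for a portable ESP.

Added example (not from the thread, shim or Arch).  EFI binaries are
constructed placeholders; trust is modelled as SHA-256 hashes only.
"""
import hashlib
import pathlib
import tempfile


def sha256_file(path: pathlib.Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def stage_shim_esp(esp_root, shim: bytes, mokmanager: bytes, loader: bytes) -> pathlib.Path:
    """Lay out EFI/BOOT on the removable medium as the Arch wiki describes for
    shim: shim takes the removable-media name BOOTX64.EFI, MokManager sits
    beside it as mmx64.efi, and the real loader is renamed grubx64.efi, the
    default name shim tries to chain-load."""
    boot = pathlib.Path(esp_root) / "EFI" / "BOOT"
    boot.mkdir(parents=True, exist_ok=True)
    (boot / "BOOTX64.EFI").write_bytes(shim)
    (boot / "mmx64.efi").write_bytes(mokmanager)
    (boot / "grubx64.efi").write_bytes(loader)
    return boot


class Machine:
    """Trust state that lives in one PC's firmware NVRAM, not on the stick:
    MokList is written by MokManager on that machine only."""

    def __init__(self, name: str):
        self.name = name
        self.mok_hashes = set()

    def enroll_hash(self, digest: str) -> None:
        # Equivalent to choosing "Enroll hash from disk" in MokManager.
        self.mok_hashes.add(digest)


def shim_decision(machine: Machine, boot_dir: pathlib.Path) -> str:
    """After the firmware has verified BOOTX64.EFI (shim) against db, shim
    launches grubx64.efi only if this machine trusts it; otherwise it falls
    back to MokManager (mmx64.efi)."""
    loader = boot_dir / "grubx64.efi"
    if not loader.exists():
        return "mmx64.efi"  # nothing to chain-load; MokManager is all shim can offer
    if sha256_file(loader) in machine.mok_hashes:
        return "grubx64.efi"
    return "mmx64.efi"


def demo() -> dict:
    """Stage one stick, enroll it on machine A, then carry it to machine B."""
    with tempfile.TemporaryDirectory() as esp:
        boot = stage_shim_esp(esp, b"SHIM-PLACEHOLDER", b"MOKMANAGER-PLACEHOLDER",
                              b"GRUB-PLACEHOLDER")
        a, b = Machine("laptop A"), Machine("laptop B")
        before = shim_decision(a, boot)
        a.enroll_hash(sha256_file(boot / "grubx64.efi"))
        return {
            "A before enrolment": before,
            "A after enrolment": shim_decision(a, boot),
            "B (never enrolled)": shim_decision(b, boot),
        }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Machine B never sees the hash enrolled on machine A, so the stick lands in MokManager again there; re-signing grubx64.efi on the stick changes nothing about that, because the trust decision is made against state the stick does not carry.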

#3 2024-12-21 12:57:10

cryptearth
Member
Registered: 2024-02-03
Posts: 2,160

Re: Secure Boot Support (or «bypass») on Portable Arch Installation

to keep it within reason:
what you're asking for is exactly what secureboot is designed to prevent: running unauthorized code
even using shim won't help here - as it's yet another stub loader which was granted a signature from Microsoft but also has to verify everything it loads and executes
in combination with mok-manager it is a simple tool to enroll keys and hashes - but it still requires manual user interaction - and depending on the specific implementation of a system's firmware might not help at all
if, however, a bypass were found it would break secureboot entirely, making it use- and worthless - and with a working exploit you would have a very powerful tool at hand, only equaled by some way to break dnssec or something similar

so the short answer: save yourself a lot of trouble trying the impossible and just swallow both the red and the blue pill and get on with it; you have to disable secureboot on any system not planned to run windows anyway - everything else will just cost you sleepless nights


#4 2024-12-24 10:18:36

approx
Member
Registered: 2024-12-21
Posts: 4

Re: Secure Boot Support (or «bypass») on Portable Arch Installation

Big thanks for help! So, I guess I should have heard that it's impossible one more time, haha. I will disable Secure Boot every time on every new machine.

Another question: Maybe I can make GRUB only for BIOS (not UEFI), i386-pc systems? After all, BIOS systems do not have Secure Boot support, and, as far as I know, new machines are still able to boot «old» BIOS systems. Will machines start my system in that case?


#5 2024-12-24 12:38:59

cryptearth
Member
Registered: 2024-02-03
Posts: 2,160

Re: Secure Boot Support (or «bypass») on Portable Arch Installation

it's not that easy - but from the PC's side
to create a hybrid boot medium that can boot both on legacy systems as well as on uefi systems - that's the easy part
but as for the platform there are at least three options:
1) an old-school pre-uefi system: such a system doesn't even know what uefi is but always requires an i386 16bit mbr bootloader
2) a modern uefi system: it requires a platform-compatible 32bit or usually 64bit uefi executable - it doesn't matter if that's a full-blown bootmanager like grub or windows or a small stub like in a UKI environment where a uefi stub loader is packed with a kernel, its commandline options and an initrd
3) a uefi but set to legacy / with enabled CSM: csm is short for Compatibility System Module and downgrades a modern uefi to emulate an oldschool bios

on its own uefi can only boot in the mode it's set to: uefi or legacy
if it's set to uefi then any legacy bios mbr bootcode will be ignored but a uefi stub is required
when it's set to legacy only old bios mbr boot can be done

many bootmedia support both in a hybrid config - but it's up to the board how to boot

this is for classic x86 - I'm not sure about alternative stuff like coreboot / u-boot or other platforms like arch or risc-v - but as this forum targets vanilla 64bit arch anyway that's about ok

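cryptearth's post above describes hybrid media that carry both a legacy MBR boot sector (for pre-UEFI firmware or CSM) and a GPT with an EFI System Partition (for native UEFI), with the board deciding which path it takes. As an added example that is not part of the thread, here is a Python checker that reads a disk image's MBR and primary GPT and reports whether the medium offers a legacy boot sector, an ESP, both ("hybrid") or neither. The sample image is constructed in memory; the ESP type GUID is the standard one from the UEFI specification, and the CRC checks follow the GPT header layout.

```python
"""Classify a disk image as legacy-, UEFI- or hybrid-bootable from its MBR and GPT.

Added example, not from the thread.  The sample image is constructed in memory.
"""
import struct
import uuid
import zlib

SECTOR = 512
# EFI System Partition type GUID from the UEFI specification.
ESP_TYPE_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")


def has_legacy_boot_code(image: bytes) -> bool:
    """Legacy BIOS firmware needs the 0x55AA signature at offset 510 and some
    bootstrap code in the first 446 bytes of LBA 0 (GRUB's boot.img lives there)."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return False
    return any(mbr[:446])


def gpt_esp_partitions(image: bytes) -> list:
    """Return (first_lba, last_lba, name) for every ESP in the primary GPT,
    or [] when there is no valid GPT (bad signature or CRC)."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        return []
    header_size = struct.unpack_from("<I", hdr, 12)[0]
    stored_crc = struct.unpack_from("<I", hdr, 16)[0]
    # The header CRC is computed with the CRC field itself zeroed.
    calc_crc = zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:header_size]) & 0xFFFFFFFF
    if calc_crc != stored_crc:
        return []
    entries_lba, n_entries, entry_size, array_crc = struct.unpack_from("<QIII", hdr, 72)
    start = entries_lba * SECTOR
    array = image[start:start + n_entries * entry_size]
    if zlib.crc32(array) & 0xFFFFFFFF != array_crc:
        return []
    found = []
    for i in range(n_entries):
        entry = array[i * entry_size:(i + 1) * entry_size]
        if len(entry) < 128:
            break
        type_guid = uuid.UUID(bytes_le=entry[0:16])  # GPT GUIDs are mixed-endian
        if type_guid.int == 0:
            continue  # unused slot
        if type_guid == ESP_TYPE_GUID:
            first, last = struct.unpack_from("<QQ", entry, 32)
            name = entry[56:128].decode("utf-16-le").rstrip("\0")
            found.append((first, last, name))
    return found


def classify(image: bytes) -> str:
    legacy = has_legacy_boot_code(image)
    uefi = bool(gpt_esp_partitions(image))
    if legacy and uefi:
        return "hybrid"
    if legacy:
        return "legacy-only"
    if uefi:
        return "uefi-only"
    return "not bootable"


def build_sample_image(legacy_code: bool, with_esp: bool) -> bytes:
    """Constructed image: LBA0 = (protective) MBR, LBA1 = GPT header, LBA2.. = entries."""
    mbr = bytearray(SECTOR)
    if legacy_code:
        mbr[0:3] = b"\xeb\x63\x90"  # constructed jump stub standing in for boot.img
    # protective MBR entry of type 0xEE covering the whole disk
    struct.pack_into("<BBBBBBBBII", mbr, 446, 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, 0xFFFFFFFF)
    mbr[510:512] = b"\x55\xaa"

    entries = bytearray(128 * 128)
    if with_esp:
        struct.pack_into("<16s16sQQQ", entries, 0, ESP_TYPE_GUID.bytes_le,
                         uuid.uuid4().bytes_le, 34, 2081, 0)
        entries[56:68] = "EFI-SP".encode("utf-16-le")
    hdr = bytearray(SECTOR)
    hdr[0:8] = b"EFI PART"
    struct.pack_into("<IIII", hdr, 8, 0x00010000, 92, 0, 0)   # revision, size, crc=0, reserved
    struct.pack_into("<QQQQ", hdr, 24, 1, 2082, 34, 2047)     # this LBA, backup, first/last usable
    hdr[56:72] = uuid.uuid4().bytes_le
    struct.pack_into("<QIII", hdr, 72, 2, 128, 128, zlib.crc32(entries) & 0xFFFFFFFF)
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr[:92]) & 0xFFFFFFFF)
    return bytes(mbr) + bytes(hdr) + bytes(entries)


if __name__ == "__main__":
    for legacy, esp in ((True, True), (True, False), (False, True)):
        print(legacy, esp, "->", classify(build_sample_image(legacy, esp)))
```

The check only tells you what the medium offers; as the post says, which path the firmware actually takes is decided by its UEFI/legacy setting, and a legacy-only result on a machine without CSM means the medium will not boot there at all.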

#6 2024-12-24 12:45:56

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 9,003

Re: Secure Boot Support (or «bypass») on Portable Arch Installation

My current laptop doesn't offer CSM. I think that might be quite common these days.


Jin, Jîyan, Azadî


#7 2024-12-24 14:38:33

Arlunlux
Member
From: Germany
Registered: 2024-12-23
Posts: 9

Re: Secure Boot Support (or «bypass») on Portable Arch Installation

Making your boot stick BIOS compatible wouldn't really solve your issue because you usually have to go into the BIOS anyway to enable legacy mode; at this point you might as well disable Secure Boot. And as @cryptearth mentioned, that would also compromise the whole idea of Secure Boot.


#8 2024-12-29 09:09:10

approx
Member
Registered: 2024-12-21
Posts: 4

Re: Secure Boot Support (or «bypass») on Portable Arch Installation

big thanks everyone!


#9 2024-12-29 11:04:11

progandy
Member
Registered: 2012-05-17
Posts: 5,311

Re: Secure Boot Support (or «bypass») on Portable Arch Installation

As a side note: Other distributions like Fedora come with their own shim builds signed by Microsoft. Those shims include a certificate for their official kernel images, so booting without Secure Boot modifications should be possible. Arch does not have such a custom shim build, so manual intervention is necessary. (Edit: I seem to remember some talk about adding a BIOS option to disable automatic Secure Boot trust for those third-party bootloaders when Windows comes preinstalled. So called "Windows 11 Secured-core PCs".)

Maybe it could be possible to create a Frankenstein distro with Arch userland and Fedora kernel, but good luck with that.

Last edited by progandy (2024-12-29 11:08:29)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |


#10 2024-12-29 11:19:02

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 9,003

Re: Secure Boot Support (or «bypass») on Portable Arch Installation

progandy wrote:

I seem to remember some talk about adding a bios option to disable automatic secure boot trust for those third-party bootloaders when windows comes preinstalled. So called "Windows 11 Secured-core PCs"

Instructions here: https://download.lenovo.com/pccbbs/mobi … re_PCs.pdf

progandy wrote:

Maybe it could be possible to create a frankenstein distro with arch userland and fedora kernel, but good luck with that.

The trick is to use dracut instead of mkinitcpio.


Jin, Jîyan, Azadî

