
#1 2025-10-29 17:19:55

theberger23
Member
Registered: 2025-01-26
Posts: 9

Not able to boot after attempting to enable secure boot

I dual boot Arch and Windows 11 on my machine. I have had secure boot disabled since I installed Arch, but I wanted to play Battlefield Redsec (On Windows obv) and that requires it to be enabled.

I ran the following command

sudo grub-install --target=x86_64-efi --efi-directory=/boot/EFI --bootloader-id=GRUB --modules="tpm" --disable-shim-lock

After this I ran

sbctl status

and it instructed me to change settings in my motherboard firmware specific to my hardware. I rebooted into UEFI Setup and changed these settings. Then when I booted back into Arch I get this error message:

error: symbol 'grub_is_using_legacy_shim_lock_protocol' not found

So I chrooted into my system and finished creating and signing my keys with sbctl.

grub-install --target=x86_64-efi --efi-directory=/boot/EFI --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
sbctl status
sbctl create-keys
sbctl enroll-keys -m
sbctl verify
sbctl verify | sed -E 's|^.* (/.+) is not signed$|sbctl sign -s "\1"|e'

After this I run

sbctl verify

again and it shows all my files as verified.

Then I rebooted and enabled secure boot and cannot get past this error when trying to load into GRUB.

error: prohibited by secure boot policy

Is anyone familiar with this process/issue? I'm not sure if I missed a step in the process somewhere or if it is a problem with my hardware. If it helps I have an MSI Pro B-650 Motherboard.


Wiki pages referenced:
https://wiki.archlinux.org/title/Unifie … ecure_Boot
https://wiki.archlinux.org/title/Unifie … with_sbctl
https://wiki.archlinux.org/title/GRUB#S … ot_support

Offline

#2 2025-10-29 17:39:31

-thc
Member
Registered: 2017-03-15
Posts: 1,059

Re: Not able to boot after attempting to enable secure boot

On first glance you seem to have missed the signing of the grub efi executable and the kernel with your key:
https://wiki.archlinux.org/title/Unifie … ot#Signing

Offline

#3 2025-10-29 17:46:38

theberger23
Member
Registered: 2025-01-26
Posts: 9

Re: Not able to boot after attempting to enable secure boot

-thc wrote:

On first glance you seem to have missed the signing of the grub efi executable and the kernel with your key:
https://wiki.archlinux.org/title/Unifie … ot#Signing


Those files were signed with this command

sbctl verify | sed -E 's|^.* (/.+) is not signed$|sbctl sign -s "\1"|e'

I verified this by running

sbctl verify

and seeing that those files were verified.

Offline

#4 2025-10-29 18:37:32

Tiikerihai
Member
Registered: 2025-06-25
Posts: 13

Re: Not able to boot after attempting to enable secure boot

I think your issue is this:

--efi-directory=/boot/EFI

I'm pretty sure it's usually installed to /boot (folder structure: /boot/EFI/GRUB), and if you install a second copy of it in /boot/EFI (/boot/EFI/EFI/GRUB) it will be broken in this exact way. You'd have to delete the second copy and install to /boot.

Last edited by Tiikerihai (2025-10-29 18:40:12)

Offline
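The layout mistake Tiikerihai describes (grub-install given /boot/EFI as --efi-directory, so a second GRUB lands in /boot/EFI/EFI/GRUB) is easy to spot by looking for a nested EFI/EFI directory on the ESP. The script below is an added example, not code from the thread or from sbctl/GRUB: it builds two constructed ESP trees in a temporary directory (one with the duplicated layout, one without), reports stray loaders, and counts the .efi files. The function names (make_broken_esp, make_clean_esp, check_esp, count_loaders) are my own. It does not say which copy the firmware actually loaded, since the thread does not either; it only finds the duplicated layout so you know to remove it and re-run grub-install with the ESP mount point (here /boot, as in the thread) as --efi-directory.

```shell
#!/bin/sh
# Added example: detect a duplicated GRUB install under <ESP>/EFI/EFI.
# All paths are constructed under mktemp; nothing touches a real ESP.

# make_broken_esp -> prints the path of a constructed ESP tree that
# reproduces the thread's mistake (EFI/GRUB plus a second EFI/EFI/GRUB).
make_broken_esp() {
    root=$(mktemp -d)
    mkdir -p "$root/EFI/GRUB" "$root/EFI/EFI/GRUB" "$root/EFI/Microsoft/Boot"
    : > "$root/EFI/GRUB/grubx64.efi"          # first copy (expected location)
    : > "$root/EFI/EFI/GRUB/grubx64.efi"      # second copy from --efi-directory=/boot/EFI
    : > "$root/EFI/Microsoft/Boot/bootmgfw.efi"
    printf '%s\n' "$root"
}

# make_clean_esp -> prints the path of a constructed ESP tree with a
# single GRUB install in EFI/GRUB, i.e. what --efi-directory=/boot produces.
make_clean_esp() {
    root=$(mktemp -d)
    mkdir -p "$root/EFI/GRUB" "$root/EFI/Microsoft/Boot"
    : > "$root/EFI/GRUB/grubx64.efi"
    : > "$root/EFI/Microsoft/Boot/bootmgfw.efi"
    printf '%s\n' "$root"
}

# check_esp ESP_ROOT -> returns 0 when no nested EFI/EFI directory exists,
# 1 when the duplicated layout is present (and lists the stray loaders).
check_esp() {
    esp="$1"
    if [ -d "$esp/EFI/EFI" ]; then
        echo "nested layout found: $esp/EFI/EFI (grub-install was pointed at $esp/EFI instead of the ESP root)"
        find "$esp/EFI/EFI" -type f -name '*.efi' -exec echo "  stray loader: {}" \;
        return 1
    fi
    echo "no nested EFI/EFI directory under $esp"
    return 0
}

# count_loaders ESP_ROOT -> number of .efi files anywhere under ESP_ROOT/EFI
count_loaders() {
    ( cd "$1" && find EFI -type f -name '*.efi' | grep -c . )
}

# Demo run on the constructed broken tree.
broken=$(make_broken_esp)
if check_esp "$broken"; then
    echo "layout looks sane ($(count_loaders "$broken") loaders)"
else
    echo "fix: rm -r $broken/EFI/EFI, then rerun grub-install with --efi-directory=<ESP mount point>"
fi
rm -rf "$broken"
```

On a real system you would call check_esp with the ESP mount point (for this thread's setup, /boot) and, once the stray directory is gone, re-run sbctl verify so the remaining loader and kernel are the ones that carry your signature.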

#5 2025-10-29 22:01:08

theberger23
Member
Registered: 2025-01-26
Posts: 9

Re: Not able to boot after attempting to enable secure boot

Tiikerihai wrote:

I think your issue is this:

--efi-directory=/boot/EFI

I'm pretty sure it's usually installed to /boot (folder structure: /boot/EFI/GRUB), and if you install a second copy of it in /boot/EFI (/boot/EFI/EFI/GRUB) it will be broken in this exact way. You'd have to delete the second copy and install to /boot.

This was the exact issue. Thank you so much for pointing out my dumb mistake

Offline
