#1 2025-10-24 17:52:48

Pfaust
Member
Registered: 2025-10-24
Posts: 2

Issues with setting up secure boot with GRUB

I’m trying to run Secure Boot with my own CA keys (enrolled via `sbctl`). GRUB loads fine, but any Linux kernel fails to boot.

Docs I followed

- GRUB → Secure Boot support: https://wiki.archlinux.org/title/GRUB#S … ot_support (CA-Keys, with disabled shim lock)
- UEFI / Secure Boot (sbctl assisted): https://wiki.archlinux.org/title/Unifie … with_sbctl

GRUB install
I had to include several modules to get the GRUB menu to show; without them I hit an error before the menu. Current install command:

```
sudo grub-install \
  --target=x86_64-efi \
  --efi-directory=/boot \
  --bootloader-id=GRUB \
  --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gzio gfxterm loadenv configfile tpm" \
  --disable-shim-lock
```

Problem
GRUB starts, but selecting any kernel (Arch or Cachy) immediately fails with:

```
error: verification requested but nobody cares: /vmlinuz-linux-cachyos
```

Same behavior for the Arch kernel as well.

Signatures (sbctl verify)
All relevant EFI images and kernels appear to be signed:

```
$ sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/grub/x86_64-efi/grub.efi is signed
✓ /boot/vmlinuz-linux is signed
✓ /boot/vmlinuz-linux-cachyos is signed
✓ /boot/vmlinuz-linux-cachyos-bore is signed
✓ /boot/EFI/GRUB/grubx64.efi is signed
✓ /boot/grub/x86_64-efi/core.efi is signed
```

What I’ve tried / Observations

- Adding the modules above is the only way I can reach the GRUB menu; otherwise I get an error before the menu. Found in this discussion: https://bbs.archlinux.org/viewtopic.php?id=279146
- Both the Arch kernel and Cachy kernels are signed (per `sbctl verify`) but fail with the same GRUB error.

My GRUB version: 2:2.12.r418.g6b5c671d-1.1
My sbctl version: 0.18-1.1

Offline

#2 2025-11-02 12:12:02

lystor
Member
Registered: 2025-11-02
Posts: 2

Re: Issues with setting up secure boot with GRUB

Hi, @Pfaust
I have the same problem.
Have you fixed it?
Thank you

Offline

#3 2025-11-02 12:48:32

ScriptElephant
Member
Registered: 2025-11-02
Posts: 1

Re: Issues with setting up secure boot with GRUB

Hello from me too, @Pfaust
Personally haven't tried it — I personally don't like Grub on EFI — but the Gentoo wiki says you probably need the pgp module, since that's how grub checks files:

```
Error: verification requested but nobody cares: (<drive>,<partition>)/grub/<architecture>/<grub module>.mod.
```

Ensure that the pgp GRUB module is embedded into the GRUB executable; GRUB needs this module embedded because this is the module that verifies other modules and files.

(The error doesn't match exactly, but my best guess is that you've set the root variable earlier & perhaps Gentoo uses a slightly different path layout :) )
https://wiki.gentoo.org/wiki/Secure_Boo … le.3E.mod.

Your install command would be something like

```
sudo grub-install \
  --target=x86_64-efi \
  --efi-directory=/boot \
  --bootloader-id=GRUB \
  --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gzio gfxterm loadenv configfile tpm pgp" \
  --disable-shim-lock
```

hope it helps or you figure it out yourself - in the latter case at least one person would be really glad if you did

Offline

#4 2025-11-03 17:44:39

Pfaust
Member
Registered: 2025-10-24
Posts: 2

Re: Issues with setting up secure boot with GRUB

lystor wrote:

Hi, @Pfaust
I have the same problem.
Have you fixed it?
Thank you

Hey @lystor
Unfortunately not. I switched to systemd-boot, copied my Windows EFI into the esp/EFI, and wrote the entry conf files, and now it works.

Offline

#5 2025-11-03 18:08:48

lystor
Member
Registered: 2025-11-02
Posts: 2

Re: Issues with setting up secure boot with GRUB

Hi @Pfaust,
I solved the problem the same way.
I didn't want to sign all required GRUB modules with PGP. It is overkill.
GRUB is RIP for me.

Offline
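
The coverage check behind the PGP route discussed in posts #3 and #5, as an added example that is not part of any post in this thread: GRUB's pgp verifier looks for a detached signature named `<file>.sig` beside each file it loads, so this script lists boot files whose signature is missing, stale or (optionally) invalid. The function name `audit_grub_sigs`, the file-name patterns and the keyring argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list files under a boot directory that
# GRUB's pgp verifier would refuse for lack of a current detached "<file>.sig".
# Assumptions: the name patterns below are illustrative, and the optional
# keyring is a binary `gpg --export` of the signing key.

# audit_grub_sigs DIR [KEYRING]
#   MISSING <path>  no <path>.sig next to the file
#   STALE <path>    file modified after its signature was made
#   BAD <path>      signature does not verify against KEYRING (if given)
# Returns 0 when nothing is reported, 1 otherwise.
audit_grub_sigs() {
    dir=$1
    keyring=${2:-}
    report=$(
        # Candidate files; the signatures themselves are excluded.
        find "$dir" -type f ! -name '*.sig' \( -name 'vmlinuz*' \
            -o -name '*.img' -o -name '*.cfg' -o -name '*.mod' \
            -o -name '*.lst' -o -name '*.pf2' \) | sort |
        while IFS= read -r f; do
            if [ ! -f "$f.sig" ]; then
                printf 'MISSING %s\n' "$f"
            elif [ "$f" -nt "$f.sig" ]; then
                printf 'STALE %s\n' "$f"
            elif [ -n "$keyring" ] &&
                 ! gpgv --keyring "$keyring" "$f.sig" "$f" >/dev/null 2>&1; then
                printf 'BAD %s\n' "$f"
            fi
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Call it as `audit_grub_sigs /boot`; pass a binary `gpg --export` of the signing key as a second argument to have `gpgv` check each signature as well.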
