
#1 2025-11-28 17:04:23

aopi
Member
Registered: 2025-11-28
Posts: 3

[SOLVED] Dual boot on separate drives with Secure Boot enabled.

Hello. I am attempting to dual boot Arch Linux and Windows 11 on two separate drives with Secure Boot enabled. I require it for some games on Windows 11 and would like to implement it into Arch Linux to conveniently switch between the two OSes. I plan to use sbctl to implement the keys and GRUB as the boot loader. I am lost on how to achieve this.

Should I share one ESP or use a separate ESP for each drive? I am unsure if the keys need to be signed in one central location or if it is as simple as signing the keys for Arch's ESP if they were separate. As far as I understand, you need to delete at least the Platform Key to enable Setup Mode to then continue setting up with sbctl. My confusion is, if I delete the PK with Windows installed first with separate ESPs and then set up Arch with sbctl, would that overwrite its key or cause any conflict?

I'm not too sure if I'm approaching this the right way or there is a better solution.

Last edited by aopi (2025-11-30 12:48:46)


#2 2025-11-28 19:14:28

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 25,142

Re: [SOLVED] Dual boot on separate drives with Secure Boot enabled.

What mainboard? A lot of the behavior here hinges on whether your implementation is remotely sane or not.

Shared or separate ESPs should be completely irrelevant; the keys are stored in a central location regardless (the UEFI NVRAM/TPM). Which location you procure and store the keys in to re-sign your kernel images is irrelevant to the UEFI's further function, as long as you provide valid keys when doing so. I doubt that "deleting the platform key is necessary for enabling setup mode" is a universal thing, and if really needed it would be very specific to your mainboard, hence the initial question. If you follow the sbctl setup guide properly, it mentions that you can tell it to store Microsoft's keys as well as your own with the "-m" flag.

Last edited by V1del (2025-11-28 19:16:00)


#3 2025-11-29 11:55:32

aopi
Member
Registered: 2025-11-28
Posts: 3

Re: [SOLVED] Dual boot on separate drives with Secure Boot enabled.

V1del wrote:

What mainboard?

I have an ASUS ROG Crosshair VIII Hero WIFI on BIOS ver 4902.

V1del wrote:

I doubt that "deleting platform key necessary for enabling setup mode" is a universal thing and if really needed would be very specific to your mainboard, hence the initial question.

I'm not sure how to check if I need to delete the PK or not for my mainboard. Would I just create, enroll with the "-m" flag, then sign the keys without deleting the PK?

Thank you for clearing up the ESP and key locations!

Last edited by aopi (2025-11-29 12:02:29)


#4 2025-11-29 15:03:26

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 25,142

Re: [SOLVED] Dual boot on separate drives with Secure Boot enabled.

No, I seem to have misread; you're most likely going to delete the PK, but as long as you enroll together with the -m flag the otherwise relevant Microsoft keys should get retained/re-added. If you properly follow the steps outlined in https://wiki.archlinux.org/title/Unifie … ecure_Boot you should be able to succeed. If you're looking for a guarantee, unless you find someone with the same MB that has tried this it's impossible to say for sure, though it will™ most likely work.

Last edited by V1del (2025-11-29 15:04:00)


#5 2025-11-30 11:18:11

aopi
Member
Registered: 2025-11-28
Posts: 3

Re: [SOLVED] Dual boot on separate drives with Secure Boot enabled.

Reporting back with Secure Boot enabled! If anyone else has my mainboard include the "-f" flag when enrolling your keys. Although I can successfully boot Arch, the GRUB menu is no longer visible. Checking in /etc/default/grub, GRUB_TIMEOUT=5 and GRUB_TIMEOUT_STYLE=menu is set. When installing GRUB the only other flags I have added are "--modules="tpm" --disable-shim-lock". I have also tried disabling Fast Boot. I'll be happy to provide any logs or files needed.

[EDIT]: After rebooting, I saw the GRUB menu. I realized my monitor powers up rather slow from a cold state which is why I would not see it when I would power on my PC. Looks like I need to increase my timeout time. It makes me wonder if I boot faster with Secure Boot enabled. Thank you for all of the help!!

Last edited by aopi (2025-11-30 12:54:23)

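Added example (my own script, not code from the thread or the Arch wiki): the two checks a practitioner wants before running the sequence the thread converges on, plus that sequence wrapped in a function. It reads the SecureBoot and SetupMode EFI variables directly from efivarfs (assumed mounted at /sys/firmware/efi/efivars) so you can tell whether the PK is really cleared before enrolling, and it reproduces the sbctl enroll-keys -m -f and grub-install --modules="tpm" --disable-shim-lock flags from the posts. The ESP mount point (/boot), bootloader id (GRUB) and kernel file name (vmlinuz-linux) are assumptions, as is my reading of sbctl's -f as --firmware-builtin; check them against your own layout and `sbctl enroll-keys --help`.

```shell
#!/bin/sh
# Added example, not from the thread. Checks Secure Boot / Setup Mode state
# from efivarfs, then wraps the sbctl + GRUB sequence discussed in the posts.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}   # assumed efivarfs mount point
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
ESP=${ESP:-/boot}                               # assumed ESP mount point
GRUB_ID=${GRUB_ID:-GRUB}                        # assumed --bootloader-id

# An efivarfs file is 4 bytes of attributes followed by the variable data.
# SecureBoot and SetupMode each hold one data byte: 1 = true, 0 = false.
efivar_byte() {
    [ -r "$1" ] || return 1
    b=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    [ -n "$b" ] || return 1
    echo "$b"
}

# Prints one of: setup-mode, enabled, disabled, unsupported.
# $1 optionally overrides the efivarfs directory (constructed dirs in tests).
secureboot_state() {
    dir=${1:-$EFIVARS}
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID") || { echo unsupported; return 0; }
    sm=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID") || sm=0
    if [ "$sm" = 1 ]; then
        echo setup-mode      # PK cleared: the firmware will accept new keys
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Run as root, only once the firmware is in Setup Mode (PK cleared in the
# firmware setup, as the thread describes). Never called implicitly.
enroll_with_sbctl() {
    if [ "$(secureboot_state)" != setup-mode ]; then
        echo "firmware is not in Setup Mode; clear the PK in the firmware setup first" >&2
        return 1
    fi
    sbctl create-keys
    # -m (--microsoft): keep Microsoft's certificates so the Windows boot
    #    manager on the other drive still verifies.
    # -f (--firmware-builtin, as I read the help text): also enroll the
    #    firmware's own built-in certificates; the OP reported needing this
    #    on the ASUS ROG Crosshair VIII Hero.
    sbctl enroll-keys -m -f
    # The grub-install flags from post #5. --disable-shim-lock because GRUB is
    # booted directly, not via shim; --modules=tpm so GRUB measures what it
    # loads into the TPM event log.
    grub-install --target=x86_64-efi --efi-directory="$ESP" \
        --bootloader-id="$GRUB_ID" --modules="tpm" --disable-shim-lock
    # -s records the path in sbctl's database so the file is re-signed on updates.
    sbctl sign -s "$ESP/EFI/$GRUB_ID/grubx64.efi"
    sbctl sign -s "$ESP/vmlinuz-linux"      # assumed kernel image path
    sbctl verify                            # every tracked file should report as signed
}

case "${1:-}" in
    status) secureboot_state ;;
    enroll) enroll_with_sbctl ;;
esac
```

Usage: `sh secureboot.sh status` prints the current state (expect `setup-mode` right after clearing the PK, `enabled` after a successful enrollment and reboot); `sudo sh secureboot.sh enroll` runs the sequence and refuses to start unless the firmware is actually in Setup Mode, which is the check the thread's "do I need to delete the PK?" question boils down to.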
