As far as I understand, it is difficult to get Manjaro working with Secure Boot enabled. If that understanding is correct, it will be difficult to dual boot Windows 11 + Manjaro, as Windows 11 will only work with Secure Boot. Is there currently an easy and good solution to get Manjaro working with Secure Boot?
Here in the forum I found some topics regarding Manjaro + Secure Boot that state that Secure Boot is not supported, that somehow you can get it to work, and so on, but the relevant topics are from last year.
My understanding is that MS has disabled the compatibility checks for installation of the Win 11 preview but will enable and enforce the checks in the final release or maybe even earlier. They are interested in seeing Win 11 on Gen 7 Intels and AMD Zen which are currently not on the compatibility list. In other words, Win 11 preview will install on any system and a successful install of Win 11 now is not necessarily an indication of any aspect of compatibility with the final release.
I made an account just to confirm that this seems to be the case so far. I have Windows 10 (now the 11 dev build) and Manjaro KDE dual booted on my laptop with Secure Boot off. I was able to upgrade to the 11 dev build without any issues and it did not mess up GRUB or anything. I also did not have to do anything special in Windows 10 to do the upgrade with Secure Boot off, no registry edits or anything. Just switch to the dev build channel and it installed with no issues.
These 3 laptops have either been shut down or restarted over the past 3 days, and when they start the 2 Dells were stuck on the Dell logo and the Lenovo was stuck on a black screen after turning on. Disabling Secure Boot on each laptop allowed it to boot, but they have run with Secure Boot for many years in the past.
Since last writing, a 3rd Dell XPS 13 L322X restarted to apply KB5034122 and KB5034275. It restarted okay, but then we logged in and scanned for further Windows updates. It tried and failed to install KB5034441 (though note: one of the other XPS 13s and the Lenovo have not attempted to install KB5034441, yet they failed to boot with Secure Boot on).
We then restarted this third Dell XPS 13 L322X again, and this time it stuck on the Dell boot logo. We disabled Secure Boot (keeping UEFI selected/enabled) and it restarted without issue, but it is odd that we are having to disable Secure Boot.
These are 10 year old laptops, so perhaps they need a new BIOS update to be compatible with this latest version of Windows?
Or perhaps there is some other compatibility issue. Other laptops are not exhibiting this issue - some are the same age, some are newer.
My current theory is that after KB5034122 and KB5034275 are installed, Windows wants to restart. This restart works, but during the start-up process these updates finish applying something, which means that on the next boot the laptop cannot start with Secure Boot on.
Hello,
I still use a reliable Lenovo Z580 laptop and I observed the same issue as described here. I also reinstalled the laptop several times, as I found that to be the only option to get to the OS. Thanks to this recommendation to turn off Secure Boot, I could get to the OS. Hope Microsoft will fix this soon.
Thank you for sharing this.
I use an old PC built 10 years ago but always allow updates, and I had no problems with the Secure Boot issue. It seems that I was running the system on an MBR SSD, so no Secure Boot. I changed that partition type to GPT and did a clean install of Windows 10 Pro. As the new install updated, I watched the KB numbers. I did not receive KB5034275. I checked the update catalog online and do not see this patch listed. Does anyone know if this was actually the cause of the Secure Boot problem? Or maybe one of the problems? Did MS stop distributing this one?
Today, Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability.
This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device.
To protect against this attack, a fix for the Windows boot manager (CVE-2023-24932) is included in the May 9, 2023, security update release, but disabled by default and will not provide protections. Customers will need to carefully follow manual steps to update bootable media and apply revocations before enabling this update.
The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up. The technical documentation referenced below provides implementation and testing guidance to limit potential impact at this time, and future release plans will allow Microsoft to simplify deployment without disruption.
Note: The publicly known vulnerability does not present any additional risk if secure boot is not enabled, and no additional steps are required. We recommend that customers use Secure Boot to protect systems from tampering and bootkit class exploits and to keep their systems up to date with the latest Windows Updates. For more information about the benefits of Secure Boot, see: Secure Boot and Trusted Boot.
I followed the instructions on the wiki to enable secure boot. But when I turn secure boot on, it boots directly to Windows. In fact, when it did not work, I pretty much did it over and over again with similar posts from other sites, like this one
To run the sbctl steps, I disabled Secure Mode and selected Audit Mode. Then, to delete the keys, I enabled Custom Mode. The Audit Mode switched back to Deployed Mode on its own. Then I deleted all the keys and saved my changes.
When I enable Secure Boot and disable the Custom Mode, the system boots straight to Windows. GRUB is still above Windows in the UEFI boot loaders list. The grubx64.efi is signed and that is what the UEFI GRUB option is referring to.
After doing a lot of research online, the only thing I could notice was that some files needed for booting are on /boot, not on /efi (which is my ESP). I'm not sure if this matters.
Or is it because I did not keep Audit Mode on in the Firmware?
Or is it because I have not created a UKI? But the wiki does not say it is required.
Thanks for the response. I'm posting below all the commands and their output. I've removed all the lines from the output of sbctl verify and sbctl -s sign that listed .mui and .dll files as they are too numerous. If you need those, I can post them also.
I started by putting the firmware in Custom Mode and deleting all the keys. Then after booting up, I ran the following
I then enabled Secure Mode and disabled Custom Mode. Upon booting, the system went straight to Windows.
Then I disabled Secure Boot and booted into Arch Linux again.
After reboot with Secure Mode disabled:
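The sbctl steps above enroll keys into the firmware's PK/KEK/db variables, and the Microsoft advisory earlier in the thread applies revocations to dbx; all of these variables share the UEFI EFI_SIGNATURE_LIST format. The parser below is an added example (not code from any poster, sbctl, or Microsoft) for inspecting what is actually enrolled or revoked on a machine; the efivarfs path pattern, the owner GUID and the hash/certificate blobs in the sample are constructed for illustration.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
HEADER_LEN = 28  # SignatureType GUID (16) + three UINT32 size fields (12)

def parse_signature_lists(data: bytes):
    """Walk a db/dbx/KEK/PK payload (a sequence of EFI_SIGNATURE_LIST structures).
    Returns (type_name, owner_guid, signature_bytes) per EFI_SIGNATURE_DATA entry;
    malformed size fields raise rather than being skipped, so corruption is noticed."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        # GUIDs are stored mixed-endian in firmware variables; bytes_le decodes that.
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(data) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + HEADER_LEN + hdr_size, off + list_size
        while pos + sig_size <= end:  # entry = SignatureOwner GUID + SignatureData
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            kind = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
            entries.append((kind, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def read_efivar(path: str) -> bytes:
    """Read an efivarfs file (e.g. /sys/firmware/efi/efivars/db-<guid>),
    dropping the 4-byte attribute prefix efivarfs puts before the payload."""
    with open(path, "rb") as f:
        return f.read()[4:]

def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads) -> bytes:
    """Encode one EFI_SIGNATURE_LIST; every entry in a list shares one SignatureSize."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body

# Constructed sample (not real key material): a dbx-style list of two SHA-256 hashes
# followed by a db-style list holding one fake certificate blob; the owner GUID is made up.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\xaa" * 32, b"\xbb" * 32]) \
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x82fake-der"])
```

On a live system, `parse_signature_lists(read_efivar(path))` over the db and dbx files lets you confirm that the key you enrolled is present and that the revocation hashes an update was supposed to add are actually there.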
While there may be a solution to this, the workaround I found was to use systemd-boot instead of GRUB. While GRUB works outside of the UEFI firmware, bootctl makes the loader in the UEFI firmware itself. I would advise you to refer to the documentation, because you may have to manually add the Windows boot location; my approach has always been to install bootctl first and then install Windows for it to automatically identify the Windows installation, else you will have to manually write the boot entries, because bootctl does not recognize os-prober like GRUB does.
Also, I did go to the documentation for "Signing for secure boot/pacman hook", which can be another viable way to explore.
Then it seems going to the BIOS and enrolling could be an option, which I will have to try in future myself.
I would again request and advise you to please refer to the documentation in the wiki, "Signing for secure boot/pacman hook".
I think at some point in my installation (maybe after expanding the ESP) both Windows and GRUB vanished from the boot sequence. Then I added them manually. Not sure if I made a mistake there. I don't recall which file I pointed Windows to, but most probably it was bootx64.efi.
The motherboard has BIOS Event logs, Thermal Event logs and Power Event logs. Nothing else. I think something got messed up when I expanded the ESP. The original entry for Windows in UEFI vanished at that time, and I added another one.
3. Now go to the motherboard BIOS: once the laptop starts, hit Escape or F10, then go to Security, Boot, look for UEFI and Legacy, choose UEFI without CSM, then above that tick Secure Boot and save the settings. Your laptop will restart.
@Hawkeye
W11 requires secure boot to be enabled to boot, along with TPM; fast boot can be and usually is disabled, but must be present for W11 to boot, along with a GPT formatted drive. So, I doubt you will be able to disable W11 secure boot without permanent damage to W11. My best advice would be to run Linux in a VM, ditch W11 and install W10, or ditch W11 altogether and run Linux. There is no win-win situation for this.
I checked my W11 secure boot status, and it is indeed disabled, but I have a home-built PC. It more than likely is what @squealingcode is saying, and it has been altered by the manufacturer with the keys to enable secure boot. I still say if you disable secure boot on that machine, W11 will probably not boot.
Windows 11 only needs Secure Boot to be enabled before upgrading or installing. It does not require Secure Boot to boot. I can confirm this, as my current setup does not have Secure Boot enabled, but I dual boot Windows 11 and Ubuntu.