FocusedWolf

Arch: Secure Boot for Grub + Windows dual-boot

Aug 8th, 2025 (edited)
SOURCE: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
^-- Mentions the potential for bricking a couple of times.
SOURCE: https://www.reddit.com/r/archlinux/comments/10pq74e/my_easy_method_for_setting_up_secure_boot_with/
SOURCE: https://web.archive.org/web/20250116185859/https://www.reddit.com/r/archlinux/comments/10pq74e/my_easy_method_for_setting_up_secure_boot_with/

0. About my system: <-- A mix of relevant and irrelevant info. The ESP path (/efi) is probably all that matters here. Just flexing the two-ESP setup that everyone should use (if not on a laptop) IMHO.

GRUB boot loader to select Arch or Windows, with its config in /boot/grub
Linux-only ESP (at the end of the D:\ drive) mounted at /efi
Windows-only ESP (at the start of the C:\ drive) mounted at /efi-win
^-- Needs to be mounted via /etc/fstab so os-prober can see it and add Windows to the GRUB menu.
  12.  
1. Gigabyte BIOS preparation for Secure Boot:

Boot > Secure Boot:

System Mode: Setup
Secure Boot: Disabled
Not Active
Secure Boot Mode: Custom

NOTE: This is the default state I saw after updating the BIOS.
This is the state you need to be in to enroll custom Secure Boot keys so Arch can boot.

If not in this state, you can get here by setting [Secure Boot Mode: Custom] and selecting "Reset To Setup Mode".
After the system reboots, re-enter the BIOS and set Secure Boot: Disabled.
  27.  
----

--> For Windows-only users who do NOT intend to dual-boot:
SOURCE: https://www.reddit.com/r/gigabyte/comments/rciwjd/comment/hnw0kdo/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

If it says System Mode: User, then set Secure Boot: Enabled. Done.
If it says System Mode: Setup:
Set Secure Boot: Disabled
Secure Boot Mode: Custom <-- Change this to Custom...
Secure Boot Mode: Standard <-- ... now change it to Standard.
<Select Yes to install Factory Defaults, causing a reboot>
Go back into the BIOS. If it says System Mode: User, then set Secure Boot: Enabled. Done.
If you can't boot Windows, come back to the BIOS, set Secure Boot: Disabled, and try all of this again?
  41.  
2. Boot into Arch with System Mode: Setup + Secure Boot: Disabled.

3. Re-install GRUB without shim support, so the GRUB binary itself can be signed with your own key (Windows keeps booting via the Microsoft certificates enrolled in step 8, not via shim):

NOTE: Make sure to use your ESP mount point if it's not /efi.
NOTE: --removable installs GRUB to the fallback path EFI/BOOT/BOOTX64.EFI on the ESP and creates no NVRAM boot entry, which is why that is the only file sbctl lists in step 10. --modules="tpm" builds in the TPM module so GRUB measures what it loads into the TPM. --disable-shim-lock matters because GRUB's shim_lock verifier otherwise insists that every module it loads be verified and, booted under Secure Boot with no shim present, aborts with "verification requested but nobody cares".

For Secure Boot do this:

$ sudo pacman -S grub efibootmgr os-prober
$ sudo grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=Arch --removable --modules="tpm" --disable-shim-lock
$ sudo grub-mkconfig -o /boot/grub/grub.cfg

NOTE: This is what I did before using Secure Boot:

$ sudo pacman -S grub efibootmgr os-prober
$ sudo grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=Arch --removable
$ sudo grub-mkconfig -o /boot/grub/grub.cfg
  59.  
4. Add an environment variable so sbctl can find the ESP:

Not 100% sure this step is needed.

I was getting this error before adding the ESP_PATH environment variable:
error: verification requested but nobody cares: (hd4,gpt6)/boot/grub/x86_64-efi/normal.mod.
Entering rescue mode...
grub rescue>

But then I updated my BIOS to version F7, which has "Secure Boot Database Key Update: Enhances system security".
I added the environment variable, said the magic words, and it worked?
It's possible that the environment variable is not critical to sbctl finding the files and the new BIOS fixed the issue?

/etc/environment

#
# SBCTL
#
# SEE: https://github.com/Foxboron/sbctl/issues/207#issuecomment-1479188897
# Foxboron
# > sbctl should instead try to pull info from /boot, /efi, /boot/efi, check that they are mountpoints; and if they are, that they satisfy the set constraints (vfat, parttype, etc.).
# Not possible as we use lsblk and it acts on blockdevices and not mountpoints. I'm not re-writing it to support a setup where people mount the ESP three places on a system.
# SEE: https://github.com/Foxboron/sbctl/issues/207#issuecomment-1652239359
# Foxboron
# If lsblk is reporting null I suspect udev has some issues. This isn't a sbctl issue, strictly speaking. You can set ESP_PATH manually.
ESP_PATH=/efi

^-- Reboot after adding that to /etc/environment so the shell sees it, i.e. so $ echo $ESP_PATH displays "/efi". sbctl is run through sudo below, and sudo builds its own environment for the command it runs, so also confirm that $ sudo sh -c 'echo $ESP_PATH' displays "/efi".
  88.  
5. Install the sbctl tool:

$ sudo pacman -S sbctl

Ignore this notice from the post-install hook (there are no keys to sign with yet):
-> Running post hook: [sbctl]
Secureboot key directory doesn't exist, not signing!

6. Verify that you are in setup mode:

$ sbctl status

Installed: ✗ sbctl is not installed
> Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
Vendor Keys: none
  105.  
7. Create your custom Secure Boot keys:

$ sudo sbctl create-keys

Created Owner UUID 79c89b78-022a-437b-a996-e562766537ef
Creating secure boot keys...✓
Secure boot keys created!

8. Enroll your custom keys (note: -m is required to also enroll Microsoft's CA certificates; without them the Windows boot manager and any Microsoft-signed firmware option ROMs are rejected, which is the bricking scenario the wiki warns about):

$ sudo sbctl enroll-keys -m

Enrolling keys to EFI variables...
With vendor keys from microsoft...✓
Enrolled keys to the EFI variables!
  121.  
9. Verify that your keys have been enrolled:

$ sbctl status

Installed: ✓ sbctl is installed
Owner GUID: 79c89b78-022a-437b-a996-e562766537ef
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
> Vendor Keys: microsoft

10. Check which files need to be signed for Secure Boot to work:

$ sudo sbctl verify

Verifying file database and EFI images in /efi...
✗ /efi/EFI/BOOT/BOOTX64.EFI is not signed

11. Sign all unsigned files (-s saves the path in sbctl's database so the pacman hook re-signs it after updates):

$ sudo sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI

✓ Signed /efi/EFI/BOOT/BOOTX64.EFI

NOTE: If a step fails because an entry under /sys/firmware/efi/efivars is immutable (this affects key enrollment, which writes the EFI variables), clear the immutable bit on each file named in the error and retry:
$ sudo chattr -i /sys/firmware/efi/efivars/<filename>

12. Verify that everything has been signed:

$ sudo sbctl verify

Verifying file database and EFI images in /efi...
✓ /efi/EFI/BOOT/BOOTX64.EFI is signed
  154.  
-----

13. Return to the BIOS:

Set Secure Boot: Enabled

-----

14. Verify that Secure Boot is enabled:

$ sbctl status

Installed: ✓ sbctl is installed
Owner GUID: 79c89b78-022a-437b-a996-e562766537ef
Setup Mode: ✓ Disabled
> Secure Boot: ✓ Enabled
Vendor Keys: microsoft
  172.  
-----

NOTE: sbctl comes with a pacman hook for automatic signing, so you don't need to worry when you update your system.
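
Steps 6 to 14 depend on reading `sbctl status` and `sbctl verify` by eye at each stage. The following POSIX shell script is an added example, not part of the original paste and not sbctl's own code, that automates those checks: it refuses to enroll unless the firmware is in Setup Mode with Secure Boot disabled and the ESP is a real vfat mount, enrolls with -m, signs every path that `sbctl verify` reports as unsigned using -s, and confirms the final state. It assumes sbctl and util-linux findmnt are installed, the ESP is at /efi (override with ESP_PATH), and that it runs as root; the subcommand names enroll/sign/check are my own.

```shell
#!/bin/sh
# Added example, not from the original paste or from sbctl: preflight checks
# and automation for the enroll/sign steps. Assumes sbctl and findmnt are
# installed, the ESP is mounted at $ESP_PATH (default /efi), and root privileges.
set -u

ESP_PATH="${ESP_PATH:-/efi}"

# Print the value of one `sbctl status` field read from stdin, e.g. "Enabled".
# sbctl marks the selected line with a leading "> " and prefixes values with
# a ✓/✗ glyph, so both are stripped before printing.
status_field() {
    # $1 = field name, e.g. "Setup Mode", "Secure Boot", "Vendor Keys", "Installed"
    sed -n "s/^>* *$1: *[^A-Za-z]*//p"
}

# sbctl reports "sbctl is installed" once create-keys has produced a key set.
keys_installed() {
    [ "$(printf '%s\n' "$1" | status_field Installed)" = "sbctl is installed" ]
}

# Enrolling keys is only safe in Setup Mode with Secure Boot off (steps 1, 2 and 6).
ready_to_enroll() {
    [ "$(printf '%s\n' "$1" | status_field 'Setup Mode')" = "Enabled" ] &&
    [ "$(printf '%s\n' "$1" | status_field 'Secure Boot')" = "Disabled" ]
}

# The end state after step 13: Setup Mode off, Secure Boot on, and Microsoft's
# certificates present so Windows' boot manager still chainloads.
secure_boot_active() {
    [ "$(printf '%s\n' "$1" | status_field 'Setup Mode')" = "Disabled" ] &&
    [ "$(printf '%s\n' "$1" | status_field 'Secure Boot')" = "Enabled" ] &&
    [ "$(printf '%s\n' "$1" | status_field 'Vendor Keys')" = "microsoft" ]
}

# From `sbctl verify` output on stdin, print each path flagged "is not signed".
unsigned_paths() {
    sed -n 's/^[^/]*\(\/[^ ]*\) is not signed$/\1/p'
}

# The ESP must be an actual mount point carrying a vfat filesystem, not a plain
# directory on the root filesystem (the situation the ESP_PATH note is about).
check_esp() {
    [ "$(findmnt -n -o FSTYPE -M "$ESP_PATH" 2>/dev/null)" = "vfat" ]
}

enroll() {
    check_esp || { echo "$ESP_PATH is not a mounted vfat ESP" >&2; return 1; }
    status=$(sbctl status) || return 1
    ready_to_enroll "$status" || {
        echo "firmware is not in Setup Mode with Secure Boot disabled; fix that in the BIOS first" >&2
        return 1
    }
    keys_installed "$status" || sbctl create-keys || return 1
    # -m also enrolls Microsoft's CA certificates; without them Windows will not
    # boot and boards with Microsoft-signed option ROMs can be bricked.
    sbctl enroll-keys -m
}

sign_unsigned() {
    sbctl verify 2>&1 | unsigned_paths | while IFS= read -r f; do
        # -s records the path so the sbctl pacman hook re-signs it after updates.
        sbctl sign -s "$f" || exit 1
    done || return 1
    sbctl verify
}

case "${1:-}" in
    enroll) enroll ;;
    sign)   sign_unsigned ;;
    check)  secure_boot_active "$(sbctl status)" &&
            echo "Secure Boot is active with your keys plus Microsoft's" ;;
    "")     ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 enroll|sign|check" >&2; exit 2 ;;
esac
```

Run `sudo ./sb.sh enroll` while still in Setup Mode, then `sudo ./sb.sh sign`, enable Secure Boot in the BIOS, and finish with `sudo ./sb.sh check` after the reboot. The parsing functions take the command output as an argument, so they can be exercised against saved `sbctl status` text before the script ever touches the EFI variables.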
  176.  
NOTE: AI says to do this to block LibreWolf/Firefox from TPM identification (I don't know if it works; I did 2 seconds of research on this):

about:config
security.webauth.webauthn = false
security.webauth.webauthn_enable_softtoken = false
security.webauth.webauthn_enable_usbtoken = false
security.webauth.webauthn_testing_allow_direct_attestation = false