$neonvoid

Secure Dual Boot

3 min read

How to secure boot when dual booting (i.e Linux and Windows)

If you are like me you love Linux, hate Windows, but have gaming FOMO because your friends make you play games like League of Legends.

Most of the steps here I stole from a Reddit post a long time ago and stashed in my notes, but can no longer find. If you find it let me know and I’ll credit it here.

Prerequisites

  • You are dual booting with Linux and Windows
    • This means you already have Linux and Windows installed, whether they are on separate drives or partitions
  • You are using grub1 as your bootloader

Steps

  1. Re-install GRUB to utilize Microsoft’s CA certificates (as opposed to shim) — replace ‘esp’ with your EFI system partition:

    • sudo grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB --modules="tpm" --disable-shim-lock

  2. Regenerate your grub configuration:

    • sudo grub-mkconfig -o /boot/grub/grub.cfg

  3. Install the sbctl2 tool (assuming Arch here, use your package manager or build from source otherwise):

    • sudo pacman -S sbctl

  4. As a pre-requisite, in your UEFI settings, set your secure boot mode to setup mode. This means entering BIOS and putting secure boot mode in setup mode, if you don’t see a “setup” mode for secure boot, often this just means clearing keys and disabling.

  5. Upon re-booting, verify that you are in setup mode:

    • sbctl status

  6. Create your custom secure boot keys:

    • sudo sbctl create-keys

7.Enroll your custom keys (note -m is required to include Microsoft’s CA certificates) - sudo sbctl enroll-keys -m

  1. Verify that your keys have successfully been enrolled:

    • sbctl status

  2. Check which files need to be signed for secure boot to work:

    • sudo sbctl verify

  3. Sign all unsigned files (below is what I needed to sign, adjust according to your needs):

    • sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi
    • Be careful here, I recommend manually signing files, if you run some type of find exec command to sign these, you may sign way too much, and you’ll hate yourself later because you’ll have to manually un-sign each one

  4. (optional) You may get an error because of an issue with certain files being immutable. To make those files mutable, run the following command for each file then re-sign afterwards:

    • sudo chattr -i /sys/firmware/efi/efivars/<filename>

  5. Verify that everything has been signed:

    • sudo sbctl verify

  6. Finally, in your UEFI settings, enable secure boot, and reboot.

  7. Verify that secure boot is enabled:

    • sbctl status

Note: that sbctl comes with a pacman hook for automatic signing, so you don’t need to worry when you update your system.

Congratulations 🎉️,

you should now have secure boot working with dual booting Windows and Linux! Enjoy your newfound security and peace of mind. Gone are the days of gaming FOMO with friends. Now to game with friends you just reboot into Windows in disgust every minute as you game until you go to sleep at 3AM and wake up the next day smiling as you boot back into Linux.

Footnotes

  1. https://www.gnu.org/software/grub/

  2. https://github.com/Foxboron/sbctl

Graph View