Re: Secure_Boot


You should be careful before deleting all the secure boot keys from your BIOS.

Reading the warning at https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys:

Warning: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the firmware settings to rectify the situation. This is due to the fact that some device (e.g. GPU) firmware (OpROMs), that get executed during boot, are signed using Microsoft 3rd Party UEFI CA certificate.

And it would be best to back up those keys before deleting them. There is a command to do so on the same wiki page, a few paragraphs below.

Personally, I am just sticking to the shim method to stay on the safe side.

On Mon, 17 Jul 2023 at 14:24, Simon Perry <arch@xxxxxxxxxxx> wrote:
On 2023-07-17 09:29 PM, Sergey Filatov wrote:

> So the boot sequence in my case is this:
>
> EFI -> shim -> MOK-signed GRUB2 with MOK-signed modules -> MOK-signed
> Linux kernel

From what I've learned you don't need shim at all, you can boot a signed
grub and kernel directly.

Apparently you can chainload Windows using shim because it's an MS
signed binary but I never got it to work.

If you just want Linux to boot have a look at:

https://www.reddit.com/r/archlinux/comments/10pq74e/my_easy_method_for_setting_up_secure_boot_with/

My general method was:

- Get UEFI boot working first
- Delete all the secure boot keys from your BIOS, ensure setup mode is
enabled
- Boot and set up and sign everything with sbctl
- Enable secure boot in the BIOS, boot
- If it doesn't work, enter your BIOS, delete all the keys and go to
setup mode again
- Try again

Cheers.

P.S. Always use --disable-shim-lock when installing grub

--
Simon Perry (aka Pezz)
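
The following is an added example, not part of either message above: a pre-flight check for the "back up the keys, then confirm setup mode" steps discussed in the thread. It assumes efitools' efi-readvar is installed and efivarfs is mounted at the usual path; the function names and the old_*.esl file names are this example's own.

```shell
#!/bin/sh
# Added example: checks to run before clearing Secure Boot keys.
# Assumptions: efitools (efi-readvar) installed, efivarfs mounted.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}

# efi_flag NAME: print the 1-byte value of a global variable such as
# SecureBoot or SetupMode. efivarfs files hold 4 attribute bytes, then data.
efi_flag() {
    f="$EFIVARS/$1-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# sb_state: print setup, enforcing, disabled or unknown.
sb_state() {
    setup=$(efi_flag SetupMode) || { echo unknown; return 1; }
    secure=$(efi_flag SecureBoot) || { echo unknown; return 1; }
    if [ "$setup" = 1 ]; then echo setup
    elif [ "$secure" = 1 ]; then echo enforcing
    else echo disabled
    fi
}

# backup_keys DIR: dump the key databases to DIR as .esl files.
backup_keys() {
    mkdir -p "$1" || return 1
    for var in PK KEK db dbx; do
        efi-readvar -v "$var" -o "$1/old_$var.esl" || return 1
    done
}

# backup_complete DIR: succeed only if PK, KEK and db were saved non-empty.
# dbx is not required here (assumption: it can be empty on some machines).
backup_complete() {
    for var in PK KEK db; do
        [ -s "$1/old_$var.esl" ] || return 1
    done
}
```

Run `backup_keys` and `backup_complete` on the same directory before deleting anything in the firmware menu, and check that `sb_state` prints `setup` before enrolling new keys.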
