Manjaro and Windows - Secure Boot - repo only

Background

This How-To is based on the question asked in Enable Secure Boot For Existing Manjaro Using Repo Only and can be seen as a complement to Encrypted Manjaro Linux Using Verified Boot.

I decided to work on the theory - and brush up on new sbctl options and configuration.

This is a proof-of-concept of how to make Manjaro and Windows co-exist with Secure Boot enabled, so the system can comply with corporate security requirements.

Target System

The test system is a Clevo N141wu with a single NVMe storage device, and the steps I am going to list work with the mentioned laptop.

I downloaded and installed Windows 10 - and subsequently added Manjaro using GRUB for dual-boot, using a single Linux 6.12 kernel.

Although this project did not test Windows 11, there is no reason to believe the process would be any different than the one applied herein.

If you are trying to implement this with another layout - you must adapt the process.

Proof of Concept

This is a practical implementation using sbctl on Manjaro Linux.

See -> https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Assisted_process_with_sbctl

The PoC assumes both operating systems have been kept up to date.

Sync the package sbctl from the official repo

sudo pacman -S sbctl

After this you have an excellent opportunity to familiarize yourself with sbctl usage

sbctl --help
sbctl bundle --help
sbctl create-keys --help
sbctl enroll-keys --help
sbctl generate-bundles --help

Kernel Cmdline

Extract the GRUB_CMDLINE_LINUX_DEFAULT from /etc/default/grub and save the content in a new file /etc/kernel/cmdline. The content - using a default Manjaro installation - would look like

root=UUID=<uuid> rw quiet splash apparmor=1 security=apparmor udev.log_priority=3

When you have created the file, create a new bundle definition using sbctl.

Define Bundle

A bundle is the set of files used to start your system.

To create a bundle definition you run sbctl bundle <args> providing paths to the files to bundle.

  • --amducode '/boot/amd-ucode.img' includes the microcode image for AMD CPUs
  • --intelucode '/boot/intel-ucode.img' includes the microcode image for Intel CPUs

Example for an AMD system

sudo sbctl bundle --esp '/boot/efi' \
                  --amducode '/boot/amd-ucode.img' \
                  --cmdline '/etc/kernel/cmdline' \
                  --initramfs '/boot/initramfs-6.12-x86_64.img' \
                  --kernel-img '/boot/vmlinuz-6.12-x86_64' \
                  --save '/boot/efi/main.efi'

As can be deduced - it is fairly easy to create extra bundles with e.g. a fallback image - just don't do it (See Storage Consideration below).

Create Signing Keys

You need a key to sign the bundle

sudo sbctl create-keys

Generate Bundle and Sign

When you have created the keys - generate the bundle and sign

sudo sbctl generate-bundles --sign

Configure Setup Mode

Restart your system and enter the firmware setup

systemctl reboot --firmware-setup

In the system firmware you need to locate the Secure Boot section, then configure Secure Boot for Setup Mode.

How you do this is specific for your firmware - you may need to experiment.

Enroll Keys

When you are confident the system's Secure Boot is in Setup Mode, boot into your Manjaro system - and enroll your key into the Secure Boot key storage. Remember to include the Microsoft keys, otherwise Windows will no longer boot with Secure Boot enabled

sudo sbctl enroll-keys --microsoft

The command also leaves Setup Mode, returning the firmware to production (User) mode. This does not by itself protect the enrolled keys: Setup Mode can simply be re-entered from the firmware setup unless you set an administrative password.

Storage Consideration

The $esp (EFI system partition) created by a default Microsoft Windows 10 installation is 100M, which leaves little room to wiggle: a single EFI bundle image takes 42M, leaving 29M of remaining space.

[nix-n14xwu ~]# ls -l -h /boot/efi
total 42M
drwx------ 5 root root 1,0K 21 feb 12:59  EFI
drwx------ 2 root root 1,0K 21 feb 13:35  loader
-rwx------ 1 root root  42M 21 feb 12:42  main.efi
drwx------ 2 root root 1,0K 21 feb 11:37 'System Volume Information'

Maintenance

The bundle is a static configuration - it will not change automagically, e.g. triggered by a hook.

Kernel updates within a series, e.g. 6.12, are not an issue, as the definition has not changed.

But when you switch kernel series, e.g. from 6.12 to 6.14, you need to update your bundle definition.

This can be done by recreating your bundle configuration

sudo sbctl bundle --esp '/boot/efi' \
                  --amducode '/boot/amd-ucode.img' \
                  --cmdline '/etc/kernel/cmdline' \
                  --initramfs '/boot/initramfs-6.14-x86_64.img' \
                  --kernel-img '/boot/vmlinuz-6.14-x86_64' \
                  --save '/boot/efi/main.efi'

Then generate the bundle and sign it

sudo sbctl generate-bundles --sign
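The following helper script is an added example and not part of the original how-to. It assumes the Manjaro file layout used above (the /boot/vmlinuz-<series>-x86_64 and /boot/initramfs-<series>-x86_64.img pair, the ESP mounted on /boot/efi) and that GRUB_CMDLINE_LINUX_DEFAULT does not already carry root=, which is supplied separately as in the cmdline shown under Kernel Cmdline. It builds the /etc/kernel/cmdline content, prints the sbctl bundle command for a given kernel series (the step repeated under Maintenance) and checks the ESP free space before a second bundle is written.

```shell
#!/bin/sh
# Added helper, not part of the original how-to. Assumes the Manjaro layout the
# post describes and that GRUB_CMDLINE_LINUX_DEFAULT does not carry root=,
# which GRUB normally adds itself and a bundle cannot.

# Print the /etc/kernel/cmdline content: root= for the given filesystem UUID
# followed by GRUB_CMDLINE_LINUX_DEFAULT taken from the given grub default file.
kernel_cmdline() {
    opts=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1" | tail -n 1 \
        | sed -e 's/^GRUB_CMDLINE_LINUX_DEFAULT=//' -e 's/^"//' -e 's/"$//')
    printf 'root=UUID=%s rw %s\n' "$2" "$opts"
}

# Print the sbctl bundle command for a kernel series (e.g. 6.14) and microcode
# vendor (amd or intel), so a kernel switch regenerates the same definition.
bundle_cmd() {
    case $2 in
        amd)   ucode="--amducode '/boot/amd-ucode.img'" ;;
        intel) ucode="--intelucode '/boot/intel-ucode.img'" ;;
        *)     echo "unknown microcode vendor: $2" >&2; return 1 ;;
    esac
    printf "sudo sbctl bundle --esp '/boot/efi' %s" "$ucode"
    printf " --cmdline '/etc/kernel/cmdline'"
    printf " --initramfs '/boot/initramfs-%s-x86_64.img'" "$1"
    printf " --kernel-img '/boot/vmlinuz-%s-x86_64'" "$1"
    printf " --save '/boot/efi/main.efi'\n"
}

# Succeed only when the free ESP space ($1, KiB; e.g. from df -Pk /boot/efi)
# can take one more bundle of $2 KiB plus a 4 MiB margin; the 29M left on the
# 100M Windows ESP from the post fails this, hence "just don't" above.
esp_has_room() {
    [ "$1" -ge $(( $2 + 4096 )) ]
}

# Constructed minimal /etc/default/grub used for the demonstration below.
write_sample_grub() {
    cat > "$1" <<'EOF'
GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash apparmor=1 security=apparmor udev.log_priority=3"
EOF
}

sample=$(mktemp)
write_sample_grub "$sample"
kernel_cmdline "$sample" 1234-abcd   # 1234-abcd is a constructed UUID
rm -f "$sample"
bundle_cmd 6.14 amd
esp_has_room 29696 43008 || echo "ESP has no room for a second bundle" >&2
```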

Protect Your Firmware

It is strongly suggested to lock your computer's firmware with an administrative password - otherwise the boot measures applied here are easy to circumvent by simply re-entering Setup Mode.

Secure Boot is now enabled with your own keys enrolled, and your system may now be compliant with corporate policies stating that Secure Boot must be enabled.

Before you rejoice too much - ask your Corporate IT department.

Crossposted on my notepad https://root.nix.dk/en/manjaro/manjaro-and-windows-secure-boot-repo-only