Overview
This comprehensive guide demonstrates how to enable Secure Boot on a dual-boot system running both Linux and Windows. While maintaining the ability to boot into both operating systems, this setup ensures UEFI Secure Boot verification for enhanced system security.
Although demonstrated using Arch Linux and a Gigabyte motherboard, these procedures are applicable across most Linux distributions and motherboard manufacturers with minor variations in UEFI interface layouts.
This guide was specifically created to enable Secure Boot for applications requiring stringent security measures, such as FACEIT Anti-Cheat (used in Counter-Strike), while preserving full Linux functionality. Many modern gaming anti-cheat systems and enterprise applications mandate Secure Boot for enhanced security.
Important Prerequisites
Before modifying your UEFI firmware settings, complete these essential preparation steps:
-
Backup Your UEFI (BIOS) Configuration
- The procedure requires clearing existing and generating new Secure Boot keys
- While most modern motherboards provide options to restore factory Secure Boot keys, this capability varies by manufacturer
- Document all current UEFI settings thoroughly, especially boot sequence and security options
-
Locate Essential UEFI Settings
- Navigate through your motherboard's UEFI interface to familiarize yourself with its layout
- Identify these critical security settings:
- Secure Boot activation toggle
- Secure Boot key management interface (for key deletion and restoration)
Step-by-Step Implementation
1. Disable Secure Boot
Initially, disable Secure Boot in your UEFI settings. This step is necessary because Linux cannot boot with the default Secure Boot keys, and we need to establish our own custom keys.
2. Delete Secure Boot Keys
Navigate through your UEFI settings to prepare for custom key enrollment:
First, switch to "Custom" secure boot mode. This enables granular control over Secure Boot keys.
Next, remove all existing Secure Boot keys to prepare for custom key enrollment. This step places the system in Setup Mode.
Verify the keys have been deleted and boot into Linux. The system should now be in Setup Mode.
3. Install and Configure sbctl
Install sbctl, the Secure Boot key management utility. For installation instructions specific to your distribution, consult the official README file.
For Arch Linux users:
sudo pacman -S sbctl
4. Check Status
Verify the current Secure Boot configuration:
sudo sbctl status
Expected output indicating proper setup mode:
Installed: ✘ Sbctl is not installed
Owner GUID: bbbfcaf8-3102-47f9-a921-2e5245da7e9f
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
Vendor Keys: none
5. Generate and Enroll Keys
Generate a new set of custom Secure Boot keys:
sudo sbctl create-keys
Upon successful key creation, you'll see:
Created Owner UUID a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Creating secure boot keys...✔
Secure boot keys created!
Enroll both your custom keys and Microsoft's keys (required for Windows boot compatibility):
sudo sbctl enroll-keys --microsoft
Successful enrollment confirmation:
Enrolling keys to EFI variables...
With vendor keys from microsoft...✓
Enrolled keys to the EFI variables!
6. Configure GRUB Bootloader
Install GRUB with TPM support and security modules enabled:
sudo grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
7. Sign Boot Files
First, check for unsigned boot files:
sudo sbctl verify
The system will identify unsigned files:
Verifying file database and EFI images in /boot...
✗ /boot/EFI/BOOT/BOOTX64.EFI is not signed
✗ /boot/EFI/GRUB/grubx64.efi is not signed
✗ /boot/grub/x86_64-efi/core.efi is not signed
✗ /boot/grub/x86_64-efi/grub.efi is not signed
✗ /boot/vmlinuz-linux is not signed
✗ /boot/vmlinuz-linux-lts is not signed
Sign all boot files with your custom keys:
sudo sbctl sign-all
Successful signing confirmation:
✓ Signed /boot/EFI/BOOT/BOOTX64.EFI
✓ Signed /boot/EFI/GRUB/grubx64.efi
✓ Signed /boot/grub/x86_64-efi/core.efi
✓ Signed /boot/grub/x86_64-efi/grub.efi
✓ Signed /boot/vmlinuz-linux
✓ Signed /boot/vmlinuz-linux-lts
Verify all files are now properly signed:
sudo sbctl verify
Expected verification output:
Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/GRUB/grubx64.efi is signed
✓ /boot/grub/x86_64-efi/core.efi is signed
✓ /boot/grub/x86_64-efi/grub.efi is signed
✓ /boot/vmlinuz-linux is signed
✓ /boot/vmlinuz-linux-lts is signed
8. Enable Secure Boot
Return to UEFI settings to activate Secure Boot with your new keys:
- Reboot and enter UEFI settings
- Navigate to Secure Boot configuration
- Enable Secure Boot
- Save changes and exit
9. Verify Configuration
After booting into Linux, confirm Secure Boot is properly enabled:
sudo sbctl status
Expected configuration status:
Installed: ✓ sbctl is installed
Owner GUID: bbbfcaf8-3102-47f9-a921-2e5245da7e9f
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: microsoft
Troubleshooting Guide
Common Issues and Solutions
-
Boot Failures
- If boot fails, temporarily disable Secure Boot through UEFI settings
- Boot into Linux and verify all boot files are correctly signed
- If problems persist, consider regenerating and re-enrolling keys
-
Windows Boot Problems
- Verify Microsoft keys were properly enrolled using the
--microsoftflag - Ensure Windows Boot Manager maintains proper signatures
- Verify Microsoft keys were properly enrolled using the
-
Key Management Issues
- For corrupted keys, use UEFI options to restore factory Secure Boot keys
- Repeat the key generation and enrollment process from the beginning
Maintenance Notes
- Sign new kernel images after system updates:
sudo sbctl sign-all - Monitor Secure Boot status regularly, especially following system updates
- Store custom key backups securely in a separate location
Security Considerations
- Custom Secure Boot keys enhance security only when properly managed
- Implement a strong UEFI administrator password
- Consider enabling TPM for additional hardware-based security features
Top comments (0)