openzfs / openzfs-docs

OpenZFS Documentation
https://openzfs.github.io/openzfs-docs/

Question regarding Secure Boot on Arch on ZFS #406

Closed little-helper-001 closed 1 year ago

little-helper-001 commented 1 year ago

Hi there,

I followed the instructions to install Arch on a ZFS root partition. The instructions worked nicely. An additional requirement for me is Secure Boot. Since the last time I followed the instructions on this page the instructions have undergone a lot of changes. I am currently unable to make SecureBoot via Shim work on Arch after following the instructions on this page.

The Arch Wiki article is about changing the files in /boot/efi/EFI/BOOT/, but I'm not sure if this is even still the right place to change the files. Also the behavior of GRUB seems to have changed in recent versions. Somehow it boots not without creating an entry via efibootmgr.

Any tips on how to make this work are greatly appreciated. Maybe the instructions to enable SecureBoot can be added as an optional step to the Arch on ZFS pages.

I need to use a preloader since I know for a fact that my motherboard won't survive enrolling my own key chain in the UEFI menu. I had to return it twice for that reason.

Thank you.

ghost commented 1 year ago

Hi. You can still follow the instructions on Arch Wiki verbatim; the changes in the guides here do not affect the use of Secure Boot. You should still change /boot/efi/EFI/BOOT/.

> Somehow it boots not without creating an entry via efibootmgr.

That's because the UEFI specification says that the firmware must boot from the fallback location /boot/efi/EFI/BOOT/BOOT${arch}.efi or /boot/efi/EFI/BOOT/BOOTX64.efi if no other valid boot entry is found.

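As an added example (not part of the thread or of the OpenZFS docs), the script below applies the rule from the reply above to `efibootmgr -v` style output: the first active BootOrder entry is tried first, and only when there is none does the firmware use the fallback path under EFI/BOOT, where the shim files discussed here live. It assumes x86_64 and ignores BootNext; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which EFI binary the firmware is expected to try first,
# given `efibootmgr -v` style output on stdin. BootNext is ignored.
# Assumption: x86_64, so the fallback is \EFI\BOOT\BOOTX64.EFI on the ESP.
FALLBACK='\EFI\BOOT\BOOTX64.EFI'

first_loader() {
    result=$(awk '
        /^BootOrder:/ { n = split($2, order, ",") }
        # Active entries start with "BootXXXX*"; inactive ones have no "*".
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]\*/ {
            id = substr($0, 5, 4)
            loader[id] = "(no File() path)"
            if (match($0, /File\([^)]*\)/))
                loader[id] = substr($0, RSTART + 5, RLENGTH - 6)
        }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in loader) { print order[i], loader[order[i]]; exit }
        }
    ')
    if [ -n "$result" ]; then printf '%s\n' "$result"
    else printf 'fallback %s\n' "$FALLBACK"; fi
}

# Succeeds only if the binary tried first lives in \EFI\BOOT\ (FAT ignores case).
boots_from_fallback_dir() {
    case "$(first_loader | cut -d' ' -f2- | tr '[:lower:]' '[:upper:]')" in
        '\EFI\BOOT\'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples, not output from a real machine.
sample_grub_entry() {
cat <<'EOF'
BootCurrent: 0001
BootOrder: 0001,0000
Boot0000  stale HD(1,GPT,...)/File(\EFI\BOOT\BOOTX64.EFI)
Boot0001* GRUB HD(1,GPT,...)/File(\EFI\GRUB\grubx64.efi)
EOF
}
sample_no_entries() {
cat <<'EOF'
BootCurrent: 0000
Timeout: 1 seconds
EOF
}

sample_grub_entry | first_loader   # an entry exists, so EFI/BOOT is bypassed
sample_no_entries | first_loader   # no entry, so the fallback path is used
```

On a real system the input would come from `efibootmgr -v | first_loader`; a result outside `\EFI\BOOT\` means the files placed in /boot/efi/EFI/BOOT/ are not the first thing the firmware loads.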

little-helper-001 commented 1 year ago

Thank you for your quick response. Indeed one can follow the instructions from the Arch wiki closely, there were other issues that threw me off.

It seems now with the current UEFI version that there is a problem with my motherboard. Previously I enabled Secure Boot and Shim did its thing, but now it seems it is tailored to Windows. There is "Other OS" which seems to be equivalent to disabled and "Windows UEFI" which means enabled. The Windows mode however won't accept manually created certificates at all and the shim binary seems to be accepted since the MOK manager starts, but it won't enroll my own certificates. The Windows mode also needs a UEFI driver directly on the storage device otherwise it won't work or will fall back to BIOS/legacy mode if available. What a shit show ...

I will open a case with the manufacturer now, thanks for your help though.

little-helper-001 commented 1 year ago

So a quick follow-up. AGESA 1.0.0.5 seems to completely break compatibility for Secure Boot on Linux! Shim works, but enrolling keys with the MOK manager does not, self-generated keys do not work at all. I downgraded my UEFI to the previous version and was able to set up Secure Boot on the first try.

Thank you again for your quick response and instructions!