I installed POP! OS on my laptop a few days ago but secure boot won't let me boot it. I can't disable secure boot or UEFI mode because after installing a BIOS update my BIOS setup menu won't open anymore. It's a bug and many similar models have it. My BIOS is read write protected so I can't install an old version of it either. I have heard that Ubuntu and some other popular OSes use a small bootloader known as shim to boot the main bootloader. How can I achieve this on POP! OS?
How to boot POP! OS in UEFI mode without disabling secure boot on the computer
bios, bootloader, operating systems, secure-boot, uefi
Related Solutions
On modern Linux distributions using systemd, you can go straight to the Firmware setup menu using:
systemctl reboot --firmware-setup
Documentation: https://www.freedesktop.org/software/systemd/man/systemctl.html#--firmware-setup
By design, Secure Boot cannot be disabled from within an OS; you must enter your firmware's setup utility in order to disable it. With most computers, you can enter the firmware setup utility by hitting a function key, or sometimes Del, early in the boot process. Some computers don't enable the keyboard, though, or don't provide this option at all. If you've got such a system, you could try unplugging the hard disk from the motherboard and booting without a disk; that might kick the system into the firmware setup utility.
IIRC, the HashTool.efi program that comes with PreLoader.efi provides an option to reboot into the firmware's setup utility. This option doesn't work on all computers, though. If yours is one on which this feature works, you could get in by preparing a USB flash drive as follows:
- Download PreLoader.efi and HashTool.efi.
- Prepare a USB flash drive with a FAT filesystem. You may need to partition it with GPT and mark the partition as an ESP by giving it a type code of EF00 in gdisk or by setting its "boot flag" in parted or GParted.
- Copy and rename PreLoader.efi to the USB flash drive as EFI/BOOT/bootx64.efi and copy HashTool.efi as EFI/BOOT/HashTool.efi.
- Move the USB flash drive to your currently-unbootable computer and try to boot from it. With any luck, HashTool will come up and give you an option to reboot into the firmware setup utility.
Another option would be to prepare a USB flash drive or the like with a Secure Boot-enabled boot loader (PreLoader or shim). This would enable you to boot to Linux and install the Secure Boot-enabled boot loader on your hard disk. If you use PreLoader, you can begin as just described, but you'll also need to copy a regular Linux boot loader to the USB drive as EFI/BOOT/loader.efi. When you boot, HashTool will then let you register that program as valid, and thereafter it will work. You'll still have to configure the boot loader to boot off your regular hard disk, though. For more information or if you want to use shim rather than PreLoader, see my Web page on the topic for details.
Update: Recent versions of rEFInd, and I believe also gummiboot, provide an option to reboot into the firmware setup utility. To be useful, you'll need to install these programs to launch from PreLoader.efi or shim.efi. My rEFInd Secure Boot documentation covers this process in detail for rEFInd.
Best Answer
I was able to set up Secure Boot on Pop OS using PreLoader. As always, the Arch Wiki has a great explanation of how to set it up.
After installing Pop OS, don't reboot but mount your EFI partition. Download PreLoader and HashTool: https://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/ Then copy PreLoader and HashTool to /efi/EFI/systemd. Finally, rename systemd-bootx64.efi to loader.efi, create another copy of PreLoader and name it systemd-bootx64.efi (this is for allowing EFI to boot straight to PreLoader without creating a new UEFI entry).
After this, enjoy Pop OS. Sometimes after a kernel update your system will boot to PreLoader, where you will have to accept the new hash. But most of the time your system will boot straight to Pop OS.
Hope it helps!
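
The file shuffle from this answer as a shell function, added here as an example and not the answer author's own script. The function name `stage_preloader` and its exit codes are assumptions, and the ESP directory is passed as an argument. It refuses a second rename, which would overwrite the real boot loader with PreLoader.

```shell
#!/bin/sh
# Added example: put PreLoader in front of systemd-boot on a mounted ESP.
# Usage: sh stage-preloader.sh /efi/EFI/systemd ./PreLoader.efi ./HashTool.efi
# Exit codes (assumed for this example): 0 staged or already staged,
# 1 missing input or copy failure, 2 unexpected state, nothing changed.

stage_preloader() {
    dir=$1 preloader=$2 hashtool=$3
    boot="$dir/systemd-bootx64.efi"   # path the firmware boot entry points at
    loader="$dir/loader.efi"          # name PreLoader chain-loads

    for f in "$preloader" "$hashtool" "$boot"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done

    if [ -e "$loader" ]; then
        # A second rename would overwrite the real boot loader with PreLoader.
        if cmp -s "$boot" "$preloader"; then
            echo "already staged, nothing to do"
            return 0
        fi
        echo "refusing: $loader exists but $boot is not PreLoader" >&2
        return 2
    fi

    # Copy the helpers first so a failure here leaves the ESP bootable as-is.
    cp "$preloader" "$dir/PreLoader.efi" || return 1
    cp "$hashtool" "$dir/HashTool.efi" || return 1

    # Real systemd-boot becomes loader.efi; PreLoader takes over its old name.
    mv "$boot" "$loader" || return 1
    if ! cp "$preloader" "$boot"; then
        mv "$loader" "$boot"          # roll back so the entry still resolves
        return 1
    fi
    echo "staged: enroll the hash of loader.efi in HashTool on next boot"
}

# Run only when called with the three arguments; sourcing defines the function.
if [ "$#" -eq 3 ]; then
    stage_preloader "$@"
fi
```

Exit code 2 is also what you get after a boot loader update has replaced systemd-bootx64.efi with a fresh systemd-boot binary; resolve that by hand rather than forcing the rename.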