Arch Linux – How to Boot Installation Medium with Secure Boot Enabled

Tags: arch-linux, linux, secure-boot

I've got a new laptop with a Samsung BIOS (version P08AFD) and the Aptio Setup Utility. When I try to boot a USB stick with Arch Linux 2016.10.01 it says that the signature is invalid. The documentation seems to assume that I've already booted into Arch Linux, so I'm stumped as to how to continue:

  • Are the keys on the ISO somewhere? There is a tool in Aptio to add PK, KEK, DB and DBX files.
  • Has the signature been invalidated by me making a custom USB stick from the official installation medium?
  • Should this "just work"? I'm at a loss for why a Linux distro would stop supporting a common (if controversial) security feature, especially since they seem to have supported it for some time.

The USB stick boots just fine on an older machine without Secure Boot support.

Best Answer

Flash the ISO onto the USB key as you normally would.

Then:

  1. navigate to ~\EFI\boot\
  2. rename BOOTx64.EFI to loader.efi
  3. download a signed shim.efi into the same folder
  4. rename it to BOOTx64.EFI
  5. boot the thing and enroll the hash of ~\EFI\boot\loader.efi from disk

EDIT: relevant bug
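The five steps above as a script, added here as an example and not part of the original answer. It operates on an already-flashed stick whose EFI partition is mounted, refuses to run twice (a second run would overwrite the real loader with the first stage), and verifies the resulting layout. The argument layout, the `LOADER_NAME` variable, the `demo_on_tempdir` self-test and the constructed dummy files are all assumptions of this example; the signed first stage and its helper are whatever you downloaded yourself.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Usage: prepare_stick.sh <stick EFI/boot dir> <signed first stage> [enrolment helper]
#   e.g. prepare_stick.sh /mnt/usb/EFI/boot ~/Downloads/shim.efi ~/Downloads/mmx64.efi
# LOADER_NAME is the name the first stage chain-loads; the answer uses loader.efi.
set -eu

LOADER_NAME="${LOADER_NAME:-loader.efi}"

prepare_secure_boot_stick() {
    dir="$1"; first_stage="$2"; helper="${3:-}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    [ -f "$first_stage" ] || { echo "signed first stage not found: $first_stage" >&2; return 1; }
    # Refuse to run twice: BOOTx64.EFI would then be shim, and we would clobber the loader.
    if [ -e "$dir/$LOADER_NAME" ]; then
        echo "$dir/$LOADER_NAME already exists; stick looks prepared" >&2; return 1
    fi
    [ -f "$dir/BOOTx64.EFI" ] || { echo "BOOTx64.EFI missing in $dir" >&2; return 1; }

    # Step 2: the ISO's own loader becomes the second stage.
    mv "$dir/BOOTx64.EFI" "$dir/$LOADER_NAME"
    # Steps 3-4: the signed first stage takes the default-boot file name.
    cp "$first_stage" "$dir/BOOTx64.EFI"
    # Step 5 needs the enrolment tool next to the first stage (mmx64.efi / HashTool.efi).
    if [ -n "$helper" ]; then cp "$helper" "$dir/"; fi
}

# Returns 0 when BOOTx64.EFI is byte-identical to the signed first stage and the
# second stage is in place under LOADER_NAME; 1 otherwise.
stick_layout_ok() {
    dir="$1"; first_stage="$2"
    [ -f "$dir/$LOADER_NAME" ] || return 1
    cmp -s "$dir/BOOTx64.EFI" "$first_stage"
}

# Self-test on a constructed directory tree (no real stick or real shim involved):
# prints the temporary root so the caller can inspect it.
demo_on_tempdir() {
    root="$(mktemp -d)"
    mkdir -p "$root/EFI/boot"
    printf 'constructed-arch-loader' > "$root/EFI/boot/BOOTx64.EFI"   # stands in for the ISO loader
    printf 'constructed-signed-shim' > "$root/shim.efi"                # stands in for shim.efi
    printf 'constructed-mokmanager'  > "$root/mmx64.efi"               # stands in for MokManager
    prepare_secure_boot_stick "$root/EFI/boot" "$root/shim.efi" "$root/mmx64.efi"
    printf '%s\n' "$root"
}

# Only act on real arguments; sourcing or running without them does nothing.
if [ "$#" -ge 2 ]; then
    prepare_secure_boot_stick "$1" "$2" "${3:-}"
    stick_layout_ok "$1" "$2" && echo "stick prepared: $1"
fi
```

Two caveats a practitioner will hit. First, the first stage looks for its second stage under a fixed name: PreLoader.efi expects loader.efi (with HashTool.efi beside it for enrolment), while shim's default second stage is grubx64.efi (with mmx64.efi, MokManager, beside it), so set `LOADER_NAME` to match whichever signed first stage you actually downloaded. Second, the hash enrolled at step 5 is the PE image's Authenticode hash as computed by HashTool or MokManager, not the output of `sha256sum`, so enroll it from the file on the stick as the answer says rather than typing a hash in by hand.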
