5

I've got a new laptop with a Samsung BIOS (version P08AFD) and Aptio Setup Utility. When I try to boot a USB stick with Arch Linux 2016.10.01 it says that the signature is invalid. The documentation seems to assume that I've already booted into Arch Linux. So I'm stumped for how to continue:

  • Are the keys on the ISO somewhere? There is a tool in Aptio to add PK, KEK, DB and DBX files.
  • Has the signature been invalidated by me making a custom USB stick from the official installation medium?
  • Should this "just work"? I'm at a loss for why a Linux distro would stop supporting a common (if controversial) security feature, especially since they seem to have supported it for some time.

The USB stick boots just fine on an older machine without Secure Boot support.

l0b0

1 Answer

6

Flash the ISO on the USB key as you would normally do.

Then:

  1. navigate to `~\EFI\boot\`
  2. rename `BOOTx64.EFI` as `loader.efi`
  3. download signed `shim.efi` in the same folder
  4. rename it as `BOOTx64.EFI`
  5. boot the thing and enroll from disk the `~\EFI\boot\loader.efi` hash

EDIT: relevant bug

mirh
  • What does "rename the later as such" mean? Like rename `PreLoader.efi` as `bootx64.efi`? – Hendy Apr 28 '18 at 03:06
  • Solved! Wow, this is awesome. For anyone else confused, this translates to replacing `bootx64.efi` with `PreLoader.efi`; when I booted, I then followed [these instructions](https://wiki.archlinux.org/index.php/Secure_Boot#Booting_archiso) and I was all good. – Hendy Apr 28 '18 at 03:13
  • I guess like I should add the instructions for `shim` now, but I lack the hardware to test it atm. – mirh Apr 29 '18 at 10:57