#[ABANDONED/TO BE CONTINUED...] Idiot Tries Installing Arch Manually: Installing a Boot Loader

91 messages · Page 1 of 1 (latest)

modern egret
#

Yeah, this seems to be very complicated. For a couple reasons:

  1. I've got a Windows 11 install on a separate drive (with its own boot and EFI stuff btw) that must remain reliable and relatively secure. It's for schoolwork.
  2. That seemingly means enabling Secure Boot to get updates. Which gets complicated and dangerous quite quickly. Throughout the wiki I see mentions of accidentally bricking your hardware if you do something wrong while setting it up and that's a huge nono obviously.
  3. I preferably want to have a GRUB (or similar) boot menu that lets me select either OS. I switch between them rather frequently. This also means extra steps apparently.
  4. I hardly know what I'm doing when it comes to anything boot related. And really don't want to brick my PC.

For context, my PC supports TPM 2.0 and Secure Boot just fine as far as I can tell. It's a built PC, not a laptop.
CPU: Intel, don't have the exact model on hand nor in memory so I'll have to check. (I've already reformatted the disk and got an arch live USB plugged in)
GPU: Nvidia GTX 1660 SUPER
Motherboard: Asus Prime H310M-R R2.0 (what a mouthful)

I've already made my way through the Installation Guide up until 3.8 Boot loader... I could just cave, start over and go with archinstall since I've already learned a lot about computers and would like my Linux PC back. But I'm nearly there...

Anyways, with that textwall out the way, what route do y'all recommend I take?

limpid ridge
#

Yeah GRUB is good for multiple OSes. Although I don't really understand what you're having trouble with exactly. You can add Windows to GRUB after your installation with sudo pacman -S os-prober. After that installs you edit /etc/default/ and uncomment the bottom line that says disable os-prober. Then you update grub with sudo grub-mkconfig -o /boot/grub/grub.cfg

#

I know other bootloaders also have this but I haven't used them and wouldn't know how to set that up

modern egret
limpid ridge
#

No clue. I don't use secure boot. I don't believe you need secure boot for updates and I would recommend disabling it in a dual boot system

modern egret
#

I've had Windows complain that TPM and secure boot weren't enabled and refuse to update until I re-enabled it :P

limpid ridge
#

really? Never had that issue on windows 11.

modern egret
#

I suppose I could just turn it on when it needs to update, then turn it back off. But I have a nagging feeling that Windows won't tolerate that forever and start whining harder and cooperating even less

#

And besides going back and forth like that doesn't seem like a good idea (if I'm wrong please do correct me)

limpid ridge
limpid ridge
modern egret
#

tried only enabling that
still not happy
enabled secure boot
worked

limpid ridge
#

Never heard of anything like this before ngl

#

When did this happen? Maybe it won't care if you disable it now?

modern egret
#

Happened a week or so ago I believe?

#

It might've just been TPM being disabled and that it just so happened to only register TPM being enabled again after enabling Secure Boot as well but eh who knows

#

But it quite explicitly stated something about TPM not being supported

limpid ridge
#

Yeah I mean I have TPM enabled and secure boot off, never any issues. I can imagine Windows wouldn't be able to tell if you turned it off or didn't have it for TPM

modern egret
#

Well I know what I saw mate :P

#

Dual booting Windows and Linux these days really is like getting a mature adult and whiney baby to cooperate as coworkers... -<-

limpid ridge
#

Honestly if this issue persists I have no clue how to fix it. I would recommend turning TPM on but keeping secure boot off and just using GRUB to dual boot

#

Hopefully that solves it

modern egret
#

Would still like to see what other people have to say about this though

limpid ridge
#

yep

#

sounds good

modern egret
#

Also P.S. I really want to have a good Linux setup to start with this time round. On my previous distro I also just kinda did whatever seemed right at the time. Made me have to do stuff like switching a BIOS install to UEFI so I could upgrade Win10 to 11 and boot either OS without having to dive into my bios to switch between BIOS and UEFI.

summer cape
modern egret
# summer cape it's really not risky if you're using `sbctl`, which is the recommended and most...

Okay, I think following these instructions (link) and then doing sbctl enroll-keys -m also enrolls Microsoft's keys (-m), thereby validating my GPU as well and not bricking my PC... That means that the "necessary issuers" in this warning are retained as mentioned after running that command right? (attached screenshot) Or do I need to do something manually for that? https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Assisted_process_with_sbctl

Another Question: From where do I run this in the first place? While chrooted into the system from my USB? Or while directly booted into it?

summer cape
modern egret
#

Right, got it.

#

Do I run it from inside the installed OS or while chrooted from outside though? Or does that not really matter?

summer cape
#

when I used sbctl I just did it from within my Linux install. You have to do it that way so it gets added as a pacman hook and will re-sign your kernel after updates

#

well, again, you'll have to figure out how to do secure boot with grub as it's a pretty messy thing afaik. I've only ever done secure boot with a UKI which is dead simple

modern egret
#

Ok, didn't work. GRUB threw something along the lines of requested verification but nobody cares and entered recovery mode. :P

#

I would try using systemd-boot instead by this point but supposedly that also gets really complicated when trying to get it to boot Windows as well

#

I could maybe try going with shim instead 🤔

modern egret
#

oh my days

#

Ok, so I could also just drop the whole Secure Boot thing and just run Win11 without it, only with TPM enabled. That would make things so much easier for me right now. It should just work. Whether it'll work forever or whether Microsoft might pull some temper tantrum that breaks it one day is the question.

#

Really don't wanna wake up one day and have Windows suddenly present me an ultimatum boiling down to "it's me or your videogames." in a frankly already toxic relationship inside my own computer.

#

Again I really just want a setup for the foreseeable future. I like having my computer just how I want it (I think I'll really love Arch) but I hate the looooong set up that comes with it (right now I hate Arch) and don't want to do that to future me 😭

#

my head hurts

uneven zenith
#

I'm no expert on this, haven't used windows at all since xp.. but if you have a full win setup including efi on a completely separate drive, and linux also on its own drive, might I suggest looking into efistub as your boot manager, it writes the boot selections to bios, so you have a normal boot that goes straight in, and if you want to boot the other one you just go into bios and do a boot override (so in other words the bios acts like the grub screen) efibootmgr is the thing you use to manage it

modern egret
#

Right, that could also work. I used to dual boot like that since previously the boot manager didn't detect Windows, only Fedora, but it got annoying really quickly having to completely reboot if I didn't press the BIOS menu key in time (which admittedly is very often)

#

Might've found something.

If you are not actually interested in the security brought by Secure Boot and are only enabling it to meet the requirements posed by Windows 11, you may want to consider disabling the validation process in shim with mokutil --disable-validation. In that case you will not need to sign grub (sbat probably still needed) or the kernel images and at the same time be able to boot Windows with chainloader in grub.

#

shim seems like yet another set up nightmare but oh well it'll have to do

uneven zenith
#

no pain no gain, the arch mantra

modern egret
#

I did

sbsign --key MOK.key --cert MOK.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux

It returned:

warning: data remaining[16169016 vs 16607480] gaps between PE/COFF sections?
Image was already signed; adding additional signature

Wooaa hold on... Is that bad?

#

I tried signing them before with sbctl and I'm pretty sure there's no other reason for them to be signed besides that... Nor do I believe having two is a good idea... Any way to run that command to remove any other signatures and overwrite instead? And should I?

#

i was following the wrong instructions

#

🎉

#

Welp I probably completely borked the install in place on my disk but oh well

#

Or at least in a way that I can't undo with my currently already severe braincell deficit

modern egret
#

It's probably a good idea to start over anyway since I tried several methods and clearly previous attempts were already interfering with each other (it was otherwise a fresh install so not that I'm losing much anyway)

#

Which I will be doing sometime tomorrow probably

#

I'll probably be giving installing with shim another go when I do, in the meantime I would really appreciate any words of advice ^^"

summer cape
#

I don't really know what stage you're on, but if going into manual boot override to swap OSs isn't an issue for you like Jim mentioned, then things would become absolutely dead simple

#

like I said before, and you saw yourself, doing secure boot with grub is

#

a fucking mess to put it bluntly

#

if you'll want to just use the boot menu provided by your bios you can resort to using a UKI for your Linux which makes secure boot genuinely easy to do

#

I can help you set that up if you want

modern egret
#

I'm giving shim one final go before resorting to a setup without a boot menu, mostly so I can maybe write or contribute to a guide about it.

In theory all I need to do is install shim and then install GRUB with the SBAT thing, and then use mokutil --disable-validation to avoid having to sign anything while still being able to boot Windows with chainloader in GRUB. If I am to believe the note in the docs here, also mentioned above. I.e. running mokutil --disable-validation and skipping any signing steps. Not sure if that command disables some important kind of validation globally, which probably wouldn't be great. But I'll roll with it for now just to see what happens.

Additionally, the directories they're suggesting me to copy to don't exist. Interesting.

$ mount /dev/sdb1 /boot
$ ls /boot
EFI  grub  initramfs-linux.img  intel-ucode.img  vmlinuz-linux
$ ls /boot/EFI
GRUB

There's no /boot/EFI/BOOT, I think. Everything works without any Secure Boot setup though.

#

Oh well that didn't take very long to find this time!

#

I'm gaining braincells ❤️‍🩹

uneven zenith
#

I remember getting quite confused about the naming of the boot directory, but in the end it doesn't really matter what you call it, you just need a dir to put the boot files in

modern egret
#

Ohhhh that makes sense, that's very good to know thank you

#

Ahhhhh right and you can just specify that directory when making the NVRAM entry :0

uneven zenith
#

yes, just decide where you want your boot and then reference that dir when you generate your boot files (by whatever method) - mine is /boot

modern egret
#

Yea I went with that too

uneven zenith
#

the wiki makes it seem like there has to be a specific dir name for boot including the word 'efi'

modern egret
#

I suppose I could contribute to the wiki by adding a note here!

esp/EFI/BOOT might not exist for you. If you're using GRUB, shim should just detect it and you should not need to move nor rename anything. Otherwise, find your boot loader (.efi or .EFI) and then rename it there. There should be a folder for it under esp/EFI.

And above the copying steps

If esp/EFI/BOOT doesn't exist you can create it now with mkdir esp/EFI/BOOT

#

I'm not 100% sure if shim can actually find grubx64.efi if it is anywhere other than in the same directory though

modern egret
#

Alright, I actually got smart enough to install shim in a way I liked more; just dropping it into what was there (esp/EFI/arch with GRUB in it) and creating a separate boot entry for using it. I also kept a separate boot entry for booting GRUB directly in case it doesn't work.

It actually seems to partly work! It presented a shim hash/key enrollment menu the first time with a countdown (not after that, just instant GRUB from then on), then booted GRUB. I think I forgot the --disable-shim-lock flag while installing GRUB since it threw a Security Violation when I actually tried booting arch from there. I did run mokutil --disable-validation beforehand after all.

#

Anyways, that's it from me for today. I'll actually have more time tomorrow and I'll be spending it tinkering some more and maybe writing some docs too!

summer cape
#

awesome!

#

glad to hear you got it to work

#

and if you think you could improve the guide the arch wiki has, you should definitely look into contributing there!

#

it's always good to see

#

the arch wiki is as much a resource for others as it is a place for you to write down solutions to problems you may want to remember later

modern egret
#

True,,,
Anyways, progress report: shim is now throwing a security violation on boot when having SB enabled, and showed a big scary red screen about unauthorised modifications blahblahblah, anyways. Not the big success I was hoping for but oh well.
When I was trying to go the keys route with sbctl earlier and couldn't get that working I just went into the settings for them in the UEFI/BIOS menu and reset them to factory default temporarily. I did save the keys from before I started messing with them, restoring those oughta work.

#

Don't know how to do that reliably

#

It does all work with SB disabled by the way, including shim presumably. It probably just detects SB is disabled and just immediately boots GRUB but it's something

modern egret
#

Asking in #quick-questions rq

modern egret
#

Actually on second thought, restoring those keys probably won't do much anyways. Giving mokutil --disable-validation another go.

#

I had to follow some extra steps, i.e. open MokManager in shim and then disable "Secure Boot" there. Now it actually gets to GRUB (booted in insecure mode)! And when trying to boot Arch it just doesn't do anything. Wow.

modern egret
#

Well, okay. Literally nothing I tried worked, but I think I worked my way well out of "idiot" territory, so that's a major win. Gee what a rodeo.
I also realized that I could also just keep going with all this later when Windows actually starts having a temper tantrum about Secure Boot not being enabled. And just keep it disabled for now. Everything is modular and changeable down the line with tinkering (thank you Arch for starting my journey learning this arcane art). The actual filesystem for Arch was persistent the entire time. I could also just give myself a comfortable desktop that works first (for now) and do all this BS from there... With a disk image backup of course. Since everything is also destructible. :)

#

This thing went on for more than long enough (thank me being stubborn) so I'm marking this post as "resolved" for now. Really a...