You should be careful before deleting all the secure boot keys from your BIOS.
Reading the warning at https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys :

> Warning: Replacing the platform keys with your own can end up bricking
> hardware on some machines, including laptops, making it impossible to get
> into the firmware settings to rectify the situation. This is due to the
> fact that some device (e.g GPU) firmware (OpROMs), that get executed during
> boot, are signed using Microsoft 3rd Party UEFI CA certificate.

And it would be best to back up those keys before deleting them. There is a command to do so on the same wiki page, a few paragraphs below.

Personally, I am just sticking to the shim method to stay on the safe side.

On Mon, 17 Jul 2023 at 14:24, Simon Perry <a...@sanxion.net> wrote:

> On 2023-07-17 09:29 PM, Sergey Filatov wrote:
>
> > So the boot sequence in my case is this:
> >
> > EFI -> shim -> MOK-signed GRUB2 with MOK-signed modules -> MOK-signed
> > Linux kernel
>
> From what I've learned you don't need shim at all, you can boot a signed
> grub and kernel directly.
>
> Apparently you can chainload Windows using shim because it's an MS
> signed binary but I never got it to work.
>
> If you just want Linux to boot have a look at:
>
> https://www.reddit.com/r/archlinux/comments/10pq74e/my_easy_method_for_setting_up_secure_boot_with/
>
> My general method was:
>
> - Get UEFI boot working first
> - Delete all the secure boot keys from your BIOS, ensure setup mode is
>   enabled
> - Boot and set up and sign everything with sbctl
> - Enable secure boot in the BIOS, boot
> - If it doesn't work, enter your BIOS, delete all the keys and go to
>   setup mode again
> - Try again
>
> Cheers.
>
> P.S. Always use --disable-shim-lock when installing grub
>
> --
> Simon Perry (aka Pezz)
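
Added example, not part of the original thread: a small parser for inspecting a key backup before the factory keys are deleted, reporting which entries are X.509 certificates and which carry the Microsoft owner GUID. It assumes the backup is a raw EFI signature list (`.esl`), the format efitools' `efi-readvar` writes with `-o`; the function names and the sample bytes are constructed for illustration.

```python
import struct
import uuid

# Well-known GUIDs: the X.509 signature type from the UEFI specification and
# the owner GUID conventionally attached to Microsoft's db/KEK entries.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")


def parse_esl(blob):
    """Yield (signature_type, owner_guid, data) for every entry in an ESL blob."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        # EFI GUIDs are stored mixed-endian, which matches uuid's bytes_le.
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < 28 or sig_size < 16 or offset + list_size > len(blob):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos = offset + 28 + header_size
        end = offset + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        offset = end


def summarize(blob):
    """Return one dict per entry; the owner GUID is a label, not proof of origin."""
    return [{"x509": t == EFI_CERT_X509_GUID,
             "microsoft_owner": o == MICROSOFT_OWNER_GUID,
             "size": len(d)} for t, o, d in parse_esl(blob)]


def make_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST (constructed test data, equal-sized payloads)."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample: placeholder bytes stand in for real DER certificates.
SAMPLE = (make_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, [b"\x30" * 40])
          + make_list(EFI_CERT_X509_GUID, uuid.UUID(int=1), [b"\x30" * 24, b"\x31" * 24]))

if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry)
```

On a real backup, pass the file's bytes to `summarize()`; an empty result or a `ValueError` means the backup is not a usable signature list and should be retaken before any key is removed.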