Boot arch labs with enabled secure boot

Hi guys,

After getting my new notebook I need to run the ArchLabs live system, but I cannot disable Secure Boot on my system for security reasons.

I did some research but was unable to find a solution to sign my EFI to get ArchLabs to boot from USB with Secure Boot enabled. Are there any plans for Secure Boot support for ArchLabs?

By the way, I really like the latest release, which I tested inside VirtualBox, but I need my hardware accessible to do some security tests with ArchLabs.

I have an HP ZBook 15u G5 Workstation, if anyone knows a tool that has the possibility to sign the EFI through HP :slight_smile:

best regards,
k1ngf15h3r

Arch supports Secure Boot; by extension so do we. You need to add the bootloader to your firmware’s trusted bootloaders with some devices if you are using multi-boot with a Windows OS. I’ve always just left Secure Boot enabled and personally haven’t had a problem.

Cheers

This is good to know. But I cannot find the f**king option to add my device to the trusted list :see_no_evil:

HP added so many of its own security options to the BIOS/UEFI that it is really difficult to configure.

I think I will need to call support.

The upstream Arch Linux live ISO image no longer supports Secure Boot:

https://bugs.archlinux.org/task/53864

It is possible to implement Secure Boot once the system is installed by using sbsigntools and this guide:

https://www.rodsbooks.com/efi-bootloaders/secureboot.html#signing

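A first check when a USB stick is refused under Secure Boot is whether its EFI loader carries an embedded Authenticode signature at all. The following is an added example (not from this thread or from ArchLabs) that parses the PE certificate table to answer that; it does not validate the signature or compare it with the firmware's keys, and `constructed_image` is a hypothetical helper that builds sample headers.

```python
import struct

CERT_DIR_INDEX = 4                  # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 2  # Authenticode (PKCS#7 SignedData)

def certificate_entries(image: bytes):
    """Return [(file_offset, length, cert_type)] for each WIN_CERTIFICATE entry."""
    if image[:2] != b"MZ" or len(image) < 0x40:
        raise ValueError("no MZ header: not a PE/EFI image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe_off + 24                    # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    (count,) = struct.unpack_from("<I", image, dirs - 4)
    if count <= CERT_DIR_INDEX:
        return []
    off, size = struct.unpack_from("<II", image, dirs + 8 * CERT_DIR_INDEX)
    if off == 0 or size == 0:
        return []                        # empty certificate table: unsigned
    if off + size > len(image):
        raise ValueError("certificate table points past end of file")
    entries, pos, end = [], off, off + size
    while pos + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((pos, length, ctype))
        pos += (length + 7) & ~7         # entries are 8-byte aligned
    return entries

def has_authenticode_signature(image: bytes) -> bool:
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, _, t in certificate_entries(image))

def constructed_image(signed: bool) -> bytes:  # constructed sample, not a real loader
    pe_off, opt = 0x40, 0x40 + 24
    img = bytearray(opt + 112 + 16 * 8)
    img[0:2], img[pe_off:pe_off + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe_off)
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<I", img, opt + 108, 16)   # NumberOfRvaAndSizes
    if signed:
        cert = struct.pack("<IHH", 24, 0x0200, 2) + bytes(16)  # placeholder, not real PKCS#7
        struct.pack_into("<II", img, opt + 112 + 8 * CERT_DIR_INDEX, len(img), len(cert))
        img += cert
    return bytes(img)
```

To check a real stick, read its loader (on removable media, `EFI/BOOT/BOOTX64.EFI`) as bytes and pass it to `has_authenticode_signature`. Validating the signature against a certificate is what `sbverify` from sbsigntools does.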

Thank you for posting and correcting me on the matter, I wasn’t aware of this before.

Thanks for your reply.

My problem is that I need to run the live system in Secure Boot. Any possibility to manually sign the live EFI file?

Try and install Plop on your Windows Operating System. When your computer starts up, before you see the Windows logo you should see the Plop boot manager, and it will give you two options: whether to boot into Windows or to start Plop manager. Start Plop and then you will be given the option to boot via USB.


You could try https://wiki.archlinux.org/index.php/Remastering_the_Install_ISO but it’s a bit of a chicken & egg situation unless you can get Arch working under the Windows Subsystem For Linux.

It is part of the UEFI standard to have an option to disable Secure Boot (and also to boot in CSM or “Legacy” mode) so perhaps have a rifle through the firmware menus and see if you can find it.

This sounds interesting but fails on my system even if I do it with admin rights. Maybe BitLocker or HP prevents changing the boot menu.

The sign "Protected by HP Sure Start" reads like an evil laugh on every boot :smirk:

If I find more time I will try to get this fixed. For now I will keep beautiful ArchLabs in my VM :heart_eyes:


What error message do you get? May I please see a screenshot of this?

Does it lag for you when running in VM?

It does not lag with VirtualBox. With Hyper-V I had performance issues. But my reason for running it outside of my VM is that I need to access my Wi-Fi controller and my physical GPU for hashcat testing :smirk:


Doesn’t hashcat like take forever to decrypt a password with a length of 10 characters?

So have you managed to get Plop to work by any chance? I really want to see the error that you get, because it is quite strange to see this happen with Plop.

Did not find the time to get Plop running. A new possible solution could be using shim because it is signed by Microsoft. But I need to figure out how to get this onto my ArchLabs live USB stick.

Well, good luck mate (it literally only takes a few seconds to run Plop :wink: )

Did you try using Rufus?

Tried Rufus but I need to replace files on my stick to get shim running. For now no luck with shim.

Do you know a (maybe German) tutorial for adding Plop to a live USB stick as boot manager?

I have never heard of shim, can you please tell me what this is and what it does?

Nope not at all sorry about that. As far as I am aware, the way Plop works is by doing something to Windows that whenever you start your computer, before seeing the boot screen you will get two options, either to start Windows or to start Plop. After you click on Plop then you can boot from USB connection. That is all I know.

There is another option however. I can say that in Plop you are also given the option to write to MBR if you click on the file called InstallToMBR.bat. An alternative is to install EasyBCD and through that you can install Plop and I don’t know if it can bypass the HP protection or not.

https://wiki.archlinux.org/index.php/Secure_Boot#shim

Here is something about shim for Arch.

Thanks man,

I hope my other solutions help you out.