dual-booting in the Win11/SB era - and sbctl

RJVB

Ars Tribunus Militum
2,906
Hi,

So I just got the first Win11 laptop in the house and evidently it's set up to refuse to boot even from the hard disk that came out of the Win10 laptop it replaces (one in which I had disabled secure boot [SB]).

Not that it's in any way urgent; it's my partner's laptop and she never got sufficiently annoyed by Win10 slowness to use the Linux environment I'd set up for her. But I like to think ahead and also don't mind having Linux access to/on what's probably the fastest machine in the house at the moment.
For that I could of course just disable SB temporarily - assuming that the machine will boot into Win11 again after re-enabling SB. That's supposed to be the idea, right?!

Anyway, what do people do nowadays to make systems multi-bootable? Do distros come with SB-compatible bootloaders (and install images), nowadays?

And is it even enough to have an SB-compatible bootloader or do you also need a signed kernel and/or initrd image?

Someone pointed me to sbctl which looks like a very handy utility to make your familiar bootloaders SB-compatible by signing them. Does anyone have hands-on experience doing this, on a machine that needs to continue to boot into the MSWin install it came with?

I downloaded the prebuilt package on my own old Linux rig, running on hardware that I'm not entirely certain has SB (I did not reboot to check, but if it does, it's disabled). Playing around to get acquainted, I thought I'd see if I could export the keys present in the EFI, and got this:
Code:
> sbctl/sbctl enroll-keys --export esl 
Could not find any TPM Eventlog in the system. This means we do not know if there is any OptionROM present on the system.

That got me thinking, and realising that there might be a chicken-and-egg problem: I would thus probably not be able to sign my bootloaders on my own rig and then copy them to the system on which they are needed. So I'd need to find a way to boot into Linux on the target machine, work the magic there, and then hope Win11 still boots afterwards?

I also started to realise that I might get my own system into an unbootable state, so I haven't yet tried to enroll the keys I generated...
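As an added example (not part of RJVB's post, and not code from the sbctl project), here is the pre-flight check a practitioner would run before touching `sbctl enroll-keys`, addressing the "does this rig even have SB, and is it enabled?" doubt above: it reads the UEFI `SecureBoot` and `SetupMode` variables the way Linux exposes them under efivarfs (4 bytes of attribute flags, then the variable data) and also runs the same parser over constructed sample files so the logic can be exercised on any machine. The function names, the state labels and the sample data are this example's own; the GUID and the efivarfs layout are the real ones.

```shell
#!/bin/sh
# Added example, not from the forum post or the sbctl project.
# Pre-flight check before `sbctl enroll-keys`: read the UEFI SecureBoot and
# SetupMode variables as Linux exposes them under efivarfs.
#
# efivarfs file layout: 4 bytes of little-endian attribute flags, then the
# variable data. For SecureBoot and SetupMode the data is one byte, 0 or 1.

EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE GUID

# efivar_byte DIR NAME: print the first data byte of the EFI global variable
# NAME found in efivarfs directory DIR as a decimal number, or "absent" when
# the variable does not exist (legacy BIOS boot, or no efivarfs mounted).
efivar_byte() {
    file="$1/$2-$EFI_GLOBAL_GUID"
    if [ ! -r "$file" ]; then
        echo absent
        return 0
    fi
    # -j4 skips the attribute header, -N1 reads one byte, -tu1 prints it in decimal
    od -An -tu1 -j4 -N1 "$file" | tr -d ' '
}

# sb_state DIR: classify the firmware state (labels are this example's own):
#   no-efi-vars  no UEFI variables visible at all
#   setup-mode   Secure Boot keys cleared; enroll-keys can write PK/KEK/db
#   sb-enabled   Secure Boot enforcing with the keys currently enrolled
#   sb-disabled  UEFI present, keys enrolled, but enforcement switched off
sb_state() {
    sb=$(efivar_byte "$1" SecureBoot)
    setup=$(efivar_byte "$1" SetupMode)
    if [ "$sb" = absent ]; then
        echo no-efi-vars
    elif [ "$setup" = 1 ]; then
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo sb-enabled
    else
        echo sb-disabled
    fi
}

# make_fake_efivars DIR SB SETUP: write constructed efivarfs files (sample
# data, not a dump of real firmware) so the parser can be exercised anywhere.
make_fake_efivars() {
    mkdir -p "$1"
    for pair in "SecureBoot=$2" "SetupMode=$3"; do
        name=${pair%%=*}
        value=${pair#*=}
        {
            # attributes 0x00000006 = BOOTSERVICE_ACCESS|RUNTIME_ACCESS, little-endian
            printf '\006\000\000\000'
            # one data byte, written via its octal escape
            printf "\\$(printf '%03o' "$value")"
        } > "$1/$name-$EFI_GLOBAL_GUID"
    done
}

# Demo: constructed samples first, then the machine this runs on (needs a
# readable efivarfs; prints no-efi-vars on a BIOS-booted or non-UEFI system).
demo=$(mktemp -d)
make_fake_efivars "$demo/enabled" 1 0
make_fake_efivars "$demo/setup" 0 1
echo "constructed, enforcing:   $(sb_state "$demo/enabled")"   # sb-enabled
echo "constructed, setup mode:  $(sb_state "$demo/setup")"     # setup-mode
echo "this machine:             $(sb_state /sys/firmware/efi/efivars)"
rm -rf "$demo"
```

Run it on the target machine before enrolling anything. `sb-enabled` without Setup Mode means the vendor's keys are in place and the firmware will reject anything not signed by them, which is the state the new laptop is in; `setup-mode` is the state `sbctl enroll-keys` needs to write its own PK/KEK/db. On a machine that must keep booting the Windows it shipped with, the sbctl option to look at is `enroll-keys --microsoft`, which enrolls your keys alongside Microsoft's certificates instead of replacing them; the "no TPM event log" warning quoted in the post is about the same risk, namely dropping the Microsoft UEFI CA that signs third-party Option ROMs (GPUs, NICs) and Windows' own boot manager.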