Secure Boot with CachyOS
How to dual boot CachyOS and Windows with Secure Boot on
We are going to use the rEFInd boot manager for this.
- Temporarily turn off Secure Boot and boot from the CachyOS bootable USB.
- You'll need an active internet connection now. Click Launch Installer > Online > Refind
- Continue with the installation, then at the partitioning step select Manual Partition and create a partition with the following settings:
  - Size: 500mb
  - Filesystem: fat32
  - Mount point: /boot/efi
  - Flags: boot
- Create the rest of the partitions (root, swap, etc.), continue with the installation, and restart when it completes.
- Install the shim-signed and sbsigntools packages from the AUR.
- Now run this command to reinstall rEFInd with the installed shim and generate keys to sign the rEFInd binaries automatically.
- Enter Y for the incoming prompts and complete the installation.
- Now sign the kernel binary with the keys generated by rEFInd using the following command.
The name of your kernel may vary!
- We are almost done! Now restart your device and turn on Secure Boot then boot normally.
- You will see a message saying Verification failed: Security Violation. Press Enter.
- It will open the Shim UEFI Key Management. Press any key to open the MokManager.
- In the Perform MOK management screen, select Enroll key from disk and browse to /EFI/refind/keys. Select refind_local.cer.
- Press Enter > Continue > Yes.
- Reboot your device.
Everything should work perfectly now. Run bootctl to check Secure Boot status.
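Before the reboot that turns Secure Boot back on, it helps to confirm that every image you expect to boot is actually signed by the local rEFInd key, since an unsigned kernel will be rejected. The script below is an added example, not part of the original guide; it assumes the certificate is at /etc/refind.d/keys/refind_local.crt (override with CERT=...), that image paths are passed as arguments, and that `bootctl status` prints a "Secure Boot:" line.

```bash
#!/usr/bin/env bash
# Added example: audit signatures before re-enabling Secure Boot.
# Assumption: the local rEFInd certificate is at the path below; override with CERT=...
CERT="${CERT:-/etc/refind.d/keys/refind_local.crt}"

# is_signed IMAGE: succeeds if IMAGE has a signature that verifies against $CERT.
# sbverify ships with the sbsigntools package installed earlier in the guide.
is_signed() {
    sbverify --cert "$CERT" "$1" >/dev/null 2>&1
}

# audit_images IMAGE...: prints one status line per image and
# fails if any image is missing or not signed by the local key.
audit_images() {
    audit_bad=0
    for audit_img in "$@"; do
        if [ ! -f "$audit_img" ]; then
            printf 'MISSING   %s\n' "$audit_img"
            audit_bad=$((audit_bad + 1))
        elif is_signed "$audit_img"; then
            printf 'SIGNED    %s\n' "$audit_img"
        else
            printf 'UNSIGNED  %s\n' "$audit_img"
            audit_bad=$((audit_bad + 1))
        fi
    done
    [ "$audit_bad" -eq 0 ]
}

# secure_boot_state: prints enabled, disabled or unknown.
# Assumption: "bootctl status" reports a line containing "Secure Boot:".
secure_boot_state() {
    case "$(bootctl status 2>/dev/null | grep -i 'secure boot:')" in
        *enabled*)  echo enabled ;;
        *disabled*) echo disabled ;;
        *)          echo unknown ;;
    esac
}

# Example call (kernel name is a placeholder, yours may differ):
#   sudo ./sb-audit.sh /boot/vmlinuz-linux-cachyos
if [ "$#" -gt 0 ]; then
    echo "Secure Boot: $(secure_boot_state)"
    audit_images "$@"
fi
```

The script exits non-zero if any listed image is missing or unsigned, so it can also gate a kernel-update hook.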
Tips and Tricks
Signing with Hook
The kernel signing can be automated with a mkinitcpio post hook, see Secure Boot#Signing the kernel with a mkinitcpio post hook.
Using KeyTool
KeyTool can be used to add, remove, or replace keys in your device's NVRAM. To use it:
- Copy KeyTool.efi
- Sign KeyTool.efi
- Select KeyTool from the rEFInd boot screen to open it.
Credits
Thanks to Aritra Karak for writing this guide!