Secure Boot with CachyOS
How to dual boot CachyOS and Windows with Secure Boot on?
We are going to use the rEFInd boot manager for this.
- Temporarily turn off Secure Boot and boot from the CachyOS bootable USB.
- You will need an active internet connection now. Click Launch Installer > Online > Refind.
- Continue with the installation. In the partition step, select Manual Partition and create a partition with the following settings:
  - Size: 500 MB
  - Filesystem: fat32
  - Mount point: /boot/efi
  - Flags: boot
- Create the rest of the partitions (root, swap etc.), continue with the installation and restart when it completes.
- Install the shim-signed and sbsigntools packages from the AUR.
- Now run this command to re-install rEFInd with the installed shim and generate local keys that sign the rEFInd binaries automatically:

  ```
  refind-install --shim /usr/share/shim-signed/shimx64.efi --localkeys
  ```

  Enter Y for the prompts that follow and complete the installation.
- Now sign the kernel binary with the keys generated by rEFInd using the following command:

  ```
  sudo sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/vmlinuz-linux-cachyos /boot/vmlinuz-linux-cachyos
  ```

  The name of your kernel may vary!
- We are almost done! Now restart your device, turn Secure Boot back on and boot normally.
- You will see a message saying Verification failed: Security Violation. Press Enter.
- It will open the Shim UEFI Key Management. Press any key to open the MokManager.
- In the Perform MOK management screen, select Enroll key from disk and browse to /EFI/refind/keys. Select refind_local.cer.
- Press Enter > Continue > Yes.
- Reboot your device.

Everything should work perfectly now. Run bootctl to check the Secure Boot status.
Tips and Tricks
Signing with Hook
The kernel signing can be automated with a mkinitcpio post hook, see Secure Boot#Signing the kernel with a mkinitcpio post hook (https://wiki.archlinux.org/title/Secure_Boot#Signing_the_kernel_with_a_mkinitcpio_post_hook).
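Without such a hook, every kernel update replaces the signed vmlinuz with an unsigned one and shim will refuse to boot it. The script below is an added example of that post hook, not code from the CachyOS wiki or rEFInd; it assumes the path /etc/initcpio/post/sign-kernel.sh and the mkinitcpio convention that the kernel image path arrives as $1 with KERNELDESTINATION naming its copy under /boot. It only re-signs an image that does not already carry a signature from the rEFInd local certificate, so repeated runs are harmless.

```shell
#!/usr/bin/env bash
# Assumed location: /etc/initcpio/post/sign-kernel.sh (must be executable).
# Assumed calling convention: mkinitcpio passes the kernel image as $1 and
# exports KERNELDESTINATION with the path of the copy installed under /boot.

# Keys created by "refind-install --localkeys" (paths from the guide above).
KEY=/etc/refind.d/keys/refind_local.key
CERT=/etc/refind.d/keys/refind_local.crt

# Returns 0 when the image already carries a valid signature from CERT.
is_signed_by_local_key() {
    sbverify --cert "$CERT" "$1" >/dev/null 2>&1
}

# Signs one image in place, but only if our key has not signed it yet.
# Prints "signed" or "already-signed" so the caller can see what happened.
sign_if_needed() {
    local image="$1"
    if is_signed_by_local_key "$image"; then
        echo "already-signed"
        return 0
    fi
    sbsign --key "$KEY" --cert "$CERT" --output "$image" "$image" || return 1
    echo "signed"
}

# Entry point used as the mkinitcpio post hook.
sign_kernel_hook() {
    local kernel="$1"
    [ -n "$kernel" ] || return 0            # nothing to do without an image
    # Prefer the copy already installed under /boot: that is what rEFInd loads.
    [ -f "${KERNELDESTINATION:-}" ] && kernel="$KERNELDESTINATION"
    [ -r "$KEY" ] && [ -r "$CERT" ] || { echo "rEFInd local keys missing" >&2; return 1; }
    sign_if_needed "$kernel"
}

sign_kernel_hook "$@"
```

After a kernel update, `sbverify --cert /etc/refind.d/keys/refind_local.crt /boot/vmlinuz-linux-cachyos` should report a valid signature; if it does not, shim will stop at the same Security Violation screen shown in the guide.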
Using KeyTool
KeyTool can be used to add, remove or replace keys in the NVRAM of your device. To use it:

- Copy KeyTool.efi:

  ```
  sudo cp /usr/share/efitools/KeyTool.efi /boot/efi/EFI/refind/
  ```

- Sign KeyTool.efi:

  ```
  sudo sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/efi/EFI/refind/KeyTool.efi /boot/efi/EFI/refind/KeyTool.efi
  ```

- Select KeyTool from the rEFInd boot screen to open it.
Credits
Thanks to Aritra Karak for writing this guide!