Skip to content

Instantly share code, notes, and snippets.

@Jai-JAP

Jai-JAP/1000-signGrub.hook

Last active February 28, 2026 15:46
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Jai-JAP/5d5d9f67f19e5e5eaf6825b371a17d5d to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Jai-JAP/5d5d9f67f19e5e5eaf6825b371a17d5d to your computer and use it in GitHub Desktop.
Download ZIP
Manjaro SecureBoot Setup Guide
Raw
1000-signGrub.hook
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = Path
Target = /boot/efi/EFI/Manjaro/grubx64.efi
[Action]
Description = Signing GRUB with Machine Owner Key for Secure Boot
When = PostTransaction
Exec = /usr/share/secureboot/signGrub.sh ;
Depends = sbsigntools
Depends = findutils
Depends = grep
Depends = grub
Raw
999-signKernel.hook
[Trigger]
Type = Package
Operation = Install
Operation = Upgrade
Operation = Remove
Target = linux*
[Action]
Description = Signing kernel with Machine Owner Key for Secure Boot
When = PostTransaction
Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output {} {}; fi' \;
Depends = sbsigntools
Depends = findutils
Depends = grep
Raw
README.md

Steps to setup secure-boot on Manjaro

NOTE: Using this guide on Arch Linux requires a few changes

Enter a rooted shell

sudo -i

Enable AUR

sed -Ei '/EnableAUR=true/s/^#//' /etc/pacman.conf

Install shim-signed & set as default boot option

pamac build shim-signed
mv /boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/grubx64.efi
cp /usr/share/shim-signed/shimx64.efi /boot/efi/EFI/boot/bootx64.efi
cp /usr/share/shim-signed/mmx64.efi /boot/efi/EFI/boot/

Find boot partition & device

fdisk -l | grep "EFI System" | awk '{print $1}'
  • Eg: If the command prints /dev/sdaX
    • /dev/sda is device & X is partition number

Register Shim BootEntry to NVRAM

efibootmgr --unicode --disk /dev/vda --part 1 --create --label "Shim" --loader /EFI/boot/bootx64.efi

Generate MOK

mkdir -p /usr/share/secureboot/keys/ 
openssl req -newkey rsa:4096 -nodes -keyout /usr/share/secureboot/keys/MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=Manjaro MOK/" -out /usr/share/secureboot/keys/MOK.crt
openssl x509 -outform DER -in /usr/share/secureboot/keys/MOK.crt -out /usr/share/secureboot/keys/MOK.cer
mkdir /boot/efi/keys
cp /usr/share/secureboot/keys/MOK.cer /boot/efi/keys/

Sign all available kernels

sudo pacman -Sy sbsigntools
find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec sh -c \
'if ! sbverify --list {} 2>/dev/null | grep -q "signature certificates"; then 
   sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output {} {}
 fi' \;

Grub requires modules to be built in the .efi file with .sbat section for secureboot

MODULES="all_video
boot
btrfs
cat
chain
configfile
cpuid
cryptodisk
echo
efifwsetup
efinet
ext2
fat
font
gcry_arcfour
gcry_blowfish
gcry_camellia
gcry_cast5
gcry_crc
gcry_des
gcry_dsa
gcry_idea
gcry_md4
gcry_md5
gcry_rfc2268
gcry_rijndael
gcry_rmd160
gcry_rsa
gcry_seed
gcry_serpent
gcry_sha1
gcry_sha256
gcry_sha512
gcry_tiger
gcry_twofish
gcry_whirlpool
gettext
gfxmenu
gfxterm
gfxterm_background
gzio
halt
help
hfsplus
iso9660
jpeg
keystatus
linux
loadenv
loopback
ls
lsefi
lsefimmap
lsefisystab
lssal
luks
luks2
lvm
mdraid09
mdraid1x
memdisk
minicmd
normal
ntfs
part_apple
part_gpt
part_msdos
password_pbkdf2
play
png
probe
raid5rec
raid6rec
reboot
regexp
search
search_fs_file
search_fs_uuid
search_label
serial
sleep
smbios
squash4
test
tpm
true
video
xfs
zfs
zfscrypt
zfsinfo"
grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules="${MODULES}" --sbat /usr/share/grub/sbat.csv
sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output /boot/efi/EFI/Manjaro/grubx64.efi /boot/efi/EFI/Manjaro/grubx64.efi
cp /boot/efi/EFI/Manjaro/grubx64.efi /boot/efi/EFI/boot/

This may require updating in future versions. Refer to https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu/tree/debian/build-efi-images for latest modules

Fix prohibited due to secure boot police error in GRUB

Note: Does not work [broken]. Your system will still probably boot with errors.

Default Manjaro GRUB configuration files inserts insmod * to /boot/grub/grub.cfg
Edit /etc/grub.d/* & /usr/share/grub/grub-mkconfig_lib files to comment out any instances of insmod * or echo insmod *.
Do the same for /etc/default/grub & comment out GRUB_PRELOAD_MODULES=* line.

Automatically sign linux images and grub on updade

Download 999-signKernel.hook & 1000-signGrub.hook from this gist and place it into /etc/pacman.d/hooks

  • Create the directory if if does not exist
  • Also 1000-signGrub.hook is probably not required. As grubx64.efi is created only once.

Download signGrub.sh from this gist and place it into /usr/share/secureboot/

  • Omit this step if you skipped sign Grub hook.

Run

chmod a+x /etc/pacman.d/hooks/{999-signKernel.hook,1000-signGrub.hook} /usr/share/secureboot/signGrub.sh

Now Your Manjaro installation is ready for secureboot

Reboot the system & Enable SecureBoot from the UEFI An error will be displayed about security violation. Ignore this and press Enter twice, to enter MOK Management. Now Enroll the MOK from keys/MOK.cer of the device ESP on the MOK Management screen.

Reboot the system and your Manjaro install is ready with secure-boot working.

Raw
signGrub.sh
#!/bin/bash
MODULES="all_video
boot
btrfs
cat
chain
configfile
cpuid
cryptodisk
echo
efifwsetup
efinet
ext2
fat
font
gcry_arcfour
gcry_blowfish
gcry_camellia
gcry_cast5
gcry_crc
gcry_des
gcry_dsa
gcry_idea
gcry_md4
gcry_md5
gcry_rfc2268
gcry_rijndael
gcry_rmd160
gcry_rsa
gcry_seed
gcry_serpent
gcry_sha1
gcry_sha256
gcry_sha512
gcry_tiger
gcry_twofish
gcry_whirlpool
gettext
gfxmenu
gfxterm
gfxterm_background
gzio
halt
help
hfsplus
iso9660
jpeg
keystatus
linux
loadenv
loopback
ls
lsefi
lsefimmap
lsefisystab
lssal
luks
luks2
lvm
mdraid09
mdraid1x
memdisk
minicmd
normal
ntfs
part_apple
part_gpt
part_msdos
password_pbkdf2
play
png
probe
raid5rec
raid6rec
reboot
regexp
search
search_fs_file
search_fs_uuid
search_label
serial
sleep
smbios
squash4
test
tpm
true
video
xfs
zfs
zfscrypt
zfsinfo"
if ! /usr/bin/sbverify --list /boot/efi/EFI/Manjaro/grubx64.efi 2>/dev/null | /usr/bin/grep -q "signature certificates"; then
/usr/bin/grub-install --target=x86_64-efi --efi-directory=/boot/efi/ --modules="${MODULES}" --sbat /usr/share/grub/sbat.csv
/usr/bin/sbsign --key /usr/share/secureboot/keys/MOK.key --cert /usr/share/secureboot/keys/MOK.crt --output /boot/efi/EFI/Manjaro/grubx64.efi /boot/efi/EFI/Manjaro/grubx64.efi
/usr/bin/cp /boot/efi/EFI/Manjaro/grubx64.efi /boot/efi/EFI/boot/
fi
@criscola
Copy link

criscola commented Feb 28, 2026

With newer kernels, it could be that kernel signatures end up broken, so you will correctly boot into grub, but you won't be able to get into the actual OS with an error like "bad shim lock signature". To debug, for example (adapt depending on your kernel versions):

sudo bash -c '
echo "=== Verify kernel against MOK explicitly ==="
sbverify --cert /usr/share/secureboot/keys/MOK.crt /boot/vmlinuz-6.18-x86_64 2>&1
echo ""
sbverify --cert /usr/share/secureboot/keys/MOK.crt /boot/vmlinuz-6.12-x86_64 2>&1
echo ""
sbverify --cert /usr/share/secureboot/keys/MOK.crt /boot/vmlinuz-6.6-x86_64 2>&1

echo ""
echo "=== Verify GRUB against MOK explicitly ==="
sbverify --cert /usr/share/secureboot/keys/MOK.crt /boot/efi/EFI/Manjaro/grubx64.efi 2>&1

echo ""
echo "=== Check kernel PE signature details ==="
pesign -S -i /boot/vmlinuz-6.18-x86_64 2>&1 || echo "pesign not available"

echo ""
echo "=== Check if kernel has proper PE format ==="
file /boot/vmlinuz-6.18-x86_64

echo ""
echo "=== Kernel sbverify verbose ==="
sbverify --verbose --cert /usr/share/secureboot/keys/MOK.crt /boot/vmlinuz-6.18-x86_64 2>&1

echo ""
echo "=== Which kernel is GRUB actually trying to boot? Check grub.cfg linux line ==="
grep "^[[:space:]]*linux[[:space:]]" /boot/grub/grub.cfg | head -3

echo ""
echo "=== Does the initrd need signing too? ==="
echo "initramfs files:"
ls -lh /boot/initramfs-*.img /boot/amd-ucode.img 2>/dev/null
'

if you see:

Signature verification failed for ALL kernels, even with the correct cert
warning: data remaining[16161032 vs 16599496]: gaps between PE/COFF sections? — the kernel's PE structure has gaps, and sbsign signed it incorrectly

this comment applies to you. The issue is that sbsign from the guide does an in-place sign (--output {} {}) which corrupts the signature when the PE/COFF sections have gaps (which is common with modern Linux kernels). The signature covers the wrong byte range.

You will need to re-sign everything properly:

sudo bash -c '
for kernel in /boot/vmlinuz-*; do
    echo "=== Signing $kernel ==="
    
    # Remove existing (bad) signature first
    sbattach --remove "$kernel" 2>/dev/null
    
    # Sign to temp file, then move
    sbsign --key /usr/share/secureboot/keys/MOK.key \
           --cert /usr/share/secureboot/keys/MOK.crt \
           --output "${kernel}.signed" \
           "$kernel"
    
    mv "${kernel}.signed" "$kernel"
    
    # Verify
    echo "Verifying..."
    sbverify --cert /usr/share/secureboot/keys/MOK.crt "$kernel" 2>&1
    echo ""
done
'

this has fixed it for me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment