Complete guide for setting up Arch Linux with Secure Boot using Ubuntu’s signed shim and systemd-boot on systems with locked BIOS (cannot disable Secure Boot or enroll custom keys).
Prerequisites
- Ventoy USB with Secure Boot support enabled
- Official Arch Linux ISO
- System with Secure Boot enabled (locked BIOS)
- Internet connection for AUR packages
Overview
This setup uses:
- Ventoy to boot the official Arch ISO with Secure Boot enabled
- Ubuntu’s signed shim (trusted by Microsoft) as first-stage bootloader
- systemd-boot as second-stage bootloader (renamed to grubx64.efi)
- Personal MOK keys to sign kernel and bootloader
- Pacman hooks for automatic signing on updates
Step 1: Install Arch Linux
Boot from Ventoy, select the Arch Linux ISO, and perform a standard Arch installation with systemd-boot as your bootloader.
Install systemd-boot
# During installation, after chroot
bootctl install
This creates /boot/EFI/systemd/systemd-bootx64.efi
Step 2: Install Required Packages
# Install AUR helper if not already installed
# Example with yay:
pacman -S --needed git base-devel
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
# Install shim-signed from AUR
yay -S shim-signed
# Install signing tools
pacman -S sbsigntools efibootmgr mokutil
Step 3: Setup Shim Files
# Create directory for Arch boot files
sudo mkdir -p /boot/EFI/arch
# Copy Ubuntu's signed shim files
sudo cp /usr/share/shim-signed/shimx64.efi /boot/EFI/arch/
sudo cp /usr/share/shim-signed/mmx64.efi /boot/EFI/arch/
# CRITICAL: Rename systemd-boot to grubx64.efi
# This is required because shim is hardcoded to load grubx64.efi
sudo cp /boot/EFI/systemd/systemd-bootx64.efi /boot/EFI/arch/grubx64.efi
Step 4: Generate MOK (Machine Owner Key)
# Create secure directory for keys
sudo mkdir -p /etc/secureboot/keys
sudo chmod 700 /etc/secureboot
# Generate RSA key pair and self-signed certificate
sudo openssl req -newkey rsa:2048 -nodes \
-keyout /etc/secureboot/keys/MOK.key \
-new -x509 -sha256 -days 3650 \
-subj "/CN=Arch Linux MOK/" \
-out /etc/secureboot/keys/MOK.crt
# Convert certificate to DER format (required by MOK)
sudo openssl x509 -outform DER \
-in /etc/secureboot/keys/MOK.crt \
-out /etc/secureboot/keys/MOK.cer
Step 5: Sign Bootloader and Kernel
# Sign the renamed systemd-boot (grubx64.efi)
sudo sbsign --key /etc/secureboot/keys/MOK.key \
--cert /etc/secureboot/keys/MOK.crt \
--output /boot/EFI/arch/grubx64.efi \
/boot/EFI/arch/grubx64.efi
# Sign the kernel
sudo sbsign --key /etc/secureboot/keys/MOK.key \
--cert /etc/secureboot/keys/MOK.crt \
--output /boot/vmlinuz-linux \
/boot/vmlinuz-linux
Step 6: Enroll MOK Key
# Schedule MOK enrollment for next boot
sudo mokutil --import /etc/secureboot/keys/MOK.cer
# You will be prompted to set a password
# Remember this password - you'll need it on next boot!
Step 7: Create EFI Boot Entry
Important: Replace /dev/sdX with your actual disk device (e.g., /dev/sda or /dev/nvme0n1)
# Find your disk device
lsblk
# Create boot entry pointing to shim
sudo efibootmgr --create --disk /dev/sdX --part 1 \
--loader /EFI/arch/shimx64.efi \
--label "Arch Linux" --unicode
If efibootmgr fails with “No such file or directory”, ensure efivarfs is mounted:
sudo mount -t efivarfs efivarfs /sys/firmware/efi/efivars
Step 8: Setup Automatic Signing Hooks
Hook for systemd-boot Updates
Create /etc/pacman.d/hooks/999-sign-systemd-boot.hook:
[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
Target = usr/lib/systemd/boot/efi/systemd-boot*.efi
[Action]
Description = Signing systemd-boot for Secure Boot
When = PostTransaction
Exec = /bin/sh -c 'sbsign --key /etc/secureboot/keys/MOK.key --cert /etc/secureboot/keys/MOK.crt --output /boot/EFI/arch/grubx64.efi /usr/lib/systemd/boot/efi/systemd-bootx64.efi'
Depends = sbsigntools
Hook for Kernel Updates
Create /etc/pacman.d/hooks/999-sign-kernel.hook:
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = linux
Target = linux-lts
[Action]
Description = Signing kernel for Secure Boot
When = PostTransaction
Exec = /bin/sh -c 'for k in /boot/vmlinuz-linux /boot/vmlinuz-linux-lts; do if [ -f "$k" ]; then sbsign --key /etc/secureboot/keys/MOK.key --cert /etc/secureboot/keys/MOK.crt --output "$k" "$k"; fi; done'
Depends = sbsigntools
Note: Adjust the Target lines and the kernel paths in Exec to match the kernel package(s) you actually use. The systemd-boot hook signs the freshly installed binary from /usr/lib/systemd/boot/efi/ rather than the copy under /boot/EFI/systemd/, because that copy is only refreshed by bootctl update.
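Both hooks above call sbsign blindly on every upgrade and overwrite the target in place, so an interrupted run (or a missing key file) can leave an unsigned or truncated binary on the ESP that shim will refuse to load. The helper below, added here as an example and not part of this guide or of shim/systemd-boot, signs only files that do not already verify against the MOK certificate, writes to a temporary file first, and renames it into place so the previous bootable copy survives a failed signing. The script path /usr/local/bin/sb-sign-mok, the --to option, and the MOK_KEY/MOK_CRT/SBSIGN/SBVERIFY override variables are assumptions of this example.

```shell
#!/bin/sh
# sb-sign-mok: re-sign boot files with the MOK generated in Step 4.
# Added example; the path /usr/local/bin/sb-sign-mok, the --to option and
# the SBSIGN/SBVERIFY override variables are assumptions, not part of the guide.
set -eu

MOK_KEY=${MOK_KEY:-/etc/secureboot/keys/MOK.key}
MOK_CRT=${MOK_CRT:-/etc/secureboot/keys/MOK.crt}
# Overridable so the control flow can be exercised without sbsigntools installed.
SBSIGN=${SBSIGN:-sbsign}
SBVERIFY=${SBVERIFY:-sbverify}

# already_signed FILE: succeeds if FILE carries a signature that validates
# against our MOK certificate, so re-running the hook does not re-sign it.
already_signed() {
    "$SBVERIFY" --cert "$MOK_CRT" "$1" >/dev/null 2>&1
}

# sign_to SRC DST: write the signed image to a temp file next to DST, then
# rename it into place. A failed or interrupted sbsign therefore never replaces
# a bootable DST with a truncated or unsigned one (which shim would reject).
sign_to() {
    src=$1 dst=$2
    tmp=$(mktemp "$(dirname "$dst")/.sign.XXXXXX")
    if "$SBSIGN" --key "$MOK_KEY" --cert "$MOK_CRT" --output "$tmp" "$src"; then
        mv -f "$tmp" "$dst"
    else
        rm -f "$tmp"
        return 1
    fi
}

# sign_if_needed FILE...: sign each existing FILE in place unless it is already
# signed by our key. Missing files (e.g. linux-lts not installed) are skipped.
# Returns 1 if any signing failed, so pacman reports the hook as failed.
sign_if_needed() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if already_signed "$f"; then
            echo "already signed: $f"
        elif sign_to "$f" "$f"; then
            echo "signed: $f"
        else
            echo "FAILED to sign: $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage:
#   sb-sign-mok FILE...        sign FILEs in place if needed (kernel hook)
#   sb-sign-mok --to SRC DST   sign SRC into DST (systemd-boot hook)
if [ "${1:-}" = "--to" ]; then
    sign_to "$2" "$3"
elif [ $# -gt 0 ]; then
    sign_if_needed "$@"
fi
```

With this helper installed (mode 755, owned by root), the two hooks reduce to one Exec line each: `Exec = /usr/local/bin/sb-sign-mok /boot/vmlinuz-linux /boot/vmlinuz-linux-lts` for the kernel hook, and `Exec = /usr/local/bin/sb-sign-mok --to /usr/lib/systemd/boot/efi/systemd-bootx64.efi /boot/EFI/arch/grubx64.efi` for the systemd-boot hook. The rename is a single directory update on the ESP rather than a rewrite of the file's contents, and a non-zero exit makes pacman print the failure at the end of the transaction so you notice before rebooting.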
Step 9: First Boot and MOK Enrollment
- Reboot your system (Secure Boot should already be enabled)
- MOK Manager will appear (blue screen with white text)
- Select “Enroll MOK”
- Select “Continue”
- Select “Yes”
- Enter the password you set with mokutil
- Select “Reboot”
- System will boot normally into Arch Linux
Verification
After successful boot, verify your Secure Boot setup:
Check Secure Boot Status
# Method 1: Using bootctl
bootctl status | grep "Secure Boot"
# Method 2: Using mokutil
mokutil --sb-state
# Expected output: "SecureBoot enabled" or "Secure Boot: enabled"
Verify MOK Keys are Enrolled
# List enrolled MOK keys
mokutil --list-enrolled
# You should see your "Arch Linux MOK" certificate
Verify Signatures
# Verify kernel signature
sudo sbverify --cert /etc/secureboot/keys/MOK.crt /boot/vmlinuz-linux
# Verify bootloader signature
sudo sbverify --cert /etc/secureboot/keys/MOK.crt /boot/EFI/arch/grubx64.efi
# Expected output: "Signature verification OK"
Check Boot Entry
# View boot entries
efibootmgr -v | grep -i arch
# Should show shimx64.efi as the loader