Tuesday 6 August 2024

Fix Ventoy UEFI Secure Boot not working on new PCs and Laptops


Secure Boot to grub/Ventoy/agFM/Linux, etc.

Secure Boot is supported by most Linux distributions and is an important security feature: the firmware checks the signature of each boot stage, so you know that your boot loader and kernel have not been tampered with. Linux distributions use a Microsoft-signed ‘shim’ executable, which then verifies the subsequent boot stages (grub, the kernel) that have been signed with the distribution’s own key. The shim itself is signed by the “Microsoft Corporation UEFI CA 2011” (shown in most BIOS setup menus as the “Microsoft 3rd Party UEFI CA”), and the firmware will only run it if that certificate is present in the firmware’s Secure Boot authorized-signature database (the UEFI ‘db’ variable). 

Starting in 2022, Microsoft requires Secured-core PCs to ship with the 3rd Party UEFI CA not trusted by default. This means that on any such platform shipped with Windows preinstalled, an extra step is needed before Linux, grub2, Ventoy or E2B will boot with Secure Boot enabled; until then the firmware refuses to start the shim and the USB drive simply does not boot. 

To allow Secure Boot to work with a non-Microsoft boot loader such as the shim used by Linux, grub2 or Ventoy, you will need to enable the “Allow Microsoft 3rd Party UEFI CA” option in the BIOS setup. This adds the 3rd-party certificate to the db without disabling Secure Boot itself. 

Use the following steps (example Lenovo): 

1. Boot into the BIOS setup menu. 

e.g. On a Lenovo, reboot your PC and when the “To interrupt normal startup, press Enter” message is displayed, press the F1 key. Other BIOSes may respond to F2, Del, F8, F10, F11, F12 or Esc.

2. In the BIOS menu select the “Security” option and the “Secure Boot” sub-menu. 

Toggle the “Allow Microsoft 3rd Party UEFI CA” setting to “On” or “Enabled”, then save the settings and exit (usually F10).

Enable Microsoft UEFI CA and 3rd-Party CA if available
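The BIOS switch above is the only thing that controls whether the 3rd-party CA is in the db, so after changing it the natural check is to boot a shim-based Linux (for example a live distro launched from Ventoy) and read the db back. The script below is an added example and is not part of the original post, nor Ventoy's or Lenovo's code. It parses the db variable straight out of efivarfs using the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout from the UEFI specification and, when no efivars are present, parses a constructed sample instead. The sample “certificates” are fabricated byte strings that carry only the subject CN; the Microsoft owner GUID and the CA subject names are those seen in real db dumps (the 2023 names are the newer replacements Microsoft is rolling out).

```python
"""Check which Microsoft Secure Boot CAs are enrolled in the UEFI 'db'.

The firmware's authorized-signature database (the UEFI variable 'db') is a
sequence of EFI_SIGNATURE_LIST structures, each holding one or more
EFI_SIGNATURE_DATA entries.  For X.509 entries the payload is a DER
certificate.  This walks that structure and reports which known Microsoft
CA certificates are present, so you can confirm that the
"Allow Microsoft 3rd Party UEFI CA" BIOS switch actually took effect.
"""
import struct
import uuid
from pathlib import Path

# UEFI variable names and vendor GUIDs (from the UEFI specification).
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # SecureBoot
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HEADER = struct.Struct("<16sIII")

# Subject CNs of Microsoft's Secure Boot CA certificates as they appear in db.
THIRD_PARTY_CAS = ("Microsoft Corporation UEFI CA 2011", "Microsoft UEFI CA 2023")
WINDOWS_CAS = ("Microsoft Windows Production PCA 2011", "Windows UEFI CA 2023")
KNOWN_CAS = THIRD_PARTY_CAS + WINDOWS_CAS


def parse_signature_lists(data: bytes):
    """Yield (signature_type, owner, signature_data) for every entry in db."""
    off = 0
    while off + SIG_LIST_HEADER.size <= len(data):
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HEADER.unpack_from(data, off)
        end = off + list_size
        if list_size < SIG_LIST_HEADER.size + hdr_size or end > len(data) or sig_size <= 16:
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + SIG_LIST_HEADER.size + hdr_size         # skip SignatureHeader
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def find_known_cas(db: bytes) -> dict:
    """Map each known CA subject CN found in db to the owner GUID of its entry."""
    found = {}
    for sig_type, owner, cert in parse_signature_lists(db):
        if sig_type != EFI_CERT_X509_GUID:
            continue  # hash entries (EFI_CERT_SHA256_GUID etc.) are not CA certificates
        for cn in KNOWN_CAS:
            # The CN is a plain PrintableString inside the DER subject, so a byte
            # search identifies the certificate without a full DER parser.
            if cn.encode("ascii") in cert:
                found[cn] = str(owner)
    return found


def third_party_ca_enabled(db: bytes) -> bool:
    """True if a Microsoft 3rd-party CA (what shim/Ventoy chain to) is in db."""
    return any(cn in THIRD_PARTY_CAS for cn in find_known_cas(db))


def read_efivar(name: str, vendor_guid: str) -> bytes:
    """Read a UEFI variable via efivarfs; the first 4 bytes are its attributes."""
    return (EFIVARS / f"{name}-{vendor_guid}").read_bytes()[4:]


# --- constructed sample data (not real certificates) -------------------------
MS_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # Microsoft SignatureOwner GUID


def build_signature_list(sig_type: uuid.UUID, entries) -> bytes:
    """Build one EFI_SIGNATURE_LIST; all entries must have the same length."""
    sig_size = 16 + len(entries[0][1])
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    header = SIG_LIST_HEADER.pack(sig_type.bytes_le, SIG_LIST_HEADER.size + len(body), 0, sig_size)
    return header + body


def fake_cert(cn: str) -> bytes:
    """Stand-in for a DER certificate: only the subject CN string matters here."""
    return b"\x30\x82FAKE-DER-SUBJECT:" + cn.encode("ascii") + b"\x00" * 8


SAMPLE_DB_WINDOWS_ONLY = build_signature_list(
    EFI_CERT_X509_GUID, [(MS_OWNER, fake_cert("Microsoft Windows Production PCA 2011"))])
SAMPLE_DB_WITH_3RD_PARTY = SAMPLE_DB_WINDOWS_ONLY + build_signature_list(
    EFI_CERT_X509_GUID, [(MS_OWNER, fake_cert("Microsoft Corporation UEFI CA 2011"))])

if __name__ == "__main__":
    try:
        db = read_efivar("db", EFI_IMAGE_SECURITY_DATABASE_GUID)
        state = read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE_GUID)
        print("Secure Boot:", "enabled" if state[:1] == b"\x01" else "disabled")
    except OSError:
        print("efivars not available; parsing the constructed sample instead")
        db = SAMPLE_DB_WITH_3RD_PARTY
    for cn, owner in find_known_cas(db).items():
        print(f"  {cn}  (owner {owner})")
    print("3rd Party UEFI CA enrolled:", third_party_ca_enabled(db))
```

Run it on the booted Linux system; db is world-readable on most distributions, but run it as root if efivarfs access is denied. If only the Windows CA is listed, the BIOS switch did not take effect (or the change was not saved). The mokutil package gives the same answer with a full certificate dump via `mokutil --db` and `mokutil --sb-state`.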

Tip: When USB booting, also disable "Intel Rapid Start Technology" (under BIOS > Config > Power, depending on the BIOS) and disable Fast Boot.
