Portable Arch Linux: Secure Boot with sbctl on ASUS X670E (Dual-Boot Windows)


estimated read time: 6 minutes

Why Secure Boot Matters for a Portable Drive

If you have followed along with the LUKS2 encryption article, your drive is now encrypted at rest — data is unreadable without the passphrase or TPM2 unlock. Secure Boot adds a second layer: it ensures that the bootloader and kernel loaded at startup have not been tampered with. Without it, an attacker with physical access could replace your bootloader with a malicious one, even if the filesystem itself is encrypted.

On a portable drive that travels with you, this matters.

There is also a practical reason specific to dual-boot setups: anti-cheat systems in games (notably on Windows) require Secure Boot to be enabled. If you disable it every time you boot Arch and forget to re-enable it before switching back to Windows, you will lose access to those games.

This article covers the full Secure Boot setup using sbctl, including how to recover when a BIOS update wipes your enrolled keys — which it will, eventually.

How Secure Boot Works (the short version)

UEFI Secure Boot maintains a database of trusted signing keys. When the firmware loads a bootloader or kernel, it checks the signature against those keys. If there is no match, it refuses to boot.

By default, the database contains Microsoft’s keys — which is why Windows boots fine. Arch Linux is not signed by Microsoft. The solution is to generate your own Platform Key (PK), Key Exchange Key (KEK), and Database key (db), enrol them in the firmware, and use them to sign your own bootloader and kernel.

sbctl handles all of this cleanly. It also maintains a list of signed binaries, so after a kernel update sbctl can re-sign everything automatically via a pacman hook.

Prerequisites

Phase 1: Recover Access After a BIOS Update

If your BIOS has just been updated, your custom keys are gone and Arch will refuse to boot with Secure Boot enabled. The first step is to get back in.

Step 1 — Temporarily disable Secure Boot:

Enter the BIOS (press DEL at POST) and navigate to:

Advanced > Boot > Secure Boot > Secure Boot Control

Change the mode from Windows UEFI mode to Other OS. This disables Secure Boot entirely.

Step 2 — Fix the boot order:

While in BIOS, check that your Arch drive is first:

Boot > Boot Option Priorities > Boot Option #1

If Windows has stomped the boot order (it will, regularly), fix it here.

Step 3 — Clear the Secure Boot keys:

Before leaving the BIOS:

Advanced > Boot > Secure Boot > Clear Secure Boot Keys

⚠️ Do not skip this step. If you leave old keys in place, you cannot enrol new ones later. You will have to repeat the entire recovery process, including waiting for RAM training again. Ask me how I know.

Save with F10 and boot into Arch.

Phase 2: Generate and Enrol Custom Keys

Once you are back in Arch, generate fresh Secure Boot keys:

sbctl create-keys

Enrol them into the firmware. The -m flag includes Microsoft’s keys alongside yours — this is required so Windows can still boot after Secure Boot is re-enabled:

sbctl enrol-keys -m

Phase 3: Sign the Bootloader and Kernel

You need to sign every binary that Secure Boot will verify at boot time. The -s flag tells sbctl to save the path so it can re-sign automatically after future kernel updates:

sbctl sign -s /boot/EFI/systemd/systemd-bootx64.efi
sbctl sign -s /boot/vmlinuz-linux
sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI

If you have the Windows bootloader on the same EFI partition:

sbctl sign -s /boot/EFI/Microsoft/Boot/bootmgfw.efi

Check everything is signed:

sbctl status

The output will list all tracked binaries and show whether they are signed. Healthy output looks like:

Installed:    ✓ sbctl is installed
Owner GUID:   <your-guid>
Setup Mode:   ✗ Disabled
Secure Boot:  ✗ Disabled
Vendor Keys:  microsoft

At this point Secure Boot is still disabled — we have signed the binaries but not re-enabled it yet. If any file shows as unsigned, sign it before proceeding.

Phase 4: Re-enable Secure Boot

Return to the BIOS:

Advanced > Boot > Secure Boot > Secure Boot Control

Change the mode back to Windows UEFI mode. Despite the name, this is the setting that enables Secure Boot on ASUS boards. “Other OS” disables it; “Windows UEFI mode” enables it and uses whatever keys are enrolled in the db — which now includes your own.

Double-check the boot order one more time, then save with F10.

Arch should now boot with Secure Boot enabled. Verify once you are in:

sbctl status

You should now see:

Secure Boot:  ✓ Enabled

The ASUS Gotcha: “Windows UEFI mode” Enables Secure Boot

This trips up a lot of people. On ASUS PRIME X670E boards, the Secure Boot setting is labelled as a choice between Windows UEFI mode and Other OS. The naming is confusing — it implies the Windows UEFI mode option is Windows-specific. It is not. It is simply the option that enables Secure Boot validation. Other OS disables it.

If you have been toggling Other OS every time you boot Arch, you have been running without Secure Boot entirely. With sbctl and your own custom keys enrolled, you can leave it on Windows UEFI mode permanently, and both Windows and Arch will boot correctly.

Keeping It Working After Kernel Updates

sbctl installs a pacman hook that re-signs binaries automatically when you update the kernel with pacman -Syu. You can verify the hook is active:

cat /usr/share/libalpm/hooks/zz-sbctl.hook

If the hook is present, kernel updates are handled automatically. If you ever manually rebuild the kernel or update the bootloader, run sbctl sign-all to re-sign everything tracked in the database.

What Happens After the Next BIOS Update

BIOS updates wipe the Secure Boot key database. When this happens:

  1. Secure Boot will block Arch from booting
  2. Disable Secure Boot (Other OS), clear the keys, boot into Arch
  3. Re-run sbctl create-keys, sbctl enrol-keys -m
  4. Re-run sbctl sign-all (re-signs all tracked paths)
  5. Re-enable Secure Boot in BIOS

The whole process takes about five minutes once you have done it once. The only annoying part is the RAM training cycle after clearing keys.


Portable Arch Linux Series