I use Arch Linux. I have tried both GRUB and systemd-boot. With Secure Boot enabled, it only flashes a black screen. When Secure Boot is disabled, my computer loads fine.
Why is this?
Linux requires Secure Boot to be off; this happens right in the base of Linux, even in the most lightweight version. I'm not a software developer, so I have no clue.
Not all versions of Linux.
Secure Boot relies on a digital certificate signed by Microsoft to establish the root of trust.
A few distros have such certificates, such as Debian, Ubuntu, Fedora, RHEL and openSUSE.
You should be able to generate your own MOK, enroll it in the BIOS and use it to boot your self-signed kernel, if you want to boot a custom kernel using your own keys.
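As an added illustration of the MOK route described in the post above (example code, not from the thread or from any distro's tooling): generate a Machine Owner Key with openssl, stage it for enrollment with mokutil, sign an EFI image with sbsign, and verify the result with sbverify. The directory, the subject name and the commented demo paths are assumptions; the point to take away is that the private key stays mode 0600 and that you verify the signed image against the certificate you actually enrolled.

```shell
#!/bin/sh
# Added example (not from the thread): create a Machine Owner Key (MOK), stage it
# for enrollment with mokutil, sign an EFI binary with sbsign and verify it.
# Assumes openssl, and for the commented steps the sbsigntools and mokutil packages.
set -eu

# gen_mok DIR NAME: write NAME.key/.crt (PEM) and NAME.der (what mokutil wants) into DIR.
gen_mok() {
    dir=$1; name=$2
    # subshell so the restrictive umask only applies to the key material
    ( umask 077
      openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.crt" )
    openssl x509 -in "$dir/$name.crt" -outform DER -out "$dir/$name.der"
}

# mok_fingerprint CRT: SHA-256 fingerprint, to compare with `mokutil --list-enrolled`
# after the reboot so you know the firmware holds the key you think it holds.
mok_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# enroll_mok DER: queue the certificate; MokManager prompts for the chosen
# password at the next boot and shim then trusts anything signed by this key.
enroll_mok() {
    mokutil --import "$1"
}

# sign_image KEY CRT IN OUT: write a signed copy of an EFI binary or unified image.
sign_image() {
    sbsign --key "$1" --cert "$2" --output "$4" "$3"
}

# verify_image CRT IMAGE: exit 0 only if IMAGE carries a signature chaining to CRT.
verify_image() {
    sbverify --cert "$1" "$2"
}

# Demo: `sh mok.sh demo` creates a key pair in a temp dir and prints its fingerprint.
# The enroll/sign/verify calls need root, a real image and a reboot, so they are
# shown commented; the paths are illustrative.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    gen_mok "$d" MOK
    echo "MOK fingerprint: $(mok_fingerprint "$d/MOK.crt")"
    # enroll_mok "$d/MOK.der"
    # sign_image "$d/MOK.key" "$d/MOK.crt" /boot/vmlinuz-linux "$d/vmlinuz-linux.signed"
    # verify_image "$d/MOK.crt" "$d/vmlinuz-linux.signed"
fi
```

Keep the .key file off the machine it protects once you have signed what you need (or at least out of /boot, which is an unencrypted FAT partition); anyone who can read it can sign a kernel your firmware will happily boot.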
shogun, October 27, 2021, 11:58am
In some Linux distros, even ones with older kernels such as RHEL, CentOS, AlmaLinux and Rocky, UEFI and Secure Boot are no longer an issue.
You can follow the steps here:
arch-secure-install.md
# Building a Secure Arch Linux Device
Locking down a linux machine is getting easier by the day. Recent advancements in systemd-boot have enabled a host of features to help users ensure that their machines have not been tampered with. This guide provides a walkthrough of how to turn on many of these features during installation, as well as reasoning for why certain features help improve security.
The steps laid out below draw on a wide variety of existing resources, and in places I'll point to them rather than attempt to regurgitate full explanations of the various security components. The most significant one, which I highly encourage everyone to read, is Rod Smith's [site about secure boot](https://www.rodsbooks.com/efi-bootloaders/secureboot.html), which is the most comprehensive and cogent explanation of UEFI, boot managers and boot loaders, and secure boot. Another incredibly useful resource is [Safeboot](https://safeboot.dev), which encapsulates many of the setup steps below in a Debian application. Finally, there are the Arch Wiki pages for [Secure Boot](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot), [disk encryption](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system), and [systemd-boot](https://wiki.archlinux.org/title/Systemd-boot). Many of the decisions to use certain technologies were inspired by Matthew Garrett's [Producing a trustworthy x86-based Linux appliance](https://mjg59.dreamwidth.org/57199.html).
## How best to use this guide
Using Linux is designed to be an empowering and enriching experience. Therefore, I'd like to issue a word of caution about blindly following this guide (no judgment though, I do it too). At many points in this guide there will be a series of steps with fairly complex commands, but I urge you to pause and think about each one. It may be slow and painful, and it will definitely require some googling, but if you don't proceed with intent it's possible to end up with a system that has and does a bunch of stuff that you don't understand. As this is a guide about security, that's, like, bad. Not that you should know how every intricate detail of Arch Linux, UEFI, TPMs, etc. works; I'm pretty sure no one does. But you should at least know how to find out if you come across something that is causing you trouble. It's a hard-earned skill, but you can get almost all of the way there by just paying close attention. I'll try to tip you off to when you should pay closer attention where I can, but neither of us is perfect, so make your best effort and I'll make mine.
(gist preview truncated)
to enable Secure Boot for Arch. The gist also sets up other things, which you can optionally use (or not). I have Secure Boot running successfully on Manjaro using this idea. Unfortunately the boot entries get messed up on every kernel update, so I have this script:
```sh
#!/bin/sh
set -ex
pacman -Syu                      # update; this is what pulls in the new kernel and rewrites the entry
# point the systemd-boot entry at the signed unified image instead of the loose, unsigned kernel
sed -i 's#^linux .*$#efi /EFI/Linux/5.14-x86_64-signed.efi#' /boot/loader/entries/manjarolinux5.14.conf
mkinitcpio -P                    # regenerate the initramfs for the new kernel
sbupdate                         # rebuild and sign the unified EFI image from it
```
to fix the EFI/ path for the bootloader.
My sbupdate.conf settings look like this:
```sh
ESP_DIR="/boot"
#OUT_DIR="EFI/Arch"
OUT_DIR="EFI/Linux"                      # where the signed unified image lands, relative to the ESP
#SPLASH="/usr/share/systemd/bootctl/splash-arch.bmp"
#SPLASH="/usr/share/systemd/bootctl/splash-manjaro.bmp"
SPLASH=/dev/null
#BACKUP=1
#EXTRA_SIGN=()
EXTRA_SIGN=('/boot/EFI/BOOT/BOOTX64.EFI' '/boot/EFI/systemd/systemd-bootx64.efi')   # sign the boot manager too
#CMDLINE_DEFAULT=""
CMDLINE_DEFAULT="initrd=\amd-ucode.img initrd=\intel-ucode.img initrd=\initramfs-5.14-x86_64.img root=UUID=692da64a-1de3-4554-ac67-2ac60e5107b3 rw rootflags=subvol=/@ cryptdevice=UUID=afff539f-cc12-4fbc-988e-d616b8776fa0:defloofed quiet mem_sleep_default=deep splash"
```
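An added example, not the poster's script, of the same post-update fix done a little more defensively: a POSIX shell script that rewrites the loader entry to point at the unified image sbupdate produces, checks that image's signature before trusting the entry, and can be run twice without duplicating lines. The entry path, image name and ESP mountpoint mirror the settings above; the certificate path /etc/efi-keys/MOK.crt is an assumption.

```shell
#!/bin/sh
# Added example (not the poster's script): retarget a systemd-boot loader entry at the
# sbupdate-signed unified image and verify that image first. Entry file, image path and
# ESP follow the thread's Manjaro setup; CERT is an assumed location for the MOK cert.
set -eu

ENTRY=${ENTRY:-/boot/loader/entries/manjarolinux5.14.conf}
IMAGE=${IMAGE:-/EFI/Linux/5.14-x86_64-signed.efi}   # path relative to the ESP, as systemd-boot expects
ESP=${ESP:-/boot}
CERT=${CERT:-/etc/efi-keys/MOK.crt}

# retarget_entry ENTRY IMAGE: drop the linux/initrd lines (and any stale efi line) and
# append "efi IMAGE". Kernel, microcode, initramfs and cmdline all live inside the signed
# unified image, so the loose, unsigned files must no longer be referenced. The options
# line is left alone: with Secure Boot on, systemd-stub ignores a loader-supplied command
# line and uses the one sbupdate embedded, so it is harmless either way.
retarget_entry() {
    entry=$1; image=$2
    [ -f "$entry" ] || { echo "no such entry: $entry" >&2; return 1; }
    tmp=$(mktemp)
    grep -Ev '^(linux|initrd|efi)[[:space:]]' "$entry" > "$tmp" || true
    printf 'efi %s\n' "$image" >> "$tmp"
    mv "$tmp" "$entry"
}

# entry_image ENTRY: print the image the entry boots (empty if it still uses "linux").
entry_image() {
    sed -n 's/^efi[[:space:]]\{1,\}//p' "$1"
}

# verify_image ESP IMAGE CERT: succeed only if sbverify confirms IMAGE chains to CERT.
# Returns 2 (and says so) when sbverify is missing, so the caller never mistakes
# "could not check" for "checked and fine".
verify_image() {
    if command -v sbverify >/dev/null 2>&1; then
        sbverify --cert "$3" "$1$2"
    else
        echo "sbverify not installed; cannot verify $1$2" >&2
        return 2
    fi
}

# Full post-update flow; pass "run" to execute (needs root and the thread's sbupdate setup).
# Because of set -e, a failed verification aborts before the entry is touched.
if [ "${1:-}" = "run" ]; then
    pacman -Syu
    mkinitcpio -P
    sbupdate
    verify_image "$ESP" "$IMAGE" "$CERT"
    retarget_entry "$ENTRY" "$IMAGE"
    echo "entry now boots: $(entry_image "$ENTRY")"
fi
```

Run it as root with `run` once sbupdate is configured. To have it fire automatically, call it from a pacman PostTransaction hook triggered on `usr/lib/modules/*/vmlinuz`, which is the same moment the kernel package rewrites the entry.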