HP Recommended
HP Pavilion Plus 14 inch Laptop PC 14-ey0000 (872W4AV)
Linux

Hi guys! Does anyone know how to activate the Secure Boot Setup mode? I deleted all the keys, disabled secure boot, but the utilities like sbctl say that the setup mode is disabled?

HP Recommended

Hi @altynos,

 

Welcome to HP Support Community.

 

Thank you for posting your query, I will be glad to help you.

 

Activating Secure Boot Setup mode on an HP Pavilion Plus 14 laptop typically involves accessing the BIOS/UEFI settings. Here's a general guide on how to activate Secure Boot Setup mode.

 

  • Access BIOS/UEFI: Restart your HP Pavilion Plus 14 laptop and press the appropriate key to access the BIOS/UEFI settings during the startup process. This key is often displayed on the screen during boot, and it's usually one of the function keys (F1, F2, F10, etc.) or the ESC key. You may need to consult your laptop's manual or search online for the specific key for your model.
  • Navigate to Secure Boot Settings: Once you're in the BIOS/UEFI settings, look for the Secure Boot settings. These settings are typically found in the Security or Boot sections of the BIOS/UEFI menu.
  • Enable Secure Boot: In the Secure Boot settings, you should see an option to enable Secure Boot. Enable this option if it's not already enabled.
  • Activate Setup Mode: Some BIOS/UEFI implementations require you to activate Setup Mode before you can modify Secure Boot settings or add custom keys. Look for an option to activate Setup Mode, and enable it if it's available.
  • Save Changes and Exit: After enabling Setup Mode and making any other desired changes to Secure Boot settings, save your changes and exit the BIOS/UEFI settings. This typically involves selecting the option to save changes and reboot the system.

 

Once you've activated Setup Mode and made any necessary changes to Secure Boot settings, you should be able to use utilities like sbctl to manage Secure Boot keys and settings effectively.

 

I hope this helps.

 

Take care and have a good day.

 

Please click “Accepted Solution” if you feel my post solved your issue, it will help others find the solution. Click the “Kudos/Thumbs Up" on the bottom right to say “Thanks” for helping!

 

Alden4

HP Support 

Raj_05
HP Support Community Moderator
HP Recommended

 

  • Activate Setup Mode: Some BIOS/UEFI implementations require you to activate Setup Mode before you can modify Secure Boot settings or add custom keys. Look for an option to activate Setup Mode, and enable it if it's available.

Great, but there is no such option in the BIOS/UEFI. That's exactly what I was talking about.

HP Recommended

Hi @altynos,

 

Thank you for your response, 

 

We apologize for the inconvenience, but it seems that the issue persists even after attempting the troubleshooting steps mentioned above.

 

Unfortunately, there are no further actions we can take through this channel. I recommend reaching out to our phone support for further assistance.

 

This might require one-on-one interaction to fix the issue via remote assistance. 

 

You can reach out at HP USA Customer Support no: 1800 474 6836. 

 

Take care and have a good day.

 

Please feel free to contact us here anytime you need any further assistance.

 

Have a great day!

 

Alden4

HP Support 

Raj_05
HP Support Community Moderator
HP Recommended

I contacted support, but they didn't help me. Found a workaround: don't use sbctl, use efitools. Detailed guide [content removed]

 

 

HP Recommended

thank you mods for censoring the only useful answer in this thread! i'm having the same problem! @Altynos could you please copypaste the steps here?

HP Recommended

Arch Linux Install with BTRFS, LUKS, and systemd-boot, dual-booted with a UKI and Windows 11 on a shared EFI partition

Disclaimer: I have personally tested every step of this. However, I'm not responsible for anything you do.

Pre-install

  1. Boot Windows, install the latest updates, remove OEM bloatware, open Disk Management, and shrink the Windows partition to make room for Arch.
  2. Download the latest Arch ISO and flash it with Etcher.
  3. Control Panel > Power Options > Choose what the power buttons do > Change settings that are currently unavailable > Uncheck Fast startup.
  4. regedit > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation > Create a new DWORD, name it RealTimeIsUniversal, and set it to 1.
  5. Boot gparted-live, move the last two tiny Windows partitions to the left.
  6. Turn off secure boot in BIOS, reboot into the Arch ISO.

Install

Turn down brightness: echo 20 > /sys/class/backlight/<screen>/brightness.

Connect to Ethernet/WiFi: iwctl > station <device> scan > station <device> get-networks > station <device> connect <SSID> > ping 1.1.1.1.

cat /sys/firmware/efi/fw_platform_size > check 64-bit.

timedatectl > check NTP active, RTC not in local TZ.

fdisk -l to check disks.

cfdisk /dev/nvme0n1 > [New] to create a new Linux Filesystem partition. Write and quit.

Setup and open LUKS

cryptsetup luksFormat --type luks2 /dev/nvme0n1pX
cryptsetup open /dev/nvme0n1pX luks

Create and mount BTRFS

mkfs.btrfs -L arch /dev/mapper/luks
mount /dev/mapper/luks /mnt

 

Create BTRFS subvolumes

btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@swap
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@log
btrfs subvolume create /mnt/@cache
btrfs subvolume create /mnt/@scratch

Remount.

umount /mnt 
mount -o noatime,ssd,compress=zstd,subvol=@ /dev/mapper/luks /mnt

Create mountpoints.

mkdir /mnt/{boot,home,var/log,var/cache,scratch,btrfs}

Mount subvols.

mount -o noatime,ssd,compress=zstd,subvol=@home /dev/mapper/luks /mnt/home
mount -o noatime,ssd,compress=zstd,subvol=@log /dev/mapper/luks /mnt/var/log
mount -o noatime,ssd,compress=zstd,subvol=@cache /dev/mapper/luks /mnt/var/cache
mount -o noatime,ssd,compress=zstd,subvol=@scratch /dev/mapper/luks /mnt/scratch
mount -o noatime,ssd,compress=zstd,subvolid=5 /dev/mapper/luks /mnt/btrfs # const 5 for BTRFS's root

Mount EFI partition.

mount /dev/nvme0n1p1 /mnt/boot

Create swapfile.

cd /mnt/btrfs/@swap
btrfs filesystem mkswapfile --size 20g --uuid clear ./swapfile
swapon ./swapfile
cd

Configure mirrorlist

cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak # backup mirrorlist
reflector -c "RU" -f 12 -l 10 -n 12 --save /etc/pacman.d/mirrorlist # replace RU with your country
pacman -Syy

Install base system.

pacstrap -K /mnt base base-devel linux-lts linux-firmware btrfs-progs \
amd-ucode mesa xf86-video-amdgpu vulkan-radeon libva-mesa-driver mesa-vdpau \
networkmanager sudo neovim git reflector

Init fstab and verify after.

genfstab -U /mnt >> /mnt/etc/fstab

Chroot into the new system.

arch-chroot /mnt

Set timezone.

ln -sf /usr/share/zoneinfo/Europe/Moscow /etc/localtime # replace with your timezone
hwclock --systohc --utc

Set locale: uncomment desired locales from /etc/locale.gen.

locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo "LANG=ru_RU.UTF-8" > /etc/locale.conf # overwrites the line above; keep only the locale you want

Set hostname.

echo "arch" > /etc/hostname # replace with your hostname

Add hosts.

vim /etc/hosts
---
127.0.0.1 <hostname>.localdomain localhost
::1 localhost.localdomain localhost

Set root password.

passwd

Create user.

useradd -mG wheel,storage,power,log,adm,uucp,tss,rfkill -s /bin/bash <username> # replace with your username
passwd <username>

Give user sudo access.

EDITOR=nvim visudo
---
raymo ALL=(ALL:ALL) ALL # for passworded sudo
raymo ALL=(ALL:ALL) NOPASSWD:ALL # for passwordless sudo
# one of the two above, replace raymo with your username

Enable networkmanager.

systemctl enable NetworkManager

mkinitcpio.

vim /etc/mkinitcpio.conf
---
HOOKS=(base keyboard systemd autodetect modconf kms block keymap sd-vconsole sd-encrypt btrfs filesystems fsck)

Configure kernel command line.

vim /etc/kernel/cmdline
---
root=/dev/mapper/luks rootflags=subvol=@,x-systemd.device-timeout=30 rw quiet splash bgrt_disable resume=/dev/mapper/luks resume_offset=<offset>

Get offset from:

btrfs inspect-internal map-swapfile -r /btrfs/@swap/swapfile

Create /etc/crypttab.initramfs.

luks           UUID=<uuid>    -                       discard,tpm2-device=auto

Get UUID from:

blkid /dev/nvme0n1pX

Configure .preset.

vim /etc/mkinitcpio.d/linux-lts.preset

Uncomment *_uki= lines, replace any /efi/* with /boot/*, comment out *_image= lines, uncomment splash if desired.

Process all preset files: mkinitcpio -P

Make sure /boot/EFI/Linux exists (where uki points to)

Install systemd-boot.

chmod 700 /boot /boot/loader/random-seed
bootctl --path=/boot install

Install userspace apps.

pacman -S --needed gdm
pacman -S --needed xorg-xwayland xorg-xlsclients glfw-wayland
sudo pacman -S --needed gnome gnome-tweaks nautilus-sendto gnome-nettool gnome-usage gnome-multi-writer adwaita-icon-theme xdg-user-dirs-gtk fwupd arc-gtk-theme

Enable gdm & nm.

sudo systemctl enable gdm
sudo systemctl enable NetworkManager

Configure make.

vim /etc/makepkg.conf
---
MAKEFLAGS="-j$(nproc --ignore=2)" # 2 less than total threads

Install yay.

git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si

Exit chroot, unmount, shutdown.

exit
umount -R /mnt
shutdown now

If target is busy error, check with:

fuser -m /mnt

Configure BIOS boot order. Set Linux as first boot option because systemd-boot will auto-detect Windows and add it to the boot menu.

Boot into Arch and pat yourself on the back.

Enroll TPM so you don't have to keep typing in your LUKS password.

sudo systemd-cryptenroll --tpm2-device=<path> --tpm2-pcrs=7 /dev/nvme0n1pX

Get path from:

sudo systemd-cryptenroll --tpm2-device=list

Install UKI pacman hook to trigger rebuild after ucode update:

vim /etc/pacman.d/hooks/ucode.hook
---
[Trigger]
Operation=Install
Operation=Upgrade
Operation=Remove
Type=Package
# Change to appropriate microcode package
Target=amd-ucode
# Change the linux part above and in the Exec line if a different kernel is used
Target=linux-lts

[Action]
Description=Update Microcode module in initcpio
Depends=mkinitcpio
When=PostTransaction
NeedsTargets
Exec=/bin/sh -c 'while read -r trg; do case $trg in linux-lts) exit 0; esac; done; /usr/bin/mkinitcpio -P'

Install efitools.

Backup your existing keys:

for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done

Reboot into bios and delete the manufacturer PK.

Creating keys, Setup sbctl, sbsigntool:

cd ~
mkdir uefi-keys
cd uefi-keys
# Create PK
openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=My Platform Key/" -out PK.crt
openssl x509 -outform DER -in PK.crt -out PK.cer
#Create KEK
openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=My Key Exchange Key/" -out KEK.crt
#Create database signing key
openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=My Signature Database key/" -out db.crt
openssl x509 -outform DER -in db.crt -out db.cer	

Convert to ESL.

    uuidgen -r > guid.txt #Unique guid
    cert-to-efi-sig-list -g "$(< guid.txt)" PK.crt PK.esl
    cert-to-efi-sig-list -g "$(< guid.txt)" KEK.crt KEK.esl
    cert-to-efi-sig-list -g "$(< guid.txt)" db.crt db.esl

Signing certificate lists.

    sign-efi-sig-list -g "$(< guid.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
    sign-efi-sig-list -g "$(< guid.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth
    sign-efi-sig-list -g "$(< guid.txt)" -k KEK.key -c KEK.crt db db.esl db.auth
    sign-efi-sig-list -g "$(< guid.txt)" -k KEK.key -c KEK.crt dbx old_dbx.esl dbx.auth

Add Microsoft trust for Windows.

    wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
    echo "77fa9abd-0359-4d32-bd60-28f4e78f784b" > msguid.txt
    sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output ms_win_db.esl MicWinProPCA2011_2011-10-19.crt
    sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k KEK.key -c KEK.crt db ms_win_db.esl add_ms_db.auth

Adding keys to system.

    mkdir -p /etc/secureboot/keys/{db,dbx,KEK,PK}
    cp db.auth /etc/secureboot/keys/db
    cp add_ms_db.auth /etc/secureboot/keys/db
    cp add_ms_uef_db.auth /etc/secureboot/keys/db # only if you built this file; the steps above do not create it
    cp PK.auth /etc/secureboot/keys/PK
    cp KEK.auth /etc/secureboot/keys/KEK
    cp dbx.auth /etc/secureboot/keys/dbx

    chattr -i /sys/firmware/efi/efivars/*
    sbkeysync --verbose
    efi-updatevar -f /etc/secureboot/keys/PK/PK.auth PK

Signing UKI.

    sbsign --key db.key --cert db.crt --output /boot/EFI/Linux/arch-linux-lts.efi /boot/EFI/Linux/arch-linux-lts.efi
    sbsign --key db.key --cert db.crt --output /boot/EFI/Linux/arch-linux-lts-fallback.efi /boot/EFI/Linux/arch-linux-lts-fallback.efi
    sbsign --key db.key --cert db.crt --output /boot/EFI/systemd/systemd-bootx64.efi /boot/EFI/systemd/systemd-bootx64.efi
    sbsign --key db.key --cert db.crt --output /boot/EFI/Boot/bootx64.efi /boot/EFI/Boot/bootx64.efi

Finalizing settings.

    chattr -i /sys/firmware/efi/efivars/*
    # Reboot & enable SecureBoot in UEFI, set UEFI master password

Add a hook for automatically signing after upgrades:

    sudo vim /etc/initcpio/post/uki-resign
    ---
    #!/usr/bin/env bash
    sbsign --key /home/r2d2/Documents/uefi-keys/db.key --cert /home/r2d2/Documents/uefi-keys/db.crt --output /boot/EFI/Linux/arch-linux-lts.efi /boot/EFI/Linux/arch-linux-lts.efi
    sbsign --key /home/r2d2/Documents/uefi-keys/db.key --cert /home/r2d2/Documents/uefi-keys/db.crt --output /boot/EFI/Linux/arch-linux-lts-fallback.efi /boot/EFI/Linux/arch-linux-lts-fallback.efi
    ---
    sudo chmod +x /etc/initcpio/post/uki-resign

 Thanks Raymo111, Green-Hamster github users!
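
A check for the state the original question asks about, added here as an example and not part of any post in this thread: it reads the SetupMode, SecureBoot and PK variables straight from efivarfs, so it does not depend on sbctl's own report. The function names and the fake_efivars test helper are hypothetical; it assumes efivarfs is mounted at /sys/firmware/efi/efivars and uses the EFI global variable GUID.

```shell
#!/usr/bin/env bash
# Added example: classify the firmware's Secure Boot state from efivarfs.
# efivarfs layout: 4 bytes of attributes (little-endian), then the payload.
GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# Print the first payload byte of a variable as decimal; fail if absent or empty.
efivar_byte() {
    local file="$1/$2-$GUID" val
    [ -r "$file" ] || return 1
    val=$(od -An -tu1 -j4 -N1 "$file" 2>/dev/null | tr -d ' \n')
    [ -n "$val" ] && printf '%s\n' "$val"
}

# Succeed if the variable exists and has a non-empty payload.
efivar_present() {
    local file="$1/$2-$GUID"
    [ -r "$file" ] && [ "$(wc -c < "$file")" -gt 4 ]
}

# Print one of: setup, user-sb-on, user-sb-off, inconsistent, unknown.
secure_boot_state() {
    local dir="${1:-/sys/firmware/efi/efivars}" setup sb
    setup=$(efivar_byte "$dir" SetupMode) || { echo unknown; return 0; }
    sb=$(efivar_byte "$dir" SecureBoot) || sb=0
    if efivar_present "$dir" PK; then
        # A PK is enrolled, so the firmware should report User Mode (SetupMode=0).
        if [ "$setup" -ne 0 ]; then echo inconsistent
        elif [ "$sb" -eq 1 ]; then echo user-sb-on
        else echo user-sb-off; fi
    else
        # No PK: the expected state is Setup Mode (SetupMode=1), keys can be enrolled.
        if [ "$setup" -eq 1 ]; then echo setup; else echo inconsistent; fi
    fi
}

# Build a constructed efivars directory for offline testing (not real firmware data).
# Args: dir, SetupMode byte, SecureBoot byte, "pk" to include a dummy PK payload.
fake_efivars() {
    mkdir -p "$1"
    printf '\006\000\000\000'"\\00$2" > "$1/SetupMode-$GUID"
    printf '\006\000\000\000'"\\00$3" > "$1/SecureBoot-$GUID"
    if [ "${4:-}" = pk ]; then printf '\047\000\000\000constructed-esl' > "$1/PK-$GUID"; fi
    return 0
}

echo "firmware state: $(secure_boot_state)"
```

Run it after deleting the manufacturer PK and before sbkeysync / efi-updatevar: `setup` means the firmware will accept new keys, while `inconsistent` means SetupMode and the presence of a PK disagree.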

HP Recommended

thank you so much!
