Secure Boot Setup Mode
02-13-2024 02:58 AM
Hi guys! Does anyone know how to activate the Secure Boot Setup mode? I deleted all the keys, disabled secure boot, but the utilities like sbctl say that the setup mode is disabled?
Accepted Solutions
02-26-2024 11:51 AM - last edited on 02-26-2024 02:30 PM by RodrigoB
I contacted support, but they didn't help me. Found a workaround: don't use sbctl, use efitools. Detailed guide [content removed]
02-15-2024 11:31 AM
Hi @altynos,
Welcome to HP Support Community.
Thank you for posting your query, I will be glad to help you.
Activating Secure Boot Setup mode on an HP Pavilion Plus 14 laptop typically involves accessing the BIOS/UEFI settings. Here's a general guide on how to activate Secure Boot Setup mode.
- Access BIOS/UEFI: Restart your HP Pavilion Plus 14 laptop and press the appropriate key to access the BIOS/UEFI settings during the startup process. This key is often displayed on the screen during boot, and it's usually one of the function keys (F1, F2, F10, etc.) or the ESC key. You may need to consult your laptop's manual or search online for the specific key for your model.
- Navigate to Secure Boot Settings: Once you're in the BIOS/UEFI settings, look for the Secure Boot settings. These settings are typically found in the Security or Boot sections of the BIOS/UEFI menu.
- Enable Secure Boot: In the Secure Boot settings, you should see an option to enable Secure Boot. Enable this option if it's not already enabled.
- Activate Setup Mode: Some BIOS/UEFI implementations require you to activate Setup Mode before you can modify Secure Boot settings or add custom keys. Look for an option to activate Setup Mode, and enable it if it's available.
- Save Changes and Exit: After enabling Setup Mode and making any other desired changes to Secure Boot settings, save your changes and exit the BIOS/UEFI settings. This typically involves selecting the option to save changes and reboot the system.
Once you've activated Setup Mode and made any necessary changes to Secure Boot settings, you should be able to use utilities like sbctl to manage Secure Boot keys and settings effectively.
I hope this helps.
Take care and have a good day.
Please click “Accepted Solution” if you feel my post solved your issue, it will help others find the solution. Click the “Kudos/Thumbs Up" on the bottom right to say “Thanks” for helping!
Alden4
HP Support
HP Support Community Moderator
02-19-2024 10:19 AM
- Activate Setup Mode: Some BIOS/UEFI implementations require you to activate Setup Mode before you can modify Secure Boot settings or add custom keys. Look for an option to activate Setup Mode, and enable it if it's available.
Great, but there is no such option in the BIOS/UEFI. That's exactly what I was talking about.
02-19-2024 01:32 PM
Hi @altynos,
Thank you for your response,
We apologize for the inconvenience, but it seems that the issue persists even after attempting the troubleshooting steps mentioned above.
Unfortunately, there are no further actions we can take through this channel. I recommend reaching out to our phone support for further assistance.
This might require one-on-one interaction to fix the issue via remote assistance.
You can reach out at HP USA Customer Support no: 1800 474 6836.
Take care and have a good day.
Please feel free to contact us here anytime you need any further assistance.
Have a great day!
Alden4
HP Support
HP Support Community Moderator
04-01-2024 03:26 AM
Arch Linux Install with BTRFS, LUKS, and systemd-boot, dual-booted with a UKI and Windows 11 on a shared EFI partition
Disclaimer: I have personally tested every step of this. However, I'm not responsible for anything you do.
Pre-install
- Boot Windows, install the latest updates, remove OEM bloatware, open Disk Management, and shrink the Windows partition to make room for Arch.
- Download the latest Arch ISO and flash it with Etcher.
- Control Panel > Power Options > Choose what the power buttons do > Change settings that are currently unavailable > Uncheck Fast startup.
- regedit > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation > Create a new DWORD, name it RealTimeIsUniversal, and set it to 1.
- Boot gparted-live, move the last two tiny Windows partitions to the left.
- Turn off secure boot in BIOS, reboot into the Arch ISO.
Install
Turn down brightness: echo 20 > /sys/class/backlight/<screen>/brightness.
Connect to Ethernet/WiFi: iwctl > station <device> scan > station <device> get-networks > station <device> connect <SSID> > ping 1.1.1.1.
cat /sys/firmware/efi/fw_platform_size > check 64-bit.
timedatectl > check NTP active, RTC not in local TZ.
fdisk -l to check disks.
cfdisk /dev/nvme0n1 > [New] to create a new Linux Filesystem partition. Write and quit.
Setup and open LUKS
cryptsetup luksFormat --type luks2 /dev/nvme0n1pX
cryptsetup open /dev/nvme0n1pX luks
Create and mount BTRFS
mkfs.btrfs -L arch /dev/mapper/luks
mount /dev/mapper/luks /mnt
Create BTRFS subvolumes
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@swap
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@log
btrfs subvolume create /mnt/@cache
btrfs subvolume create /mnt/@scratch
Remount.
umount /mnt
mount -o noatime,ssd,compress=zstd,subvol=@ /dev/mapper/luks /mnt
Create mountpoints.
mkdir -p /mnt/{boot,home,var/log,var/cache,scratch,btrfs} # -p creates the missing /mnt/var parent
Mount subvols.
mount -o noatime,ssd,compress=zstd,subvol=@home /dev/mapper/luks /mnt/home
mount -o noatime,ssd,compress=zstd,subvol=@log /dev/mapper/luks /mnt/var/log
mount -o noatime,ssd,compress=zstd,subvol=@cache /dev/mapper/luks /mnt/var/cache
mount -o noatime,ssd,compress=zstd,subvol=@scratch /dev/mapper/luks /mnt/scratch
mount -o noatime,ssd,compress=zstd,subvolid=5 /dev/mapper/luks /mnt/btrfs # const 5 for BTRFS's root
Mount EFI partition.
mount /dev/nvme0n1p1 /mnt/boot
Create swapfile.
cd /mnt/btrfs/@swap
btrfs filesystem mkswapfile --size 20g --uuid clear ./swapfile
swapon ./swapfile
cd
Configure mirrorlist
cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak # backup mirrorlist
reflector -c "RU" -f 12 -l 10 -n 12 --save /etc/pacman.d/mirrorlist # replace RU with your country
pacman -Syy
Install base system.
pacstrap -K /mnt base base-devel linux-lts linux-firmware btrfs-progs \
  amd-ucode mesa xf86-video-amdgpu vulkan-radeon libva-mesa-driver mesa-vdpau \
  networkmanager sudo neovim git reflector
Init fstab and verify after.
genfstab -U /mnt >> /mnt/etc/fstab
Chroot into the new system.
arch-chroot /mnt
Set timezone.
ln -sf /usr/share/zoneinfo/Europe/Moscow /etc/localtime # replace with your timezone
hwclock --systohc --utc
Set locale: uncomment desired locales from /etc/locale.gen.
locale-gen
# Each echo below overwrites /etc/locale.conf; keep only the line for the locale you want
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo "LANG=ru_RU.UTF-8" > /etc/locale.conf
Set hostname.
echo "arch" > /etc/hostname # replace with your hostname
Add hosts.
vim /etc/hosts
---
127.0.0.1 <hostname>.localdomain localhost
::1 localhost.localdomain localhost
Set root password.
passwd
Create user.
useradd -mG wheel,storage,power,log,adm,uucp,tss,rfkill -s /bin/bash <username> # replace with your username
passwd <username>
Give user sudo access.
EDITOR=nvim visudo
---
raymo ALL=(ALL:ALL) ALL # for passworded sudo
raymo ALL=(ALL:ALL) NOPASSWD:ALL # for passwordless sudo
# one of the two above, replace raymo with your username
Enable networkmanager.
systemctl enable NetworkManager
mkinitcpio.
vim /etc/mkinitcpio.conf
---
HOOKS=(base keyboard systemd autodetect modconf kms block keymap sd-vconsole sd-encrypt btrfs filesystems fsck)
Configure kernel command line.
vim /etc/kernel/cmdline
---
root=/dev/mapper/luks rootflags=subvol=@,x-systemd.device-timeout=30 rw quiet splash bgrt_disable resume=/dev/mapper/luks resume_offset=<offset>
Get offset from:
btrfs inspect-internal map-swapfile -r /btrfs/@swap/swapfile
Create /etc/crypttab.initramfs.
luks UUID=<uuid> - discard,tpm2-device=auto
Get UUID from:
blkid /dev/nvme0n1pX
Configure .preset.
vim /etc/mkinitcpio.d/linux-lts.preset
Uncomment *_uki= lines, replace any /efi/* with /boot/*, comment out *_image= lines, uncomment splash if desired.
Process all preset files.
mkinitcpio -P
Make sure /boot/EFI/Linux exists (where uki points to)
Install systemd-boot.
chmod 700 /boot /boot/loader/random-seed
bootctl --path=/boot install
Install userspace apps.
pacman -S --needed gdm
pacman -S --needed xorg-xwayland xorg-xlsclients glfw-wayland
sudo pacman -S --needed gnome gnome-tweaks nautilus-sendto gnome-nettool gnome-usage gnome-multi-writer adwaita-icon-theme xdg-user-dirs-gtk fwupd arc-gtk-theme
Enable gdm & nm.
sudo systemctl enable gdm
sudo systemctl enable NetworkManager
Configure make.
vim /etc/makepkg.conf
---
MAKEFLAGS="-j$(nproc --ignore=2)" # 2 less than total threads
Install yay.
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
Exit chroot, unmount, shutdown.
exit
umount -R /mnt
shutdown now
If target is busy error, check with:
fuser -m /mnt
Configure BIOS boot order. Set Linux as first boot option because systemd-boot will auto-detect Windows and add it to the boot menu.
Boot into Arch and pat yourself on the back.
Enroll TPM so you don't have to keep typing in your LUKS password.
sudo systemd-cryptenroll --tpm2-device=<path> --tpm2-pcrs=7 /dev/nvme0n1pX
Get path from:
sudo systemd-cryptenroll --tpm2-device=list
Install UKI pacman hook to trigger rebuild after ucode update:
vim /etc/pacman.d/hooks/ucode.hook
---
[Trigger]
Operation=Install
Operation=Upgrade
Operation=Remove
Type=Package
# Change to appropriate microcode package
Target=amd-ucode
# Change the linux part above and in the Exec line if a different kernel is used
Target=linux-lts

[Action]
Description=Update Microcode module in initcpio
Depends=mkinitcpio
When=PostTransaction
NeedsTargets
Exec=/bin/sh -c 'while read -r trg; do case $trg in linux-lts) exit 0; esac; done; /usr/bin/mkinitcpio -P'
Install efitools.
Backup your existing keys:
for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done
Reboot into bios and delete the manufacturer PK.
Creating keys, Setup sbctl, sbsigntool:
cd ~
mkdir uefi-keys
cd uefi-keys
# Create PK
openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=My Platform Key/" -out PK.crt
openssl x509 -outform DER -in PK.crt -out PK.cer
# Create KEK
openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=My Key Exchange Key/" -out KEK.crt
# Create database signing key
openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=My Signature Database key/" -out db.crt
openssl x509 -outform DER -in db.crt -out db.cer
Convert to ESL.
uuidgen -r > guid.txt # Unique guid
cert-to-efi-sig-list -g "$(< guid.txt)" PK.crt PK.esl
cert-to-efi-sig-list -g "$(< guid.txt)" KEK.crt KEK.esl
cert-to-efi-sig-list -g "$(< guid.txt)" db.crt db.esl
Signing certificate lists.
sign-efi-sig-list -g "$(< guid.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
sign-efi-sig-list -g "$(< guid.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth
sign-efi-sig-list -g "$(< guid.txt)" -k KEK.key -c KEK.crt db db.esl db.auth
sign-efi-sig-list -g "$(< guid.txt)" -k KEK.key -c KEK.crt dbx old_dbx.esl dbx.auth
Add Microsoft trust for windows.
wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
echo "77fa9abd-0359-4d32-bd60-28f4e78f784b" > msguid.txt
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output ms_win_db.esl MicWinProPCA2011_2011-10-19.crt
sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k KEK.key -c KEK.crt db ms_win_db.esl add_ms_db.auth
Adding keys to system.
mkdir -p /etc/secureboot/keys/{db,dbx,KEK,PK}
cp db.auth /etc/secureboot/keys/db
cp add_ms_db.auth /etc/secureboot/keys/db
# add_ms_uef_db.auth is not produced by any step above; this cp fails unless you created that file yourself
cp add_ms_uef_db.auth /etc/secureboot/keys/db
cp PK.auth /etc/secureboot/keys/PK
cp KEK.auth /etc/secureboot/keys/KEK
cp dbx.auth /etc/secureboot/keys/dbx
chattr -i /sys/firmware/efi/efivars/*
sbkeysync --verbose
efi-updatevar -f /etc/secureboot/keys/PK/PK.auth PK
Signing UKI.
sbsign --key db.key --cert db.crt --output /boot/EFI/Linux/arch-linux-lts.efi /boot/EFI/Linux/arch-linux-lts.efi
sbsign --key db.key --cert db.crt --output /boot/EFI/Linux/arch-linux-lts-fallback.efi /boot/EFI/Linux/arch-linux-lts-fallback.efi
sbsign --key db.key --cert db.crt --output /boot/EFI/systemd/systemd-bootx64.efi /boot/EFI/systemd/systemd-bootx64.efi
sbsign --key db.key --cert db.crt --output /boot/EFI/Boot/bootx64.efi /boot/EFI/Boot/bootx64.efi
Finalizing settings.
chattr -i /sys/firmware/efi/efivars/*
# Reboot & enable SecureBoot in UEFI, set UEFI master password
Add a hook for automatically signing after upgrades:
sudo vim /etc/initcpio/post/uki-resign
---
#!/usr/bin/env bash
sbsign --key /home/r2d2/Documents/uefi-keys/db.key --cert /home/r2d2/Documents/uefi-keys/db.crt --output /boot/EFI/Linux/arch-linux-lts.efi /boot/EFI/Linux/arch-linux-lts.efi
sbsign --key /home/r2d2/Documents/uefi-keys/db.key --cert /home/r2d2/Documents/uefi-keys/db.crt --output /boot/EFI/Linux/arch-linux-lts-fallback.efi /boot/EFI/Linux/arch-linux-lts-fallback.efi
---
sudo chmod +x /etc/initcpio/post/uki-resign
Thanks Raymo111, Green-Hamster github users!
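Added example, not part of any post in this thread: a way to check what the firmware itself reports before running sbkeysync or efi-updatevar, since Setup Mode is tied to the Platform Key being absent and not to the BIOS Secure Boot toggle. It reads the standard SetupMode, SecureBoot and PK variables in efivarfs layout (4 attribute bytes, then data). The function names and the sample bytes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify Secure Boot state from efivarfs files.
GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efivarfs files hold 4 attribute bytes, then the data; print the first data byte.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Succeeds if a Platform Key variable with a non-empty payload exists in dir $1.
pk_enrolled() {
    f="$1/PK-$GUID"
    [ -f "$f" ] && [ $(( $(wc -c < "$f") )) -gt 4 ]
}

# Print setup, user-enforcing, user-disabled or unknown for variable dir $1
# (/sys/firmware/efi/efivars on a real system).
secure_boot_state() {
    setup=$(efivar_byte "$1/SetupMode-$GUID") || setup=
    sb=$(efivar_byte "$1/SecureBoot-$GUID") || sb=0
    case "$setup" in
        1) echo setup ;;
        0) if [ "$sb" = 1 ]; then echo user-enforcing; else echo user-disabled; fi ;;
        *) echo unknown; return 2 ;;
    esac
}

# Constructed sample (hypothetical values, not read from firmware):
# PK removed, firmware reports SetupMode=1 and SecureBoot=0.
demo=$(mktemp -d)
printf '\006\000\000\000\001' > "$demo/SetupMode-$GUID"
printf '\006\000\000\000\000' > "$demo/SecureBoot-$GUID"
echo "state: $(secure_boot_state "$demo")"
if pk_enrolled "$demo"; then echo "PK: enrolled"; else echo "PK: absent"; fi
rm -rf "$demo"
```

A result of user-disabled together with an enrolled PK means Secure Boot is switched off but the platform is still in User Mode, so unsigned key updates will be rejected.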