@aschiavon91
Last active March 16, 2026 15:36
Dual‑Boot Pop!_OS 24.04 + Windows 11 with SecureBoot
  • Enable Secure Boot with the default options.

  • Install Windows normally and let the installation finish.

  • After Windows setup finishes, enter the BIOS and completely disable Secure Boot.

  • Clear all Secure Boot keys from the BIOS, disable platform key injection, and then disable Secure Boot. Make sure all keys are deleted before continuing.

  • Install PopOS normally.

  • After PopOS setup finishes, make sure the BIOS boot order boots first from the disk used to install PopOS, not from the system partition.

  • Boot into PopOS and install/reinstall shim-signed, mokutil and sbctl.

  • Check sbctl status; you should see something like:

    # sbctl status
    Installed:   ✘ Sbctl is not installed
    Setup Mode:  ✘ Enabled
    Secure Boot: ✘ Disabled
  • Set up sbctl: sbctl setup --migrate

  • Check with sbctl status whether the keys were created; if not, create them with sbctl create-keys

  • After creating the keys, enroll them: sbctl enroll-keys --microsoft

  • Sign the EFI binaries: use sbctl verify to list all entries (os-prober can help too) and sbctl sign -s <file> to sign each one.

    • /boot/efi/EFI/Pop_OS-6e009c73-3743-49b8-8204-10494b681a60/vmlinuz.efi
    • /boot/efi/EFI/Recovery-742A-6D9F/vmlinuz.efi
    • /boot/efi/EFI/systemd/systemd-bootx64-signed.efi
    • /boot/efi/EFI/systemd/systemd-bootx64.efi
    • /boot/efi/EFI/BOOT/mmx64.efi
    • /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi
  • Edit the DKMS config file /etc/dkms/framework.conf to set the MOK keys:

    mok_signing_key=/var/lib/shim-signed/mok/MOK.priv
    mok_certificate=/var/lib/shim-signed/mok/MOK.der
  • Disable the SBAT policy: sudo mokutil --set-sbat-policy delete

  • Install the MOK certificate: sudo update-secureboot-policy --enroll-key. It will ask for a password, which will be used on the MokManager screen in the next step.

  • Reboot. You should see the MokManager screen; enroll the key (you will be asked for the password from the previous step), then reboot again.

  • After PopOS boots, check whether the keys were enrolled with mokutil --list-enrolled. If not, try importing the shim key again: mokutil -i /var/lib/shim-signed/mok/MOK.der
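
The two checks in the steps above (sbctl status before enrolling keys, sbctl verify before signing) as an added shell example that is not part of the original gist. The function names are hypothetical, the sample text is constructed, and the sbctl verify line format is an assumption.

```shell
#!/bin/sh
# Added example, not from the gist: read saved sbctl output and decide what to do.
# Constructed samples. STATUS_SAMPLE copies the status text shown in the guide;
# VERIFY_SAMPLE assumes `sbctl verify` prints "<mark> <path> is [not] signed".
STATUS_SAMPLE='Installed:   ✘ Sbctl is not installed
Setup Mode:  ✘ Enabled
Secure Boot: ✘ Disabled'
VERIFY_SAMPLE='Verifying file database and EFI images in /boot/efi...
✓ /boot/efi/EFI/systemd/systemd-bootx64.efi is signed
✗ /boot/efi/EFI/BOOT/mmx64.efi is not signed
✗ /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi is not signed'

# Print "Enabled" or "Disabled" for one field of the status text.
status_value() {  # $1 = status text, $2 = field name
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "$2:"*Enabled)  echo Enabled ;;
            "$2:"*Disabled) echo Disabled ;;
        esac
    done
}

# True only in the state the guide expects before key enrollment:
# firmware keys cleared (Setup Mode on) and Secure Boot off.
ready_to_enroll() {  # $1 = status text
    [ "$(status_value "$1" 'Setup Mode')" = Enabled ] &&
        [ "$(status_value "$1" 'Secure Boot')" = Disabled ]
}

# Print the path of every file the verify text reports as not signed.
unsigned_entries() {  # $1 = verify text
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *" is not signed") p=${line% is not signed}; printf '/%s\n' "${p#*/}" ;;
        esac
    done
}

# Print one signing command per unsigned file, for review before running.
sign_commands() {  # $1 = verify text
    unsigned_entries "$1" | while IFS= read -r f; do
        printf "sbctl sign -s '%s'\n" "$f"
    done
}

# Demo on the constructed samples above.
if ready_to_enroll "$STATUS_SAMPLE"; then echo "ok to run: sbctl enroll-keys --microsoft"; fi
sign_commands "$VERIFY_SAMPLE"
```

On a real system, pass live output instead of the samples, for example ready_to_enroll "$(sbctl status)", and review the printed sign commands before running them.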

@yauhenbarysik

@aschiavon91 hey! Sorry for bothering and thank you for sharing this guide (it is a great starting point for making SB work on Pop_OS! 24.04 on my laptop), but maybe you can help with Secure Boot without Custom Mode or injecting keys directly into BIOS/firmware, as on my laptop (Razer Blade 14 Ryzen 7940HS RTX4070) I can only enable/disable SB and that's it. No key deletion/injection/custom mode, etc.

So only option is MOK+shim with some tinkering available (and even with MOK I have to make another boot entry in order to "inject" MOK Manager summoning to enroll keys)
