How to boot Arch Linux installation medium with Secure Boot enabled?

I’ve got a new laptop with a Samsung BIOS (version P08AFD) and Aptio Setup Utility. When I try to boot a USB stick with Arch Linux 2016.10.01 it says that the signature is invalid. The documentation seems to assume that I’ve already booted into Arch Linux. So I’m stumped for how to continue:

  • Are the keys on the ISO somewhere? There is a tool in Aptio to add PK, KEK, DB and DBX files.
  • Has the signature been invalidated by me making a custom USB stick from the official installation medium?
  • Should this “just work”? I’m at a loss for why a Linux distro would stop supporting a common (if controversial) security feature, especially since they seem to have supported it for some time.

The USB stick boots just fine on an older machine without Secure Boot support.

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

Flash the ISO on the usb key as you would normally do.


  1. navigate to ~\EFI\boot\
  2. rename BOOTx64.EFI as loader.efi
  3. download signed shim.efi in the same folder
  4. rename it as BOOTx64.EFI
  5. boot the thing and enroll from disk the ~\EFI\boot\loader.efi hash

EDIT: relevant bug

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply