Issues with rEFInd & Secure Boot

So two questions regarding some boot issues I've encountered on my dual-boot Linux setup:

  1. I want to know if there is any way at all to reduce and ideally eliminate the screen flickering that happens when rEFInd initially boots? My screen flashes gray three times before rEFInd shows up and I've tried adding & removing linux from the use_graphics_for option and messing with resolutions to no avail.
  2. Is there any way I can get an encrypted Garuda system to work with Secure Boot? I've gotten rEFInd and OpenSUSE Tumbleweed to work, but no luck with Garuda despite attempting all of the MOK enrollment and shim copying.
    Any help is greatly appreciated!
4 comments
  • I've tried to set up rEFInd but couldn't get the proper configs / kernel parameters to work for my LUKS-enabled setup. If you're willing to try another loader out, I was able to make systemd-boot work with both Plymouth (flicker-less loading), LUKS (with graphical prompt), and Secure Boot too.

    • Oh man that sounds like exactly what I'm looking for: dual-booting two distros, one encrypted, all with secure boot and a nice graphical boot process. I just went through the fiasco of rebuilding my EFI partition and grub setups. Is switching to systemd-boot much harder?

      • Follow the Arch wiki. Just make sure that your distro has a hook for the package manager for signing the kernel. E.g., for Arch there's the systemd-boot-pacman-hook AUR package.
        It's not hard to set it up with a LUKS-enabled system, just put the relevant kernel parameters in your /esp/loader/entries/entry.conf file.
        For example, here's my arch.conf entry (with LVM on LUKS):

        title    Arch Linux
        linux   /vmlinuz-linux
        initrd  /intel-ucode.img
        initrd  /initramfs-linux.img
        options loglevel=2 quiet splash cryptdevice=PARTLABEL=partlabel-from-blkid:pvname root=/dev/mapper/rootlvname rw

        If your keys are already enrolled, you can just use sbctl sign-all once; your package manager hook should do the rest.

        Overall, the general directory structure should look like this in the end (files omitted):

        /boot
        ├── initramfs-linux-fallback.img
        ├── initramfs-linux.img
        ├── intel-ucode.img
        ├── loader
        │   ├── entries
        │   │   ├── arch.conf
        │   │   └── arch-fallback.conf
        │   ├── entries.srel
        │   ├── loader.conf
        │   └── random-seed
        └── vmlinuz-linux
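
An added example, not part of the thread or of any project's code: a small Python check that parses a loader entry like the arch.conf above, confirms the files it references exist on the ESP, and separates what Secure Boot verifies (the signed kernel) from what a plain loader entry leaves unauthenticated (the initrds and the options line). The function names, the report keys and the LUKS-root assumption are hypothetical choices for illustration.

```python
import shlex
from pathlib import Path
# Constructed sample: the arch.conf entry quoted in the comment above.
SAMPLE_ENTRY = """\
title    Arch Linux
linux   /vmlinuz-linux
initrd  /intel-ucode.img
initrd  /initramfs-linux.img
options loglevel=2 quiet splash cryptdevice=PARTLABEL=partlabel-from-blkid:pvname root=/dev/mapper/rootlvname rw
"""

def parse_entry(text):
    """Parse a type 1 loader entry; initrd and options may repeat."""
    entry = {"linux": None, "initrd": [], "options": []}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts
        if key == "initrd":
            entry["initrd"].append(value)
        elif key == "options":
            entry["options"] += shlex.split(value)
        else:
            entry[key] = value
    return entry

def audit(entry, esp_root):
    """Return what to sign, what Secure Boot leaves unverified, and gaps."""
    keys = {opt.partition("=")[0] for opt in entry["options"]}
    findings = []
    if entry["linux"] is None:
        findings.append("no linux line")
    # Assumption: root is on LUKS, unlocked via cryptdevice= or rd.luks.* parameters.
    if "cryptdevice" not in keys and not any(k.startswith("rd.luks.") for k in keys):
        findings.append("no LUKS unlock parameter in options")
    for rel in filter(None, [entry["linux"], *entry["initrd"]]):
        if not (Path(esp_root) / rel.lstrip("/")).is_file():
            findings.append(f"missing on ESP: {rel}")
    return {
        # The kernel is loaded as an EFI binary, so its signature is what gets checked.
        "sign": [entry["linux"]] if entry["linux"] else [],
        # Nothing in a type 1 entry authenticates the initrds or the options line.
        "unverified": [*entry["initrd"], "options line"],
        "findings": findings,
    }

if __name__ == "__main__":
    print(audit(parse_entry(SAMPLE_ENTRY), "/boot"))
```

Anything listed under "unverified" can be changed by whoever can write to the ESP without breaking signature checks, so an unencrypted /boot remains part of the trust boundary even with Secure Boot enabled.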