Last active
May 14, 2026 01:37
Omarchy + Windows 11 Dual Boot Guide (Separate Drives, Secure Boot, Limine) - 05/2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
| #!/usr/bin/env bash | |
| # ========================================================= | |
| # OMARCHY + WINDOWS SECURE BOOT GUIDE | |
| # Limine + sbctl + Custom Keys | |
| # ========================================================= | |
| # | |
| # WHAT THIS DOES: | |
| # - Enables Secure Boot on Omarchy | |
| # - Keeps Windows bootable | |
| # - Uses your own Secure Boot keys | |
| # - Signs Limine + Linux kernel | |
| # | |
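| # IMPORTANT: | |
| # - BACK UP YOUR DATA | |
| # - SAVE BITLOCKER RECOVERY KEYS | |
| #   (changing Secure Boot keys or state changes what the TPM | |
| #   measures, so BitLocker will likely ask for the recovery | |
| #   key on the next Windows boot; suspending BitLocker | |
| #   protection in Windows beforehand avoids the prompt) | |
| # - KNOW HOW TO DISABLE SECURE BOOT IN BIOS | |
| # - RUN THE COMMANDS ONE AT A TIME. Do not execute this file | |
| #   as a script: Steps 3 and 13 reboot into firmware setup | |
| #   and the later steps depend on what you do there. | |
| # | |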
| # ========================================================= | |
| # STEP 0 — VERIFY UEFI MODE | |
| # ========================================================= | |
| bootctl status | |
| # EXPECT: | |
| # | |
| # Firmware: UEFI ... | |
| # | |
| # If system is NOT using UEFI: | |
| # STOP HERE. | |
| # | |
| # Secure Boot requires UEFI. | |
| # ========================================================= | |
| # STEP 1 — VERIFY EFI MOUNTS | |
| # ========================================================= | |
| findmnt /boot | |
| findmnt /boot/EFI | |
| # Typical Omarchy layout: | |
| # | |
| # /boot | |
| # /boot/EFI | |
| # | |
| # If /boot/EFI does not exist, | |
| # inspect your EFI mount layout before continuing. | |
| # ========================================================= | |
| # STEP 2 — VERIFY WINDOWS IS DETECTED | |
| # ========================================================= | |
| sudo limine-entry-tool --scan | |
| # Reboot and VERIFY: | |
| # - Omarchy boots | |
| # - Windows boots | |
| # | |
| # DO NOT CONTINUE until both work. | |
| # ========================================================= | |
| # STEP 3 — ENTER BIOS / UEFI | |
| # ========================================================= | |
| systemctl reboot --firmware-setup | |
| # INSIDE BIOS: | |
| # | |
| # 1. Disable Secure Boot | |
| # | |
| # 2. Clear ALL Secure Boot keys: | |
| # - Clear PK | |
| # - Clear KEK | |
| # - Clear db | |
| # | |
| # Sometimes called: | |
| # - Reset to Setup Mode | |
| # - Delete Secure Boot Variables | |
| # - Clear Secure Boot Keys | |
| # | |
| # 3. SAVE AND REBOOT | |
| # | |
| # DO NOT ENABLE SECURE BOOT YET. | |
| # ========================================================= | |
| # STEP 4 — INSTALL SBCTL | |
| # ========================================================= | |
| sudo pacman -S sbctl | |
| # Verify firmware is in Setup Mode | |
| sudo sbctl status | |
| # EXPECT: | |
| # | |
| # Secure Boot: Disabled | |
| # Setup Mode: Enabled | |
| # | |
| # If Setup Mode is NOT enabled: | |
| # go back to BIOS and clear keys again. | |
| # ========================================================= | |
| # STEP 5 — CREATE CUSTOM KEYS | |
| # ========================================================= | |
| sudo sbctl create-keys | |
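| # Creates: | |
| # - Platform Key (PK) | |
| # - Key Exchange Key (KEK) | |
| # - Signature Database (db) | |
| # | |
| # The private keys are stored on this machine's disk (under | |
| # /var/lib/sbctl on current sbctl releases; verify on yours). | |
| # Anyone who can read them can sign binaries your firmware | |
| # will accept, so keep them root-only and keep the root | |
| # filesystem encrypted. | |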
| # ========================================================= | |
| # STEP 6 — ENROLL KEYS | |
| # ========================================================= | |
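| # VERY IMPORTANT: | |
| # -m enrolls Microsoft's certificates alongside your own keys | |
| # so Windows remains bootable. | |
| # Some firmware and option ROMs (e.g. on GPUs) are also signed | |
| # by Microsoft; leaving -m out can stop such a machine from | |
| # starting at all. | |
| # Trade-off: anything signed by Microsoft's CAs stays trusted | |
| # by your firmware, not only binaries signed with your keys. | |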
| sudo sbctl enroll-keys -m | |
| # Verify | |
| sudo sbctl status | |
| # ========================================================= | |
| # STEP 7 — FIND EFI FILES | |
| # ========================================================= | |
| find /boot -iname "*.efi" | |
| # Typical Omarchy output: | |
| # | |
| # /boot/EFI/BOOT/BOOTX64.EFI | |
| # /boot/EFI/limine/liminex64.efi | |
| # ========================================================= | |
| # STEP 8 — SIGN LIMINE EFI BINARIES | |
| # ========================================================= | |
| sudo sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI | |
| sudo sbctl sign -s /boot/EFI/limine/liminex64.efi | |
| # If your paths differ: | |
| # adjust accordingly. | |
| # ========================================================= | |
| # STEP 9 — SIGN KERNELS | |
| # ========================================================= | |
| # Standard kernel | |
| sudo sbctl sign -s /boot/vmlinuz-linux | |
| # OPTIONAL: | |
| # LTS kernel | |
| # | |
| # sudo sbctl sign -s /boot/vmlinuz-linux-lts | |
| # ========================================================= | |
| # STEP 10 — VERIFY SIGNATURES | |
| # ========================================================= | |
| sudo sbctl verify | |
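| # DO NOT ENABLE SECURE BOOT | |
| # unless verify succeeds. | |
| # | |
| # NOTE: the steps above sign the bootloader and the kernel | |
| # only. The initramfs and limine.conf are not signed here, | |
| # so anyone who can write to /boot can still change them. | |
| # See Limine's documentation on config checksum enrollment | |
| # and file hashes if you need those covered too. | |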
| # ========================================================= | |
| # STEP 11 — INSTALL AUTO-SIGNING HOOKS | |
| # ========================================================= | |
| sudo sbctl install | |
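| # Automatically re-signs files | |
| # after kernel updates. | |
| # | |
| # NOTE(review): if your sbctl has no "install" subcommand | |
| # (check: sbctl --help), nothing is lost: the Arch sbctl | |
| # package is expected to ship a pacman hook that re-signs | |
| # every file saved with "sign -s". Confirm after the next | |
| # kernel update with: sudo sbctl verify | |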
| # ========================================================= | |
| # STEP 12 — REBUILD INITRAMFS | |
| # ========================================================= | |
| # Omarchy may provide: | |
| # | |
| # sudo limine-mkinitcpio | |
| # | |
| # Otherwise use: | |
| sudo mkinitcpio -P | |
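| # ========================================================= | |
| # STEP 13 — ENABLE SECURE BOOT | |
| # ========================================================= | |
| # Before rebooting, run "sudo sbctl verify" once more: | |
| # Step 12 may have regenerated files after they were signed. | |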
| systemctl reboot --firmware-setup | |
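| # INSIDE BIOS: | |
| # | |
| # 1. Enable Secure Boot | |
| # | |
| # 2. Ensure mode is: | |
| # Custom | |
| # | |
| # 3. Save and reboot | |
| # | |
| # Also set a firmware (BIOS) administrator password if you | |
| # have not already. Without one, anyone with physical access | |
| # can switch Secure Boot off again. | |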
| # ========================================================= | |
| # STEP 14 — FINAL VERIFICATION | |
| # ========================================================= | |
| sudo sbctl status | |
| # EXPECT: | |
| # | |
| # Installed: ✓ | |
| # Setup Mode: ✗ | |
| # Secure Boot: ✓ | |
| # ========================================================= | |
| # TROUBLESHOOTING | |
| # ========================================================= | |
| # --------------------------------------------------------- | |
| # BLACK SCREEN / BOOT FAILURE | |
| # --------------------------------------------------------- | |
| # | |
| # 1. Disable Secure Boot in BIOS | |
| # 2. Boot Omarchy | |
| # 3. Run: | |
| # | |
| # sudo sbctl verify | |
| # | |
| # 4. Sign missing files again | |
| # 5. Re-enable Secure Boot in BIOS once verify is clean | |
| # --------------------------------------------------------- | |
| # WINDOWS MISSING | |
| # --------------------------------------------------------- | |
| sudo limine-entry-tool --scan | |
| # --------------------------------------------------------- | |
| # KERNEL UPDATE BROKE BOOT | |
| # --------------------------------------------------------- | |
| sudo sbctl verify | |
| sudo sbctl sign -s /boot/vmlinuz-linux | |
| # ========================================================= | |
| # USEFUL COMMANDS | |
| # ========================================================= | |
| # Status | |
| # sudo sbctl status | |
| # Verify signatures | |
| # sudo sbctl verify | |
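| # List enrolled keys | |
| # sudo sbctl list-keys | |
| # (if "list-keys" is not recognised by your sbctl version, | |
| # try: sudo sbctl list-enrolled-keys) | |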
| # Sign file | |
| # sudo sbctl sign -s /path/to/file | |
| # Rebuild initramfs | |
| # sudo mkinitcpio -P | |
| # Re-scan Windows | |
| # sudo limine-entry-tool --scan |