How To Setup a Dual Boot System with Batocera and Windows 11 with Secure Boot Support

Byjsiazar

If you’re looking to set up a dual-boot system with Batocera Linux and Windows, you’ll need to use rEFInd, a versatile boot manager. Installing rEFInd on Batocera can be a bit more challenging compared to regular Linux distributions, mainly because Batocera is a read-only, appliance-style OS. However, with a few manual steps, you can get dual-booting with Windows and Batocera (or another Linux system) while enabling Secure Boot.

This guide will walk you through the installation process of rEFInd and how to set up your dual-boot system with Windows and Batocera Linux.

Prerequisites

Before you begin, make sure your system meets the following requirements:

  1. A system with multiple OS installed (whether on the same drive or separate drives).
  2. UEFI system (not legacy). You can verify your system’s boot mode by following this guide: How to Check if Windows is Using UEFI or Legacy.
  3. Secure Boot enabled in your BIOS/UEFI settings.
  4. Access to a PC with another Linux distro installed, such as Ubuntu or Debian.
    • This is required if you are dual-booting Windows with Batocera.
    • This is optional if you have a different Linux distribution installed, like Ubuntu.

Example Setup:

  • Two drives: One with Windows 11 and the other with Batocera.
  • Secure Boot enabled on both systems.

Step 1: Install rEFInd on Batocera

  1. Boot into your Linux distro and open the Terminal.
  2. Remount Batocera’s system directories with read-write (rw) permissions: Open a terminal and run the following commands: 
    mount -o remount,rw /
mount -o remount,rw /boot
  3. Identify and mount the EFI partition:
    a. To identify your EFI partition, run:
    lsblk -f
    Look for the /boot/efi partition. If it’s not mounted, create a mount point and mount it:
    mkdir /mnt/efi
    mount /dev/sdX1 /mnt/efi
    b. Replace /dev/sdX1 with the actual partition name for your EFI partition.
  4. Download rEFInd: Download the latest rEFInd package by running:
    wget https://sourceforge.net/projects/refind/files/0.14.2/refind-bin-0.14.2.zip
    unzip refind-bin-0.14.2.zip
  5. Run the rEFInd install script: Execute the following command to install rEFInd: 
    ./refind-install --shim /boot/EFI/batocera/shimx64.efi

Step 2: Sign the rEFInd and Batocera Kernel Files

Since Batocera doesn’t have the necessary signing tools, you’ll need to manually sign the rEFInd and Batocera kernel files using sbsign. You have two options for this:

Option 1: Sign Files on Another Linux System

  1. Copy refind_x64.efi from Batocera to a USB flash drive.
  2. Boot into a different Linux system (e.g., Ubuntu or Debian).
  3. Sign the refind_x64.efi file on this system using the following command: 
    sbsign --key /path/to/refind_key.pem --cert /path/to/refind_cert.pem --output refind_x64.efi /path/to/refind_x64.efi

Option 2: Sign Using a Live Linux USB

  1. Boot into a live Linux USB (e.g., Ubuntu or Debian).
  2. Sign the refind_x64.efi file using the same sbsign command as in Option 1.

Step 3: Copy Signed Files Back to Batocera

Once the rEFInd files are signed, you need to copy them back to your Batocera system:

  1. Copy the signed refind_x64.efi file to /boot/EFI/refind on Batocera, replacing the existing unsigned file.
  2. Copy the signing keys (refind_cert.pem and refind_key.pem) to the /boot/EFI/refind/keys directory.

Step 4: Enroll Secure Boot Keys

To enable Secure Boot, you must enroll the keys into your BIOS/UEFI settings.

  1. Reboot your system and enter the UEFI/BIOS settings.
  2. In the Secure Boot section, enroll the following files:
    • refind_x64.efi
    • shimx64.efi
    • mmx64.efi

Step 5: Reboot into rEFInd

  1. Save the changes in the BIOS/UEFI and restart your system.
  2. Upon reboot, your system should now boot into rEFInd, allowing you to select between Windows and Batocera (or your chosen Linux distro).

Troubleshooting Tips

  • If rEFInd doesn’t show up after rebooting, ensure that the Secure Boot keys were properly enrolled in the BIOS/UEFI settings.
  • If you run into issues signing the EFI files, double-check that sbsign is installed on the Linux system you’re using to sign the files.

Conclusion

By following these steps, you should now have a functional dual-boot system with Batocera Linux and Windows, using rEFInd as your boot manager. You’ve also enabled Secure Boot to ensure your system remains secure. Enjoy the flexibility of accessing multiple operating systems on a single machine!