The officially official Devuan Forum!

You are not logged in.

#1 2020-11-30 07:36:56

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

How to make devuan boot with Secure Boot enabled the way antiX does it

Devuan does not boot with Secure Boot enabled on my system. Despite the presence of shim packages. But another systemd-free distro, antiX, boots. Without any shim packages at all. How can Devuan be made to boot the same way as antiX when Secure Boot is enabled ?

The plot thickens: the developer of antiX says, word for word, "Secure Boot signing is NOT available on antiX." Then how t.f. does it boot with Secure Boot enabled?

Last edited by Ulysses_ (2020-11-30 08:40:46)

Offline

#2 2020-11-30 07:50:33

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Incidentally, xubuntu boots. It has these shim packages:

shim 15+1552672080.a4a1fbe-0ubuntu2
shim-signed 1.45+15+1552672080.a4a1fbe-0ubuntu2

Devuan has these:

shim-helpers-amd64-signed_1+15+1533136590.3beb971+7_amd64.deb
shim-signed_1.33+15+1533136590.3beb971-7_amd64.deb
shim-signed-common_1.33+15+1533136590.3beb971-7_all.deb
shim-unsigned_15+1533136590.3beb971-7_amd64.deb

Remove some packages from Devuan?  Mix xubuntu packages into Devuan?

Offline

#3 2020-11-30 08:31:49

Magnus
Member
Registered: 2020-03-14
Posts: 29  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Ulysses_ wrote:

Incidentally, xubuntu boots. It has these shim packages:
Devuan has these:

shim-helpers-amd64-signed_1+15+1533136590.3beb971+7_amd64.deb
shim-signed_1.33+15+1533136590.3beb971-7_amd64.deb
shim-signed-common_1.33+15+1533136590.3beb971-7_all.deb
shim-unsigned_15+1533136590.3beb971-7_amd64.deb

Install them and a signed kernel.
But if you use nvidia-dkms, you have to sign it yourself. Otherwise it will not load with secure boot.

Offline

#4 2020-11-30 20:27:53

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 1,257  
Website

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Some UEFI implementations require that the user mark the EFI loader as "trusted" in the firmware ("BIOS") menus.

This will show exactly what is being booted:

efibootmgr -v

Devuan should be using shimx64.efi.

EDIT: and use this to check if Secure Boot is enabled for the booted system:

mokutil --sb-state

https://pkginfo.devuan.org/stage/beowul … 50f-1.html

Note that it is possible to boot antiX with Secure Boot enabled if my HowTo guide on the MX Linux forums is followed.

Last edited by Head_on_a_Stick (2020-11-30 20:56:07)


Black Lives Matter

Offline

#5 2020-12-01 11:33:55

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Unfortunately "efibootmgr -v" does not say which .efi is being booted when you boot from a USB drive. It outputs this on antiX:

Boot0005* UEFI:  USB DISK 2.0 PMAP    PciRoot(0x0)/Pci(0x14,0x0)/USB(8,0)/HD(1,MBR,0x4f44f,0x800,0x3d4000)..BO

Whereas "mokutil --sb-state" outputs this on antiX:

SecureBoot enabled

That's antiX running with SecureBoot enabled out of the box. Tried MX too, years ago and it booted likewise (EDIT: current MX boots too) but you have a howto for making MX boot with Secure Boot. How can this be?

Last edited by Ulysses_ (2020-12-01 14:35:41)

Offline

#6 2020-12-01 15:55:54

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Is the live kernel of MX the same as debian's whereas the fully-installed kernel is not so it needs your howto?

Does the LIVE MX boot on your system out of the box, with Secure Boot?

Last edited by Ulysses_ (2020-12-01 16:01:14)

Offline

#7 2020-12-01 16:16:01

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 1,257  
Website

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Ulysses_ wrote:

Unfortunately "efibootmgr -v" does not say which .efi is being booted when you boot from a USB drive. It outputs this on antiX:

Boot0005* UEFI:  USB DISK 2.0 PMAP    PciRoot(0x0)/Pci(0x14,0x0)/USB(8,0)/HD(1,MBR,0x4f44f,0x800,0x3d4000)..BO

That looks to be cropped, can you scroll the output? Or make the terminal bigger so that you can see it all.

Ulysses_ wrote:

How can this be?

Not sure. Which kernel is it using?

uname -a
aptitude search '?narrow(?installed, linux-image)'
ls -l /vmlinuz

Last edited by Head_on_a_Stick (2020-12-01 16:16:39)


Black Lives Matter

Offline

#8 2020-12-01 20:24:04

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

That is the complete line. Similarly in MX booted from a live USB flash drive:

efibootmgr -v
BootCurrent: 0005
[snip...]
Boot0005* UEFI:  USB DISK 2.0 PMAP	PciRoot(0x0)/Pci(0x1d,0x0)/USB(0,0)/USB(1,0)/HD(1,MBR,0x11f75d,0x800,0x3d4000)..BO

uname -a
Linux mx1 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux

ls -l /vmlinuz
lrwxrwxrwx 1 root root 28 Oct 29 20:22 /vmlinuz -> boot/vmlinuz-4.19.0-12-amd64

aptitude search '?narrow(?installed, linux-image)'
i   linux-image-4.19.0-12-amd64               - Linux 4.19 for 64-bit PCs (signed)
i   linux-image-amd64                         - Linux for 64-bit PCs (meta-package)

These are all the files ending in .efi:

find / | grep -i '\.efi$'
/usr/lib/grub/i386-efi/monolithic/gcdia32.efi
/usr/lib/grub/i386-efi/monolithic/grubia32.efi
/usr/lib/grub/i386-efi/monolithic/grubnetia32-installer.efi
/usr/lib/grub/i386-efi/monolithic/grubnetia32.efi
/usr/lib/grub/x86_64-efi/monolithic/gcdx64.efi
/usr/lib/grub/x86_64-efi/monolithic/grubnetx64-installer.efi
/usr/lib/grub/x86_64-efi/monolithic/grubnetx64.efi
/usr/lib/grub/x86_64-efi/monolithic/grubx64.efi
/usr/lib/systemd/boot/efi/systemd-bootx64.efi
/live/linux/usr/lib/grub/i386-efi/monolithic/gcdia32.efi
/live/linux/usr/lib/grub/i386-efi/monolithic/grubia32.efi
/live/linux/usr/lib/grub/i386-efi/monolithic/grubnetia32-installer.efi
/live/linux/usr/lib/grub/i386-efi/monolithic/grubnetia32.efi
/live/linux/usr/lib/grub/x86_64-efi/monolithic/gcdx64.efi
/live/linux/usr/lib/grub/x86_64-efi/monolithic/grubnetx64-installer.efi
/live/linux/usr/lib/grub/x86_64-efi/monolithic/grubnetx64.efi
/live/linux/usr/lib/grub/x86_64-efi/monolithic/grubx64.efi
/live/linux/usr/lib/systemd/boot/efi/systemd-bootx64.efi
/live/boot-dev/EFI/BOOT/BOOTia32.efi
/live/boot-dev/EFI/BOOT/BOOTx64.efi
/live/boot-dev/EFI/BOOT/grubx64.efi
/live/boot-dev/boot/uefi-mt/mtest-32.efi
/live/boot-dev/boot/uefi-mt/mtest-64.efi

It is almost certainly EFI/BOOT/BOOTx64.efi or EFI/BOOT/grubx64.efi that is being used, or both.

Last edited by Ulysses_ (2020-12-01 21:15:40)

Offline

#9 2020-12-01 20:36:41

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

In devuan, booted from a live CD with EFI but with Secure Boot disabled in a VM because vmware does not seem to support Secure Boot and the laptop does not boot devuan with Secure Boot enabled as I said:

efibootmgr -v
BootCurrent: 0001
BootOrder: 0000,0001,0002,0003
Boot0000* EFI VMware Virtual SATA Hard Drive (0.0)	PciRoot(0x0)/Pci(0x11,0x0)/Pci(0x4,0x0)/Sata(0,0,0)
Boot0001* EFI VMware Virtual IDE CDROM Drive (IDE 1:0)	PciRoot(0x0)/Pci(0x7,0x1)/Ata(1,0,0)

uname -a
Linux devuan 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux

ls -l /vmlinuz 
lrwxrwxrwx 1 root root 27 May 30  2020 /vmlinuz -> boot/vmlinuz-4.19.0-9-amd64

aptitude search '?narrow(?installed, linux-image)'
i A linux-image-4.19.0-9-amd64      - Linux 4.19 for 64-bit PCs (signed)        
i   linux-image-amd64               - Linux for 64-bit PCs (meta-package)       

find / 2> /dev/null | grep -i '\.efi$'
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/gcdia32.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/grubia32.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/grubnetia32-installer.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/grubnetia32.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/gcdx64.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/grubnetx64-installer.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/grubnetx64.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/grubx64.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/shim/fbx64.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/shim/mmx64.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/shim/shimx64.efi
/lib/live/mount/medium/efi/boot/bootia32.efi
/lib/live/mount/medium/efi/boot/bootx64.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/gcdia32.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/grubia32.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/grubnetia32-installer.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/grubnetia32.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/gcdx64.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/grubnetx64-installer.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/grubnetx64.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/grubx64.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/shim/fbx64.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/shim/mmx64.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/shim/shimx64.efi
/run/live/medium/efi/boot/bootia32.efi
/run/live/medium/efi/boot/bootx64.efi
/usr/lib/grub/i386-efi/monolithic/gcdia32.efi
/usr/lib/grub/i386-efi/monolithic/grubia32.efi
/usr/lib/grub/i386-efi/monolithic/grubnetia32-installer.efi
/usr/lib/grub/i386-efi/monolithic/grubnetia32.efi
/usr/lib/grub/x86_64-efi/monolithic/gcdx64.efi
/usr/lib/grub/x86_64-efi/monolithic/grubnetx64-installer.efi
/usr/lib/grub/x86_64-efi/monolithic/grubnetx64.efi
/usr/lib/grub/x86_64-efi/monolithic/grubx64.efi
/usr/lib/shim/fbx64.efi
/usr/lib/shim/mmx64.efi
/usr/lib/shim/shimx64.efi

Last edited by Ulysses_ (2020-12-01 21:17:04)

Offline

#10 2020-12-01 20:45:22

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Also tried installing MX as a full install to a USB flash drive (not a live boot). It fails to boot and the usual error message shows up:

Invalid signature detected.
Check Secure Boot Policy in Setup

What do you make of this? Live MX is signed, full install is not?

Last edited by Ulysses_ (2020-12-01 20:50:46)

Offline

#11 2020-12-01 20:52:11

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 1,257  
Website

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Ulysses_ wrote:

That is the complete line

I really don't think so. Try xterm instead, that wraps the output. Or run

efibootmgr -v | grep efi
Ulysses_ wrote:

What do you make of this? Live is correctly signed, full install is not?

Some UEFI implementations will allow live ISO images to run with Secure Boot enabled even if they do not support it.

From your output Devuan has the signed kernel and the shim EFI loader so you probably just need to mark shimx64.efi in the installed system as "trusted" from the firmware ("BIOS") menus.

And please edit your posts to use code tags for any terminal output, it greatly improves readability.


Black Lives Matter

Offline

#12 2020-12-01 21:04:28

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

I did this too to be certain:

efibootmgr -v > temp
featherpad temp

Other lines have parts like ".E.F.I.\.M.I.C.R.O.S.O.F.T.\.B.O.O.T.\.B.O.O.T.M.G.F.W...E.F.I" and ".E.F.I.\.B.O.O.T.\.B.O.O.T.X.6.4...E.F.I" but we should be looking at the line pointed to in "BootCurrent: 0005" shouldn't we.

Offline

#13 2020-12-01 21:11:25

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Head_on_a_Stick wrote:

Devuan has the signed kernel and the shim EFI loader so you probably just need to mark shimx64.efi in the installed system as "trusted" from the firmware ("BIOS") menus.

The menus here are very rudimentary. They do not have anything like that.

Offline

#14 2020-12-01 21:13:09

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Can't we mix some of MX into devuan?

Offline

#15 2020-12-01 22:00:25

anticapitalista
Member
Registered: 2018-06-10
Posts: 19  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Ulysses_ wrote:

Can't we mix some of MX into devuan?

Why would you want to do that after this post of yours?

MX/AntiX is the work of a state-sponsored political extremist who is openly in the payroll of a state and at the same time pretends to be against the system. Can't be trusted for anything to do with security, privacy, cryptocurrencies, anti-surveillance. Might as well install ubuntu.

https://www.linuxquestions.org/question … ost6188829

Read on for more laughs later in the same thread

Last edited by anticapitalista (2020-12-01 22:02:08)

Offline

#16 2020-12-01 22:16:59

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

You haven't heard the last of me in that topic. People are not as naive or stupid as you think and that is why they have left. If the .efi's and grub configs you and ubuntu are using are open source it makes sense to have people check them and include them elsewhere if they have to.

Offline

#17 2020-12-01 22:54:54

anticapitalista
Member
Registered: 2018-06-10
Posts: 19  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Ulysses_ wrote:

You haven't heard the last of me in that topic. People are not as naive or stupid as you think and that is why they have left. If the .efi's and grub configs you and ubuntu are using are open source it makes sense to have people check them and include them elsewhere if they have to.

More comedy gold from you.

1.  "that is why they have left." More vagueness from you. Who has left and what have they left?

2. "If the .efi's and grub configs you and ubuntu are using are open source it makes sense to have people check them and include them elsewhere if they have to." - and yet you ask Devuan to 'mix some of MX into devuan', the same stuff that antiX uses!

Offline

#18 2020-12-02 18:35:38

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 1,257  
Website

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

I am formally withdrawing my assistance in this thread as an act of solidarity with anticapitalista. I fully support their fight to overthrow the capitalist system.

EDIT: and for the record Microsoft charge a nominal fee of $99 for use of their Secure Boot keys.

Last edited by Head_on_a_Stick (2020-12-02 19:45:18)


Black Lives Matter

Offline

#19 2020-12-02 20:44:39

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Who has left and what have they left?

They left the thread because politics is very serious in places like America and Britain where people can lose their jobs for posting the wrong thing online. And because my case against state-supported leftists is valid even if you are not a teacher as the state still protects you as you vandalise property and harass people protesting at anything. No laughs to be had at losing one's job, or worse. Unless one is a genocidal lunatic laughing hysterically at the controlled demolition of America like those crazy villains in James Bond movies. Keep laughing as I recite the number of dead from communism in Cambodia, China, Russia.

Offline

#20 2020-12-02 20:50:15

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

"If the .efi's and grub configs you and ubuntu are using are open source it makes sense to have people check them and include them elsewhere if they have to." - and yet you ask Devuan to 'mix some of MX into devuan', the same stuff that antiX uses!

What a mess from such a simple statement. The ".efi and grub configs" are a tiny, tiny percentage of MX that people can check as I said, as in check the source code, and only copy what they need after checking it.

Instead of answering the question that you know the answer to better than anyone, you are just trying to distract and insult.

Some UEFI implementations will allow live ISO images to run with Secure Boot enabled even if they do not support it.

If so, what's to stop devuan from modifying its live ISO image to take advantage of such a feature? Question to the admin if they are reading.

Last edited by Ulysses_ (2020-12-02 21:25:22)

Offline

#21 2020-12-02 20:51:46

golinux
Administrator
Registered: 2016-11-25
Posts: 2,099  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

@Ulysses_ . . . no one here is interested in your political rants.  If you want to continue posting here, please leave them at the door.

Offline

#22 2020-12-02 20:55:37

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Alright. How do you feel about this?

Instead of answering the question that you know the answer to better than anyone

Offline

#23 2020-12-02 21:17:43

Ulysses_
Member
Registered: 2020-05-07
Posts: 25  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Microsoft charge a nominal fee of $99 for use of their Secure Boot keys.

One more reason to ask the developers of devuan then if they are reading, why not?

Offline

#24 2020-12-02 21:19:26

anticapitalista
Member
Registered: 2018-06-10
Posts: 19  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Ulysses_ wrote:

Alright. How do you feel about this?

Instead of answering the question that you know the answer to better than anyone

Pass.

Offline

#25 2020-12-03 01:25:55

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,693  

Re: How to make devuan boot with Secure Boot enabled the way antiX does it

Ulysses_ wrote:

Devuan does not boot with Secure Boot enabled on my system. Despite the presence of shim packages. But another systemd-free distro, antiX, boots. Without any shim packages at all. How can Devuan be made to boot the same way as antiX when Secure Boot is enabled ?

It works on my system. I have no idea how it works on MX, but in devuan, it works exactly the same way it works in debian, because we don't fork any of the packages necessary for secure boot. Make sure grub-efi-amd64-signed is installed. The bootloader directory in /boot/efi/EFI/ will be named 'debian'. You'll probably see that name in the boot menu, too. Rest assured, it's still really devuan.

With some troubleshooting, it might work on your system, too. Or maybe not. UEFI implementations vary widely and don't necessarily conform to any actual uefi standards.

The amd64 desktop-live iso already has the signed grub package and the shim packages.

Offline

Board footer