<![CDATA[Dev1 Galaxy Forum / Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?id=6209 Wed, 15 Jan 2025 18:52:26 +0000 FluxBB <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=54094#p54094 Hi fsmithred,
I got around to some testing at last - sorry for the delay.
Unfortunataly it doesn't seem the image works:
While booting from a USB stick (created with dd) the computer will complain it didn't find a valid signature and not boot at all. When using a Ventoy medium, we get as far as the grub menu, whereafter - no matter which entry has been selected - the following message is displayed:

error: shim_lock protocol not found.
error: you need do load the kernel first.

Tested on two different machines with the same results. Debian boots without trouble on both of them.
Please let me know if there is anything else I can do!

]]> Wed, 15 Jan 2025 18:52:26 +0000 https://dev1galaxy.org/viewtopic.php?pid=54094#p54094 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=54009#p54009 Thanks for the quick reply!

I'm downloading right now and will hopefully get to test it over the weekend.

]]> Fri, 10 Jan 2025 20:47:20 +0000 https://dev1galaxy.org/viewtopic.php?pid=54009#p54009 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=54008#p54008 Thanks for testing. Here's a new live iso. This one has bootx64.efi and shimx64.efi.signed in efi/boot. I made this one using refractasnapshot and had to copy the shim into the iso build tree manually. If it works, I'll work it into live-sdk so it gets into the official isos.

devuan_5_signed-test_amd64-20250110_1825.iso
https://distro.ibiblio.org/refracta/files/experimental/

sha256sum:

ec458d2e023b7d6abc982c8c0f690250c562133a5b0491ced3226602d662903d  devuan_5_signed-test_amd64-20250110_1825.iso
]]> Fri, 10 Jan 2025 19:04:00 +0000 https://dev1galaxy.org/viewtopic.php?pid=54008#p54008 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=54006#p54006 I can confirm that neither the Daedalus live ISO nor the netinstall seems to work on a machine with secureboot enabled. If that's of any help, I'll volunteer to test any new images - fsmithreds link above gives me a 404.

]]> Fri, 10 Jan 2025 17:30:05 +0000 https://dev1galaxy.org/viewtopic.php?pid=54006#p54006 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=49052#p49052 Hi, I noticed on my bios settings when secureboot is switched on another menu becomes available

where I can select forbidden devices like cdrom, usb, wake on lan (or something like that)

maybe you have that setting as well.

Generally I haven't used secureboot since I found a way to turn it off, so I'm no expert.

]]> Tue, 19 Mar 2024 22:19:42 +0000 https://dev1galaxy.org/viewtopic.php?pid=49052#p49052 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=49048#p49048 After some experiments it became clear to me that when secureboot is on, it verifies the signatures on removable media too. For some reason i thought that when SB is on it just refuses to boot from that kind of media.

]]> Tue, 19 Mar 2024 19:41:29 +0000 https://dev1galaxy.org/viewtopic.php?pid=49048#p49048 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=46392#p46392 It seems that your iso image doesn't contain the right efi application : for secure boot with Microsoft signature, i need the efi application from /usr/lib/shim/shimx64.efi.signed (package shim-signed) and a grub efi application signed with the debian signature (package grub-efi-amd64-signed), both in the ESP partition inside the /EFI/boot/ directory

]]> Wed, 20 Dec 2023 18:52:00 +0000 https://dev1galaxy.org/viewtopic.php?pid=46392#p46392 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=46108#p46108 fsmithred wrote:

Yes, it's isohybrid. I installed grub-efi-amd64-signed and shim-signed, which pulled in a couple other things. I assume the kernel is signed because there is no kernel package linux-image-*-signed, but there is an -unsigned kernel package. I did not install the -unsigned.

Edit:
When I get to fast internet, I'll download debian-live to compare.

Ok, i'll look at it too

]]> Sun, 10 Dec 2023 13:26:22 +0000 https://dev1galaxy.org/viewtopic.php?pid=46108#p46108 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=46086#p46086 Yes, it's isohybrid. I installed grub-efi-amd64-signed and shim-signed, which pulled in a couple other things. I assume the kernel is signed because there is no kernel package linux-image-*-signed, but there is an -unsigned kernel package. I did not install the -unsigned.

Edit:
When I get to fast internet, I'll download debian-live to compare.

]]> Sat, 09 Dec 2023 20:42:05 +0000 https://dev1galaxy.org/viewtopic.php?pid=46086#p46086 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=46082#p46082 fsmithred wrote:

I put the iso on my old website because it was easier to get there from the build host.,
http://distro.ibiblio.org/refracta/file … p-live.iso

sha256sum

4fb0a40a6f58e358e00e940e3ac6c1112ef450dffdcb509bd0df6949041b477c  devuan_daedalus_5.0-signed-test_amd64_desktop-live.iso

Hello,

I tested it and it doesn't boot, i don't know your recipe, is it an hybrid iso? because my understanding is that my computer must boot in uefi with a signed efi application (with the third party market key from microsoft)

]]> Sat, 09 Dec 2023 18:23:37 +0000 https://dev1galaxy.org/viewtopic.php?pid=46082#p46082 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=46041#p46041 I put the iso on my old website because it was easier to get there from the build host.,
http://distro.ibiblio.org/refracta/file … p-live.iso

sha256sum

4fb0a40a6f58e358e00e940e3ac6c1112ef450dffdcb509bd0df6949041b477c  devuan_daedalus_5.0-signed-test_amd64_desktop-live.iso
]]> Fri, 08 Dec 2023 16:35:48 +0000 https://dev1galaxy.org/viewtopic.php?pid=46041#p46041 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=46030#p46030 fsmithred wrote:

If I make a desktop-live iso with signed grub and kernel, will you test it for me? I am unable to test secure boot.
I could have it ready in a day or two and post a link here.

Thanks.

Ok, I will test it, my guess is that you will need the shim package from debian (signed with a Microsoft's key?). I read that Ubuntu manages to boot with only the efi application signed while Fedora uses a chain of trust with everything signed from efi to loaded modules (you can see the status of secure boot on freebsd with thoose details https://wiki.freebsd.org/SecureBoot)

]]> Fri, 08 Dec 2023 08:00:36 +0000 https://dev1galaxy.org/viewtopic.php?pid=46030#p46030 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=46014#p46014 If I make a desktop-live iso with signed grub and kernel, will you test it for me? I am unable to test secure boot.
I could have it ready in a day or two and post a link here.

Thanks.

]]> Thu, 07 Dec 2023 21:55:43 +0000 https://dev1galaxy.org/viewtopic.php?pid=46014#p46014 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=46011#p46011 Too bad, I thought it might work. I do disable Secure Boot on every computer I take my hands on.

]]> Thu, 07 Dec 2023 18:50:37 +0000 https://dev1galaxy.org/viewtopic.php?pid=46011#p46011 <![CDATA[Re: Live cd unable to boot with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=46004#p46004 GuillaumeWA wrote:
rolfie wrote:

Try the netinstall ...

Thank you, I will try to boot the netinstall

=> It doesn't boot

]]> Thu, 07 Dec 2023 14:37:16 +0000 https://dev1galaxy.org/viewtopic.php?pid=46004#p46004