You are not logged in.
Devuan does not boot with Secure Boot enabled on my system. Despite the presence of shim packages. But another systemd-free distro, antiX, boots. Without any shim packages at all. How can Devuan be made to boot the same way as antiX when Secure Boot is enabled ?
The plot thickens: the developer of antiX says, word for word, "Secure Boot signing is NOT available on antiX." Then how t.f. does it boot with Secure Boot enabled?
Last edited by Ulysses_ (2020-11-30 08:40:46)
Offline
Incidentally, xubuntu boots. It has these shim packages:
shim 15+1552672080.a4a1fbe-0ubuntu2
shim-signed 1.45+15+1552672080.a4a1fbe-0ubuntu2
Devuan has these:
shim-helpers-amd64-signed_1+15+1533136590.3beb971+7_amd64.deb
shim-signed_1.33+15+1533136590.3beb971-7_amd64.deb
shim-signed-common_1.33+15+1533136590.3beb971-7_all.deb
shim-unsigned_15+1533136590.3beb971-7_amd64.deb
Remove some packages from Devuan? Mix xubuntu packages into Devuan?
Offline
Incidentally, xubuntu boots. It has these shim packages:
Devuan has these:shim-helpers-amd64-signed_1+15+1533136590.3beb971+7_amd64.deb
shim-signed_1.33+15+1533136590.3beb971-7_amd64.deb
shim-signed-common_1.33+15+1533136590.3beb971-7_all.deb
shim-unsigned_15+1533136590.3beb971-7_amd64.deb
Install them and a signed kernel.
But if you use nvidia-dkms, you have to sign it yourself. Otherwise it will not load with secure boot.
Offline
Some UEFI implementations require that the user mark the EFI loader as "trusted" in the firmware ("BIOS") menus.
This will show exactly what is being booted:
efibootmgr -v
Devuan should be using shimx64.efi.
EDIT: and use this to check if Secure Boot is enabled for the booted system:
mokutil --sb-state
https://pkginfo.devuan.org/stage/beowul … 50f-1.html
Note that it is possible to boot antiX with Secure Boot enabled if my HowTo guide on the MX Linux forums is followed.
Last edited by Head_on_a_Stick (2020-11-30 20:56:07)
Brianna Ghey — Rest In Power
Offline
Unfortunately "efibootmgr -v" does not say which .efi is being booted when you boot from a USB drive. It outputs this on antiX:
Boot0005* UEFI: USB DISK 2.0 PMAP PciRoot(0x0)/Pci(0x14,0x0)/USB(8,0)/HD(1,MBR,0x4f44f,0x800,0x3d4000)..BO
Whereas "mokutil --sb-state" outputs this on antiX:
SecureBoot enabled
That's antiX running with SecureBoot enabled out of the box. Tried MX too, years ago and it booted likewise (EDIT: current MX boots too) but you have a howto for making MX boot with Secure Boot. How can this be?
Last edited by Ulysses_ (2020-12-01 14:35:41)
Offline
Is the live kernel of MX the same as debian's whereas the fully-installed kernel is not so it needs your howto?
Does the LIVE MX boot on your system out of the box, with Secure Boot?
Last edited by Ulysses_ (2020-12-01 16:01:14)
Offline
Unfortunately "efibootmgr -v" does not say which .efi is being booted when you boot from a USB drive. It outputs this on antiX:
Boot0005* UEFI: USB DISK 2.0 PMAP PciRoot(0x0)/Pci(0x14,0x0)/USB(8,0)/HD(1,MBR,0x4f44f,0x800,0x3d4000)..BO
That looks to be cropped, can you scroll the output? Or make the terminal bigger so that you can see it all.
How can this be?
Not sure. Which kernel is it using?
uname -a
aptitude search '?narrow(?installed, linux-image)'
ls -l /vmlinuz
Last edited by Head_on_a_Stick (2020-12-01 16:16:39)
Brianna Ghey — Rest In Power
Offline
That is the complete line. Similarly in MX booted from a live USB flash drive:
efibootmgr -v
BootCurrent: 0005
[snip...]
Boot0005* UEFI: USB DISK 2.0 PMAP PciRoot(0x0)/Pci(0x1d,0x0)/USB(0,0)/USB(1,0)/HD(1,MBR,0x11f75d,0x800,0x3d4000)..BO
uname -a
Linux mx1 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
ls -l /vmlinuz
lrwxrwxrwx 1 root root 28 Oct 29 20:22 /vmlinuz -> boot/vmlinuz-4.19.0-12-amd64
aptitude search '?narrow(?installed, linux-image)'
i linux-image-4.19.0-12-amd64 - Linux 4.19 for 64-bit PCs (signed)
i linux-image-amd64 - Linux for 64-bit PCs (meta-package)
These are all the files ending in .efi:
find / | grep -i '\.efi$'
/usr/lib/grub/i386-efi/monolithic/gcdia32.efi
/usr/lib/grub/i386-efi/monolithic/grubia32.efi
/usr/lib/grub/i386-efi/monolithic/grubnetia32-installer.efi
/usr/lib/grub/i386-efi/monolithic/grubnetia32.efi
/usr/lib/grub/x86_64-efi/monolithic/gcdx64.efi
/usr/lib/grub/x86_64-efi/monolithic/grubnetx64-installer.efi
/usr/lib/grub/x86_64-efi/monolithic/grubnetx64.efi
/usr/lib/grub/x86_64-efi/monolithic/grubx64.efi
/usr/lib/systemd/boot/efi/systemd-bootx64.efi
/live/linux/usr/lib/grub/i386-efi/monolithic/gcdia32.efi
/live/linux/usr/lib/grub/i386-efi/monolithic/grubia32.efi
/live/linux/usr/lib/grub/i386-efi/monolithic/grubnetia32-installer.efi
/live/linux/usr/lib/grub/i386-efi/monolithic/grubnetia32.efi
/live/linux/usr/lib/grub/x86_64-efi/monolithic/gcdx64.efi
/live/linux/usr/lib/grub/x86_64-efi/monolithic/grubnetx64-installer.efi
/live/linux/usr/lib/grub/x86_64-efi/monolithic/grubnetx64.efi
/live/linux/usr/lib/grub/x86_64-efi/monolithic/grubx64.efi
/live/linux/usr/lib/systemd/boot/efi/systemd-bootx64.efi
/live/boot-dev/EFI/BOOT/BOOTia32.efi
/live/boot-dev/EFI/BOOT/BOOTx64.efi
/live/boot-dev/EFI/BOOT/grubx64.efi
/live/boot-dev/boot/uefi-mt/mtest-32.efi
/live/boot-dev/boot/uefi-mt/mtest-64.efi
It is almost certainly EFI/BOOT/BOOTx64.efi or EFI/BOOT/grubx64.efi that is being used, or both.
Last edited by Ulysses_ (2020-12-01 21:15:40)
Offline
In devuan, booted from a live CD with EFI but with Secure Boot disabled in a VM because vmware does not seem to support Secure Boot and the laptop does not boot devuan with Secure Boot enabled as I said:
efibootmgr -v
BootCurrent: 0001
BootOrder: 0000,0001,0002,0003
Boot0000* EFI VMware Virtual SATA Hard Drive (0.0) PciRoot(0x0)/Pci(0x11,0x0)/Pci(0x4,0x0)/Sata(0,0,0)
Boot0001* EFI VMware Virtual IDE CDROM Drive (IDE 1:0) PciRoot(0x0)/Pci(0x7,0x1)/Ata(1,0,0)
uname -a
Linux devuan 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
ls -l /vmlinuz
lrwxrwxrwx 1 root root 27 May 30 2020 /vmlinuz -> boot/vmlinuz-4.19.0-9-amd64
aptitude search '?narrow(?installed, linux-image)'
i A linux-image-4.19.0-9-amd64 - Linux 4.19 for 64-bit PCs (signed)
i linux-image-amd64 - Linux for 64-bit PCs (meta-package)
find / 2> /dev/null | grep -i '\.efi$'
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/gcdia32.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/grubia32.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/grubnetia32-installer.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/grubnetia32.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/gcdx64.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/grubnetx64-installer.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/grubnetx64.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/grubx64.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/shim/fbx64.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/shim/mmx64.efi
/lib/live/mount/rootfs/filesystem.squashfs/usr/lib/shim/shimx64.efi
/lib/live/mount/medium/efi/boot/bootia32.efi
/lib/live/mount/medium/efi/boot/bootx64.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/gcdia32.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/grubia32.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/grubnetia32-installer.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/i386-efi/monolithic/grubnetia32.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/gcdx64.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/grubnetx64-installer.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/grubnetx64.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/grub/x86_64-efi/monolithic/grubx64.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/shim/fbx64.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/shim/mmx64.efi
/run/live/rootfs/filesystem.squashfs/usr/lib/shim/shimx64.efi
/run/live/medium/efi/boot/bootia32.efi
/run/live/medium/efi/boot/bootx64.efi
/usr/lib/grub/i386-efi/monolithic/gcdia32.efi
/usr/lib/grub/i386-efi/monolithic/grubia32.efi
/usr/lib/grub/i386-efi/monolithic/grubnetia32-installer.efi
/usr/lib/grub/i386-efi/monolithic/grubnetia32.efi
/usr/lib/grub/x86_64-efi/monolithic/gcdx64.efi
/usr/lib/grub/x86_64-efi/monolithic/grubnetx64-installer.efi
/usr/lib/grub/x86_64-efi/monolithic/grubnetx64.efi
/usr/lib/grub/x86_64-efi/monolithic/grubx64.efi
/usr/lib/shim/fbx64.efi
/usr/lib/shim/mmx64.efi
/usr/lib/shim/shimx64.efi
Last edited by Ulysses_ (2020-12-01 21:17:04)
Offline
Also tried installing MX as a full install to a USB flash drive (not a live boot). It fails to boot and the usual error message shows up:
Invalid signature detected.
Check Secure Boot Policy in Setup
What do you make of this? Live MX is signed, full install is not?
Last edited by Ulysses_ (2020-12-01 20:50:46)
Offline
That is the complete line
I really don't think so. Try xterm instead, that wraps the output. Or run
efibootmgr -v | grep efi
What do you make of this? Live is correctly signed, full install is not?
Some UEFI implementations will allow live ISO images to run with Secure Boot enabled even if they do not support it.
From your output Devuan has the signed kernel and the shim EFI loader so you probably just need to mark shimx64.efi in the installed system as "trusted" from the firmware ("BIOS") menus.
And please edit your posts to use code tags for any terminal output, it greatly improves readability.
Brianna Ghey — Rest In Power
Offline
I did this too to be certain:
efibootmgr -v > temp
featherpad temp
Other lines have parts like ".E.F.I.\.M.I.C.R.O.S.O.F.T.\.B.O.O.T.\.B.O.O.T.M.G.F.W...E.F.I" and ".E.F.I.\.B.O.O.T.\.B.O.O.T.X.6.4...E.F.I" but we should be looking at the line pointed to in "BootCurrent: 0005" shouldn't we.
Offline
Devuan has the signed kernel and the shim EFI loader so you probably just need to mark shimx64.efi in the installed system as "trusted" from the firmware ("BIOS") menus.
The menus here are very rudimentary. They do not have anything like that.
Offline
Can't we mix some of MX into devuan?
Offline
Can't we mix some of MX into devuan?
Why would you want to do that after this post of yours?
MX/AntiX is the work of a state-sponsored political extremist who is openly in the payroll of a state and at the same time pretends to be against the system. Can't be trusted for anything to do with security, privacy, cryptocurrencies, anti-surveillance. Might as well install ubuntu.
https://www.linuxquestions.org/question … ost6188829
Read on for more laughs later in the same thread
Last edited by anticapitalista (2020-12-01 22:02:08)
Offline
You haven't heard the last of me in that topic. People are not as naive or stupid as you think and that is why they have left. If the .efi's and grub configs you and ubuntu are using are open source it makes sense to have people check them and include them elsewhere if they have to.
Offline
You haven't heard the last of me in that topic. People are not as naive or stupid as you think and that is why they have left. If the .efi's and grub configs you and ubuntu are using are open source it makes sense to have people check them and include them elsewhere if they have to.
More comedy gold from you.
1. "that is why they have left." More vagueness from you. Who has left and what have they left?
2. "If the .efi's and grub configs you and ubuntu are using are open source it makes sense to have people check them and include them elsewhere if they have to." - and yet you ask Devuan to 'mix some of MX into devuan', the same stuff that antiX uses!
Offline
I am formally withdrawing my assistance in this thread as an act of solidarity with anticapitalista. I fully support their fight to overthrow the capitalist system.
EDIT: and for the record Microsoft charge a nominal fee of $99 for use of their Secure Boot keys.
Last edited by Head_on_a_Stick (2020-12-02 19:45:18)
Brianna Ghey — Rest In Power
Offline
Who has left and what have they left?
They left the thread because politics is very serious in places like America and Britain where people can lose their jobs for posting the wrong thing online. And because my case against state-supported leftists is valid even if you are not a teacher as the state still protects you as you vandalise property and harass people protesting at anything. No laughs to be had at losing one's job, or worse. Unless one is a genocidal lunatic laughing hysterically at the controlled demolition of America like those crazy villains in James Bond movies. Keep laughing as I recite the number of dead from communism in Cambodia, China, Russia.
Offline
"If the .efi's and grub configs you and ubuntu are using are open source it makes sense to have people check them and include them elsewhere if they have to." - and yet you ask Devuan to 'mix some of MX into devuan', the same stuff that antiX uses!
What a mess from such a simple statement. The ".efi and grub configs" are a tiny, tiny percentage of MX that people can check as I said, as in check the source code, and only copy what they need after checking it.
Instead of answering the question that you know the answer to better than anyone, you are just trying to distract and insult.
Some UEFI implementations will allow live ISO images to run with Secure Boot enabled even if they do not support it.
If so, what's to stop devuan from modifying its live ISO image to take advantage of such a feature? Question to the admin if they are reading.
Last edited by Ulysses_ (2020-12-02 21:25:22)
Offline
@Ulysses_ . . . no one here is interested in your political rants. If you want to continue posting here, please leave them at the door.
Online
Alright. How do you feel about this?
Instead of answering the question that you know the answer to better than anyone
Offline
Microsoft charge a nominal fee of $99 for use of their Secure Boot keys.
One more reason to ask the developers of devuan then if they are reading, why not?
Offline
Alright. How do you feel about this?
Instead of answering the question that you know the answer to better than anyone
Pass.
Offline
Devuan does not boot with Secure Boot enabled on my system. Despite the presence of shim packages. But another systemd-free distro, antiX, boots. Without any shim packages at all. How can Devuan be made to boot the same way as antiX when Secure Boot is enabled ?
It works on my system. I have no idea how it works on MX, but in devuan, it works exactly the same way it works in debian, because we don't fork any of the packages necessary for secure boot. Make sure grub-efi-amd64-signed is installed. The bootloader directory in /boot/efi/EFI/ will be named 'debian'. You'll probably see that name in the boot menu, too. Rest assured, it's still really devuan.
With some troubleshooting, it might work on your system, too. Or maybe not. UEFI implementations vary widely and don't necessarily conform to any actual uefi standards.
The amd64 desktop-live iso already has the signed grub package and the shim packages.
Offline