The officially official Devuan Forum!


#1 2023-12-04 10:07:30

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Live cd unable to boot with secure boot enabled

Hello,

I'd like to boot from daedalus live on a USB key but it doesn't. I can boot Fedora 39 live, Debian 12 live, MX Linux live.

I can not boot Nitrux live either.

Secure boot is enabled and I can't disable it because I don't have the supervisor password.... I guess that it's the problem

Do you have any clues to help me?

Thank you,

Guillaume

Offline

#2 2023-12-04 21:30:29

nahkhiirmees
Member
Registered: 2022-07-24
Posts: 196  

Re: Live cd unable to boot with secure boot enabled

I think that booting from usb stick or optical disc is not supposed to work when secureboot is active.

Offline

#3 2023-12-05 16:27:35

andyp67
Member
Registered: 2022-10-30
Posts: 228  

Re: Live cd unable to boot with secure boot enabled

I have three modern Intel (N3350, J3355,) UEFI BIOS computers.
I am looking at three displays right now, this one I am typing this, and the other two I am playing around with booting.
I have enabled secure boot and booted, both display

----------------------------------
Secure Boot Violation
Invalid signature detected
----------------------------------

I think that if you have managed to boot an OS, secure boot is disabled

Offline

#4 2023-12-05 16:34:58

rolfie
Member
Registered: 2017-11-25
Posts: 1,088  

Re: Live cd unable to boot with secure boot enabled

Try the netinstall ...

Offline

#5 2023-12-05 16:50:53

andyp67
Member
Registered: 2022-10-30
Posts: 228  

Re: Live cd unable to boot with secure boot enabled

dd in Linux
and use Rufus in Windows and choose the dd option if offered.

Offline

#6 2023-12-07 08:11:16

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

nahkhiirmees wrote:

I think that booting from usb stick or optical disc is not supposed to work when secureboot is active.

Secure boot is enabled and I can boot Fedora,... from USB. I think there is a missing part on the Devuan live USB (a part signed with a Microsoft key)

Offline

#7 2023-12-07 08:16:51

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

andyp67 wrote:

I have three modern Intel (N3350, J3355,) UEFI BIOS computers.
I am looking at three displays right now, this one I am typing this, and the other two I am playing around with booting.
I have enabled secure boot and booted, both display

----------------------------------
Secure Boot Violation
Invalid signature detected
----------------------------------

I think that if you have managed to boot an OS, secure boot is disabled

As I wrote, I can't disable Secure Boot because I don't know the supervisor password. Fedora, MX Linux and Debian boot from USB (and I installed Fedora and can boot from the SSD too; a message saying Secure Boot is enabled is displayed on the grub screen... but I don't want to use Fedora)

Offline

#8 2023-12-07 08:18:02

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

rolfie wrote:

Try the netinstall ...

Thank you, I will try to boot the netinstall

Offline

#9 2023-12-07 08:19:08

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

andyp67 wrote:

dd in Linux
and use Rufus in Windows and choose the dd option if offered.

I used dd for the creation of all the installation media

Offline

#10 2023-12-07 14:37:16

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

GuillaumeWA wrote:
rolfie wrote:

Try the netinstall ...

Thank you, I will try to boot the netinstall

=> It doesn't boot

Offline

#11 2023-12-07 18:50:37

rolfie
Member
Registered: 2017-11-25
Posts: 1,088  

Re: Live cd unable to boot with secure boot enabled

Too bad, I thought it might work. I do disable Secure Boot on every computer I take my hands on.

Offline

#12 2023-12-07 21:55:43

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,441  

Re: Live cd unable to boot with secure boot enabled

If I make a desktop-live iso with signed grub and kernel, will you test it for me? I am unable to test secure boot.
I could have it ready in a day or two and post a link here.

Thanks.

Offline

#13 2023-12-08 08:00:36

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

fsmithred wrote:

If I make a desktop-live iso with signed grub and kernel, will you test it for me? I am unable to test secure boot.
I could have it ready in a day or two and post a link here.

Thanks.

Ok, I will test it. My guess is that you will need the shim package from Debian (signed with a Microsoft key?). I read that Ubuntu manages to boot with only the EFI application signed while Fedora uses a chain of trust with everything signed from EFI to loaded modules (you can see the status of secure boot on FreeBSD with those details: https://wiki.freebsd.org/SecureBoot)

Offline

#14 2023-12-08 16:35:48

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,441  

Re: Live cd unable to boot with secure boot enabled

I put the iso on my old website because it was easier to get there from the build host.
http://distro.ibiblio.org/refracta/file … p-live.iso

sha256sum

4fb0a40a6f58e358e00e940e3ac6c1112ef450dffdcb509bd0df6949041b477c  devuan_daedalus_5.0-signed-test_amd64_desktop-live.iso

Offline

#15 2023-12-09 18:23:37

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

fsmithred wrote:

I put the iso on my old website because it was easier to get there from the build host.
http://distro.ibiblio.org/refracta/file … p-live.iso

sha256sum

4fb0a40a6f58e358e00e940e3ac6c1112ef450dffdcb509bd0df6949041b477c  devuan_daedalus_5.0-signed-test_amd64_desktop-live.iso

Hello,

I tested it and it doesn't boot. I don't know your recipe; is it a hybrid ISO? Because my understanding is that my computer must boot in UEFI with a signed EFI application (with the third party market key from Microsoft)

Offline

#16 2023-12-09 20:42:05

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,441  

Re: Live cd unable to boot with secure boot enabled

Yes, it's isohybrid. I installed grub-efi-amd64-signed and shim-signed, which pulled in a couple other things. I assume the kernel is signed because there is no kernel package linux-image-*-signed, but there is an -unsigned kernel package. I did not install the -unsigned.

Edit:
When I get to fast internet, I'll download debian-live to compare.

Offline

#17 2023-12-10 13:26:22

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

fsmithred wrote:

Yes, it's isohybrid. I installed grub-efi-amd64-signed and shim-signed, which pulled in a couple other things. I assume the kernel is signed because there is no kernel package linux-image-*-signed, but there is an -unsigned kernel package. I did not install the -unsigned.

Edit:
When I get to fast internet, I'll download debian-live to compare.

Ok, I'll look at it too

Offline

#18 2023-12-20 18:52:00

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

It seems that your ISO image doesn't contain the right EFI application: for secure boot with a Microsoft signature, I need the EFI application from /usr/lib/shim/shimx64.efi.signed (package shim-signed) and a grub EFI application signed with the Debian signature (package grub-efi-amd64-signed), both in the ESP partition inside the /EFI/boot/ directory

Offline
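
An added example, not part of the thread or of Devuan's build scripts: a quick way to see whether an EFI binary pulled from an image's /EFI/boot/ directory carries any Authenticode signature is to read the PE Certificate Table, which is what shim-signed and grub-efi-amd64-signed binaries have and unsigned builds lack. The function names and the sample image are constructed for this sketch; a signature being present does not mean the firmware trusts the signer.

```python
import struct

def authenticode_entries(pe: bytes):
    """List (revision, cert_type, blob_len) per WIN_CERTIFICATE; [] means unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)       # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = pe_off + 24                                    # optional header start
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)         # data directories
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)    # NumberOfRvaAndSizes
    if ndirs <= 4:
        return []
    # Directory 4 is the Certificate Table; its "address" is a file offset.
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if size == 0:
        return []
    end = off + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    entries, pos = [], off
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        entries.append((rev, ctype, length - 8))
        pos += (length + 7) & ~7                         # entries are 8-byte aligned
    return entries

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo, not a real boot loader."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)              # PE header at 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x58, 0x20B)             # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 108, 16)          # NumberOfRvaAndSizes
    if signed:
        # dwLength=20, revision 2.0, type 2 (PKCS#7 SignedData), 12-byte dummy blob + pad
        cert = struct.pack("<IHH", 20, 0x0200, 0x0002) + b"\0" * 16
        struct.pack_into("<II", img, 0x58 + 112 + 32, len(img), len(cert))
        img += cert
    return bytes(img)
```

Run it on the bytes of a real bootx64.efi or grubx64.efi by passing `open(path, "rb").read()`; certificate type 2 is a PKCS#7 SignedData blob, whose signer can then be inspected with a tool such as sbverify.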

#19 2024-03-19 19:41:29

nahkhiirmees
Member
Registered: 2022-07-24
Posts: 196  

Re: Live cd unable to boot with secure boot enabled

After some experiments it became clear to me that when secureboot is on, it verifies the signatures on removable media too. For some reason I thought that when SB is on it just refuses to boot from that kind of media.

Offline

#20 2024-03-19 22:19:42

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 596  

Re: Live cd unable to boot with secure boot enabled

Hi, I noticed on my bios settings when secureboot is switched on another menu becomes available

where I can select forbidden devices like cdrom, usb, wake on lan (or something like that)

maybe you have that setting as well.

Generally I haven't used secureboot since I found a way to turn it off, so I'm no expert.



Offline
