The officially official Devuan Forum!

#1 2023-12-04 10:07:30

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Live cd unable to boot with secure boot enabled

Hello,

I'd like to boot from Daedalus live on a USB key but it doesn't. I can boot Fedora 39 live, Debian 12 live, MX Linux live.

I can not boot Nitrux live either.

Secure boot is enabled and I can't disable it because I don't have the supervisor password... I guess that it's the problem.

Do you have any clues to help me?

Thank you,

Guillaume

Offline

#2 2023-12-04 21:30:29

nahkhiirmees
Member
Registered: 2022-07-24
Posts: 261  

Re: Live cd unable to boot with secure boot enabled

I think that booting from usb stick or optical disc is not supposed to work when secureboot is active.

Offline

#3 2023-12-05 16:27:35

andyp67
Member
Registered: 2022-10-30
Posts: 228  

Re: Live cd unable to boot with secure boot enabled

I have three modern Intel (N3350, J3355,) UEFI BIOS computers.
I am looking at three displays right now, this one I am typing this, and the other two I am playing around with booting.
I have enabled secure boot and booted, both display

----------------------------------
Secure Boot Violation
Invalid signature detected
----------------------------------

I think that if you have managed to boot an OS, secure boot is disabled

Offline

#4 2023-12-05 16:34:58

rolfie
Member
Registered: 2017-11-25
Posts: 1,327  

Re: Live cd unable to boot with secure boot enabled

Try the netinstall ...

Offline

#5 2023-12-05 16:50:53

andyp67
Member
Registered: 2022-10-30
Posts: 228  

Re: Live cd unable to boot with secure boot enabled

dd in Linux
and use Rufus in Windows and choose the dd option if offered.

Offline

#6 2023-12-07 08:11:16

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

nahkhiirmees wrote:

I think that booting from usb stick or optical disc is not supposed to work when secureboot is active.

Secure boot is enabled and I can boot Fedora,... from USB. I think there is a missing part on the Devuan live USB (a part signed with a Microsoft key).

Offline

#7 2023-12-07 08:16:51

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

andyp67 wrote:

I have three modern Intel (N3350, J3355,) UEFI BIOS computers.
I am looking at three displays right now, this one I am typing this, and the other two I am playing around with booting.
I have enabled secure boot and booted, both display

----------------------------------
Secure Boot Violation
Invalid signature detected
----------------------------------

I think that if you have managed to boot an OS, secure boot is disabled

As I wrote, I can't disable Secure Boot because I don't know the supervisor password. Fedora, MX Linux and Debian boot from USB (and I installed Fedora and can boot from the SSD too; a message saying Secure Boot is enabled is displayed on the grub screen... but I don't want to use Fedora).

Offline

#8 2023-12-07 08:18:02

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

rolfie wrote:

Try the netinstall ...

Thank you, I will try to boot the netinstall

Offline

#9 2023-12-07 08:19:08

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

andyp67 wrote:

dd in Linux
and use Rufus in Windows and choose the dd option if offered.

I used dd for the creation of all the installation media.

Offline

#10 2023-12-07 14:37:16

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

GuillaumeWA wrote:
rolfie wrote:

Try the netinstall ...

Thank you, I will try to boot the netinstall

=> It doesn't boot

Offline

#11 2023-12-07 18:50:37

rolfie
Member
Registered: 2017-11-25
Posts: 1,327  

Re: Live cd unable to boot with secure boot enabled

Too bad, I thought it might work. I do disable Secure Boot on every computer I take my hands on.

Offline

#12 2023-12-07 21:55:43

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,735  

Re: Live cd unable to boot with secure boot enabled

If I make a desktop-live iso with signed grub and kernel, will you test it for me? I am unable to test secure boot.
I could have it ready in a day or two and post a link here.

Thanks.

Offline

#13 2023-12-08 08:00:36

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

fsmithred wrote:

If I make a desktop-live iso with signed grub and kernel, will you test it for me? I am unable to test secure boot.
I could have it ready in a day or two and post a link here.

Thanks.

Ok, I will test it. My guess is that you will need the shim package from Debian (signed with a Microsoft key?). I read that Ubuntu manages to boot with only the EFI application signed while Fedora uses a chain of trust with everything signed from EFI to loaded modules (you can see the status of secure boot on FreeBSD with those details: https://wiki.freebsd.org/SecureBoot).

Offline

#14 2023-12-08 16:35:48

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,735  

Re: Live cd unable to boot with secure boot enabled

I put the iso on my old website because it was easier to get there from the build host.
http://distro.ibiblio.org/refracta/file … p-live.iso

sha256sum

4fb0a40a6f58e358e00e940e3ac6c1112ef450dffdcb509bd0df6949041b477c  devuan_daedalus_5.0-signed-test_amd64_desktop-live.iso

Offline

#15 2023-12-09 18:23:37

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

fsmithred wrote:

I put the iso on my old website because it was easier to get there from the build host.
http://distro.ibiblio.org/refracta/file … p-live.iso

sha256sum

4fb0a40a6f58e358e00e940e3ac6c1112ef450dffdcb509bd0df6949041b477c  devuan_daedalus_5.0-signed-test_amd64_desktop-live.iso

Hello,

I tested it and it doesn't boot. I don't know your recipe; is it a hybrid ISO? Because my understanding is that my computer must boot in UEFI with a signed EFI application (with the third party market key from Microsoft).

Offline

#16 2023-12-09 20:42:05

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,735  

Re: Live cd unable to boot with secure boot enabled

Yes, it's isohybrid. I installed grub-efi-amd64-signed and shim-signed, which pulled in a couple other things. I assume the kernel is signed because there is no kernel package linux-image-*-signed, but there is an -unsigned kernel package. I did not install the -unsigned.

Edit:
When I get to fast internet, I'll download debian-live to compare.

Offline

#17 2023-12-10 13:26:22

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

fsmithred wrote:

Yes, it's isohybrid. I installed grub-efi-amd64-signed and shim-signed, which pulled in a couple other things. I assume the kernel is signed because there is no kernel package linux-image-*-signed, but there is an -unsigned kernel package. I did not install the -unsigned.

Edit:
When I get to fast internet, I'll download debian-live to compare.

Ok, I'll look at it too.

Offline

#18 2023-12-20 18:52:00

GuillaumeWA
Member
Registered: 2023-12-04
Posts: 10  

Re: Live cd unable to boot with secure boot enabled

It seems that your ISO image doesn't contain the right EFI application: for secure boot with Microsoft signature, I need the EFI application from /usr/lib/shim/shimx64.efi.signed (package shim-signed) and a grub EFI application signed with the Debian signature (package grub-efi-amd64-signed), both in the ESP partition inside the /EFI/boot/ directory.

Offline

#19 2024-03-19 19:41:29

nahkhiirmees
Member
Registered: 2022-07-24
Posts: 261  

Re: Live cd unable to boot with secure boot enabled

After some experiments it became clear to me that when secureboot is on, it verifies the signatures on removable media too. For some reason I thought that when SB is on it just refuses to boot from that kind of media.

Offline

#20 2024-03-19 22:19:42

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 681  

Re: Live cd unable to boot with secure boot enabled

Hi, I noticed on my bios settings when secureboot is switched on another menu becomes available

where I can select forbidden devices like cdrom, usb, wake on lan (or something like that)

maybe you have that setting as well.

Generally I haven't used secureboot since I found a way to turn it off, so I'm no expert.


pic from 1993, new guitar day.

Offline

#21 2025-01-10 17:30:05

Torclyn
Member
From: MoN, Northern Germany
Registered: 2019-06-09
Posts: 8  

Re: Live cd unable to boot with secure boot enabled

I can confirm that neither the Daedalus live ISO nor the netinstall seems to work on a machine with secureboot enabled. If that's of any help, I'll volunteer to test any new images - fsmithred's link above gives me a 404.


Everyone has a right to their own opinion, but not their own facts

Offline

#22 2025-01-10 19:04:00

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,735  

Re: Live cd unable to boot with secure boot enabled

Thanks for testing. Here's a new live iso. This one has bootx64.efi and shimx64.efi.signed in efi/boot. I made this one using refractasnapshot and had to copy the shim into the iso build tree manually. If it works, I'll work it into live-sdk so it gets into the official isos.

devuan_5_signed-test_amd64-20250110_1825.iso
https://distro.ibiblio.org/refracta/files/experimental/

sha256sum:

ec458d2e023b7d6abc982c8c0f690250c562133a5b0491ced3226602d662903d  devuan_5_signed-test_amd64-20250110_1825.iso

Offline
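
Added example (not part of the thread, and not code from Devuan or any poster): a way to check what posts #18 and #22 describe, namely which EFI binaries in an image's efi/boot directory carry an embedded Authenticode signature. It reads the PE Certificate Table directly; `pe_signatures`, `audit_esp` and `build_sample` are hypothetical names, the sample header is constructed, and the result says only that a signature is present, not who signed it or whether the firmware's db trusts it.

```python
import struct
from pathlib import Path

SECURITY_DIR = 4  # index of the Certificate Table in the PE data directory

def pe_signatures(data: bytes) -> list:
    """Return (revision, type) of each WIN_CERTIFICATE attached to a PE/EFI image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE header")
    opt = pe_off + 24                       # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional-header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    (count,) = struct.unpack_from("<I", data, dirs - 4)
    if count <= SECURITY_DIR:
        return []
    off, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)  # file offset, not an RVA
    end, found = off + size, []
    if end > len(data):
        raise ValueError("certificate table runs past end of file")
    while off and off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, off)
        if length < 8:
            raise ValueError("corrupt WIN_CERTIFICATE length")
        found.append((revision, cert_type))
        off += (length + 7) & ~7            # entries are padded to 8 bytes
    return found

def audit_esp(root) -> dict:
    """Signature count for every file under root whose name contains '.efi'."""
    return {p.relative_to(root).as_posix().lower(): len(pe_signatures(p.read_bytes()))
            for p in sorted(Path(root).rglob("*"))
            if p.is_file() and ".efi" in p.name.lower()}

def build_sample(signed: bool) -> bytes:
    """Constructed PE32+ header for the demo; not a bootable binary."""
    opt = bytearray(240)                    # 112 fixed bytes + 16 directory entries
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    head = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    cert = struct.pack("<IHH", 19, 0x0200, 0x0002) + b"constructed".ljust(16, b"\0")
    if signed:                              # point the directory at the appended blob
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 328, len(cert))
    return head + bytes(opt) + (cert if signed else b"")
```

Call `audit_esp` on the mounted ISO or ESP directory; a count of 0 means the file has no embedded signature for the firmware or shim to verify.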

#23 2025-01-10 20:47:20

Torclyn
Member
From: MoN, Northern Germany
Registered: 2019-06-09
Posts: 8  

Re: Live cd unable to boot with secure boot enabled

Thanks for the quick reply!

I'm downloading right now and will hopefully get to test it over the weekend.


Everyone has a right to their own opinion, but not their own facts

Offline

#24 2025-01-15 18:52:26

Torclyn
Member
From: MoN, Northern Germany
Registered: 2019-06-09
Posts: 8  

Re: Live cd unable to boot with secure boot enabled

Hi fsmithred,
I got around to some testing at last - sorry for the delay.
Unfortunately it doesn't seem the image works:
While booting from a USB stick (created with dd) the computer will complain it didn't find a valid signature and not boot at all. When using a Ventoy medium, we get as far as the grub menu, whereafter - no matter which entry has been selected - the following message is displayed:

error: shim_lock protocol not found.
error: you need do load the kernel first.

Tested on two different machines with the same results. Debian boots without trouble on both of them.
Please let me know if there is anything else I can do!


Everyone has a right to their own opinion, but not their own facts

Offline
