Live cd unable to boot with secure boot enabled

GuillaumeWA · 2023-12-04 10:07:30

Hello,

I'd like to boot from daedalus live on an usb key but it doesn't . I can boot Fedora 39 live, Debian 12 live, MX Linux live.

I can not boot Nitrux live either.

Secure boot is enabled and i can't disable it because i don't have the supervisor password.... i guess that it's the problem

Do you have any clues to help me?

Thank you,

Guillaume

nahkhiirmees · 2023-12-04 21:30:29

I think that booting from usb stick or optical disc is not supposed to work when secureboot is active.

andyp67 · 2023-12-05 16:27:35

I have three modern Intel (N3350, J3355,) UEFI BIOS computers.
I am looking at three displays right now, this one I am typing this, and the other two I am playing around with booting.
I have enabled secure boot and booted, both display

----------------------------------
Secure Boot Violation
Invalid signature detected
----------------------------------

I think that if you have managed to boot an OS, secure boot is disabled

rolfie · 2023-12-05 16:34:58

Try the netinstall ...

andyp67 · 2023-12-05 16:50:53

dd in Linux
and use Rufus in Windows and choose the dd option if offered.

GuillaumeWA · 2023-12-07 08:11:16

nahkhiirmees wrote:

I think that booting from usb stick or optical disc is not supposed to work when secureboot is active.

Secure boot is enabled and i can boot Fedora,... from usb, i think there is a missing part on the devuan live usb (a part signed with a Microsoft key)

GuillaumeWA · 2023-12-07 08:16:51

andyp67 wrote:

I have three modern Intel (N3350, J3355,) UEFI BIOS computers.
I am looking at three displays right now, this one I am typing this, and the other two I am playing around with booting.
I have enabled secure boot and booted, both display
----------------------------------
Secure Boot Violation
Invalid signature detected
----------------------------------
I think that if you have managed to boot an OS, secure boot is disabled

As i wrote, I can't disable Secure boot because i don't know the supervisor password. Fedora, MX linux and Debian boot from usb (and i installed Fedora and can boot from the ssd too, a message saying Secure Boot is enabled is displayed on the grub screen... but i don't want to use Fedora)

GuillaumeWA · 2023-12-07 08:18:02

rolfie wrote:

Try the netinstall ...

Thank you, I will try to boot the netinstall

GuillaumeWA · 2023-12-07 08:19:08

andyp67 wrote:

dd in Linux
and use Rufus in Windows and choose the dd option if offered.

I used dd for the creation of all the installation medias

GuillaumeWA · 2023-12-07 14:37:16

GuillaumeWA wrote:

rolfie wrote:
Try the netinstall ...
Thank you, I will try to boot the netinstall

=> It doesn't boot

rolfie · 2023-12-07 18:50:37

Too bad, I thought it might work. I do disable Secure Boot on every computer I take my hands on.

fsmithred · 2023-12-07 21:55:43

If I make a desktop-live iso with signed grub and kernel, will you test it for me? I am unable to test secure boot.
I could have it ready in a day or two and post a link here.

Thanks.

GuillaumeWA · 2023-12-08 08:00:36

fsmithred wrote:

If I make a desktop-live iso with signed grub and kernel, will you test it for me? I am unable to test secure boot.
I could have it ready in a day or two and post a link here.
Thanks.

Ok, I will test it, my guess is that you will need the shim package from debian (signed with a Microsoft's key?). I read that Ubuntu manages to boot with only the efi application signed while Fedora uses a chain of trust with everything signed from efi to loaded modules (you can see the status of secure boot on freebsd with thoose details https://wiki.freebsd.org/SecureBoot)

fsmithred · 2023-12-08 16:35:48

I put the iso on my old website because it was easier to get there from the build host.,
http://distro.ibiblio.org/refracta/file … p-live.iso

sha256sum

4fb0a40a6f58e358e00e940e3ac6c1112ef450dffdcb509bd0df6949041b477c  devuan_daedalus_5.0-signed-test_amd64_desktop-live.iso

GuillaumeWA · 2023-12-09 18:23:37

fsmithred wrote:

I put the iso on my old website because it was easier to get there from the build host.,
http://distro.ibiblio.org/refracta/file … p-live.iso
sha256sum
4fb0a40a6f58e358e00e940e3ac6c1112ef450dffdcb509bd0df6949041b477c  devuan_daedalus_5.0-signed-test_amd64_desktop-live.iso

Hello,

I tested it and it doesn't boot, i don't know your recipe, is it an hybrid iso? because my understanding is that my computer must boot in uefi with a signed efi application (with the third party market key from microsoft)

fsmithred · 2023-12-09 20:42:05

Yes, it's isohybrid. I installed grub-efi-amd64-signed and shim-signed, which pulled in a couple other things. I assume the kernel is signed because there is no kernel package linux-image-*-signed, but there is an -unsigned kernel package. I did not install the -unsigned.

Edit:
When I get to fast internet, I'll download debian-live to compare.

GuillaumeWA · 2023-12-10 13:26:22

fsmithred wrote:

Yes, it's isohybrid. I installed grub-efi-amd64-signed and shim-signed, which pulled in a couple other things. I assume the kernel is signed because there is no kernel package linux-image-*-signed, but there is an -unsigned kernel package. I did not install the -unsigned.
Edit:
When I get to fast internet, I'll download debian-live to compare.

Ok, i'll look at it too

GuillaumeWA · 2023-12-20 18:52:00

It seems that your iso image doesn't contain the right efi application : for secure boot with Microsoft signature, i need the efi application from /usr/lib/shim/shimx64.efi.signed (package shim-signed) and a grub efi application signed with the debian signature (package grub-efi-amd64-signed), both in the ESP partition inside the /EFI/boot/ directory

nahkhiirmees · 2024-03-19 19:41:29

After some experiments it became clear to me that when secureboot is on, it verifies the signatures on removable media too. For some reason i thought that when SB is on it just refuses to boot from that kind of media.

GlennW · 2024-03-19 22:19:42

Hi, I noticed on my bios settings when secureboot is switched on another menu becomes available

where I can select forbidden devices like cdrom, usb, wake on lan (or something like that)

maybe you have that setting as well.

Generally I haven't used secureboot since I found a way to turn it off, so I'm no expert.

The officially official Devuan Forum!

#1 2023-12-04 10:07:30

Live cd unable to boot with secure boot enabled

#2 2023-12-04 21:30:29

Re: Live cd unable to boot with secure boot enabled

#3 2023-12-05 16:27:35

Re: Live cd unable to boot with secure boot enabled

#4 2023-12-05 16:34:58

Re: Live cd unable to boot with secure boot enabled

#5 2023-12-05 16:50:53

Re: Live cd unable to boot with secure boot enabled

#6 2023-12-07 08:11:16

Re: Live cd unable to boot with secure boot enabled

#7 2023-12-07 08:16:51

Re: Live cd unable to boot with secure boot enabled

#8 2023-12-07 08:18:02

Re: Live cd unable to boot with secure boot enabled

#9 2023-12-07 08:19:08

Re: Live cd unable to boot with secure boot enabled

#10 2023-12-07 14:37:16

Re: Live cd unable to boot with secure boot enabled

#11 2023-12-07 18:50:37

Re: Live cd unable to boot with secure boot enabled

#12 2023-12-07 21:55:43

Re: Live cd unable to boot with secure boot enabled

#13 2023-12-08 08:00:36

Re: Live cd unable to boot with secure boot enabled

#14 2023-12-08 16:35:48

Re: Live cd unable to boot with secure boot enabled

#15 2023-12-09 18:23:37

Re: Live cd unable to boot with secure boot enabled

#16 2023-12-09 20:42:05

Re: Live cd unable to boot with secure boot enabled

#17 2023-12-10 13:26:22

Re: Live cd unable to boot with secure boot enabled

#18 2023-12-20 18:52:00

Re: Live cd unable to boot with secure boot enabled

#19 2024-03-19 19:41:29

Re: Live cd unable to boot with secure boot enabled

#20 2024-03-19 22:19:42

Re: Live cd unable to boot with secure boot enabled

Board footer