Live cd unable to boot with secure boot enabled

GuillaumeWA · 2023-12-04 10:07:30

Hello,

I'd like to boot from daedalus live on an usb key but it doesn't . I can boot Fedora 39 live, Debian 12 live, MX Linux live.

I can not boot Nitrux live either.

Secure boot is enabled and i can't disable it because i don't have the supervisor password.... i guess that it's the problem

Do you have any clues to help me?

Thank you,

Guillaume

nahkhiirmees · 2023-12-04 21:30:29

I think that booting from usb stick or optical disc is not supposed to work when secureboot is active.

andyp67 · 2023-12-05 16:27:35

I have three modern Intel (N3350, J3355,) UEFI BIOS computers.
I am looking at three displays right now, this one I am typing this, and the other two I am playing around with booting.
I have enabled secure boot and booted, both display

----------------------------------
Secure Boot Violation
Invalid signature detected
----------------------------------

I think that if you have managed to boot an OS, secure boot is disabled

rolfie · 2023-12-05 16:34:58

Try the netinstall ...

andyp67 · 2023-12-05 16:50:53

dd in Linux
and use Rufus in Windows and choose the dd option if offered.

GuillaumeWA · 2023-12-07 08:11:16

nahkhiirmees wrote:

I think that booting from usb stick or optical disc is not supposed to work when secureboot is active.

Secure boot is enabled and i can boot Fedora,... from usb, i think there is a missing part on the devuan live usb (a part signed with a Microsoft key)

GuillaumeWA · 2023-12-07 08:16:51

andyp67 wrote:

I have three modern Intel (N3350, J3355,) UEFI BIOS computers.
I am looking at three displays right now, this one I am typing this, and the other two I am playing around with booting.
I have enabled secure boot and booted, both display
----------------------------------
Secure Boot Violation
Invalid signature detected
----------------------------------
I think that if you have managed to boot an OS, secure boot is disabled

As i wrote, I can't disable Secure boot because i don't know the supervisor password. Fedora, MX linux and Debian boot from usb (and i installed Fedora and can boot from the ssd too, a message saying Secure Boot is enabled is displayed on the grub screen... but i don't want to use Fedora)

GuillaumeWA · 2023-12-07 08:18:02

rolfie wrote:

Try the netinstall ...

Thank you, I will try to boot the netinstall

GuillaumeWA · 2023-12-07 08:19:08

andyp67 wrote:

dd in Linux
and use Rufus in Windows and choose the dd option if offered.

I used dd for the creation of all the installation medias

GuillaumeWA · 2023-12-07 14:37:16

GuillaumeWA wrote:

rolfie wrote:
Try the netinstall ...
Thank you, I will try to boot the netinstall

=> It doesn't boot

rolfie · 2023-12-07 18:50:37

Too bad, I thought it might work. I do disable Secure Boot on every computer I take my hands on.

fsmithred · 2023-12-07 21:55:43

If I make a desktop-live iso with signed grub and kernel, will you test it for me? I am unable to test secure boot.
I could have it ready in a day or two and post a link here.

Thanks.

GuillaumeWA · 2023-12-08 08:00:36

fsmithred wrote:

If I make a desktop-live iso with signed grub and kernel, will you test it for me? I am unable to test secure boot.
I could have it ready in a day or two and post a link here.
Thanks.

Ok, I will test it, my guess is that you will need the shim package from debian (signed with a Microsoft's key?). I read that Ubuntu manages to boot with only the efi application signed while Fedora uses a chain of trust with everything signed from efi to loaded modules (you can see the status of secure boot on freebsd with thoose details https://wiki.freebsd.org/SecureBoot)

fsmithred · 2023-12-08 16:35:48

I put the iso on my old website because it was easier to get there from the build host.,
http://distro.ibiblio.org/refracta/file … p-live.iso

sha256sum

4fb0a40a6f58e358e00e940e3ac6c1112ef450dffdcb509bd0df6949041b477c  devuan_daedalus_5.0-signed-test_amd64_desktop-live.iso

GuillaumeWA · 2023-12-09 18:23:37

fsmithred wrote:

I put the iso on my old website because it was easier to get there from the build host.,
http://distro.ibiblio.org/refracta/file … p-live.iso
sha256sum
4fb0a40a6f58e358e00e940e3ac6c1112ef450dffdcb509bd0df6949041b477c  devuan_daedalus_5.0-signed-test_amd64_desktop-live.iso

Hello,

I tested it and it doesn't boot, i don't know your recipe, is it an hybrid iso? because my understanding is that my computer must boot in uefi with a signed efi application (with the third party market key from microsoft)

fsmithred · 2023-12-09 20:42:05

Yes, it's isohybrid. I installed grub-efi-amd64-signed and shim-signed, which pulled in a couple other things. I assume the kernel is signed because there is no kernel package linux-image-*-signed, but there is an -unsigned kernel package. I did not install the -unsigned.

Edit:
When I get to fast internet, I'll download debian-live to compare.

GuillaumeWA · 2023-12-10 13:26:22

fsmithred wrote:

Yes, it's isohybrid. I installed grub-efi-amd64-signed and shim-signed, which pulled in a couple other things. I assume the kernel is signed because there is no kernel package linux-image-*-signed, but there is an -unsigned kernel package. I did not install the -unsigned.
Edit:
When I get to fast internet, I'll download debian-live to compare.

Ok, i'll look at it too

GuillaumeWA · 2023-12-20 18:52:00

It seems that your iso image doesn't contain the right efi application : for secure boot with Microsoft signature, i need the efi application from /usr/lib/shim/shimx64.efi.signed (package shim-signed) and a grub efi application signed with the debian signature (package grub-efi-amd64-signed), both in the ESP partition inside the /EFI/boot/ directory

nahkhiirmees · 2024-03-19 19:41:29

After some experiments it became clear to me that when secureboot is on, it verifies the signatures on removable media too. For some reason i thought that when SB is on it just refuses to boot from that kind of media.

GlennW · 2024-03-19 22:19:42

Hi, I noticed on my bios settings when secureboot is switched on another menu becomes available

where I can select forbidden devices like cdrom, usb, wake on lan (or something like that)

maybe you have that setting as well.

Generally I haven't used secureboot since I found a way to turn it off, so I'm no expert.

Torclyn · 2025-01-10 17:30:05

I can confirm that neither the Daedalus live ISO nor the netinstall seems to work on a machine with secureboot enabled. If that's of any help, I'll volunteer to test any new images - fsmithreds link above gives me a 404.

fsmithred · 2025-01-10 19:04:00

Thanks for testing. Here's a new live iso. This one has bootx64.efi and shimx64.efi.signed in efi/boot. I made this one using refractasnapshot and had to copy the shim into the iso build tree manually. If it works, I'll work it into live-sdk so it gets into the official isos.

devuan_5_signed-test_amd64-20250110_1825.iso
https://distro.ibiblio.org/refracta/files/experimental/

sha256sum:

ec458d2e023b7d6abc982c8c0f690250c562133a5b0491ced3226602d662903d  devuan_5_signed-test_amd64-20250110_1825.iso

Torclyn · 2025-01-10 20:47:20

Thanks for the quick reply!

I'm downloading right now and will hopefully get to test it over the weekend.

Torclyn · 2025-01-15 18:52:26

Hi fsmithred,
I got around to some testing at last - sorry for the delay.
Unfortunataly it doesn't seem the image works:
While booting from a USB stick (created with dd) the computer will complain it didn't find a valid signature and not boot at all. When using a Ventoy medium, we get as far as the grub menu, whereafter - no matter which entry has been selected - the following message is displayed:

error: shim_lock protocol not found.
error: you need do load the kernel first.

Tested on two different machines with the same results. Debian boots without trouble on both of them.
Please let me know if there is anything else I can do!

The officially official Devuan Forum!

#1 2023-12-04 10:07:30

Live cd unable to boot with secure boot enabled

#2 2023-12-04 21:30:29

Re: Live cd unable to boot with secure boot enabled

#3 2023-12-05 16:27:35

Re: Live cd unable to boot with secure boot enabled

#4 2023-12-05 16:34:58

Re: Live cd unable to boot with secure boot enabled

#5 2023-12-05 16:50:53

Re: Live cd unable to boot with secure boot enabled

#6 2023-12-07 08:11:16

Re: Live cd unable to boot with secure boot enabled

#7 2023-12-07 08:16:51

Re: Live cd unable to boot with secure boot enabled

#8 2023-12-07 08:18:02

Re: Live cd unable to boot with secure boot enabled

#9 2023-12-07 08:19:08

Re: Live cd unable to boot with secure boot enabled

#10 2023-12-07 14:37:16

Re: Live cd unable to boot with secure boot enabled

#11 2023-12-07 18:50:37

Re: Live cd unable to boot with secure boot enabled

#12 2023-12-07 21:55:43

Re: Live cd unable to boot with secure boot enabled

#13 2023-12-08 08:00:36

Re: Live cd unable to boot with secure boot enabled

#14 2023-12-08 16:35:48

Re: Live cd unable to boot with secure boot enabled

#15 2023-12-09 18:23:37

Re: Live cd unable to boot with secure boot enabled

#16 2023-12-09 20:42:05

Re: Live cd unable to boot with secure boot enabled

#17 2023-12-10 13:26:22

Re: Live cd unable to boot with secure boot enabled

#18 2023-12-20 18:52:00

Re: Live cd unable to boot with secure boot enabled

#19 2024-03-19 19:41:29

Re: Live cd unable to boot with secure boot enabled

#20 2024-03-19 22:19:42

Re: Live cd unable to boot with secure boot enabled

#21 2025-01-10 17:30:05

Re: Live cd unable to boot with secure boot enabled

#22 2025-01-10 19:04:00

Re: Live cd unable to boot with secure boot enabled

#23 2025-01-10 20:47:20

Re: Live cd unable to boot with secure boot enabled

#24 2025-01-15 18:52:26

Re: Live cd unable to boot with secure boot enabled

Board footer