[Solved] Security Boot Fail

Technical issues/questions of an intermediate or advanced nature.
Jack
Contributor
Contributor
Posts: 1541
Joined: 09 Aug 2013, 14:25
Distribution: Porteus 4.0rc4 My Mate 64 bit
Location: USA

Security Boot Fail

Post#16 by Jack » 11 Sep 2018, 17:14

Ed_P wrote:
11 Sep 2018, 17:01
Jack wrote:
11 Sep 2018, 16:47
You use 1 partition and I use 2 partition because I am using a 32gb USB and partition is the FAT 32 Boot and partition 2 is the rest and it is EXT 4 the working partition. I been using this for years but now the Acer can use the EFI and that what I want to do. I don't use save.dat file.
That's fine Jack, you can use 2 partitions with EFI. And the install of Porteus 4.0 on a USB drive will boot on a EFI system if the Secure Boot option is disabled. What you have on your 1st partition is not a normal install of Porteus.
I had it work once before but I don't know why it won't work now.
I just like Slackware because I think it teach you about Linux to build packages where Ubuntu is like Windows you just install programs you want.

jssouza
DEV Team
DEV Team
Posts: 645
Joined: 09 Jul 2015, 14:17
Distribution: Porteus x86 arm
Location: Liechtenstein

Security Boot Fail

Post#17 by jssouza » 11 Sep 2018, 18:04

Ed_P wrote:
11 Sep 2018, 17:09
So basically you don't boot to Ubuntu you boot to grub. Interesting.
Isn't it? I thought this might be easier, because one does not need to go into the bios, and turn off secure boot. One step lesser, hence easier.

Jack
Contributor
Contributor
Posts: 1541
Joined: 09 Aug 2013, 14:25
Distribution: Porteus 4.0rc4 My Mate 64 bit
Location: USA

Security Boot Fail

Post#18 by Jack » 11 Sep 2018, 18:20

Well I found my other USB and that one works. I am not worry about Security Boot because my other Computer's dose not have Security Boot and I had no problem with them.
I just like Slackware because I think it teach you about Linux to build packages where Ubuntu is like Windows you just install programs you want.

User avatar
Ed_P
Contributor
Contributor
Posts: 4156
Joined: 06 Feb 2013, 22:12
Distribution: 4.0 Cinnamon 64-bit ISO
Location: Western NY, USA

Security Boot Fail

Post#19 by Ed_P » 11 Sep 2018, 18:27

jssouza wrote:
11 Sep 2018, 18:04
One step lesser, hence easier.
:D
Download Ubuntu
Install Ubuntu to flash drive
Delete all Ubuntu files from flash drive except for ....

Definitely quicker to turn Secure Boot off. :happy62:
Ed

jssouza
DEV Team
DEV Team
Posts: 645
Joined: 09 Jul 2015, 14:17
Distribution: Porteus x86 arm
Location: Liechtenstein

Security Boot Fail

Post#20 by jssouza » 11 Sep 2018, 19:21

Ed_P, I have this computer that has a a feature called secure boot, that I have enabled. And oh it runs Porteus with this feauture enabled.

Do you have a secure boot enabled computer Ed_P? Oh, and does it run Porteus? :)

User avatar
Ed_P
Contributor
Contributor
Posts: 4156
Joined: 06 Feb 2013, 22:12
Distribution: 4.0 Cinnamon 64-bit ISO
Location: Western NY, USA

Security Boot Fail

Post#21 by Ed_P » 11 Sep 2018, 23:51

jssouza wrote:
11 Sep 2018, 19:21
Do you have a secure boot enabled computer Ed_P? Oh, and does it run Porteus? :)
I have an EFI computer and when Secure Boot is enabled and I attempt to boot the USB drive the machine runs a RAM test then tells me it can't find a system to boot. I can only boot the Porteus 4.0 USB drive with Secure Boot disabled. The USB drive has Porteus 4.0 Cinnamon installed on it, the current version. ;)

Code: Select all

Boot device: /dev/sdb1
Device format: "vfat" 
Boot DE:  jssouza-180702.xzm
 Changes will not be saved.
 To save changes create a save.dat file using Porteus Savefile Manager.
Cmdline:  quiet BOOT_IMAGE=/boot/syslinux/vmlinuz volume=23 extramod=UUID:8486-DDC5/Modules;UUID:8486-DDC5/Modsavedat noload=save.dat;cinnamon initrd=/boot/syslinux/initrd.xz
-update-

The Terminal Method described here sounds like it might be a better approach to adding the Ubuntu grub2 boot function to the USB drive: https://www.howtogeek.com/114884/how-to ... wont-boot/

This link shows a good approach also. https://www.pendrivelinux.com/install-g ... ntu-linux/
Ed

jssouza
DEV Team
DEV Team
Posts: 645
Joined: 09 Jul 2015, 14:17
Distribution: Porteus x86 arm
Location: Liechtenstein

Security Boot Fail

Post#22 by jssouza » 12 Sep 2018, 04:57

It also takes away with the whole portability idea. I mean, we say install porteus on a USB drive that you carry in your pocket, which you can boot your customized OS on any computer. That's not really true is it. You can boot it only from your computers where you have disabled secure boot. But outside (friend's place or at the workplace) it wont boot if secure boot is on. You cannot disable secure boot here.

User avatar
Ed_P
Contributor
Contributor
Posts: 4156
Joined: 06 Feb 2013, 22:12
Distribution: 4.0 Cinnamon 64-bit ISO
Location: Western NY, USA

Security Boot Fail

Post#23 by Ed_P » 12 Sep 2018, 15:25

jssouza wrote:
12 Sep 2018, 04:57
You can boot it only from your computers where you have disabled secure boot. But outside (friend's place or at the workplace) it wont boot if secure boot is on. You cannot disable secure boot here.
Good point jssouza. :happy62:

So Porteus would need to develop a signed grub2 system, and I suspect there is $$ involved in the signing, or develop a script to download Ubuntu and have it install Ubuntu's grub2 system then add Porteus' boot menu to it.

-update-

An interesting Secure Boot read: https://www.rodsbooks.com/efi-bootloade ... eboot.html
Ed

User avatar
Ed_P
Contributor
Contributor
Posts: 4156
Joined: 06 Feb 2013, 22:12
Distribution: 4.0 Cinnamon 64-bit ISO
Location: Western NY, USA

[Solved] Security Boot Fail

Post#24 by Ed_P » 08 Oct 2018, 05:19

Ok jssouza I am running Porteus 4.0 from a USB flash drive on a Windows 10 EFI machine with Secure Boot enabled. :celebrate3:

Before I forget what I did to get here:

1. I used my USB flash drive with Porteus 4.0 Cinnamon installed onto it.
2. I downloaded a Ubuntu Live system ISO. ubuntu-18.04.1-desktop-amd64.iso
(my first time using Ubuntu. An impressive system. And 2GB!).
3. I renamed the flash drive's /EFI/boot/ folder to /EFI/Porteusboot/
4. I copied the Ubuntu Live system's /EFI/BOOT/ folder to the flash drive's /EFI/ folder.
5. I copied the Ubuntu Live system's /boot/grub/ folder to the flash drive's /boot/ folder.
6. I renamed the flash drive's /boot/grub/grub.cfg file grubUbuntu.cfg.
7. I added this grub.cfg file to the flash drive's /boot/grub/ folder:

Code: Select all

set timeout=60
set default=0
set gfxmode=1024x768,auto
 
menuentry " Porteus 4.0 USB - AF'" {
     
     set porteus_parms="volume=33 reboot=cold extramod=/Modules;/Modsavedat noload=save.dat;cinnamon"

     set bootdrv=$root
     search -f /boot/syslinux/vmlinuz --set=root
     if [ $root == $bootdrv ]; then
        linux  /boot/syslinux/vmlinuz $porteus_parms
        initrd /boot/syslinux/initrd.xz
     else
        echo "----------------------------------------"
        echo USB drive NOT found.
        echo
        sleep -v -i 10
     fi
     set root=$bootdrv
     }

menuentry " Porteus 4.0 USB - EFI" {

     set efibootmgr=/EFI/Porteusboot/bootx64.efi

     set bootdrv=$root
     search -f $efibootmgr --set=root
     if [ $root == $bootdrv ]; then
        chainloader $efibootmgr
     else
        echo "----------------------------------------"
        echo USB drive NOT found.
        echo
        sleep -v -i 10
     fi
     set root=$bootdrv 
     }
The 1st menuitem works. The 2nd doesn't and I am still playing with it. But my Porteus 4.0 flash drive is running on a Secure Boot EFI machine. :happy62:

Code: Select all

Boot device: /dev/sdb1
Device format: "vfat" 
Boot DE:  jssouza-180702.xzm
 Changes will not be saved.
 To save changes create a save.dat file using Porteus Savefile Manager.
Cmdline:  quiet BOOT_IMAGE=/boot/syslinux/vmlinuz volume=33 reboot=cold extramod=/Modules;/Modsavedat noload=save.dat;cinnamon
Ed

jssouza
DEV Team
DEV Team
Posts: 645
Joined: 09 Jul 2015, 14:17
Distribution: Porteus x86 arm
Location: Liechtenstein

[Solved] Security Boot Fail

Post#25 by jssouza » 08 Oct 2018, 05:51

Happy for you Ed_P :good:
Ed_P wrote:
08 Oct 2018, 05:19
The 1st menuitem works. The 2nd doesn't and I am still playing with it.

Probably because that is the EFI loader that is not signed, hence with secure boot on, you cannot boot with it.

Oh, BTW, this flash drive, should work on *any* machine, making it truely portable :happy62:

User avatar
Ed_P
Contributor
Contributor
Posts: 4156
Joined: 06 Feb 2013, 22:12
Distribution: 4.0 Cinnamon 64-bit ISO
Location: Western NY, USA

[Solved] Security Boot Fail

Post#26 by Ed_P » 08 Oct 2018, 18:33

My final Ubuntu grub2 grub.cfg file.

Code: Select all


if loadfont /boot/grub/font.pf2 ; then
#	set gfxmode=auto
	set gfxmode=800x600,auto
	insmod efi_gop
	insmod efi_uga
	insmod gfxterm
	terminal_output gfxterm
fi

set menu_color_normal=white/black
set menu_color_highlight=black/light-gray

set timeout=60
set gfxpayload=1024x768
 
menuentry " 1. Porteus 4.0 - UEFI Secure Boot" {
     
     set porteus_parms="volume=33 reboot=cold extramod=/Modules;/Modsavedat noload=save.dat;cinnamon"

     set bootdrv=$root
     search -f /boot/syslinux/vmlinuz 
     if [ $? == 0 ]; then
        linux  /boot/syslinux/vmlinuz $porteus_parms
        initrd /boot/syslinux/initrd.xz
     else
        echo "----------------------------------------"
        echo Porteus drive NOT found.
        echo
        sleep -v -i 10
     fi
     set root=$bootdrv
     }

menuentry " 2. Porteus 4.0 menu - UEFI system" {

     set efibootmgr=/EFI/Porteusboot/bootx64.efi

     set bootdrv=$root
     search -f $efibootmgr 
     if [ $? == 0 ]; then
        chainloader $efibootmgr 
     else
        echo "----------------------------------------"
        echo Porteus drive NOT found.
        echo
        sleep -v -i 10
     fi
     set root=$bootdrv 
     }

menuentry " 3. Porteus 4.0 menu - BIOS system" {

     set bootmgr=/boot/syslinux/chain.c32

     set bootdrv=$root
     search -f $bootmgr 
     if [ $? == 0 ]; then
        chainloader +1
     else
        echo "----------------------------------------"
        echo Porteus drive NOT found.
        echo
        sleep -v -i 10
     fi 
     set root=$bootdrv
     }

menuentry " " { echo }

menuentry " 4. Reboot" {
     reboot
     }
Last edited by Ed_P on 10 Oct 2018, 23:02, edited 2 times in total.
Ed

User avatar
brokenman
Site Admin
Site Admin
Posts: 5940
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil
Contact:

[Solved] Security Boot Fail

Post#27 by brokenman » 09 Oct 2018, 13:13

Ed_P wrote:
08 Oct 2018, 05:19
But my Porteus 4.0 flash drive is running on a Secure Boot EFI machine.
How secure is that really? The idea with secure boot is to NOT have any unsigned binary load. If the vmlinuz of Porteus was not signed then it really shouldn't load. I was running Porteus with secure boot for ages but I got sick of having to sign the files each time I upgrade, which is very often.
How do i become super user?
Wear your underpants on the outside and put on a cape.

User avatar
Ed_P
Contributor
Contributor
Posts: 4156
Joined: 06 Feb 2013, 22:12
Distribution: 4.0 Cinnamon 64-bit ISO
Location: Western NY, USA

[Solved] Security Boot Fail

Post#28 by Ed_P » 09 Oct 2018, 14:12

You're missing the point brokenman.
jssouza wrote:
12 Sep 2018, 04:57
But outside (friend's place or at the workplace) it wont boot if secure boot is on. You cannot disable secure boot here.
And this Ubuntu grub2 approach is easier than signing all the files. ;)


-update-

And to make this even easier...

UGrub2.sh

Code: Select all

#!/bin/bash

# Add Ubuntu grub2 Secure Boot support to Porteus USB system.

UbuntuISO=/mnt/sda6/ISOs/ubuntu-18.04.1-desktop-amd64.iso    # Change to fit your system
USBdrv=/mnt/sdb1                                             # Change to fit your system

if [ `whoami` != "root" ]; then
   echo -e "Enter root's password"
   su -c "sh $0 $1"
   exit
fi

if [ ! -f $USBdrv/USB_INSTALLATION.txt ]; then
   echo "Porteus USB drive not found."
   read
   exit
fi

if [ ! -f $UbuntuISO ]; then
   echo "Ubuntu ISO not found."
   read
   exit
fi

mloop $UbuntuISO 
#read

mv $USBdrv/EFI/boot              $USBdrv/EFI/Porteusboot           # Backup Porteus EFI
mkdir                            $USBdrv/EFI/BOOT
mkdir                            $USBdrv/boot/grub
cp -ar /mnt/loop/EFI/BOOT/*      $USBdrv/EFI/BOOT/
cp -ar /mnt/loop/boot/grub/*     $USBdrv/boot/grub/
mv $USBdrv/boot/grub/grub.cfg    $USBdrv/boot/grub/Ubuntugrub.cfg  # Backup Ubuntu grub.cfg

echo " "
echo "Now add the posted grub.cfg file to the $USBdrv/boot/grub/ folder."
echo "Customize the new grub.cfg's porteus_parms in the Secure Boot menu."
echo " "
read
ls  $USBdrv/EFI/BOOT
ls  $USBdrv/boot
ls  $USBdrv/boot/grub
cat $USBdrv/boot/grub/grub.cfg
uloop 
You must modify the USBdrv and UbuntuISO parms to fit your situation. :happy62:

For Ubuntu ISO: https://duckduckgo.com/?q=ubuntu-18.04. ... fcm&ia=web
Last edited by Ed_P on 09 Oct 2018, 16:31, edited 1 time in total.
Ed

Post Reply