[Solved] Security Boot Fail

Technical issues/questions of an intermediate or advanced nature.
User avatar
Ed_P
Contributor
Contributor
Posts: 5501
Joined: 06 Feb 2013, 22:12
Distribution: 4.0 Cinnamon 64-bit ISO
Location: Western NY, USA

[Solved] Security Boot Fail

Post#31 by Ed_P » 21 Nov 2018, 15:54

I agree BlueTower. :happy62:

I don't know what happened to my secure boot flash drive but I cleaned everything off it, reinstalled Porteus to it then readded the Ubuntu grub2 files and now it all works again. Whatever happened that caused the x86_64-efi and i386-pc problems and etc I have no idea.

In my testing to figure out what was happening I developed a couple of simple scripts and modified my grub.cfg file accordingly. For someone wanting to test the secure boot grub2 changes these may help.

These I put in the /EFI folder.
BIOSboot.sh

Code: Select all

#!/bin/sh

# Switch UEFI Secure Boot config to standard Porteus boot config.

USBdrv=/mnt/sdb1   # USB drive 

if [ -d $USBdrv/EFI/Porteusboot ]; then
   mv -f $USBdrv/EFI/boot         $USBdrv/EFI/UbuntuBOOT
   mv -f $USBdrv/EFI/Porteusboot  $USBdrv/EFI/boot
else
   echo "  Porteus boot config already in place."
fi
Secureboot.sh

Code: Select all

#!/bin/sh

# Switch standard Porteus boot config to UEFI Secure Boot config. 

USBdrv=/mnt/sdb1   # USB drive

if [ -d $USBdrv/EFI/UbuntuBOOT ]; then
   mv $USBdrv/EFI/boot         $USBdrv/EFI/Porteusboot
   mv $USBdrv/EFI/UbuntuBOOT   $USBdrv/EFI/boot
else
   echo "  UEFI Secure Boot config already in place."
fi

grub.cfg

Code: Select all

if loadfont /boot/grub/font.pf2 ; then
#	set gfxmode=auto
	set gfxmode=800x600,auto
	insmod efi_gop
	insmod efi_uga
	insmod gfxterm
	terminal_output gfxterm
fi

set menu_color_normal=white/black
set menu_color_highlight=black/light-gray

set timeout=60
set gfxpayload=1024x768
 
menuentry " 1. UEFI Porteus 4.0 system - for Secure Boot enabled" {
     
     set efibootmgr=/EFI/boot/grubx64.efi
     set porteus_parms="volume=33 reboot=cold extramod=/Modules;/Modsavedat noload=save.dat;cinnamon"
#    Change parms to fit your needs.

     set bootdrv=$root
     search -f $efibootmgr
     if [ $? == 0 ]; then
        linux  /boot/syslinux/vmlinuz $porteus_parms
        initrd /boot/syslinux/initrd.xz
        echo " "
        echo " -> "
        echo " -> If /boot/grub/x86-64-efi errors appear, disregard."
        echo " -> Secure Boot not enabled."
        echo " -> "
        sleep -i 4
     else
        echo "----------------------------------------"
        echo Porteus drive NOT found.
        echo
        sleep -i 10
     fi
     set root=$bootdrv
     }

menuentry " 2. UEFI Porteus 4.0 menu - aborts if Secure Boot enabled" {

     set efibootmgr=/EFI/Porteusboot/bootx64.efi

     set bootdrv=$root
     search -f $efibootmgr 
     if [ $? == 0 ]; then
        chainloader $efibootmgr
        echo " "
        echo " -> "
        echo " -> If /boot/grub/x86-64-efi errors appear, disregard."
        echo " -> "
        sleep -i 4 
     else
        echo "----------------------------------------"
        echo Porteus drive NOT found.
        echo
        sleep -i 10
     fi
     set root=$bootdrv 
     }

menuentry " " { echo }

menuentry " 3. Reboot" {
     reboot
     }
menuentry " 4. Shutdown" {
     halt
     }

menuentry " " { echo }

menuentry " Notes" {
     echo
     echo "To switch the USB drive's boot mode to BIOS mode "
     echo "run the BIOSboot.sh script in the /EFI directory."
     echo 
     echo "To switch the USB drive boot mode back to EFI mode"
     echo "run the Secureboot.sh script in the /EFI directory." 
     echo 
     sleep -i 10
     }
     
This replaced the Ubuntu grub.cfg file in the /boot/grub/ folder.

The drive is now working on both EFI and non-EFI machines again. :good:

The script I use to add the grub2 files to the drive is here: [Solved] Security Boot Fail (Post by Ed_P #66853) I don't install Ubuntu I just copy 2 folders from the ISO.



-Update-

BTW My /boot/syslinux/porteus.cfg file menu changes. The GRAPHICAL change is the APPEND line to support my USB's UUID and the following one is a new option. It runs Porteus without saving changes it may make. Good for when the grandkids play games. :)

Code: Select all

LABEL GRAPHICAL
MENU LABEL Graphics mode
KERNEL /boot/syslinux/vmlinuz
INITRD /boot/syslinux/initrd.xz
APPEND changes=EXIT:UUID:8486-DDC5/changes/porteussave.dat extramod=UUID:8486-DDC5/Modules
TEXT HELP
    Run Porteus the best way we can.
    Try to autoconfigure graphics
    card and use the maximum
    allowed resolution
ENDTEXT

LABEL safe
MENU LABEL Graphics mode (Safe)
KERNEL /boot/syslinux/vmlinuz
INITRD /boot/syslinux/initrd.xz
APPEND extramod=UUID:8486-DDC5/Modules;UUID:8486-DDC5/Modsavedat
TEXT HELP
    Run Porteus the best way we can.
    Try to autoconfigure graphics
    card and use the maximum  
    allowed resolution
ENDTEXT
And I changed line 4 to be

Code: Select all

DEFAULT safe
:happy62:

-update 2-

A related change to the flash drive system. [Solved] 4.0 doesn't support wifi on netbook. 3.2.2 does.
Last edited by Ed_P on 22 Nov 2018, 15:48, edited 2 times in total.
Reason: Added my porteus.cfg changes.
Ed

User avatar
Ed_P
Contributor
Contributor
Posts: 5501
Joined: 06 Feb 2013, 22:12
Distribution: 4.0 Cinnamon 64-bit ISO
Location: Western NY, USA

[Solved] Security Boot Fail

Post#32 by Ed_P » 27 Nov 2018, 18:07

I've tried a revised grub.cfg file with mixed results.

Code: Select all

if loadfont /boot/grub/font.pf2 ; then
#	set gfxmode=auto
	set gfxmode=800x600,auto
	insmod efi_gop
	insmod efi_uga
	insmod gfxterm
	terminal_output gfxterm
fi

set menu_color_normal=white/black
set menu_color_highlight=black/light-gray

set timeout=60
set gfxpayload=1024x768


set efibootmgr=/EFI/Porteusboot/bootx64.efi 
set porteus_parms="volume=33 reboot=cold extramod=/Modules;/Modsavedat noload=save.dat;cinnamon"
#  Change parms to fit your needs. 


insmod /boot/grub/x86_64-efi/cat
if rmmod cat; then
   linux  /boot/syslinux/vmlinuz $porteus_parms
   initrd /boot/syslinux/initrd.xz
   boot
   exit
else
   chainloader $efibootmgr
   boot
   exit
fi
In Secure Boot mode the cfg boots Porteus with the parms specified. :good: With Secure Boot disabled the cfg still boots Porteus with the parms specified. :%) The goal was with Secure Boot disabled to have the cfg boot to the Porteus menu like normal.

So not a bad situation, just not the desired situation. :no:
Ed

jssouza
DEV Team
DEV Team
Posts: 1165
Joined: 09 Jul 2015, 14:17
Distribution: Porteus x86 arm

[Solved] Security Boot Fail

Post#33 by jssouza » 28 Nov 2018, 03:40

Hi Ed_P, it looks like the decision of whether secure boot is enabled or disabled is determined by rmmod cat. What does this command do?
Is it possible that in both scenarios (secure boot enabled or disabled), control goes into the if case and hence parms get specified in both cases?

User avatar
Ed_P
Contributor
Contributor
Posts: 5501
Joined: 06 Feb 2013, 22:12
Distribution: 4.0 Cinnamon 64-bit ISO
Location: Western NY, USA

[Solved] Security Boot Fail

Post#34 by Ed_P » 28 Nov 2018, 04:30

rmmod removes a module from the Linux kernel. insmod inserts a module into the Linux kernel.

Part of the problem is the module's name when in Secure Boot enable mode verses Secure Boot disabled mode. With Secure Boot disabled the file's name is cat.mod. With Secure Boot enabled the module's name is cat. Thus with Secure Boot enabled the insmod and rmmod commands work. With Secure Boot disabled the insmod command returns file not found. I believe the rmmod command returns the same so why does the if statement's true commands still execute? :fool:
Ed

jssouza
DEV Team
DEV Team
Posts: 1165
Joined: 09 Jul 2015, 14:17
Distribution: Porteus x86 arm

[Solved] Security Boot Fail

Post#35 by jssouza » 28 Nov 2018, 06:02

Ed_P wrote:
28 Nov 2018, 04:30
With Secure Boot disabled the file's name is cat.mod. With Secure Boot enabled the module's name is cat.
Interesting. Maybe you could just check for the file's existence then :unknown:

Code: Select all

if [ -f  /boot/grub/x86_64-efi/cat ]; then
    # Secure boot enabled
else
   # Secure boot disabled 
fi

User avatar
Ed_P
Contributor
Contributor
Posts: 5501
Joined: 06 Feb 2013, 22:12
Distribution: 4.0 Cinnamon 64-bit ISO
Location: Western NY, USA

[Solved] Security Boot Fail

Post#36 by Ed_P » 28 Nov 2018, 15:32

:D Oh if only it were that easy. I tried, ie booted and rebooted, many possibilities over the past 2 days. Screw something up and the machine boots to Windows when in Secure Boot mode, get it to work in Secure Boot mode, disable it and it fails in disable mode.
Ed

meet
Black ninja
Black ninja
Posts: 88
Joined: 31 Mar 2020, 04:37
Distribution: Porteus 4.0

[Solved] Security Boot Fail

Post#37 by meet » 31 Mar 2020, 04:51

Hey guys. I am using the Porteus-KDE-v5.0rc1-x86_64 version to use it through a USB stick. I want to use this as a portable OS, and hence want it to work on all computers without having to change anything in those computers BIOS or windows files.

I went through all the discussion but couldn't understand what was finally required to be done to make this work.

Please can someone tell me step by step what is required to be done? I am not a programming background hence I do not understand any basic terminology you guys use.

User avatar
Ed_P
Contributor
Contributor
Posts: 5501
Joined: 06 Feb 2013, 22:12
Distribution: 4.0 Cinnamon 64-bit ISO
Location: Western NY, USA

[Solved] Security Boot Fail

Post#38 by Ed_P » 31 Mar 2020, 05:13

I have not tested the 5.0 release candidate with my suggested changes noted in the top post nor looked to see if my changes have been included in the release candidate at this point so you are looking at unfamiliar territory.

The standard approach to booting Porteus on EFI systems is to disable the system's EFI Secure Boot option via the system's boot screen. And getting to the boot screen can be a different process on different systems so I can't give you step by step instructions.

Good luck.
Ed

burdi01
Samurai
Samurai
Posts: 121
Joined: 18 Aug 2013, 12:09
Distribution: Slackware, Xubuntu
Location: The Netherlands

[Solved] Security Boot Fail

Post#39 by burdi01 » 31 Mar 2020, 09:43

Disabling Secure Boot sometimes is a hell of a thing to do. E.g. on my HP laptop this causes screaming (really!) boot failures until you find that you have to type in a "pin code".
Therefore I use the Grub2 implementation from the Ubuntu 18.04.1 ISO. This implementation itself is signed and thus will run even on a EFI Secure Boot system. This implementation then happily loads a non-signed kernel and modules.
:D

meet
Black ninja
Black ninja
Posts: 88
Joined: 31 Mar 2020, 04:37
Distribution: Porteus 4.0

[Solved] Security Boot Fail

Post#40 by meet » 31 Mar 2020, 17:49

Hey burdi01,
That is exactly what I am looking for. Disabling secure boot is definitely a solution that works, and I am able to boot after that smoothly. (Even on Version 5)
However, I could do that as this was my PC. My purpose of using this portable OS is rather to be able to login on any damn system, anywhere. Without the need to update that particular PC's OS or BIOS or settings or anything. I just want to plug in my OS, do my work, and leave without any trace on that system.

But if I am required to do this secure boot thing every time I log on a new computer, the meaning of portability is nullified.

Can you help me with how did you implement grub2 for booting on a bootable USB stick which has Porteus?
(Please consider me a total newbie about grub or linux or coding, as I am.)

burdi01
Samurai
Samurai
Posts: 121
Joined: 18 Aug 2013, 12:09
Distribution: Slackware, Xubuntu
Location: The Netherlands

[Solved] Security Boot Fail

Post#41 by burdi01 » 01 Apr 2020, 10:18

@meet:

1) Download the Ubuntu 18.04.1 ISO.
2) Prepare your target USB stick: e.g. with gparted create an msdos partition table, create a fat32 partition, flag that partition as boot,esp and mount that partition on e.g. /mnt.
3) Copy the /boot and /ESP folders from the Ubuntu ISO to /mnt.
4) Run "grub-install --target=i386-pc --boot-directory=/mnt/boot /dev/sdX".
5) Copy the porteus folder from your Porteus ISO to /mnt.
6) Google for "+porteus grub2" and/or "porteus grub2" for grub stanzas and create/edit the grub.cfg file accordingly.
7) Boot your Porteus USB stick.

The above assumes you run a "full" Linux such as Ubuntu. Alternatively you can dd the Ubuntu ISO to a USB stick or use e.g. BalenaEtcher to do so and boot that USB stick.

Note that I purposely do not "hold your hand". Report back on your progress.
:D

BTW: Please specify your location in your profile.

meet
Black ninja
Black ninja
Posts: 88
Joined: 31 Mar 2020, 04:37
Distribution: Porteus 4.0

[Solved] Security Boot Fail

Post#42 by meet » 06 Apr 2020, 17:52

burdi01 wrote:
01 Apr 2020, 10:18
@meet:

1) Download the Ubuntu 18.04.1 ISO.
2) Prepare your target USB stick: e.g. with gparted create an msdos partition table, create a fat32 partition, flag that partition as boot,esp and mount that partition on e.g. /mnt.
3) Copy the /boot and /ESP folders from the Ubuntu ISO to /mnt.
4) Run "grub-install --target=i386-pc --boot-directory=/mnt/boot /dev/sdX".
5) Copy the porteus folder from your Porteus ISO to /mnt.
6) Google for "+porteus grub2" and/or "porteus grub2" for grub stanzas and create/edit the grub.cfg file accordingly.
7) Boot your Porteus USB stick.

The above assumes you run a "full" Linux such as Ubuntu. Alternatively you can dd the Ubuntu ISO to a USB stick or use e.g. BalenaEtcher to do so and boot that USB stick.

Note that I purposely do not "hold your hand". Report back on your progress.
:D

BTW: Please specify your location in your profile.
Hey burdi.. I couldn't comprehend anything that you said. I guess I am a newbie even in the newbies category.
To be specific, I need more help with the step 2. Don't know how to create those.
Then from step 3 to 5, do I need to do all this from a booted linux system? Or works the same from Windows? (I currently run windows on my PC.)
Step 6, well is out of my cup of tea.

burdi01
Samurai
Samurai
Posts: 121
Joined: 18 Aug 2013, 12:09
Distribution: Slackware, Xubuntu
Location: The Netherlands

[Solved] Security Boot Fail

Post#43 by burdi01 » 07 Apr 2020, 09:23

Ad 1) From your other issues on these Porteus fora I derive that you are able to find, download and run ISOs. To "burn" an ISO to a USB stick I would recommend the BalenaEtcher application for Windows and Linux.
Ad 2) Gparted is a GUI application that is included with Porteus as well as Ubuntu. I assume you are able to explore the menus and invoke the pertinent entries.
Ad 3) Windows does not allow one to open partitions flagged as ESP. But luckily you are still running the Linux from 2). Opening the ISO and copying the directories can be done using GUI applications.
Ad 4) This command enables booting the stick in MBR (aka legacy) mode. It should be run from a terminal under Ubuntu. This command can be skipped or postponed to later.
Ad 5) See ad 3).
Ad 6) I found working stanzas on the Porteus fora.
Ad 7) Success!

Report back on your progress.
:D

Please specify you location in your profile (to indicate your time zone).

Post Reply