[Solved] Security Boot Fail

Ed_P
Contributor
Posts: 5127
Joined: 06 Feb 2013, 22:12
Distribution: 4.0 Cinnamon 64-bit ISO
Location: Western NY, USA

Post#31 by Ed_P » 21 Nov 2018, 15:54

I agree BlueTower. :happy62:

I don't know what happened to my secure boot flash drive, but I cleaned everything off it, reinstalled Porteus to it, then re-added the Ubuntu grub2 files, and now it all works again. Whatever happened that caused the x86_64-efi and i386-pc problems etc., I have no idea.

In my testing to figure out what was happening I developed a couple of simple scripts and modified my grub.cfg file accordingly. For someone wanting to test the secure boot grub2 changes these may help.

These I put in the /EFI folder.
BIOSboot.sh

Code:

#!/bin/sh

# Switch UEFI Secure Boot config to standard Porteus boot config.

USBdrv=/mnt/sdb1   # USB drive 

if [ -d $USBdrv/EFI/Porteusboot ]; then
   mv -f $USBdrv/EFI/boot         $USBdrv/EFI/UbuntuBOOT
   mv -f $USBdrv/EFI/Porteusboot  $USBdrv/EFI/boot
else
   echo "  Porteus boot config already in place."
fi

Secureboot.sh

Code:

#!/bin/sh

# Switch standard Porteus boot config to UEFI Secure Boot config. 

USBdrv=/mnt/sdb1   # USB drive

if [ -d $USBdrv/EFI/UbuntuBOOT ]; then
   mv $USBdrv/EFI/boot         $USBdrv/EFI/Porteusboot
   mv $USBdrv/EFI/UbuntuBOOT   $USBdrv/EFI/boot
else
   echo "  UEFI Secure Boot config already in place."
fi

grub.cfg

Code:

if loadfont /boot/grub/font.pf2 ; then
#	set gfxmode=auto
	set gfxmode=800x600,auto
	insmod efi_gop
	insmod efi_uga
	insmod gfxterm
	terminal_output gfxterm
fi

set menu_color_normal=white/black
set menu_color_highlight=black/light-gray

set timeout=60
set gfxpayload=1024x768
 
menuentry " 1. UEFI Porteus 4.0 system - for Secure Boot enabled" {
     
     set efibootmgr=/EFI/boot/grubx64.efi
     set porteus_parms="volume=33 reboot=cold extramod=/Modules;/Modsavedat noload=save.dat;cinnamon"
#    Change parms to fit your needs.

     set bootdrv=$root
     search -f $efibootmgr
     if [ $? == 0 ]; then
        linux  /boot/syslinux/vmlinuz $porteus_parms
        initrd /boot/syslinux/initrd.xz
        echo " "
        echo " -> "
        echo " -> If /boot/grub/x86-64-efi errors appear, disregard."
        echo " -> Secure Boot not enabled."
        echo " -> "
        sleep -i 4
     else
        echo "----------------------------------------"
        echo Porteus drive NOT found.
        echo
        sleep -i 10
     fi
     set root=$bootdrv
     }

menuentry " 2. UEFI Porteus 4.0 menu - aborts if Secure Boot enabled" {

     set efibootmgr=/EFI/Porteusboot/bootx64.efi

     set bootdrv=$root
     search -f $efibootmgr 
     if [ $? == 0 ]; then
        chainloader $efibootmgr
        echo " "
        echo " -> "
        echo " -> If /boot/grub/x86-64-efi errors appear, disregard."
        echo " -> "
        sleep -i 4 
     else
        echo "----------------------------------------"
        echo Porteus drive NOT found.
        echo
        sleep -i 10
     fi
     set root=$bootdrv 
     }

menuentry " " { echo }

menuentry " 3. Reboot" {
     reboot
     }
menuentry " 4. Shutdown" {
     halt
     }

menuentry " " { echo }

menuentry " Notes" {
     echo
     echo "To switch the USB drive's boot mode to BIOS mode "
     echo "run the BIOSboot.sh script in the /EFI directory."
     echo 
     echo "To switch the USB drive boot mode back to EFI mode"
     echo "run the Secureboot.sh script in the /EFI directory." 
     echo 
     sleep -i 10
     }
     
This replaced the Ubuntu grub.cfg file in the /boot/grub/ folder.

The drive is now working on both EFI and non-EFI machines again. :good:

The script I use to add the grub2 files to the drive is here: [Solved] Security Boot Fail (Post by Ed_P #66853). I don't install Ubuntu; I just copy 2 folders from the ISO.



-Update-

BTW My /boot/syslinux/porteus.cfg file menu changes. The GRAPHICAL change is the APPEND line to support my USB's UUID and the following one is a new option. It runs Porteus without saving changes it may make. Good for when the grandkids play games. :)

Code:

LABEL GRAPHICAL
MENU LABEL Graphics mode
KERNEL /boot/syslinux/vmlinuz
INITRD /boot/syslinux/initrd.xz
APPEND changes=EXIT:UUID:8486-DDC5/changes/porteussave.dat extramod=UUID:8486-DDC5/Modules
TEXT HELP
    Run Porteus the best way we can.
    Try to autoconfigure graphics
    card and use the maximum
    allowed resolution
ENDTEXT

LABEL safe
MENU LABEL Graphics mode (Safe)
KERNEL /boot/syslinux/vmlinuz
INITRD /boot/syslinux/initrd.xz
APPEND extramod=UUID:8486-DDC5/Modules;UUID:8486-DDC5/Modsavedat
TEXT HELP
    Run Porteus the best way we can.
    Try to autoconfigure graphics
    card and use the maximum  
    allowed resolution
ENDTEXT

And I changed line 4 to be

Code:

DEFAULT safe

:happy62:

-update 2-

A related change to the flash drive system. [Solved] 4.0 doesn't support wifi on netbook. 3.2.2 does.
Last edited by Ed_P on 22 Nov 2018, 15:48, edited 2 times in total.
Reason: Added my porteus.cfg changes.
Ed
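
The directory swap that BIOSboot.sh and Secureboot.sh perform in post #31, combined into one script as an added example (not Ed_P's code): it reports which config is active and refuses to move anything when the layout is ambiguous, since `mv` onto an existing directory would nest `boot` inside it. The function names `efi_state` and `efi_switch` are hypothetical; the directory names and `/mnt/sdb1` come from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Layout assumed from post #31:
# EFI/boot is the active loader dir; EFI/Porteusboot or EFI/UbuntuBOOT
# is the parked one. efi_state/efi_switch are hypothetical names.

# Print "secure", "porteus" or "inconsistent" for the drive mounted at $1.
efi_state() {
    efi=$1/EFI
    [ -d "$efi/boot" ] || { echo inconsistent; return 1; }
    if [ -d "$efi/Porteusboot" ] && [ ! -e "$efi/UbuntuBOOT" ]; then
        echo secure         # Porteus loader parked, Ubuntu grub2 active
    elif [ -d "$efi/UbuntuBOOT" ] && [ ! -e "$efi/Porteusboot" ]; then
        echo porteus        # Ubuntu grub2 parked, Porteus loader active
    else
        echo inconsistent   # both or neither parked directory exists
        return 1
    fi
}

# efi_switch <mountpoint> <secure|porteus>
efi_switch() {
    efi=$1/EFI
    want=$2
    cur=$(efi_state "$1") || {
        echo "refusing to touch $efi: layout is $cur" >&2
        return 1
    }
    if [ "$cur" = "$want" ]; then
        echo "  $want config already in place."
        return 0
    fi
    case $want in
        secure)  park=Porteusboot; take=UbuntuBOOT ;;
        porteus) park=UbuntuBOOT;  take=Porteusboot ;;
        *) echo "usage: efi_switch <mountpoint> secure|porteus" >&2
           return 2 ;;
    esac
    # Same two moves as the original scripts, only after the checks above.
    mv "$efi/boot" "$efi/$park" && mv "$efi/$take" "$efi/boot"
}

# Usage on the drive from the post:  efi_switch /mnt/sdb1 secure
```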

Post#32 by Ed_P » 27 Nov 2018, 18:07

I've tried a revised grub.cfg file with mixed results.

Code:

if loadfont /boot/grub/font.pf2 ; then
#	set gfxmode=auto
	set gfxmode=800x600,auto
	insmod efi_gop
	insmod efi_uga
	insmod gfxterm
	terminal_output gfxterm
fi

set menu_color_normal=white/black
set menu_color_highlight=black/light-gray

set timeout=60
set gfxpayload=1024x768


set efibootmgr=/EFI/Porteusboot/bootx64.efi 
set porteus_parms="volume=33 reboot=cold extramod=/Modules;/Modsavedat noload=save.dat;cinnamon"
#  Change parms to fit your needs. 


insmod /boot/grub/x86_64-efi/cat
if rmmod cat; then
   linux  /boot/syslinux/vmlinuz $porteus_parms
   initrd /boot/syslinux/initrd.xz
   boot
   exit
else
   chainloader $efibootmgr
   boot
   exit
fi

In Secure Boot mode the cfg boots Porteus with the parms specified. :good: With Secure Boot disabled the cfg still boots Porteus with the parms specified. :%) The goal was with Secure Boot disabled to have the cfg boot to the Porteus menu like normal.

So not a bad situation, just not the desired situation. :no:
Ed

jssouza
DEV Team
DEV Team
Posts: 1045
Joined: 09 Jul 2015, 14:17
Distribution: Porteus x86 arm
Location: Liechtenstein

Post#33 by jssouza » 28 Nov 2018, 03:40

Hi Ed_P, it looks like the decision of whether secure boot is enabled or disabled is determined by rmmod cat. What does this command do?
Is it possible that in both scenarios (secure boot enabled or disabled), control goes into the if case and hence parms get specified in both cases?

Post#34 by Ed_P » 28 Nov 2018, 04:30

rmmod removes a module from the Linux kernel. insmod inserts a module into the Linux kernel.

Part of the problem is the module's name when in Secure Boot enabled mode versus Secure Boot disabled mode. With Secure Boot disabled the file's name is cat.mod. With Secure Boot enabled the module's name is cat. Thus with Secure Boot enabled the insmod and rmmod commands work. With Secure Boot disabled the insmod command returns file not found. I believe the rmmod command returns the same, so why do the if statement's true commands still execute? :fool:
Ed

Post#35 by jssouza » 28 Nov 2018, 06:02

Ed_P wrote:
28 Nov 2018, 04:30
With Secure Boot disabled the file's name is cat.mod. With Secure Boot enabled the module's name is cat.

Interesting. Maybe you could just check for the file's existence then :unknown:

Code:

if [ -f /boot/grub/x86_64-efi/cat ]; then
    # Secure boot enabled
    true
else
    # Secure boot disabled
    true
fi

Post#36 by Ed_P » 28 Nov 2018, 15:32

:D Oh, if only it were that easy. I tried, i.e. booted and rebooted, many possibilities over the past 2 days. Screw something up and the machine boots to Windows when in Secure Boot mode; get it to work in Secure Boot mode, disable it, and it fails in disabled mode.
Ed
