Secure Boot Enabled

Post#1 by **rych** » 14 Dec 2021, 05:09

Currently Porteus 5.0rc3 USB boots on Legacy and UEFI systems with a disabled Secure Boot, Porteus on UEFI-ONLY: rock solid boot!

Secure Boot Enabled is a normal requirement of the Windows 11. In order to boot into porteus one has to visit BIOS twice per session: once to disable it first and then to restore so that I'm assuming Windows 11 would successfully boot afterwards. But even if once per each session it's awkward and cumbersome.

On such systems the current porteus USB may display itself in the booting menu as an UEFI entry but will fail to boot. Whereas for example Windows 10 To Go UEFI stick will boot fine because it's "signed" I guess.

It should be possible to use a Linux Signed Boot Loader https://www.rodsbooks.com/efi-bootloade ... ing_signed see previously reported successful results here [Solved] Security Boot Fail

I'll attempt the steps and report below. Alternatively if anyone already has a working recipe for Porteus 5.0rc3 please post it here.

Post#2 by **nanZor** » 15 Dec 2021, 23:14

Fortunately, this is more of a people issue, rather than technical.

If a user is allowed to enter the uefi-bios, then secure-boot can be simply disabled. But, as you've mentioned, the ability to do this may be locked out by sysadmins (usually for good reasons) - and that means simply being locked / requiring a password to enter the uefi bios itself to do so.

Other things may have been disabled by the IT department itself, like bluetooth and wifi etc etc. Consider too that this locked-down machine may not be running windows at all, but another linux system that is doing your payroll with secure-boot enabled for obvious reasons. Your sysadmin may not take kindly to you booting Porteus on that, and then your paychecks stop coming.

This implies that using Porteus on these types of locked-down machines, which usually means temporary authorized usage, then you may want to look into the Ventoy iso multibooter with a stick created for secure-boot, and boot the Porteus iso directly with that. After you've enrolled the keys, you are good to go for your temporary sessions.

I just wanted to point this out, since this is not really a technical issue. AFAIK, NO computer out there has a baked-in mandatory secure-boot without a user-adjustable toggle. The only obstacle is if a previous owner has locked you out of the entire bios setup.

It will be interesting ot see what you come up with. In the meantime, if the need is great then Ventoy should do the job as a temporary front end.

Post#3 by **Ed_P** » 16 Dec 2021, 02:16

This link may help. [Solved] Security Boot Fail (Post by Ed_P #67428)

Post#4 by **rych** » 28 Apr 2022, 12:19

We have to use a signed boot loader:

Using a signed boot loader means using a boot loader signed with Microsoft's key. There are two known signed boot loaders: PreLoader and shim. Their purpose is to chainload other EFI binaries (usually boot loaders)... PreLoader and shim use an allowlist called Machine Owner Key list, abbreviated MokList.

https://wiki.archlinux.org/title/Unifie ... oot_loader

Modern versions of Ubuntu, Fedora, openSUSE, and Red Hat Enterprise Linux all “just work” without disabling or configuring Secure Boot. They use a small “shim” boot loader signed by Microsoft, which in turn confirms the main boot loader was signed by the Linux distribution before loading it. Some other smaller Linux distributions also use shim.

Arch Linux solutions:
https://wiki.archlinux.org/title/archbo ... rom_fedora
...

Best candidate for an easy solution for Porteus: Ubuntu's shim and grub:

A shim binary signed by Microsoft and grub binary signed by Canonical are provided in the Ubuntu main archive as shim-signed or grub-efi-amd64-signed.

https://wiki.ubuntu.com/UEFI/SecureBoot

Refreshing the 2018 steps by jssouza, Ed_P, BlueTower, burdi01 for Porteus 5.0rc3...

First steps:
-- Download Ubuntu Live system ISO, e.g., ubuntu-18.04.1-desktop-amd64.iso

Optionally just to verify that it indeed successfully boots into Secure Boot enabled system:
-- Burn an ubuntu on a USB drive (using rufus) and boot with it

-- Extract from the Ubuntu .iso (just?) the two folders below and merge-copy onto the first partition (fat32 that we used for UEFI booting) on your Porteus USB disk

Code: Select all

/EFI
/boot

! One file coflicts: /EFI/boot/bootx64.efi, do not overwrite of course. Rename it to bootx64Ubuntu.efi for now
-- your Porteus disk will still boot as before. We'll now start configuring it for the next boot which will be on Secure Boot Enabled system. We've inherited the Ubuntu's /boot/grub/grub.cfg:

set timeout=30

loadfont unicode

set menu_color_normal=white/black
set menu_color_highlight=black/light-gray

menuentry "Try or Install Ubuntu" {
set gfxpayload=keep
linux /casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash ---
initrd /casper/initrd
}
menuentry "Ubuntu (safe graphics)" {
set gfxpayload=keep
linux /casper/vmlinuz nomodeset file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash ---
initrd /casper/initrd
}
menuentry "OEM install (for manufacturers)" {
set gfxpayload=keep
linux /casper/vmlinuz file=/cdrom/preseed/ubuntu.seed only-ubiquity oem-config/enable=true quiet splash ---
initrd /casper/initrd
}
grub_platform
if [ "$grub_platform" = "efi" ]; then
menuentry 'Boot from next volume' {
exit 1
}
menuentry 'UEFI Firmware Settings' {
fwsetup
}
else
menuentry 'Test memory' {
linux16 /boot/memtest86+.bin
}
fi

If we rename bootx64Ubuntu.efi->bootx64.efi, and reboot with Secure Boot On, the Grub menu above shows up, and on the first choice complains that it cannot find the /casper/vmlinuz. So we'll now add an entry to try and use the Porteus supplied (unsigned!) vmlinuz and initrd: For example, simplifying after viewtopic.php?p=59969#p59969, and copying the parameters from APPEND line from the main entry in porteus.cfg:

Code: Select all

menuentry 'Porteus' {
  set porteus_parms="changes=/porteus login=root from=LABEL:Porteus5 fsck"
  linux   /boot/syslinux/vmlinuz $porteus_parms
  initrd /boot/syslinux/initrd.xz
}

... to be continued ... Unless someone has done this already and could share all steps

Post#5 by **Ed_P** » 28 Apr 2022, 13:44

rych wrote: ↑
28 Apr 2022, 12:19
-- Burn an ubuntu on a USB drive (using rufus)

This doesn't work for you?

Ed_P wrote: ↑
21 Nov 2018, 15:54
I don't install Ubuntu I just copy 2 folders from the ISO.

Post#6 by **rych** » 02 May 2022, 10:50

Adding to the /boot/grub/grub.cfg this option:

Code: Select all

menuentry 'Porteus' {
  set porteus_parms="changes=/porteus login=root from=LABEL:Porteus5 fsck"
  linux   /boot/syslinux/vmlinuz $porteus_parms
  initrd /boot/syslinux/initrd.xz
}

and trying to boot with it gives the error:

error: bad shim signature.
error: you need to load the kernel first.

This must be because our /boot/syslinux/vmlinuz is indeed not signed.