Secure Boot Enabled

rych
Warlord
Posts: 622
Joined: 04 Jan 2014, 04:27
Distribution: Porteus 5.0 x64 OpenBox
Location: NZ

Secure Boot Enabled

Post#1 by rych » 14 Dec 2021, 05:09

Currently the Porteus 5.0rc3 USB boots on Legacy and UEFI systems with Secure Boot disabled (Porteus on UEFI-ONLY: rock solid boot!).

Secure Boot Enabled is a normal requirement of Windows 11. In order to boot into Porteus one has to visit the BIOS twice per session: once to disable it first and then again to restore it so that, I'm assuming, Windows 11 would successfully boot afterwards. But even if it were only once per session, it's awkward and cumbersome.

On such systems the current Porteus USB may display itself in the boot menu as a UEFI entry but will fail to boot, whereas, for example, a Windows 10 To Go UEFI stick will boot fine because it's "signed", I guess.

It should be possible to use a Linux signed boot loader: https://www.rodsbooks.com/efi-bootloade ... ing_signed (see previously reported successful results here: [Solved] Security Boot Fail).

I'll attempt the steps and report below. Alternatively if anyone already has a working recipe for Porteus 5.0rc3 please post it here.
Last edited by rych on 16 Dec 2021, 15:28, edited 2 times in total.

nanZor
Shogun
Posts: 381
Joined: 09 Apr 2019, 03:27
Distribution: Porteus 5.01 x86-64 LXQT

Secure Boot Enabled

Post#2 by nanZor » 15 Dec 2021, 23:14

Fortunately, this is more of a people issue, rather than technical.

If a user is allowed to enter the UEFI BIOS, then Secure Boot can simply be disabled. But, as you've mentioned, the ability to do this may be locked out by sysadmins (usually for good reasons), and that means simply being locked out of, or requiring a password to enter, the UEFI BIOS itself.

Other things may have been disabled by the IT department itself, like Bluetooth and WiFi, etc. Consider too that this locked-down machine may not be running Windows at all, but another Linux system that is doing your payroll with Secure Boot enabled for obvious reasons. Your sysadmin may not take kindly to you booting Porteus on that, and then your paychecks stop coming. :)

This implies that if you are using Porteus on these types of locked-down machines, which usually means temporary authorized usage, then you may want to look into the Ventoy ISO multibooter, with a stick created for Secure Boot, and boot the Porteus ISO directly with that. After you've enrolled the keys, you are good to go for your temporary sessions.

I just wanted to point this out, since this is not really a technical issue. AFAIK, NO computer out there has baked-in mandatory Secure Boot without a user-adjustable toggle. The only obstacle is if a previous owner has locked you out of the entire BIOS setup.

It will be interesting to see what you come up with. In the meantime, if the need is great, then Ventoy should do the job as a temporary front end.
That's a UNIX book - cool. -Garth

Ed_P
Contributor
Posts: 8341
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

Secure Boot Enabled

Post#3 by Ed_P » 16 Dec 2021, 02:16

Ed

rych
Warlord
Posts: 622
Joined: 04 Jan 2014, 04:27
Distribution: Porteus 5.0 x64 OpenBox
Location: NZ

Secure Boot Enabled

Post#4 by rych » 28 Apr 2022, 12:19

We have to use a signed boot loader:
Using a signed boot loader means using a boot loader signed with Microsoft's key. There are two known signed boot loaders: PreLoader and shim. Their purpose is to chainload other EFI binaries (usually boot loaders)... PreLoader and shim use an allowlist called Machine Owner Key list, abbreviated MokList.
https://wiki.archlinux.org/title/Unifie ... oot_loader
Modern versions of Ubuntu, Fedora, openSUSE, and Red Hat Enterprise Linux all “just work” without disabling or configuring Secure Boot. They use a small “shim” boot loader signed by Microsoft, which in turn confirms the main boot loader was signed by the Linux distribution before loading it. Some other smaller Linux distributions also use shim.
Arch Linux solutions:
https://wiki.archlinux.org/title/archbo ... rom_fedora
...

Best candidate for an easy solution for Porteus: Ubuntu's shim and grub:
A shim binary signed by Microsoft and grub binary signed by Canonical are provided in the Ubuntu main archive as shim-signed or grub-efi-amd64-signed.
https://wiki.ubuntu.com/UEFI/SecureBoot

Refreshing the 2018 steps by jssouza, Ed_P, BlueTower, burdi01 for Porteus 5.0rc3...

First steps:
-- Download an Ubuntu Live system ISO, e.g., ubuntu-18.04.1-desktop-amd64.iso
Optionally, just to verify that it indeed successfully boots on a Secure Boot enabled system:
-- Burn the Ubuntu ISO to a USB drive (using Rufus) and boot with it
-- Extract from the Ubuntu .iso (just?) the two folders below and merge-copy them onto the first partition (the FAT32 one that we used for UEFI booting) of your Porteus USB disk:


/EFI
/boot

! One file conflicts: /EFI/boot/bootx64.efi; do not overwrite it, of course. Rename it to bootx64Ubuntu.efi for now.
-- Your Porteus disk will still boot as before. We'll now start configuring it for the next boot, which will be on a Secure Boot enabled system. We've inherited Ubuntu's /boot/grub/grub.cfg:
set timeout=30

loadfont unicode

set menu_color_normal=white/black
set menu_color_highlight=black/light-gray

menuentry "Try or Install Ubuntu" {
    set gfxpayload=keep
    linux /casper/vmlinuz file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash ---
    initrd /casper/initrd
}
menuentry "Ubuntu (safe graphics)" {
    set gfxpayload=keep
    linux /casper/vmlinuz nomodeset file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash ---
    initrd /casper/initrd
}
menuentry "OEM install (for manufacturers)" {
    set gfxpayload=keep
    linux /casper/vmlinuz file=/cdrom/preseed/ubuntu.seed only-ubiquity oem-config/enable=true quiet splash ---
    initrd /casper/initrd
}
grub_platform
if [ "$grub_platform" = "efi" ]; then
    menuentry 'Boot from next volume' {
        exit 1
    }
    menuentry 'UEFI Firmware Settings' {
        fwsetup
    }
else
    menuentry 'Test memory' {
        linux16 /boot/memtest86+.bin
    }
fi
If we rename bootx64Ubuntu.efi -> bootx64.efi and reboot with Secure Boot on, the Grub menu above shows up, and the first choice complains that it cannot find /casper/vmlinuz. So we'll now add an entry to try to use the Porteus-supplied (unsigned!) vmlinuz and initrd. For example, simplifying after viewtopic.php?p=59969#p59969 and copying the parameters from the APPEND line of the main entry in porteus.cfg:


menuentry 'Porteus' {
  set porteus_parms="changes=/porteus login=root from=LABEL:Porteus5 fsck"
  linux   /boot/syslinux/vmlinuz $porteus_parms
  initrd /boot/syslinux/initrd.xz
}
... to be continued ... Unless someone has done this already and could share all steps :)
Last edited by rych on 01 May 2022, 14:51, edited 6 times in total.
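The conversion step in the post above (copying the APPEND parameters from porteus.cfg into a grub menuentry) done in code, as an added example that is not from the post or from Porteus. The script parses a syslinux-style config, resolves relative paths against /boot/syslinux, and emits equivalent grub menuentries, moving any initrd= token out of the kernel command line into grub's own initrd command. The sample config is constructed for the demonstration; the labels in a real porteus.cfg differ.

```python
"""Translate syslinux-style Porteus boot entries into GRUB menuentries.

Porteus keeps its boot menu in /boot/syslinux/porteus.cfg (syslinux syntax).
A stick that boots through Ubuntu's signed shim + grub needs the same entries
in /boot/grub/grub.cfg.  This converter reads LABEL / MENU LABEL / KERNEL /
INITRD / APPEND stanzas, resolves relative paths against the config directory,
and moves an 'initrd=' token out of the APPEND line into grub's own 'initrd'
command (grub passes the initrd separately, so the token is redundant there).
"""
from dataclasses import dataclass, field


@dataclass
class BootEntry:
    label: str                                   # syslinux LABEL name
    title: str                                   # text shown in the menu
    kernel: str = ""                             # absolute path of the kernel image
    initrd: list = field(default_factory=list)   # absolute initrd paths
    cmdline: str = ""                            # kernel parameters (Porteus cheatcodes)


def _absolute(path, cfg_dir):
    """syslinux resolves relative paths against the config file's directory."""
    return path if path.startswith("/") else f"{cfg_dir.rstrip('/')}/{path}"


def parse_syslinux(text, cfg_dir="/boot/syslinux"):
    """Parse the LABEL stanzas of a syslinux config into BootEntry objects."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "LABEL":
            current = BootEntry(label=value, title=value)
            entries.append(current)
            continue
        if current is None:              # global directives before the first LABEL
            continue
        if key == "MENU" and value.upper().startswith("LABEL"):
            rest = value.split(None, 1)
            if len(rest) > 1:
                # '^' marks the hotkey letter in syslinux menus; grub has no equivalent
                current.title = rest[1].replace("^", "")
        elif key == "KERNEL":
            current.kernel = _absolute(value, cfg_dir)
        elif key == "INITRD":
            current.initrd += [_absolute(p, cfg_dir) for p in value.split(",")]
        elif key == "APPEND":
            kept = []
            for token in value.split():
                if token.startswith("initrd="):
                    current.initrd += [_absolute(p, cfg_dir)
                                       for p in token[len("initrd="):].split(",")]
                else:
                    kept.append(token)
            current.cmdline = " ".join(kept)
    return entries


def to_grub(entry):
    """Render one BootEntry as a grub menuentry block."""
    if not entry.kernel:
        raise ValueError(f"LABEL {entry.label}: no KERNEL line")
    lines = [f"menuentry '{entry.title}' {{",
             f"  linux {entry.kernel} {entry.cmdline}".rstrip()]
    if entry.initrd:
        lines.append("  initrd " + " ".join(entry.initrd))   # grub accepts several initrds
    lines.append("}")
    return "\n".join(lines)


def convert(text, cfg_dir="/boot/syslinux"):
    """Full pipeline: syslinux config text -> list of grub menuentry strings."""
    return [to_grub(e) for e in parse_syslinux(text, cfg_dir)]


# Constructed sample in the style of /boot/syslinux/porteus.cfg; not the real file.
SAMPLE_PORTEUS_CFG = """\
PROMPT 0
DEFAULT GRAPHICAL

LABEL GRAPHICAL
MENU LABEL ^Graphics mode
KERNEL vmlinuz
APPEND initrd=initrd.xz changes=/porteus login=root from=LABEL:Porteus5 fsck

LABEL TEXT
MENU LABEL Text mode
KERNEL /boot/syslinux/vmlinuz
INITRD /boot/syslinux/initrd.xz
APPEND 3 changes=/porteus
"""

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_PORTEUS_CFG)))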

Ed_P
Contributor
Posts: 8341
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

Secure Boot Enabled

Post#5 by Ed_P » 28 Apr 2022, 13:44

rych wrote (28 Apr 2022, 12:19): "-- Burn the Ubuntu ISO to a USB drive (using Rufus)"
This doesn't work for you?
Ed_P wrote (21 Nov 2018, 15:54): "I don't install Ubuntu, I just copy 2 folders from the ISO."

rych
Warlord
Posts: 622
Joined: 04 Jan 2014, 04:27
Distribution: Porteus 5.0 x64 OpenBox
Location: NZ

Secure Boot Enabled

Post#6 by rych » 02 May 2022, 10:50

Adding this option to /boot/grub/grub.cfg:


menuentry 'Porteus' {
  set porteus_parms="changes=/porteus login=root from=LABEL:Porteus5 fsck"
  linux   /boot/syslinux/vmlinuz $porteus_parms
  initrd /boot/syslinux/initrd.xz
}
and trying to boot with it gives the error:
error: bad shim signature.
error: you need to load the kernel first.
This must be because our /boot/syslinux/vmlinuz is indeed not signed.
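A check that goes with the error above, as an added example that is not part of the post or of Porteus: before chainloading a kernel through shim, inspect whether the image carries an Authenticode certificate table at all. An x86 bzImage vmlinuz is a PE image thanks to its EFI stub, which is what shim parses, so the walk is MZ header, PE header, optional header, security data directory, WIN_CERTIFICATE. The two test images are constructed inside the block; against a real file, run the script with the path to /boot/syslinux/vmlinuz as its argument.

```python
"""Check whether a PE/COFF image (an EFI binary or an x86 bzImage vmlinuz,
which carries a PE header for its EFI stub) has an Authenticode certificate
table.  Shim's 'bad shim signature' means it found nothing it could verify;
the first thing to check is whether the image is signed at all.

This reports presence of a signature, not trust: a table signed by an
unknown key still fails unless that key is in db or the MokList.
"""
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _u16(data, off):
    return struct.unpack_from("<H", data, off)[0]


def _u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def signature_status(data):
    """Walk MZ -> PE -> optional header -> data directory #4 -> WIN_CERTIFICATE."""
    info = {"is_pe": False, "format": None, "signed": False,
            "sig_offset": 0, "sig_size": 0, "cert_type": None, "reason": ""}
    if len(data) < 0x40 or data[:2] != b"MZ":
        info["reason"] = "no MZ header"
        return info
    pe = _u32(data, 0x3C)                        # e_lfanew
    if pe + 26 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        info["reason"] = "no PE signature at e_lfanew"
        return info
    info["is_pe"] = True
    opt = pe + 24                                # optional header follows the 20-byte COFF header
    magic = _u16(data, opt)
    if magic == PE32PLUS_MAGIC:
        info["format"], nrva_at, dirs_at = "PE32+", opt + 108, opt + 112
    elif magic == PE32_MAGIC:
        info["format"], nrva_at, dirs_at = "PE32", opt + 92, opt + 96
    else:
        info["reason"] = f"unknown optional header magic 0x{magic:x}"
        return info
    sec_at = dirs_at + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if sec_at + 8 > len(data):
        info["reason"] = "headers truncated"
        return info
    if _u32(data, nrva_at) <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        info["reason"] = "no security data directory"
        return info
    # For the security entry, VirtualAddress is a *file* offset, not an RVA.
    sig_off, sig_size = _u32(data, sec_at), _u32(data, sec_at + 4)
    info.update(sig_offset=sig_off, sig_size=sig_size)
    if sig_size == 0:
        info["reason"] = "certificate table empty: image is unsigned"
        return info
    if sig_off + 8 > len(data) or sig_off + sig_size > len(data):
        info["reason"] = "certificate table points outside the file"
        return info
    length, _revision, cert_type = struct.unpack_from("<IHH", data, sig_off)
    info["cert_type"] = cert_type
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length < 8 or length > sig_size:
        info["reason"] = "malformed WIN_CERTIFICATE"
        return info
    info["signed"] = True
    info["reason"] = "Authenticode signature present (signer not checked)"
    return info


def build_minimal_pe(signed):
    """Constructed test image: a header-only PE32+ with an optional dummy
    certificate table.  Not a real kernel; only the fields read above are set."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # x86-64, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 16, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 8
        table_off = len(dos) + 4 + len(coff) + len(opt)
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         table_off, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            status = signature_status(f.read())
        print(f"{path}: {status['format']} signed={status['signed']} ({status['reason']})")
```

A present table only means shim has something to verify; whether the signer is trusted depends on the firmware db and the MokList. sbverify --list from sbsigntools shows the signer of a real image, and the usual way to make an entry like the one above boot is to sign the kernel yourself with sbsign and enroll your certificate through MokManager.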

nanZor
Shogun
Posts: 381
Joined: 09 Apr 2019, 03:27
Distribution: Porteus 5.01 x86-64 LXQT

Secure Boot Enabled

Post#7 by nanZor » 23 Sep 2022, 09:01

Another possibility if Secure-Boot must be used:

Use the Ventoy ISO multibooter, as it comes by default with support for entering/registering the Secure Boot keys when prompted. Use the latest version (1.79 as of now).

The thing is, you'll most likely want manual access to the Porteus config file. That means creating a "ventoy.json" file to redirect the ISO's config to one you put on the stick.

In my case, I merely copied the original Porteus config file and renamed it to something slightly different.

Rapha_ goes into more detail than I do:

Ventoy, Porteus et Syslinux...

I've used this trick for those times when I absolutely had to run Porteus / Tinycore etc. on a Secure Boot box where access to the config file was paramount (without having to go to the trouble of remastering the ISO every time I made a config change). I slacked it and let Ventoy do the work to get past Secure Boot, and I just change the ventoy.json file.
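An added illustration of the ventoy.json redirection nanZor describes; it is not from the post, from Rapha_'s thread, or from Porteus. Ventoy's conf_replace plugin swaps a file inside the ISO for one on the Ventoy partition at boot time, which is how the syslinux config can be edited without remastering. The ISO filename and the location of the copied config are assumptions for the example: the "iso" value must match the file dropped on the stick, and the "new" file lives on the same partition as /ventoy/ventoy.json.

```json
{
    "conf_replace": [
        {
            "iso": "/Porteus-OPENBOX-v5.0-x86_64.iso",
            "org": "/boot/syslinux/porteus.cfg",
            "new": "/ventoy/porteus.cfg"
        }
    ]
}
```

Only the config file is redirected; the ISO itself stays read-only, so the changes= cheatcode in the copied porteus.cfg still has to point at a writable location outside the ISO (another partition on the stick, or a second stick).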

rych
Warlord
Warlord
Posts: 622
Joined: 04 Jan 2014, 04:27
Distribution: Porteus 5.0 x64 OpenBox
Location: NZ

Secure Boot Enabled

Post#8 by rych » 14 Jun 2023, 10:05

nanZor, sorry, this is new to me. Is Ventoy an alternative loader, like grub? How do I use it?

Ed_P
Contributor
Posts: 8341
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

Secure Boot Enabled

Post#9 by Ed_P » 14 Jun 2023, 15:43

rych wrote (14 Jun 2023, 10:05): "Is Ventoy an alternative loader, like grub?"
From a Google search: "Ventoy is an open source tool to create bootable USB drive for ISO/WIM/IMG/VHD(x)/EFI files."
The advantage being that you can have a USB drive with a small UEFI FAT32 partition and the rest as an exFAT partition with multiple ISO systems. No journaling NTFS or ext drives.

I boot ISOs on my hard drive using grub2 from the Grub2Win app.

nanZor
Shogun
Posts: 381
Joined: 09 Apr 2019, 03:27
Distribution: Porteus 5.01 x86-64 LXQT

Secure Boot Enabled

Post#10 by nanZor » 10 Nov 2023, 04:21

rych wrote (14 Jun 2023, 10:05): "nanZor, sorry, this is new to me. Is Ventoy an alternative loader, like grub? How do I use it?"
It is really designed to put a whole bunch of bootable ISOs on a stick, like Porteus, Debian, Ubuntu, GParted, Clonezilla, etc., because you have a large-capacity stick, and it boots the ISO you choose from a menu. It has a Windows version, a Linux version, and even a stand-alone bootable version. It does not dearchive them; it just boots the ISOs directly.

Basically, say in Windows, you just drag-n-drop the ISOs from your download location onto the newly-created Ventoy stick. Now reboot with the Ventoy stick and point to the ISO you want to boot. Kind of a chain thing.

The problem is that most ISOs are not writable, since it boots them directly and does not dearchive them.

In Porteus' case, you *could* boot via Ventoy, even make a savefile in some other location, but naturally any Porteus config file editing will not be saved. So what to do?

In this case, you would have to interrupt the Porteus boot (usually TAB or E) and manually insert your changes= or from= line into the linux kernel line on every boot, where all the cheatcode testing goes. :)

It is the old-school way guys used to boot custom Debian/Ubuntu "live" sticks, where they had to manually and temporarily insert "persist" into the kernel line on each and every USB boot... So this is a long way around Secure Boot needing a signed key...

nanZor
Shogun
Posts: 381
Joined: 09 Apr 2019, 03:27
Distribution: Porteus 5.01 x86-64 LXQT

Secure Boot Enabled

Post#11 by nanZor » 10 Nov 2023, 14:37

Pretty sure this is a practical solution for getting around, say, Windows 11 Secure Boot; it needs TWO sticks.

1) Create a Ventoy multibooter stick. Drop the Porteus iso onto it, and you'll use this to boot from.
2) Copy the /porteus folder to a secondary stick. Here is where you can edit your cfg files for changes= etc just like normal.

I got the idea from the tutorial about how to boot from CD and use a USB stick for the /porteus folder, back when CD was popular:

http://www.porteus.org/info/tips-and-tricks.html#9

Not tested, but looks promising!

Ed_P
Contributor
Posts: 8341
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

Secure Boot Enabled

Post#12 by Ed_P » 10 Nov 2023, 15:01

An easier way to deal with the Secure Boot situation: [Solved] Security Boot Fail :happy62:

nanZor
Shogun
Posts: 381
Joined: 09 Apr 2019, 03:27
Distribution: Porteus 5.01 x86-64 LXQT

Secure Boot Enabled

Post#13 by nanZor » 10 Nov 2023, 23:51

Interesting! However, Ventoy is much smaller than Ubuntu initially. :)

One neat thing about Ventoy is that if, say, the 64-bit config in /boot/syslinux is what one is using for their changes= etc., that is not user-writable for later changes when booted this way, so there is a small JSON-formatted file you can manually write on the Ventoy stick which Ventoy notices and uses instead. But now we're getting all Ventoy-ish. Still, it might be simpler than an Ubuntu install and erase. I used this to run Tinycore on a locked Secure Boot box, but I digress...

Another idea if using the config in the syslinux directory: remaster a custom ISO with a symlink out of /syslinux to where you can reach it in, say, /porteus (mk_iso.sh) and use THAT newly created ISO in Ventoy.

What a pain, right? Putting the /boot/syslinux config in /porteus so you can get to it if one does it this way would alleviate all that. But then there are TWO config files in that folder, which might confuse some as to which to use...

I'll have to try the two-stick method (Ventoy and a /porteus stick) and perhaps just simply live with hitting TAB and inserting a changes= manually in the linux line at the end of the day.

Ed_P
Contributor
Posts: 8341
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

Secure Boot Enabled

Post#14 by Ed_P » 11 Nov 2023, 00:45

nanZor wrote (10 Nov 2023, 23:51): "However Ventoy is much smaller than Ubuntu initially."
Not smaller than the Ubuntu boot files.
