[Solved] Security Boot Fail

Post#16 by **Jack** » 11 Sep 2018, 17:14

Ed_P wrote: ↑
11 Sep 2018, 17:01

Jack wrote: ↑
11 Sep 2018, 16:47
You use 1 partition and I use 2 partition because I am using a 32gb USB and partition is the FAT 32 Boot and partition 2 is the rest and it is EXT 4 the working partition. I been using this for years but now the Acer can use the EFI and that what I want to do. I don't use save.dat file.
That's fine Jack, you can use 2 partitions with EFI. And the install of Porteus 4.0 on a USB drive will boot on a EFI system if the Secure Boot option is disabled. What you have on your 1st partition is not a normal install of Porteus.

I had it work once before but I don't know why it won't work now.

Post#17 by **jssouza** » 11 Sep 2018, 18:04

Ed_P wrote: ↑
11 Sep 2018, 17:09
So basically you don't boot to Ubuntu you boot to grub. Interesting.

Isn't it? I thought this might be easier, because one does not need to go into the bios, and turn off secure boot. One step lesser, hence easier.

Post#18 by **Jack** » 11 Sep 2018, 18:20

Well I found my other USB and that one works. I am not worry about Security Boot because my other Computer's dose not have Security Boot and I had no problem with them.

Post#19 by **Ed_P** » 11 Sep 2018, 18:27

jssouza wrote: ↑
11 Sep 2018, 18:04
One step lesser, hence easier.

Download Ubuntu
Install Ubuntu to flash drive
Delete all Ubuntu files from flash drive except for ....

Definitely quicker to turn Secure Boot off.

Post#20 by **jssouza** » 11 Sep 2018, 19:21

Ed_P, I have this computer that has a a feature called secure boot, that I have enabled. And oh it runs Porteus with this feauture enabled.

Do you have a secure boot enabled computer Ed_P? Oh, and does it run Porteus?

Post#21 by **Ed_P** » 11 Sep 2018, 23:51

jssouza wrote: ↑
11 Sep 2018, 19:21
Do you have a secure boot enabled computer Ed_P? Oh, and does it run Porteus?

I have an EFI computer and when Secure Boot is enabled and I attempt to boot the USB drive the machine runs a RAM test then tells me it can't find a system to boot. I can only boot the Porteus 4.0 USB drive with Secure Boot disabled. The USB drive has Porteus 4.0 Cinnamon installed on it, the current version.

Code: Select all

Boot device: /dev/sdb1
Device format: "vfat" 
Boot DE:  jssouza-180702.xzm
 Changes will not be saved.
 To save changes create a save.dat file using Porteus Savefile Manager.
Cmdline:  quiet BOOT_IMAGE=/boot/syslinux/vmlinuz volume=23 extramod=UUID:8486-DDC5/Modules;UUID:8486-DDC5/Modsavedat noload=save.dat;cinnamon initrd=/boot/syslinux/initrd.xz

-update-

The Terminal Method described here sounds like it might be a better approach to adding the Ubuntu grub2 boot function to the USB drive: https://www.howtogeek.com/114884/how-to ... wont-boot/

This link shows a good approach also. https://www.pendrivelinux.com/install-g ... ntu-linux/

Post#22 by **jssouza** » 12 Sep 2018, 04:57

It also takes away with the whole portability idea. I mean, we say install porteus on a USB drive that you carry in your pocket, which you can boot your customized OS on any computer. That's not really true is it. You can boot it only from your computers where you have disabled secure boot. But outside (friend's place or at the workplace) it wont boot if secure boot is on. You cannot disable secure boot here.

Post#23 by **Ed_P** » 12 Sep 2018, 15:25

jssouza wrote: ↑
12 Sep 2018, 04:57
You can boot it only from your computers where you have disabled secure boot. But outside (friend's place or at the workplace) it wont boot if secure boot is on. You cannot disable secure boot here.

Good point jssouza.

So Porteus would need to develop a signed grub2 system, and I suspect there is $$ involved in the signing, or develop a script to download Ubuntu and have it install Ubuntu's grub2 system then add Porteus' boot menu to it.

-update-

An interesting Secure Boot read: https://www.rodsbooks.com/efi-bootloade ... eboot.html

Post#24 by **Ed_P** » 08 Oct 2018, 05:19

Ok jssouza I am running Porteus 4.0 from a USB flash drive on a Windows 10 EFI machine with Secure Boot enabled.

Before I forget what I did to get here:

1. I used my USB flash drive with Porteus 4.0 Cinnamon installed onto it.
2. I downloaded a Ubuntu Live system ISO. ubuntu-18.04.1-desktop-amd64.iso
(my first time using Ubuntu. An impressive system. And 2GB!).
3. I renamed the flash drive's /EFI/boot/ folder to /EFI/Porteusboot/
4. I copied the Ubuntu Live system's /EFI/BOOT/ folder to the flash drive's /EFI/ folder.
5. I copied the Ubuntu Live system's /boot/grub/ folder to the flash drive's /boot/ folder.
6. I renamed the flash drive's /boot/grub/grub.cfg file grubUbuntu.cfg.
7. I added this grub.cfg file to the flash drive's /boot/grub/ folder:

Code: Select all

set timeout=60
set default=0
set gfxmode=1024x768,auto
 
menuentry " Porteus 4.0 USB - AF'" {
     
     set porteus_parms="volume=33 reboot=cold extramod=/Modules;/Modsavedat noload=save.dat;cinnamon"

     set bootdrv=$root
     search -f /boot/syslinux/vmlinuz --set=root
     if [ $root == $bootdrv ]; then
        linux  /boot/syslinux/vmlinuz $porteus_parms
        initrd /boot/syslinux/initrd.xz
     else
        echo "----------------------------------------"
        echo USB drive NOT found.
        echo
        sleep -v -i 10
     fi
     set root=$bootdrv
     }

menuentry " Porteus 4.0 USB - EFI" {

     set efibootmgr=/EFI/Porteusboot/bootx64.efi

     set bootdrv=$root
     search -f $efibootmgr --set=root
     if [ $root == $bootdrv ]; then
        chainloader $efibootmgr
     else
        echo "----------------------------------------"
        echo USB drive NOT found.
        echo
        sleep -v -i 10
     fi
     set root=$bootdrv 
     }

The 1st menuitem works. The 2nd doesn't and I am still playing with it. But my Porteus 4.0 flash drive is running on a Secure Boot EFI machine.

Code: Select all

Boot device: /dev/sdb1
Device format: "vfat" 
Boot DE:  jssouza-180702.xzm
 Changes will not be saved.
 To save changes create a save.dat file using Porteus Savefile Manager.
Cmdline:  quiet BOOT_IMAGE=/boot/syslinux/vmlinuz volume=33 reboot=cold extramod=/Modules;/Modsavedat noload=save.dat;cinnamon

Post#25 by **jssouza** » 08 Oct 2018, 05:51

Happy for you Ed_P

Ed_P wrote: ↑
08 Oct 2018, 05:19
The 1st menuitem works. The 2nd doesn't and I am still playing with it.

Probably because that is the EFI loader that is not signed, hence with secure boot on, you cannot boot with it.

Oh, BTW, this flash drive, should work on *any* machine, making it truely portable

Post#26 by **Ed_P** » 08 Oct 2018, 18:33

My final Ubuntu grub2 grub.cfg file.

Code: Select all


if loadfont /boot/grub/font.pf2 ; then
#	set gfxmode=auto
	set gfxmode=800x600,auto
	insmod efi_gop
	insmod efi_uga
	insmod gfxterm
	terminal_output gfxterm
fi

set menu_color_normal=white/black
set menu_color_highlight=black/light-gray

set timeout=60
set gfxpayload=1024x768
 
menuentry " 1. Porteus 4.0 - UEFI Secure Boot" {
     
     set porteus_parms="volume=33 reboot=cold extramod=/Modules;/Modsavedat noload=save.dat;cinnamon"

     set bootdrv=$root
     search -f /boot/syslinux/vmlinuz 
     if [ $? == 0 ]; then
        linux  /boot/syslinux/vmlinuz $porteus_parms
        initrd /boot/syslinux/initrd.xz
     else
        echo "----------------------------------------"
        echo Porteus drive NOT found.
        echo
        sleep -v -i 10
     fi
     set root=$bootdrv
     }

menuentry " 2. Porteus 4.0 menu - UEFI system" {

     set efibootmgr=/EFI/Porteusboot/bootx64.efi

     set bootdrv=$root
     search -f $efibootmgr 
     if [ $? == 0 ]; then
        chainloader $efibootmgr 
     else
        echo "----------------------------------------"
        echo Porteus drive NOT found.
        echo
        sleep -v -i 10
     fi
     set root=$bootdrv 
     }

menuentry " 3. Porteus 4.0 menu - BIOS system" {

     set bootmgr=/boot/syslinux/chain.c32

     set bootdrv=$root
     search -f $bootmgr 
     if [ $? == 0 ]; then
        chainloader +1
     else
        echo "----------------------------------------"
        echo Porteus drive NOT found.
        echo
        sleep -v -i 10
     fi 
     set root=$bootdrv
     }

menuentry " " { echo }

menuentry " 4. Reboot" {
     reboot
     }

Post#27 by **brokenman** » 09 Oct 2018, 13:13

Ed_P wrote: ↑
08 Oct 2018, 05:19
But my Porteus 4.0 flash drive is running on a Secure Boot EFI machine.

How secure is that really? The idea with secure boot is to NOT have any unsigned binary load. If the vmlinuz of Porteus was not signed then it really shouldn't load. I was running Porteus with secure boot for ages but I got sick of having to sign the files each time I upgrade, which is very often.

Post#28 by **Ed_P** » 09 Oct 2018, 14:12

You're missing the point brokenman.

jssouza wrote: ↑
12 Sep 2018, 04:57
But outside (friend's place or at the workplace) it wont boot if secure boot is on. You cannot disable secure boot here.

And this Ubuntu grub2 approach is easier than signing all the files.

-update-

And to make this even easier...

UGrub2.sh

Code: Select all

#!/bin/bash

# Add Ubuntu grub2 Secure Boot support to Porteus USB system.

UbuntuISO=/mnt/sda6/ISOs/ubuntu-18.04.1-desktop-amd64.iso    # Change to fit your system
USBdrv=/mnt/sdb1                                             # Change to fit your system

if [ `whoami` != "root" ]; then
   echo -e "Enter root's password"
   su -c "sh $0 $1";    exit
fi

if [ ! -f $USBdrv/USB_INSTALLATION.txt ]; then
   echo "Porteus USB drive not found."
   read
   exit
fi

if [ ! -f $UbuntuISO ]; then
   echo "Ubuntu ISO not found."
   read
   exit
fi

mloop $UbuntuISO 
#read

echo "Copying the Ubantu boot files to the $USBdrv drive"
mv $USBdrv/EFI/boot              $USBdrv/EFI/Porteusboot           # Backup Porteus EFI
mkdir                            $USBdrv/EFI/BOOT
mkdir                            $USBdrv/boot/grub
cp -ar --no-preserve=ownership   /mnt/loop/EFI/BOOT/*      $USBdrv/EFI/BOOT/
cp -ar --no-preserve=ownership   /mnt/loop/boot/grub/*     $USBdrv/boot/grub/
mv $USBdrv/boot/grub/grub.cfg    $USBdrv/boot/grub/Ubuntugrub.cfg  # Backup Ubuntu grub.cfg

echo " "
echo "Now add the posted grub.cfg file to the $USBdrv/boot/grub/ folder."
echo "Customize the new grub.cfg's porteus_parms in the Secure Boot menu."
echo " "
read
ls  $USBdrv/EFI/BOOT
ls  $USBdrv/boot
ls  $USBdrv/boot/grub
echo " "
cat $USBdrv/boot/grub/grub.cfg
uloop 
read

You must modify the USBdrv and UbuntuISO parms to fit your situation.

For Ubuntu ISO: https://duckduckgo.com/?q=ubuntu-18.04. ... fcm&ia=web

Update

My current grub.cfg file found here: [Solved] Security Boot Fail

Post#29 by **Ed_P** » 13 Nov 2018, 04:23

ERROR!! When I try booting the Porteus USB drive with the Ubuntu Grub2 on it in a x86_64 non-UEFI machine it fails to boot.

Initially it failed because it couldn't find a .mod file in the i386-pc folder! Since the machine is x86_64 that was a little strange. But my Grub2Win system has a i386-pc folder so I copied it to the USB drive. Now when the Porteus USB drive boots on the non-UEFI machine, and on a x486 machine, it boots to a GNU GRUB version 2.02 terminal screen stating Minimal BASH-line editing is supported and a grub> prompt. Why it's not finding the grub.cfg it finds when booting on my UEFI machine I have NO IDEA.

Post#30 by **BlueTower** » 21 Nov 2018, 10:45

I can confirm that Porteus 4.0 can work with Secure Boot. It takes some time to set up but it is worth it.

My HW: HP EliteBook 840 G5 with password protected Boot menu in BIOS (so I cannot turn off Secure Boot)

Steps:
1) I downloaded ubuntu-18.04.1-live-server-amd64.iso from ubuntu.
2) I installed ubuntu-18.04.1-live-server-amd64.iso on a USB stick using rufus (as recommended at ubuntu). Be aware that this wipes the USB stick.
3) I restarted the laptop and booted from USB stick. After pressing F9 for many many times and really long time, GRUB window showed up. I did not go farrer then this as GRUB window showing up indicates that any Secure Boot checks were passed.
4) I removed everything from the USB stick EXCEPT:

Code: Select all

	\boot
	\EFI
	\isolinux
	\ldlinux.sys
	\syslinux.cfg

5) I downloaded Porteus-KDE-v4.0-x86_64.iso
6) I extracted vmlinux and initrd.xz from Porteus-KDE-v4.0-x86_64.iso and renamed them to Porteus-KDE-v4.0-x86_64-vmlinuz and Porteus-KDE-v4.0-x86_64-initrd.xz
7) I created \porteus in the USB stick and copied Porteus-KDE-v4.0-x86_64-vmlinuz, Porteus-KDE-v4.0-x86_64-initrd.xz, and Porteus-KDE-v4.0-x86_64.iso into \porteus
8) I updated \boot\grub\grub.cfg on the USB stick to:
----------

Code: Select all

if loadfont /boot/grub/font.pf2 ; then
	set gfxmode=auto
	insmod efi_gop
	insmod efi_uga
	insmod gfxterm
	terminal_output gfxterm
fi

set menu_color_normal=white/black
set menu_color_highlight=black/light-gray

set timeout=5
menuentry "Porteus-KDE-v4.0-x86_64" {
	set gfxpayload=keep
	linux	/porteus/Porteus-KDE-v4.0-x86_64-vmlinuz   copy2ram from=/porteus/Porteus-KDE-v4.0-x86_64.iso noauto nomount  ---
	initrd	/porteus/Porteus-KDE-v4.0-x86_64-initrd.xz
}

----------
9) I updated \syslinux.cfg on the USB stick to:
----------

Code: Select all

PROMPT 0
TIMEOUT 90
DEFAULT /isolinux/vesamenu.c32

LABEL Porteus-KDE-v4.0-x86_64-vmlinuz
MENU LABEL Porteus-KDE-v4.0-x86_64-vmlinuz
KERNEL /porteus/Porteus-KDE-v4.0-x86_64-vmlinuz
APPEND initrd=/porteus/Porteus-KDE-v4.0-x86_64-initrd.xz copy2ram from=/porteus/Porteus-KDE-v4.0-x86_64.iso noauto nomount

----------
10) I restarted the laptop and booted from USB stick. After pressing F9 for many many times and really long time, GRUB window showed up showing "Porteus-KDE-v4.0-x86_64-vmlinuz" which boots correctly.

Note that I use completely clean Porteus 4.0 after each boot and no changes are saved. If you need something else, you need to update \syslinux.cfg and \boot\grub\grub.cfg on the USB stick accordingly.