How to upgrade to UEFI Secure Boot

BorisEnt
White ninja
Posts: 5
Joined: 30 Dec 2012, 00:35
Distribution: Porteus
Location: Australia

How to upgrade to UEFI Secure Boot

Post#1 by BorisEnt » 18 Oct 2013, 01:20

What are the steps to upgrade Porteus 1.2 to run on a Windows 8 laptop?

The elegant Porteus that turned every PC my 320GB USB HD connected to into my domain won’t work with Windows 8 PCs.

The laptops were “upgraded” while I was on an extended furlough.

SysAdmin’s answer: convert to Fedora or Ubuntu.

No!  There has to be a better way.

brokenman
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: How to upgrade to UEFI Secure Boot

Post#2 by brokenman » 18 Oct 2013, 12:13

Sysadmin needs to read up. Are you wanting to boot Porteus from a USB device? If so, please search the forum for UEFI and you will find a thread (with a script) to install to USB. I can do a write-up on how to get secure boot working with Porteus as I have it working here. It will require being able to boot into a working Porteus version first.
How do i become super user?
Wear your underpants on the outside and put on a cape.

Ed_P
Contributor
Posts: 8555
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

Re: How to upgrade to UEFI Secure Boot

Post#3 by Ed_P » 19 Oct 2013, 03:58

brokenman wrote: It will require being able to boot into a working Porteus version first.
Doesn't that have to be a 64-bit version?
brokenman wrote: Then rerun my script. You MUST use 64-bit Porteus.

FLLinuxUser
White ninja
Posts: 13
Joined: 15 Oct 2014, 16:45
Distribution: Fedora
Location: USA

Re: How to upgrade to UEFI Secure Boot

Post#4 by FLLinuxUser » 15 Oct 2014, 18:16

brokenman wrote: I can do a write up on how to get secure boot working with Porteus as I have it working here. It will require being able to boot into a working Porteus version first.
I would like to see this write-up about getting Porteus working on a UEFI system with secure boot on.

Thanks
If at first you don't successed lower you standards and try again

brokenman
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: How to upgrade to UEFI Secure Boot

Post#5 by brokenman » 15 Oct 2014, 18:35

No problem. Will do so after the next rc1 release. It will involve some third party applications that can digitally sign the binaries that will be loaded. The downside is that you must resign the binaries every time you upgrade Porteus.
How do i become super user?
Wear your underpants on the outside and put on a cape.

FLLinuxUser
White ninja
Posts: 13
Joined: 15 Oct 2014, 16:45
Distribution: Fedora
Location: USA

Re: How to upgrade to UEFI Secure Boot

Post#6 by FLLinuxUser » 03 Nov 2014, 16:03

@brokenman Is there a possibility to get the secure boot write-up a little early? I would like to start testing it out.

Thanks,
If at first you don't successed lower you standards and try again

FLLinuxUser
White ninja
Posts: 13
Joined: 15 Oct 2014, 16:45
Distribution: Fedora
Location: USA

Re: How to upgrade to UEFI Secure Boot

Post#7 by FLLinuxUser » 05 Nov 2014, 15:50

Well, I have figured out how to get this to work. I now know way more about UEFI and secure boot than I need to :shock: . Also I have a new item to add to the list of things that I don't like about Microsoft. :wall:

I now have a Porteus USB boot stick that boots my Windows 8 laptop with no change to the UEFI firmware on the laptop. :Yahoo!:

Thanks for the great foundation of Porteus to start from; it made this a lot easier than it could have been.
If at first you don't successed lower you standards and try again

Ed_P
Contributor
Posts: 8555
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

Re: How to upgrade to UEFI Secure Boot

Post#8 by Ed_P » 05 Nov 2014, 17:48

FLLinuxUser wrote: Well, I have figured out how to get this to work.
And are you going to share how you got it to work? :unknown: :)

FLLinuxUser
White ninja
Posts: 13
Joined: 15 Oct 2014, 16:45
Distribution: Fedora
Location: USA

Re: How to upgrade to UEFI Secure Boot

Post#9 by FLLinuxUser » 05 Nov 2014, 20:41

Sure, this is how I solved it (a more detailed version of this can be found at http://www.rodsbooks.com/refind/secureboot.html#shim, just don't run the efibootmgr step).

You will need the following:
1. Porteus-3.1 (I used the LXQt ISO just because)
2. rEFInd boot loader binary zip file from http://www.rodsbooks.com/refind/getting.html (make sure to download the binary zip file; you only need a file from it)
3. the shim boot loader (http://www.codon.org.uk/~mjg59/shim-signed/ ; I downloaded the file shim-signed-0.2.tgz)
4. openssl
5. sbsign (this is a tool that I found easiest to use on my Ubuntu desktop since you can get it from the package manager)
6. A computer or VM that can boot UEFI
7. A USB stick (I am using one that is 2GB in size)
8. gdisk util (so you can make a GPT partition on the USB drive)

First you will need to use gdisk to create a GPT partition table on the USB stick.
Then create a partition that spans the whole USB stick.
Format this partition to FAT32.

Copy the contents of the porteus ISO to the USB stick
Rename the file /EFI/BOOT/bootx64.efi to /EFI/BOOT/grubx86.efi
Copy the file shim.efi and mokmanager.efi from the shim tgz file to the /EFI/BOOT folder on the USB stick
Rename the shim.efi file to bootx64.efi
Copy the file refind.cer from the refind zip file to the /EFI/BOOT folder on the USB stick

Create a key to sign the Linux kernel.
The following two lines will create the key we are going to use to sign the kernel:
openssl req -new -x509 -newkey rsa:2048 -keyout refind_local.key -out refind_local.crt -nodes -days 3650 -subj "/CN=Porteus/"
openssl x509 -in refind_local.crt -out refind_local.cer -outform DER

Now sign the kernel:
sbsign --key refind_local.key --cert refind_local.crt --output vmlinuz-signed vmlinuz

Now copy the file refind_local.cer to the /EFI/BOOT folder on the USB stick, and copy the file vmlinuz-signed to the /boot/syslinux folder on the USB stick.
Make sure to go into the refind.conf file and point the boot option to the vmlinuz-signed kernel.

Boot your UEFI system with the USB stick and you should see a boot screen that has the option "Enroll key from disk"; select this.
Navigate to the /EFI/BOOT folder on the USB stick that you booted the computer with.
First select the refind.cer file and answer 0 and yes to register the file with shim.
Then select the refind_local.cer file and answer 0 and yes to register the file with shim.

Now you should be able to reboot the machine and shim will kick off the rEFInd boot loader, which you should then be able to use to kick off the Linux boot.

Seems to be working for me.

This seems to not require me to register the key I signed the Linux kernel with in the UEFI firmware on the computer, which is what I wanted since I didn't want to have to register it on all the computers I support.

Hope this helps; if this doesn't make sense, let me know.
If at first you don't successed lower you standards and try again
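An added check (example code, not from the thread or from the Porteus or rEFInd projects): sbsign appends a WIN_CERTIFICATE blob to the kernel image and records its offset and size in the PE "security" data directory, so a small header parser can confirm that vmlinuz-signed actually carries a signature before it is copied to /boot/syslinux. The _fake_pe helper builds a constructed minimal PE32+ header for the demo only; on a real stick call is_signed_file("vmlinuz-signed"). This only proves a signature blob is present; whether shim accepts it still depends on the enrolled refind_local.cer.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode)


def security_directory(data: bytes):
    """Return (file_offset, size) of the Authenticode blob, or None if the image is unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24                                      # 4-byte sig + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32PLUS_MAGIC:                                # x86_64 kernels (bzImage) are PE32+
        nrva_off, dirs_off = opt_off + 108, opt_off + 112
    elif magic == PE32_MAGIC:
        nrva_off, dirs_off = opt_off + 92, opt_off + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    if n_dirs <= SECURITY_DIR_INDEX:
        return None
    # Unlike other directories, the security entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
    return (off, size) if size else None


def is_signed(data: bytes) -> bool:
    return security_directory(data) is not None


def is_signed_file(path: str) -> bool:
    with open(path, "rb") as f:
        return is_signed(f.read())


def _fake_pe(security_size: int = 0) -> bytes:
    """Constructed minimal PE32+ image (no sections) for the demo; not a real kernel."""
    pe_off = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    # COFF: Machine=x86_64, 0 sections, SizeOfOptionalHeader=240, Characteristics
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    blob_off = len(hdr) + 240 if security_size else 0         # blob appended after the headers
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, blob_off, security_size)
    return bytes(hdr + opt + b"\0" * security_size)
```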

brokenman
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: How to upgrade to UEFI Secure Boot

Post#10 by brokenman » 05 Nov 2014, 23:04

Congrats. These are the exact steps I took. Keep in mind if you update the kernel you will need to resign it. You may also need to sign other kernel binaries such as GPU drivers but I haven't confirmed this since I can't use them.
How do i become super user?
Wear your underpants on the outside and put on a cape.

FLLinuxUser
White ninja
Posts: 13
Joined: 15 Oct 2014, 16:45
Distribution: Fedora
Location: USA

Re: How to upgrade to UEFI Secure Boot

Post#11 by FLLinuxUser » 13 Nov 2014, 19:51

A quick note: if you want the USB stick to be viewable by Windows, Mac, and Linux you need to set your partition type to Microsoft Basic Data (0700). This way you can still use the USB stick in any computer when you are not booting from it. Also, this makes the above steps work to boot a Mac computer as well.
If at first you don't successed lower you standards and try again
