How to boot EasyOS from USB stick with secure boot turned on?

Moderator: BarryK

superchook
Posts: 51
Joined: Mon Dec 23, 2019 9:57 pm
Location: Sydney, Australia
Has thanked: 15 times
Been thanked: 3 times

How to boot EasyOS from USB stick with secure boot turned on?

Post by superchook »

I have a USB stick with EasyOS 4.5.5 installed on it by "dding" the easy-4.5.5-amd64.img to it and it works well.
Is there an easy way to add some certificate and script etc. so that it could be used to boot a computer with secure boot turned on?

BarryK
Posts: 2705
Joined: Tue Dec 24, 2019 1:04 pm
Has thanked: 132 times
Been thanked: 739 times

Re: A boot loader question

Post by BarryK »

I have always turned off secure boot, and have no knowledge of what is required to get a Linux to boot if it is turned on.

But others on this forum and the old-forum have experience with getting Puppy or a derivative to boot with secure boot enabled. Maybe one of the Fatdog guys?

rcrsn51
Posts: 1390
Joined: Sun Aug 23, 2020 4:26 pm
Been thanked: 357 times

Re: A boot loader question

Post by rcrsn51 »

superchook wrote: Sat Feb 04, 2023 12:27 am

I have a USB stick with EasyOS 4.5.5 installed on it by "dding" the easy-4.5.5-amd64.img to it and it works well.
Is there an easy way to add some certificate and script etc. so that it could be used to boot a computer with secure boot turned on?

Using tools from the Bullseye Starter Kit, I made a UEFI+SecureBoot+GRUB2 multiboot USB drive that runs EasyOS with persistence.

superchook
Posts: 51
Joined: Mon Dec 23, 2019 9:57 pm
Location: Sydney, Australia
Has thanked: 15 times
Been thanked: 3 times

Re: How to boot EasyOS from USB stick with secure boot turned on?

Post by superchook »

Many thanks rcrsn51. It looks like I have a bit of reading to do but could achieve my objective using grub2. I had hoped that someone might have known how to enroll a MOK in Limine :-(
I will post again when I have something to report but I am going away for a couple of weeks so it might be a while.

rcrsn51
Posts: 1390
Joined: Sun Aug 23, 2020 4:26 pm
Been thanked: 357 times

Re: How to boot EasyOS from USB stick with secure boot turned on?

Post by rcrsn51 »

superchook wrote: Sun Feb 05, 2023 7:07 am

I had hoped that someone might have known how to enroll a MOK in Limine

I looked at this during my Limine period and it's possible. But it was easier to use standard UEFI-GRUB2 methods.

Caramel
Posts: 476
Joined: Sun Oct 02, 2022 6:25 pm
Location: France
Has thanked: 100 times
Been thanked: 78 times

Test of usage of ventoy for secure boot

Post by Caramel »

I tested with ventoy (https://www.ventoy.net/en/index.html)

On my PC there are two modes for secure boot: standard and custom. I selected custom, which allows the addition of keys.

On the page https://www.ventoy.net/en/doc_secure.html, the first animation shows how to "enroll the key of ventoy" (enroll the key = add the key to the PC).
The key used by ventoy is named "ENROLL_THIS_KEY_IN_MOKMANAGER.cer"

It works for me; ventoy has been accepted by secure boot.

Then I tested EasyOS with ventoy. That seems OK, but ventoy doesn't expand the file easy-4.5.5-amd64.img. It reads and writes directly in the disk image (i.e. easy-4.5.5-amd64.img).
So the free space for saving the session is very limited.

@superchook,
if you just need EasyOS "always in ram", you can try whether ventoy works with secure boot for you.

Otherwise, if you want to add more than a few MB when saving the session, we need a bigger easy-4.5.5-amd64.img (BarryK knows how to do it).

Caramel
Posts: 476
Joined: Sun Oct 02, 2022 6:25 pm
Location: France
Has thanked: 100 times
Been thanked: 78 times

Re: How to boot EasyOS from USB stick with secure boot turned on?

Post by Caramel »

Caramel wrote: Mon Feb 13, 2023 4:52 pm

I tested with ventoy (https://www.ventoy.net/en/index.html)

On my PC there are two modes for secure boot: standard and custom. I selected custom, which allows the addition of keys.

On the page https://www.ventoy.net/en/doc_secure.html, the first animation shows how to "enroll the key of ventoy" (enroll the key = add the key to the PC).
The key used by ventoy is named "ENROLL_THIS_KEY_IN_MOKMANAGER.cer"

It works for me; ventoy has been accepted by secure boot.

Then I tested EasyOS with ventoy. That seems OK, but ventoy doesn't expand the file easy-4.5.5-amd64.img. It reads and writes directly in the disk image (i.e. easy-4.5.5-amd64.img).
So the free space for saving the session is very limited.

@superchook,
if you just need EasyOS "always in ram", you can try whether ventoy works with secure boot for you.

Otherwise, if you want to add more than a few MB when saving the session, we need a bigger easy-4.5.5-amd64.img (BarryK knows how to do it).

English version via Google translate:

Method to launch EasyOS 4.5.5 on USB key with Secure Boot enabled (For some machines)
The compatibility of this method with secure boot depends on that of the ventoy software

1 - Install ventoy on the key (where EasyOS will then be installed)
If it has not already been done, test the boot of the key on the PC you want to use (with secure boot activated)
With luck and after enrolling the "ENROLL_THIS_KEY_IN_MOKMANAGER.cer" key (see https://www.ventoy.net/en/doc_secure.html), grub should appear on the screen.
NB: The key in the last sentence is not the USB key but the .cer file.

If it didn't work, there's no point in continuing.

The installation created an MBR partition table with 2 primary partitions. (See https://www.ventoy.net/en/doc_disk_layout.html)

2 - Reformat the first partition in ext4.
Note the uuid of this partition (With the command blkid /dev/sdb1 if the key is /dev/sdb)

When creating a "normal" EasyOS key, there are also 2 partitions.
The first in vfat contains an EFI folder, the files limine.cfg and limine.sys
The second in ext4 contains an easyos folder

3 - Obtain these folders and files and copy them to the first partition of the ventoy key.

NB: In EasyOS it is possible to recover them easily from the easy-4.5.5-fr-amd64.img file.
By clicking on this file, the 2 partitions open in 2 Rox-Filer windows and all you have to do is copy the contents.
Do not close the windows but click again on easy-4.5.5-fr-amd64.img to unmount the disk image.

4 - Edit the limine.cfg file (on the first partition) as follows:
Change ://2/easyos/ to ://1/easyos/
Replace fe62c844-9085-11ed-bf10-287fcfeb4376 with the uuid of the partition.

5 - Delete BOOTIA32.EFI from the /EFI/BOOT folder which would create a useless choice when launching the key.

The key is ready!
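
Steps 4 and 5 of the procedure above as a shell function that validates the new UUID, keeps a backup of limine.cfg and fails if a stale reference survives. This is an added example, not part of Caramel's post and not code from EasyOS or ventoy; the function names are hypothetical, and the sample limine.cfg entry (including the `wkg_uuid=` line) and the `BOOTX64.EFI` file are constructed.

```shell
#!/bin/sh
# Added example: steps 4 and 5 applied to the mounted first partition.
OLD_UUID="fe62c844-9085-11ed-bf10-287fcfeb4376"   # UUID quoted in the post

# retarget_limine DIR NEW_UUID   (hypothetical helper)
# DIR is the mount point of the first partition; NEW_UUID is the value
# blkid reported for it after the ext4 reformat (step 2).
retarget_limine() {
    dir=$1 new_uuid=$2 cfg=$1/limine.cfg
    [ -f "$cfg" ] || { echo "no limine.cfg in $dir" >&2; return 1; }
    # Reject anything that is not a canonical lowercase UUID, so a
    # mistyped value never reaches the boot configuration.
    printf '%s\n' "$new_uuid" | grep -Eq \
        '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$' || {
        echo "not a UUID: $new_uuid" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak"                       # keep the original
    sed -e 's|://2/easyos/|://1/easyos/|g' \
        -e "s|$OLD_UUID|$new_uuid|g" "$cfg.bak" > "$cfg"
    # Fail if any reference to partition 2 or the old UUID survived.
    if grep -Eq "://2/easyos/|$OLD_UUID" "$cfg"; then
        echo "stale reference left in $cfg" >&2; return 1
    fi
    rm -f "$dir/EFI/BOOT/BOOTIA32.EFI"            # step 5
}

# Constructed sample tree standing in for the mounted partition; the
# entry below is illustrative, not EasyOS's actual limine.cfg.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/EFI/BOOT" &&
    : > "$d/EFI/BOOT/BOOTIA32.EFI" && : > "$d/EFI/BOOT/BOOTX64.EFI" &&
    cat > "$d/limine.cfg" <<EOF
:EasyOS (constructed entry)
KERNEL_PATH=boot://2/easyos/vmlinuz
MODULE_PATH=boot://2/easyos/initrd
KERNEL_CMDLINE=rw wkg_uuid=$OLD_UUID wkg_dir=easyos/
EOF
    echo "$d"
}
```

On a real stick the call would look like `retarget_limine /mnt/sdb1 "$(blkid -s UUID -o value /dev/sdb1)"`, assuming the first partition is mounted at /mnt/sdb1.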
