Secure boot and problems!! UEFI troubles!!

[anilraj]

Barry and team, thank you for your work. I saw the new release and wanted to give it a try.
-I downloaded and put it on to a usb drive. Works fine on a laptop, where secure boot is enabled and legacy usb mode is also enabled.
-Does not work on another laptop (Office laptop) where secure boot is enabled, usb boot is enabled. This is Dell latitude 5420. (It does not have legacy usb mode as I see)
-When I try to boot boot using usb disk as follows. (Again cant boot through usb using selecting boot device by doing F12 as BIOS has admin pass!! Bloody office laptop!! Too many restrctions!)
-Boot into Windows 11
-Under setting, system, recovery, advanced startup (it restarts)
- I get an option to boot using usb disk. Usb disk is listed.
- I try booting usb and get following error.

Operating system loader has no signature. Incompatible with secure boot. All bootable devices failed secure boto verification"

I get only one option after this - shutdown.

After reading a lot of posts, this is what I understand. Correct me.
1. Secure boot tries to validate limine boot loader and see that it has no signature.
2. I see log files in /EFI/Boot directory and it points to loading stopped."
3. Limine can be combined with shim to address this. How to do it, cant get this information.
4. Any other boot loader that I can use which has signature and can be verified by secure boot? (Boot loader that can be used with easy os.)
5. Seems, shim can be used-how, not getting much information on it.
6. Some limine posts talk about using shim. IT was as follows. But no details/steps how to get this done.

Limine provides a way to modify its own EFI executable to bake in the BLAKE2B checksum of the config file itself. The EFI executable gets then enrolled or otherwise verified by the Secure Boot loader through, eg., the shim project. This prevents modifications being done to the config file (and in turn the checksums contained there) from going unnoticed.

Limine can be booted with secure boot using shim. This will also allow one to enroll the BLAKE2B hash of the Limine config file into the Limine EFI executable image itself for verification purposes. For more information see the limine enroll-config program and the philosophy.

Any help will be appreciated. Stuck with this thing for over 3 days now.

Thank you all.

[Federico]

As far as I know, secure boot is a feature through which hardware manufacturers explicitely try to prohibit the use of other operating systems on their hardware.
I also have it on my laptop (Asus) but I managed to disable it.
Interesting is your first laptop: why did Easy even boot on that if secure boot was still enabled?

Anyway, if a password is required to disable it, you should find it somewhere, probably on the laptop's users manual, or you can try searching the web for that. If I remember well, on some models secure boot must be disabled from within the manufacturer's app (for example Asus --> My Asus).

My advice is to stay calm and focus on finding this password and disabling it.

[Federico]

https://www.dell.com/support/kbdoc/de-d ... -boot-faqs

there should be no password. If you are asked for a password that probably means that the laptop does not belong to you and that the BIOS has been deliberately password protected by the owner. In that case, there is nothing you can do other than asking the owner for this password.

[BarryK]

I made some notes how to turn off secure boot here:

"Prepare your computer for booting Linux"
https://easyos.org/install/prepare-your ... linux.html

[BologneChe]

https://www.dell.com/support/kbdoc/de-d ... -boot-faqs

there should be no password. If you are asked for a password that probably means that the laptop does not belong to you and that the BIOS has been deliberately password protected by the owner. In that case, there is nothing you can do other than asking the owner for this password.

If it's a laptop provided by the employer, I would be surprised if the password to unlock the Secure Boot or BIOS is provided. Security Question.

[n00b]

Have you tried this
https://forum.puppylinux.com/viewtopic. ... 625#p81625

[anilraj]

Hello friends. Thank your responses.

My intention is not to get this workign anyhow on this office provided laptop, but to understand why it does not work, while it works on another laptop with secure boot enabled.
(And I offcourse dont have bios password to chnage anything on office laptop)

n00b, I have reviewed that link before posting this query. Seems, that will work. I am yet to try it.
Ventoy certainly seems to be an option. Will fo through it one more time and see it works or not.

After reading through a lot of posts, I am kind of convinced that, this is only a matter of making os loader (lime) trutable by MS!
Certainly, there seems to be two options-shim and preloader to make loader trustable (signature can eb verified) to make this work.
There are not many documents with detailed steps though on this topic.

Will keep folks posted. Thank you,

[anilraj]

Hello team. Made some progress.
Ventoy has solution. Put ventoy on a disk and copy image file to disk. There are some problems/disadvantages though.

-Save file/persistence is issue on small size disks.
-Somehow, tray has disappeared.
-Not able to boot it into RAM.

This makes me think, there is certainly a way to get this to work even without Ventoy. Need to study this further.
Good part, the laptop runs much better with EasyOS than Windows. With Windows, its hot all the time. With EasyOS, much better.

Regards,

[n00b]

Did you reformat the first partition as ext4 (for example #mke2fs -t ext4 -O ^has_journal /dev/sdb1 if the flash drive is sdb) and then copied the easyos folder and the bootx64.efi and limine.cfg files from the easy.img to the first partition as follows:

2 - Reformat the first partition in ext4.
Note the uuid of this partition (With the command blkid /dev/sdb1 if the key is /dev/sdb)

When creating a "normal" EasyOS key, there are also 2 partitions.
The first in vfat contains an EFI folder, the files limine.cfg and limine.sys
The second in ext4 contains an easyos folder

3 - Obtain these folders and files and copy them to the first partition of the ventoy key.

NB: In EasyOS it is possible to recover them easily from the easy-4.5.5-fr-amd64.img file.
By clicking on this file, the 2 partitions open in 2 Rox-Filer windows and all you have to do is copy the contents.
Do not close the windows but click again on easy-4.5.5-en-amd64.img to unmount the disk image.

4 - Edit the limine.cfg file (on the first partition) as follows:
Change ://2/easyos/ to ://1/easyos/
Replace fe62c844-9085-11ed-bf10-287fcfeb4376 with the uuid of the partition.

[anilraj]

Hello n00b. Thank you for the reply. I sorted that out.
What I was doing was copying limine files (sys and config) and easyos directores, but not EFI folder.
After I copied limine file (sys and config), EFI directory and easyos directory, It booted fine.
I also kept image file along with these two directories and files. Now I get two options to boot-from image file and from EFI directory.

When I boot using EFI directory, all is okay except one problem. I do a save session after doing required cofiguration and I try to set boot into ram (permanent), it goes no where. Screen becomes dark and stays there.
I waited almost for 20 minutes. Not sure, whats happening. Except this issue, all is fine!

I am sure, there is way to just sign limine loder and completely get rid of use of Ventoy. Will explore more on this.

Thank you friends!

[anilraj]

Hello team. This thing (based on Ventoy) is workign well except few issues.

-I try to shutdown or reboto system using start button - does not work.
Goes nowhere
-I use /sbin/shutdown, it clsoes X and stops there. IT does not power off the system.

How do I troubleshoot this further? I dont see a command to trace systems call-Was thinking to use it before I execute /sbin/poweroff.
Any suggestions?

Thank you all.

[BarryK]

There are a few posts to my blog about Ventoy, for example:

https://bkhome.org/news/202303/easyos-4 ... ither.html

[Caramel]

Hello team. This thing (based on Ventoy) is workign well except few issues.

-I try to shutdown or reboto system using start button - does not work.
Goes nowhere
-I use /sbin/shutdown, it clsoes X and stops there. IT does not power off the system.

How do I troubleshoot this further? I dont see a command to trace systems call-Was thinking to use it before I execute /sbin/poweroff.
Any suggestions?

Thank you all.

I don't think that it's related to Ventoy. Ventoy redirect to the OS just like grub do and do nothing else

When you have installed Easy on the first partition of the ventoy key usb, have you change the UUID in limine.cfg?