Ubuntu-grub2 boot WDL distro using secure boot

Post by wiak

(kernel modified) KLV-Airedale beta14 is now successfully booting on my secure boot enabled HP Probook 430 G8 laptop from its internal NVMe SSD drive via its Zorin-installed grub2 (no USB stick required), which, like an official Ubuntu grub2, requires signed kernels thereafter.

i.e. I'm using pristine KLV-Airedale beta14 but swapping in the signed Zorin kernel, modules and firmware.

It is probably worth documenting how to do this, since many users may first use the likes of Ubuntu or Zorin as their first attempt to try Linux in dual-boot configuration with Windows 10 or 11 and, thereafter, that Ubuntu-style grub2 will not boot KLV-Airedale with its supplied unsigned kernel. It is all a bit complicated admittedly, so hardly suitable for beginners... Steps 1 to 4 are just my own rough notes on a normal Zorin dual-boot install, so they have nothing really to do with KLV-Airedale in themselves, and better docs for that can be found online, for example at the Ubuntu/Zorin websites.

The usual DISCLAIMER... such work is technical and my explanations are rough and may contain errors I don't know about. Undertake such work entirely at your own risk...

So assuming you have such a secure boot enabled machine with Win 10 or Win 11 on it, the steps I followed were as follows:

1. I turned off FastBoot in UEFI bios but left secure boot enabled. After booting into Windows, I then removed BitLocker encryption from the Windows install (necessary prior to partition shrinking I think). On my Win10 system that was done using: Start -> Settings -> System -> About -> BitLocker settings -> TURN OFF (and wait till complete). Or search for BitLocker and find Manage BitLocker in Control Panel to do the same.
2. Be careful... for safety I used Windows' own Disk Management tool (WINkey -> R, then run diskmgmt.exe) to then shrink the large main Windows NTFS partition. That left unallocated disk space for my Linux installs. This was on a pristine Win10 machine so the drive wasn't fragmented; otherwise a special Windows partition tool may have been required.
3. Now I rebooted with an official Zorin live installation USB (or, if wanting Ubuntu rather than Zorin, you should be able to use an official Ubuntu live USB instead, though I haven't tried that alternative).
From there, using Gparted, I was able to partition the now unallocated section of the NVMe drive and format parts of that with ext4. I actually split the unallocated space into two ext4 formatted partitions, which on my machine were nvme0n1p5 (32GiB) and nvme0n1p6 (64GiB). I still have the bulk of my NVMe SSD unallocated for future use. The sizes of these partitions are up to your own needs of course. I chose to use nvme0n1p6 for my full install of Zorin. How to do that is covered by the Zorin installation process itself, not me... but I will say that during installation I selected nvme0n1p6 as mount point '/' and, as far as I hazily now remember, I chose to install grub2 to that partition too.

4. When you now reboot, the boot process will stop and ask you to register Zorin key with UEFI bios, which I agreed to. In my case that was Zorin key and that step is necessary for its grub2 to then work. After successfully registering that key the boot should continue to grub2 menu where you can choose to boot either Windows or Zorin full install (I added entry for KLV-Airedale later).

Above is all just standard how to install Zorin in dual-boot with Windows and nothing really to do with KLV-Airedale and so on. Better documentation for thus installing Ubuntu or Zorin is to be found online at their websites.

Prior to installing KLV-Airedale to the 32GiB nvme0n1p5 partition, my first forum-related 'experiment' was to try a weedogit Zorin installation (using weedogit.sh script).
My guess was that since that would also use signed Zorin kernel, it should boot via that Zorin/Ubuntu grub2 (which it did).
That weedogit Zorin proved useful in getting KLV-Airedale to later work so I'll briefly document that:

5. I rebooted into Zorin (the already made full install), and from there mounted partition /dev/nvme0n1p5. I temporarily chose to mount it to /mnt/nvme0n1p5 (having created that mount point with mkdir command). Using terminal commands, then did:

Code:

mkdir /mnt/nvme0n1p5/WDL_zorinlXFCE
cd /mnt/nvme0n1p5/WDL_zorinlXFCE

Fetched weedogit.sh script from Puppy forum
Ran that and installed weedogged Zorin into that WDL_zorinlXFCE directory

6. The grub2 configuration required to boot is that of Zorin so I then:

Edited grub 'custom' config file found at /etc/grub.d/40_custom

adding entry (the UUID being that of my nvme0n1p5 partition as discovered with blkid command):

Code:

menuentry "WDL_zorinlXFCE" {
  insmod ext2
  search --no-floppy --fs-uuid --set 424d8f42-e835-4111-9053-dd086b3d38e8
  linux /WDL_zorinlXFCE/vmlinuz w_bootfrom=UUID=424d8f42-e835-4111-9053-dd086b3d38e8=/WDL_zorinlXFCE
  initrd /WDL_zorinlXFCE/initrd.gz
}

7. And then, still in Zorin, ran command:

Code:

update-grub

which automatically writes the above menuentry into grub2 grub.cfg (which happens to be in /boot/grub/ though you don't need to go there...).

Rebooted into WDL_zorinlXFCE successfully!!! (That works because it also uses the signed kernel required by Zorin/Ubuntu grub2)

I now did similar for my KLV-Airedale frugal install, but this requires kernel swap as described later:

8. Booted back into full install Zorin, then, after mounting my 32GiB nvme0n1p5 partition again:

Code:

mkdir /mnt/nvme0n1p5/klv
cd /mnt/nvme0n1p5/klv

Fetched KLV-Airedale iso from rockedge's site
Extracted all the iso contents to klv directory

9. The grub2 configuration required to boot is that of Zorin so I then:

Edited grub 'custom' config file /etc/grub.d/40_custom

adding entry (the UUID being that of my nvme0n1p5 partition as discovered with blkid command):

Code:

menuentry "WDL_klv" {
  insmod ext2
  search --no-floppy --fs-uuid --set 424d8f42-e835-4111-9053-dd086b3d38e8
  linux /klv/vmlinuz w_bootfrom=UUID=424d8f42-e835-4111-9053-dd086b3d38e8=/klv
  initrd /klv/initrd.gz
}

10. And then, still in Zorin, ran command:

Code:

update-grub

which automatically writes the above menuentry into grub2 /boot/grub/grub.cfg

However, if you try to reboot into klv at this stage it will fail with error message about no signed Linux kernel found. My way out of that situation was to swap a copy of the signed Zorin kernel, modules and firmware into KLV-Airedale klv directory.

11. Inside klv directory, removed 00modules sfs, 01firmware sfs, vmlinuz and initrd.gz
12. From /mnt/nvme0n1p5/WDL_zorinlXFCE directory, copied vmlinuz (signed Zorin kernel), and initrd.gz into klv directory.
NOTE, the 'trick' here is that that initrd.gz from WDL_zorinlXFCE install already contains embedded Zorin modules.
13. Need to supply firmware and modules, for the klv main rootfilesystem, to match this signed Zorin kernel:

Code:

# uncompressed directory for holding Zorin firmware
mkdir /mnt/nvme0n1p5/klv/01firmware
# uncompressed directory for holding Zorin modules; note well, do not use 00 in this dir name, use 02 or greater
mkdir /mnt/nvme0n1p5/klv/02modules
cp -a /usr/lib/firmware /mnt/nvme0n1p5/klv/01firmware
cp -a /usr/lib/modules/* /mnt/nvme0n1p5/klv/02modules

Optionally you could compress 01firmware and 02modules into sfs files, but when booting with the WeeDog initrd that isn't necessary, since WDL can use either sfs files or uncompressed directories in its layer system.

After that lucky step 13 you should now be able to successfully reboot into that kernel modified KLV-Airedale!

Whilst the above may seem complicated, once you've downloaded the official Zorin installation live iso, the whole process doesn't take long at all; weedogit WDL_zorinlXFCE uses same Zorin install iso in its creation, so weedogit.sh doesn't need to download it again. And once WDL_zorinlXFCE is installed it is an almost trivial matter to swap Zorin kernel, modules and firmware with kernel supplied by KLV-Airedale. With that set up complete I can now install any later KLV-Airedale and make same swap in 5 minutes...

If you want to boot traditional Puppy Linux, unfortunately you can't with that Zorin/Ubuntu grub2 since Puppy uses aufs kernel patch in unsigned kernel/modules situation. Way round that is to WeeDog the Puppy to use WDL initrd overlayfs (instead of Puppy's own initrd) and swap kernel/modules/firmware to signed kernel as per above...

NOTE: I did have the hope that:
set check_signatures=no
at grub2 boot, might be usable to stop the signature checking, but thus far I have not managed to get that to have any effect. It is described here: https://www.gnu.org/software/grub/manua ... signatures
Maybe someone else will have more success with that?
Possibly the following contains some other solution, but too much involved and too little time to try: https://askubuntu.com/questions/1313033 ... bootloader
https://ruderich.org/simon/notes/secure ... and-initrd

Attachments
klv-airedale_zorin_ubuntu_kernel.jpg

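A pre-reboot check for the "no signed Linux kernel found" failure described after step 10, added here as an example that is not part of wiak's post: a shim-based grub2 loads an x86 vmlinuz as a PE/COFF (EFI stub) image and expects an Authenticode signature in its Certificate Table, so this script reports whether a kernel file carries one at all. The function names are hypothetical, GNU od/dd/head are assumed, and the sample header is constructed.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# le_uint FILE OFFSET NBYTES: print a little-endian unsigned integer read from FILE
le_uint() {
  _bytes=$(od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null) || return 1
  _val=0; _mul=1; _n=0
  for _b in $_bytes; do
    _val=$(( _val + _b * _mul )); _mul=$(( _mul * 256 )); _n=$(( _n + 1 ))
  done
  [ "$_n" -eq "$3" ] || return 1          # short read: file is truncated
  echo "$_val"
}

# kernel_sig_status FILE: print signed | unsigned | not-pe
kernel_sig_status() {
  f=$1
  [ "$(le_uint "$f" 0 2)" = 23117 ] || { echo not-pe; return 0; }      # "MZ"
  pe=$(le_uint "$f" 60 4) || { echo not-pe; return 0; }                # e_lfanew
  [ "$(le_uint "$f" "$pe" 4)" = 17744 ] || { echo not-pe; return 0; }  # "PE\0\0"
  opt=$(( pe + 24 ))                       # optional header follows 20-byte COFF header
  case $(le_uint "$f" "$opt" 2) in
    267) dir=$(( opt + 96 )) ;;            # PE32: data directories at +96
    523) dir=$(( opt + 112 )) ;;           # PE32+: data directories at +112
    *) echo not-pe; return 0 ;;
  esac
  n=$(le_uint "$f" $(( dir - 4 )) 4) || n=0        # NumberOfRvaAndSizes
  size=$(le_uint "$f" $(( dir + 36 )) 4) || size=0 # entry 4 (Certificate Table) size
  if [ "$n" -gt 4 ] && [ "$size" -gt 0 ]; then echo signed; else echo unsigned; fi
}

# Constructed sample: a 328-byte PE32+ header skeleton, not a real kernel.
poke() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }
make_sample() {                            # make_sample FILE CERT_SIZE_AS_OCTAL_ESCAPE
  head -c 328 /dev/zero > "$1"
  poke "$1" 0 'MZ';  poke "$1" 60 '\100'       # e_lfanew = 64
  poke "$1" 64 'PE'; poke "$1" 88 '\013\002'   # magic 0x20b
  poke "$1" 196 '\020'; poke "$1" 236 "$2"     # 16 directories; cert table size
}

if [ -n "${1:-}" ]; then kernel_sig_status "$1"   # e.g. /mnt/nvme0n1p5/klv/vmlinuz
else t=$(mktemp); make_sample "$t" '\010'; kernel_sig_status "$t"; rm -f "$t"; fi
```

It reports only that a signature is attached; it does not validate that signature against the key enrolled in step 4.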