Secure Boot

PureIsle
Posts : 7
Join date : 2024-05-13
Location : Ireland

Secure Boot

Post by PureIsle Fri 24 May 2024, 8:08 pm

Can the ISOs be booted with Secure Boot enabled?

If not can something be done to add that to future ISOs?

Thanks.
Upgreyed
Admin


Posts : 87
Join date : 2024-05-12
Location : The Sunshine State FL USA

Re: Secure Boot

Post by Upgreyed Sat 25 May 2024, 4:16 am

The best I can offer you at the moment.
I added sbctl to the repo, so you can try this out and see if it works for you? Install it and go down the page to:

Creating and enrolling keys in the link.
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot

Post by PureIsle Sat 25 May 2024, 2:34 pm

I went through that a couple of years ago and I would not like to revisit the process.
I more had in mind something built into the ISOs like other distros based on Deb. have.
I thought it might be possible to implement.
If not then OK.
Now and again I meet hardware that is so locked that SB cannot be disabled ....  ex-corporate laptops for instance ... so it would be useful to have a familiar distro that would install.

Thanks for looking at it.

Post by Upgreyed Sat 25 May 2024, 2:45 pm

I will look further into it as I don't have a need for it but I assume others do. Will see what I can do with it?
Did any other Debian based distro unlock the laptop you have?

Post by PureIsle Sat 25 May 2024, 2:56 pm

Yes, but I cannot name them unfortunately.
The last I used on it was Mint but unsure if that was Ubuntu or Debian based.
Sorry I cannot be more specific.

As I understand and hopefully remember from my previous tests, it is possible to approve the bootloader with a key and then allow all after that to load without having to have the likes of the kernel approved.
Apologies but my recollection is not good on this.

Post by Upgreyed Sat 25 May 2024, 3:01 pm

PureIsle wrote:
Yes, but I cannot name them unfortunately.
The last I used on it was Mint but unsure if that was Ubuntu or Debian based.
Sorry I cannot be more specific.

As I understand and hopefully remember from my previous tests, it is possible to approve the bootloader with a key and then allow all after that to load without having to have the likes of the kernel approved.
Apologies but my recollection is not good on this.

It would help if I knew where to start as I have never approached any of this. I am totally blind to how it is implemented.

Post by PureIsle Sat 25 May 2024, 3:32 pm

All I can suggest is using an available signed bootloader
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_a_signed_boot_loader

and other than that maybe go through the motions of installing a distro with Secure Boot enabled, as a test. You should be able to see what files have been included for SB.

I seem to recall using Pre-loader when I was trying it.

Post by PureIsle Sat 25 May 2024, 4:19 pm

I found some notes I made at the time regarding creating a LiveUSB of PCLOS that would boot with SB enabled. I will try to make some sense of them and add here.

****

I created a LiveUSB using MyLiveUSB which essentially emulates a USB HDD.
When creating it I installed PCLOS KDE to it.
I then copied most of the EFI files from the sd-usb to the LiveUSB stick.
Made a couple of edits to the Grub cfg and booted in the Dell Optiplex 7010 with secure boot enabled.
I did not have to enroll anything, I just used the Grub version from the sb-usb and copied in the PCLOS theme and adjusted the path in the grub.cfg to take account of that.
It boots using the PCLOS splash screen.

I later added a second PCLOS version (MATE this time) to the LiveUSB [used MyLiveUSB] and the only adjustment required was to copy the MATE boot stanza from where it is written by the utility to the new location of grub.cfg.

sd-usb:-  Minimal version of
https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk

Note at the time:-
The sb-usb uses signed Kaspersky files as well as one from Fedora.
The item that most allowed this to work was a problem with the Kaspersky files ......  hehehehe  lack of security there  hehehe
That sig was revoked by MS last year so this sb-usb should not work on a Win 10 machine which has been updated (Kaspersky sig added to dbx in firmware).
That is how I read it anyway.
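
Whether a given machine's dbx already carries a revocation, as discussed at the end of the post above, can be checked by parsing the variable's EFI_SIGNATURE_LIST entries. This is an added example, not part of the original thread; `build_sample_dbx` and its hashes are constructed test input, and the dbx path is the standard efivarfs location on Linux.

```python
import struct
import uuid

# Signature-type and variable GUIDs from the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in chained EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if sig_size <= 16 or list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256(blob):
    """Hex digests of all SHA-256 entries. These are Authenticode (PE image)
    hashes, not the output of sha256sum on the .efi file."""
    return {d.hex() for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256}


def is_revoked(blob, authenticode_sha256_hex):
    return authenticode_sha256_hex.lower() in revoked_sha256(blob)


def read_dbx(path=DBX_PATH):
    with open(path, "rb") as fh:
        return fh.read()[4:]  # efivarfs prefixes the data with 4 attribute bytes


def build_sample_dbx(hashes):
    """Constructed test input: one SHA-256 list with a zero owner GUID."""
    body = b"".join(uuid.UUID(int=0).bytes_le + h for h in hashes)
    return EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body


if __name__ == "__main__":
    sample = build_sample_dbx([bytes(range(32)), b"\xaa" * 32])  # constructed hashes
    print(sorted(revoked_sha256(sample)))
    print(is_revoked(sample, "AA" * 32))
```

On a real system, pass `read_dbx()` to `revoked_sha256`; entries of other types, such as X.509 certificates, are parsed but not included in that set.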

Current date/time is Sat 29 Jun 2024, 12:50 pm