I read that there is another way than using shim and signed GRUB binaries for Secure Boot by using the Linux Foundation's PreLoader or Linux Foundation's Secure Boot System, but how do I use it?

moved from https://askubuntu.com/a/520351/40581

LiveWireBT

1 Answer

Comment from the author in 2024: See "Tips for TUI screenshots during early boot stages" section below if you are wondering about the ASCII art.


Setting up PreLoader

  • Find and mount your EFI system partition and back up its contents. Some files may be manufacturer specific and cannot be restored by reinstalling Windows.
    • In a working UEFI Ubuntu installation it is mounted as /boot/efi/ and at least contains a folder named EFI. From the platform perspective (your computer) this folder is \EFI\ during the boot stage. ( /media/my_efi_system_partition/EFI = \EFI\ )
  • Copy or rename whichever EFI loader you want to use to \EFI\BOOT\loader.efi. Some loaders like gummiboot need to be configured properly.
  • Copy PreLoader.efi to \EFI\BOOT\bootx64.efi and HashTool.efi to the same directory.

You can find more detailed explanations over at Rod Smith's site.

Using HashTool

If you followed the instructions carefully and have Secure Boot enabled, you should be greeted by the following screens upon next boot, which guide you through enrolling the hash of the unsigned loader that would otherwise break the chain of trust.

┌──────────────────────────────────────────────────────────────────────────────┐
│                            Failed to start loader                            │
│                                                                              │
│          It should be called loader.efi (in the current directory)           │
│                     Please enrol its hash and try again                      │
│                                                                              │
│                I will now execute HashTool for you to do this                │
│                                                                              │
│                                                                              │
│                                     ┌────┐                                   │
│                                     │ OK │                                   │
│                                     └────┘                                   │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Select Binary                                 │
│                                                                              │
│               The Selected Binary will have its hash Enrolled                │
│            This means it will Subsequently Boot with no prompting            │
│    Remember to make sure it is a genuine binary before Enroling its hash     │
│                                                                              │
│                                                                              │
│                           ┌─────────────────────┐                            │
│                           │ Enroll Hash         │                            │
│                           │ Reboot to UEFI Menu │                            │
│                           │ Reboot System       │                            │
│                           │ Exit                │                            │
│                           └─────────────────────┘                            │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Select Binary                                 │
│                                                                              │
│               The Selected Binary will have its hash Enrolled                │
│            This means it will Subsequently Boot with no prompting            │
│    Remember to make sure it is a genuine binary before Enroling its hash     │
│                                                                              │
│                                                                              │
│                               ┌──────────────┐                               │
│                               │ ../          │                               │
│                               │ loader.efi   │                               │
│                               │ HashTool.efi │                               │
│                               │ bootx64.efi  │                               │
│                               └──────────────┘                               │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│                     Enroll this hash into MOK database?                      │
│                                                                              │
│    File: \loader.efi                                                         │
│    Hash: 8D1B74227CB2EE6B23B829595B761BAA34D171337F70D44ABF542D5318BDBA08    │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                   ┌─────┐                                    │
│                                   │ No  │                                    │
│                                   │ Yes │                                    │
│                                   └─────┘                                    │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

Tips for TUI screenshots during early boot stages

I wrote this answer almost a decade ago and handcrafted ASCII art to explain and document parts for myself. These days I use inexpensive HDMI-to-USB capture cards on Linux to make screenshots from TUIs during early boot stages, and optimize these to just a few KB or eventually convert them automatically (some boring converter I have not found yet or some fancy AI tool).

This was supposed to be a short comment, but for anyone wondering about capturing:

    # Install packages.
    sudo apt install v4l-utils
    # List available devices.
    v4l2-ctl --list-devices
    # Play the stream.
    mpv av://v4l2:/dev/video0
    # Press "s" for creating screenshots.
    # Configure the location and filename as needed.
    # These days I set up conventions and sub-folders in my pictures folder to keep everything organized.

LiveWireBT
  • I have exactly the same error "Failed to start loader" on a blue screen while booting Knoppix 7.6 from a USB stick (copied with Rufus). I followed exactly the same steps as you painted here with the consequence that the USB stick does not even get to that blue screen anymore afterwards. Now I get a black screen saying: "WARNING: No configuration file found." I have no idea what to do now. – Elmue Dec 12 '15 at 15:09
  • Sorry I'm not familiar with Knoppix. I found this mail from Mr. Knopper that doesn't look like they are going to support Secure Boot like Ubuntu and Fedora do by signing kernels. I just downloaded 7.6 EN DVD ISO and found hashtool.efi and even keytool.efi. loader.efi belongs to Syslinux and "No configuration file found." is a hint that PreLoader was able to chainload Syslinux, but Syslinux wasn't able to find its configuration file, so it's not an issue with PreLoader. https://wiki.archlinux.org/index.php/Syslinux#UEFI_Systems – LiveWireBT Dec 12 '15 at 15:51
  • Thanks for your answer. I already turned off secure boot in BIOS and still get the same error. – Elmue Dec 12 '15 at 16:10
  • I tried to loop mount the iso, like I usually do but it exceeds the FAT filesize limit. Trying to launch it as a new VirtualBox EFI guest results in a Guru Meditation error. – LiveWireBT Dec 12 '15 at 16:40
  • I'm not surprised. VirtualBox is a very crappy and buggy software. I used it once and I saw hundreds of "Guru errors" which happened randomly sometimes, and sometimes not. Don't worry: That is normal! After installing the operating system directly on the hard disk on the same computer it worked. The best you can do with VirtualBox is uninstall it. It is not the same as installing an operating system into a real partition. – Elmue Dec 12 '15 at 21:09
  • It's not normal when all other operating systems (Arch, Ubuntu, Fedora, Windows 10) have no problems booting UEFI in VirtualBox. – LiveWireBT Dec 13 '15 at 02:07
  • I finally solved the problem. What I needed was a working Rescue USB stick. After downloading and trying lots of them in vain I finally found ubuntu-14.04.3-desktop-amd64.iso which boots perfectly on the same computer where Knoppix won't start. – Elmue Dec 14 '15 at 00:35
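The "make sure it is a genuine binary before enrolling its hash" line in the HashTool screens above is the whole security decision in this flow: once you answer Yes, anything with that hash boots without further prompting. A practical cross-check is to compute the same hash offline from the loader.efi you copied to the ESP and compare it with the value HashTool shows on the "Enroll this hash into MOK database?" screen. HashTool (built from efitools) hashes the PE/COFF image the Authenticode way, skipping the CheckSum field and the certificate-table directory entry and hashing the sections one by one, so a plain sha256sum of the file will not match. The Python script below is an added example, not part of the original answer and not code from the PreLoader or efitools projects; it implements that digest, and build_sample_pe constructs a tiny PE32+ image (constructed sample data, not a real loader) so the script can be exercised offline. The file name on the command line is assumed to be your mounted copy of loader.efi.

```python
import hashlib
import struct
import sys


def pe_authenticode_sha256(data: bytes) -> str:
    """PE/COFF Authenticode SHA-256 of an EFI image, as a hex string.
    The CheckSum field and the certificate-table directory entry are left out,
    sections are hashed in file order, and an attached certificate table is
    excluded from the trailing data. Unsigned loaders simply have no such table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:          # PE32+ (64-bit EFI applications such as loader.efi)
        dd_off = opt + 112
    elif magic == 0x10B:        # PE32
        dd_off = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64
    num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes

    h = hashlib.sha256()
    h.update(data[:checksum_off])                  # headers up to CheckSum
    if num_dirs > 4:                               # certificate table is directory #4
        cert_dir_off = dd_off + 4 * 8
        cert_off, cert_size = struct.unpack_from("<II", data, cert_dir_off)
        h.update(data[checksum_off + 4:cert_dir_off])
        h.update(data[cert_dir_off + 8:size_of_headers])
    else:
        cert_off = cert_size = 0
        h.update(data[checksum_off + 4:size_of_headers])
    hashed = size_of_headers

    sections = []
    sec_tbl = opt + opt_size
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):     # ascending file offset
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    tail = data[hashed:]                           # data after the last section
    if cert_size and cert_off >= hashed:           # drop the signature blob, keep the rest
        tail = data[hashed:cert_off] + data[cert_off + cert_size:]
    h.update(tail)
    return h.hexdigest()


def plain_file_sha256(data: bytes) -> str:
    """What `sha256sum loader.efi` prints; shown only to demonstrate that it differs."""
    return hashlib.sha256(data).hexdigest()


def matches_hashtool(data: bytes, shown_hash: str) -> bool:
    """Compare the hex value copied from HashTool's enrol screen with the image digest."""
    return pe_authenticode_sha256(data) == shown_hash.replace(" ", "").lower()


def build_sample_pe(payload: bytes, checksum: int = 0, cert_blob: bytes = b"") -> bytes:
    """Constructed sample: a minimal PE32+ EFI-style image with one .text section.
    Not a bootable loader; it only exercises the header layout the digest depends on."""
    file_align = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # PE header right after the stub
    num_dirs = 16
    opt_size = 112 + 8 * num_dirs
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)  # AMD64, one section
    size_of_headers = file_align
    raw_size = file_align
    section = payload.ljust(raw_size, b"\0")[:raw_size]
    cert_off = size_of_headers + raw_size if cert_blob else 0
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+
    struct.pack_into("<I", opt, 16, 0x1000)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 32, 0x1000)                   # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)               # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)                   # SizeOfImage
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, checksum)                 # CheckSum (not covered by the digest)
    struct.pack_into("<H", opt, 68, 10)                       # IMAGE_SUBSYSTEM_EFI_APPLICATION
    struct.pack_into("<I", opt, 108, num_dirs)
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert_blob))  # certificate table entry
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, raw_size, 0x1000, raw_size, size_of_headers)
    struct.pack_into("<I", sect, 36, 0x60000020)              # CODE | EXECUTE | READ
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sect)).ljust(size_of_headers, b"\0")
    return headers + section + cert_blob


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_pe(b"constructed loader bytes")
    print("Authenticode SHA-256 (compare with HashTool):", pe_authenticode_sha256(image).upper())
    print("plain file SHA-256 (will not match):          ", plain_file_sha256(image).upper())
```

Run it as `python3 pehash.py /boot/efi/EFI/BOOT/loader.efi` on the mounted ESP and compare the first line with the Hash field HashTool displays before choosing Yes; a mismatch means the file on the ESP is not the one you expect. The `pesign` tool's hash mode computes the same Authenticode digest and can serve as an independent cross-check.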