LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > antiX / MX Linux
User Name
Password
antiX / MX Linux This forum is for the discussion of antiX and MX Linux.

Notices


Reply
  Search this Thread
Old 04-21-2019, 03:59 AM   #1
jmonlive
LQ Newbie
 
Registered: Apr 2019
Posts: 1

Rep: Reputation: Disabled
Unhappy Secure boot forbids loading modes from...error still after signing my kernel and grubx64.efi with sbsign!


😂 So for last month or two I've been figuring out how to DIY make MX Linux work with Secure Boot, since distro doesn't support it natively; I've taken more heroic measures than usual because MX Linux might be the next Ubuntu, since that distro is on a significant decline in user-friendliness and quality...Open Suse Leap is okay...but more work to get multimedia codecs and Nvidia driver soft-repositories working. So after cross-reading many LONG tedious technical manuals including this snippet: https://forums.gentoo.org/viewtopic-...0-start-0.html 🤔. To further complicate things...if you read I used the read-only mount which doesn't work when doing any writes to part of 'non-violatile ram' of UEFI that has UEFI variables...and was the shallower learning curve - I spent a FULL two weeks on figuring out how to change the keystore parts of UEFI variables, which meant having to both preserve my 'factory default keys' -INCLUDING CRITICAL HARDWARE-RECOGNITION SIGNINGS BY ASUS, US OH and EVEN Microsoft keys- AND also 'appending' my own keys. To avoid bricking my UEFI firmware😱 possibly irreversibably I checked NOT once, NOT twice, but THREE times to assure that I saved a precise mult-file state of Platform Key store, Key-Exchange-Key store, database store and forbidden-database store! I vigilantly spaced out this triple-checking to make sure I actually clicked 'Save Secure Boot Keys' option like I had thought...since there would otherwise be HELL. Wait...it gets better I had to find an "aftermarket" version of efitools package, since the original distro package database didn't include this and only included efivar package - a day or two just to find that!😤 Finally I followed guide: https://wiki.gentoo.org/wiki/Sakaki%...ng_Secure_Boot. https://wiki.gentoo.org/wiki/Sakaki%..._efi-updatevar 😂. Then I had to spend a day googling about how to use these new enrolled keys and further figuring out more tedious command-line syntax of sbsign program! Also, I had to delete original PK key, to allow any key storage programming...disabling Secure Boot on ASUS-brand motherboards counterintiuvely doesn't unload keys!!!!!!😈 So, the moment came -drums rolling- to test out whether I passed to Secure Boot's satisfaction...with a dissappointing Secure Boot telling me that it detected an invalid signature...or SAW no signature -UGGGGGGH!😋-...a week or two went by and I read god-knows-how-many forum postings...guides...just to find that shim wasn't already signed by my enrolled Microsoft UEFI Certificate Authority key...even though it was originally made by Microsoft itself to allow linux users to have same Secure Boot protections from pre-boot environment malware while allowing a different-sig signed bootloader by distro -a firmware-level malware wouldn't care whether I run Linux, Windows or BOTH- https://www.standard.net/news/busine...3ef6edf73.html... so I got one package that explicitly says its signed and debian-signed distro-shipped Grub bootloader. A step forward, but then I got a 🤔cryptic error of Secure Boot forbids loading module from"...so back to googling...(this is starting to get tiresome by this point)...I try "grub --install --uefi-secure-boot" but same result came boot time...so then I tried looking up how to sign all 260 -was-it?- grub modules after I tried for a few hours😫 there to figure out if sbsign or a better signing program would allow me to mass-sign-in-a-batch! But no avail...so I was, crazy as it sounds, going to do a mind-numbing and physically exhausting task of repetitvely signing EVERY module-one-by-one!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! If only that would of worked cause now I have hit a brick wall for the last few hours...IT STILL BITCHES ABOUT IT SOMEHOW WANTS SIGNING MODULES!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!😪 So, I'm reaching out to the MX Linux forum...😂
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Ooooy. EFI boot mmx64.efi.efi not found bulgin Linux - Newbie 12 12-20-2018 11:03 AM
[SOLVED] failed to open \efi\boot\grubx64.efi patrickwilson82 Linux - Server 5 02-19-2018 10:44 AM
grubx64.efi arubin Slackware 4 11-03-2012 01:52 PM
Finding Module Dependencies...(Still loading...still loading..still loading..HANG!!!) Aeudian Linux - General 3 08-11-2003 03:31 PM
Finding Module Dependencies.....(still loading....Still loading....still loading) Aeudian Linux - Newbie 1 07-28-2003 02:27 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > antiX / MX Linux

All times are GMT -5. The time now is 12:11 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration