Help installing MX Linux with Secure Boot

When you run into problems installing MX Linux XFCE
MultipleX
Posts: 29
Joined: Sat Sep 25, 2021 2:26 pm

Help installing MX Linux with Secure Boot

#1 Post by MultipleX »

I am new to this forum and just in the process of replacing my tower PC. The new machine came with an SSD with Windows 10 on it which I disconnected and instead installed a brand new 500Gb SSD. The machine has SecureBoot enabled and legacy options turned off in BIOS. Windows 10 boots from an EFI partition.

First, I installed MX Linux 19.4.1 from CD. The CD booted fine and the install proceeded without incident. I kind of cheated and selected the whole disk initially to see how the installer would configure it and then cancelled the file copy process, went back into the partition tools and manually partitioned the SSD. I plan to install at least two Linux distros so the SSD has an ESP partition, an Ext4 partition and a swap partition for MX Linux and another Ext4 and swap partition for Mint. The first problem became apparent immediately after reboot upon which I got the message:

Operating system loader has no signature.
Incompatible with SecureBoot.

I figured I would come back to this and proceeded to install Linux Mint. There is a part during the install process where one can select to install additional codecs which requires SecureBoot to be enabled. I enabled this option. The installation proceeded just fine and on re-boot I got a different GRUB menu installed by Mint. The first time I chose to boot into Mint I got a dialog asking me whether I wanted to run something called MOKUTIL or perform a secure key operation (upload or download keys from BIOS I think?) on SecureBoot. Not being sure what the purpose of these options was, I selected the default option and proceeded with boot. Boot completed and I got the Mint desktop. I then rebooted and from GRUB opted to go back into MX Linux. This time I got:

error: /boot/vmlinuz-5.10.0-5mx-amd64 has invalid signature
error: you need to load the kernel first

Since this is a new clean installation, I figured I would just re-install MX Linux but after installation, I still got the Mint version of GRUB and the same error.

Having Googled these errors it would seem that the kernel needs to be signed for SecureBoot and there is a discussion of the process here, although this is for Ubuntu:

https://askubuntu.com/questions/1081472 ... -signature

The other option that is put forward by some is to simply disable SecureBoot. The problem with that option is that Windows 11 is around the corner and when it arrives, I will be installing that onto the SSD that contains the Windows 10 partition. It is my understanding that SecureBoot is mandatory for Windows 11. I therefore would like to avoid turning it off and would rather proceed with the modern and safer way of doing things.

The question now is, will that procedure in the link work for MX Linux? Is there a recommended way of doing this for MX?
I am also curious why the DVD booted and had no problem with SecureBoot, but the installed system did not and instead reported the first error?

MultipleX
Posts: 29
Joined: Sat Sep 25, 2021 2:26 pm

Re: Help installing MX Linux with Secure Boot

#2 Post by MultipleX »

UPDATE: I have found that after disabling SecureBoot, the machine automatically booted into the original MX Linux themed GRUB and allowed me to boot and run MX Linux. I also found that I could access the MX Linux themed GRUB by selecting MX19 from the UEFI boot menu. This did at least allow me to boot into MX and run update-grub2. I now have access to both operating systems. Re-enabling SecureBoot and using the UEFI menu got me to the original "Incompatible with SecureBoot" error.

I did also find this thread:

viewtopic.php?t=58496

The author details how to enable SecureBoot for MX Linux. However, he does mention the incompatibility with Broadcom drivers, NDIS and VirtualBox. I don't think this Dell machine has any Broadcom hardware, but I do make use of VirtualBox so that will be an issue. I will be checking out resources for VirtualBox on that matter.
Last edited by MultipleX on Sat Sep 25, 2021 3:54 pm, edited 1 time in total.

Huckleberry Finn

Re: Help installing MX Linux with Secure Boot

#3 Post by Huckleberry Finn »

We already suggest almost in every thread to turn off secure boot when there's such an option in Bios (also "Fast Boot")

There's also this one if you'd like to try: viewtopic.php?p=566375#p566375

MultipleX
Posts: 29
Joined: Sat Sep 25, 2021 2:26 pm

Re: Help installing MX Linux with Secure Boot

#4 Post by MultipleX »

Thank you. That is almost the same instruction including the purging of certain driver packages and VirtualBox.

With Microsoft using its clout to force the issue in its next OS release, this is going to prove interesting. Will we have to go into BIOS and enable/disable SecureBoot every time we want to switch between Linux and Windows? How long will it be before disabling SecureBoot is no longer supported in BIOS?

UPDATE: Just found these two links which seem to suggest that VirtualBox 6.0.10 (and presumably upwards) has support for UEFI secure boot:

https://www.linuxuprising.com/2019/07/v ... -boot.html

https://ubuntuhandbook.org/index.php/20 ... t-support/

Will have to give it some thought and maybe try and see what happens. At this stage I can still wipe the SSD and start again if necessary.

MultipleX
Posts: 29
Joined: Sat Sep 25, 2021 2:26 pm

Re: Help installing MX Linux with Secure Boot

#5 Post by MultipleX »

I tried that process on my new machine (both links in #2 and #3 contain the same information) but unfortunately I can't get secure boot to work.

The first command to purge dkms related packages worked fine.

The second command to install shim-signed and other grub related packages I had trouble with because version 2.02+dfsg1-20 could not be found and was reported as a missing dependency. However I was able to install the following packages individually:

shim-signed
grub-efi-amd64-signed
linux-image-amd64

Both grub-efi-amd64-bin and grub-common were reported as already being at the latest version so I had no reason to do anything else with them. I don't know how old those instructions are but at this point I assumed that I had all of the required packages installed - although some with later versions - and proceeded to the next step.

When installing grub-efi-amd64-signed I was prompted as described to replace /etc/grub.d/10_linux. I selected 'N' as instructed. I was also prompted to replace /etc/grub.d/30_os-prober. Since the original file has to be copied back, I selected 'N' here as well to leave the current file in place. This is a new installation so the file should be original. I was not able to find the path /usr/local/share/live-files/.... but then again, this looks like maybe a path on the live DVD? I was booted into the MX partition on the SSD. In order to do this, Secure Boot was turned off in BIOS.

The last instruction to 'pin' certain files succeeded without a problem. I re-enabled secure boot, re-booted but still got the previous errors. I also tried update-grub2 but this made no difference.

Not sure where to go from here.

Incidentally I noticed that Mint 20 no longer has VirtualBox installed by default...

MultipleX
Posts: 29
Joined: Sat Sep 25, 2021 2:26 pm

Re: Help installing MX Linux with Secure Boot

#6 Post by MultipleX »

Fehlix has just drawn my attention on another thread to a little detail that I missed in the first link back in post #2:

viewtopic.php?p=654509#p654509

I had a look at /boot/efi/ but there is no EFI/debian directory in there, only EFI/MX19, EFI/ubuntu and EFI/BOOT. Curiously EFI/MX19 has only 1 file in it called grubx64.efi while the others have a number of files in them. Not sure whether that is of any significance.
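Added example, not part of the original post or of MX Linux: the loader and kernel errors quoted in this thread both concern the Authenticode signature that Secure Boot expects inside a PE/EFI binary, and this sketch reports whether a file such as EFI/MX19/grubx64.efi or a /boot/vmlinuz image carries one at all. It only detects an embedded certificate table and does not validate it against enrolled keys; the function names and the constructed sample header are assumptions made for the illustration.

```python
import struct
import sys

SECURITY_DIR = 4  # data directory index of the PE certificate table

def embedded_signature_size(image: bytes) -> int:
    """Size in bytes of the embedded Authenticode certificate table; 0 if none."""
    if image[:2] != b"MZ" or len(image) < 0x40:
        raise ValueError("not a PE/EFI image (no MZ header)")
    try:
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("not a PE/EFI image (no PE signature)")
        opt = pe_off + 24  # 4-byte signature + 20-byte COFF header
        (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
        (magic,) = struct.unpack_from("<H", image, opt)
        # Offsets of NumberOfRvaAndSizes and of the first data directory.
        layout = {0x20B: (108, 112), 0x10B: (92, 96)}  # PE32+, PE32
        if magic not in layout:
            raise ValueError("unknown optional-header magic")
        count_off, dirs_off = layout[magic]
        (ndirs,) = struct.unpack_from("<I", image, opt + count_off)
        entry = dirs_off + 8 * SECURITY_DIR
        if ndirs <= SECURITY_DIR or entry + 8 > opt_size:
            return 0
        # Unlike other directories, this one stores a file offset, not an RVA.
        file_off, size = struct.unpack_from("<II", image, opt + entry)
    except struct.error:
        raise ValueError("truncated PE header") from None
    if size == 0 or file_off + size > len(image):
        return 0  # no table, or it points outside the file
    return size

def build_sample(cert_size: int) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable loader."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    if cert_size:
        struct.pack_into("<II", opt, 144, 0x40 + 24 + 240, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\0" * cert_size

if __name__ == "__main__":
    # Usage: python3 check_sig.py /boot/efi/EFI/MX19/grubx64.efi /boot/vmlinuz-<version>
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            n = embedded_signature_size(fh.read())
        print(f"{path}: {'signature table, %d bytes' % n if n else 'NO signature'}")
```

A file that reports a signature table can still be rejected if the signing certificate is not trusted by the firmware or by shim's MOK list, so a zero result explains a "no signature" error while a non-zero result only rules that cause out.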

fehlix
Developer
Posts: 10310
Joined: Wed Apr 11, 2018 5:09 pm

Re: Help installing MX Linux with Secure Boot

#7 Post by fehlix »

Mirador wrote: Sun Sep 26, 2021 1:42 pm Fehlix has just drawn my attention on another thread to a little detail that I missed in the first link back in post #2:

viewtopic.php?p=654509#p654509

I had a look at /boot/efi/ but there is no EFI/debian directory in there, only EFI/MX19, EFI/ubuntu and EFI/BOOT. Curiously EFI/MX19 has only 1 file in it called grubx64.efi while the others have a number of files in them. Not sure whether that is of any significance.

Yes, I know it's a bit confusing.. as mentioned in the MX-21 beta thread, I'm rather preparing something for MX-21 at least as a manual action to enable sb. It's probably easier in MX-21, as we made sure we have already the signed kernels in place and the LiveGRUB is identical to the installed grub, where the LiveGRUB includes Debian's signed EFI-loader. So it would only take some small actions to get the installed MX booting under SB... :snail:
Gigabyte Z77M-D3H, Intel Xeon E3-1240 V2 (Quad core), 32GB RAM,
GeForce GTX 770, Samsung SSD 850 EVO 500GB, Seagate Barracuda 4TB

Pierre
Posts: 310
Joined: Thu Apr 19, 2007 9:23 am

Re: Help installing MX Linux with Secure Boot

#8 Post by Pierre »

it is a distinct possibility that future PCs may be more difficult to convert to a Linux System.

as the Microsoft Windows System becomes the New Standard, upon which New Hardware,
is built to be used exclusively by that one operating system.

one thing that I've done, on a few occasions, is to still use legacy style partitioning,
and even when Installing MX-Linux in 64bit mode .. it simply makes the whole Installation that much easier.
- - especially if I'm only likely to use less than the usual Four Primary Partitions - -
Please use the check-mark icon to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.

TimothySimon
Posts: 93
Joined: Fri Sep 10, 2021 2:16 am

Re: Help installing MX Linux with Secure Boot

#9 Post by TimothySimon »

fehlix wrote: Sun Sep 26, 2021 4:42 pm Yes, I know it's a bit confusing.. as mentioned in the MX-21 beta thread, I'm rather preparing something for MX-21 at least as a manual action to enable sb. It's probably easier in MX-21, as we made sure we have already the signed kernels in place and the LiveGRUB is identical to the installed grub, where the LiveGRUB includes Debian's signed EFI-loader. So it would only take some small actions to get the installed MX booting under SB... :snail:

Wow ! Congrats. :happy: This is what I really wanted. I'm ready to help if you need that.

We can't turn off "Secure Boot" (or M$ lock-in boot :frown: ) on my sister's laptop -- managed by her school, and they say they won't turn it off due to "security reasons" .

BTW it would also be extremely useful for those who want to dual-boot Win11 .

MultipleX
Posts: 29
Joined: Sat Sep 25, 2021 2:26 pm

Re: Help installing MX Linux with Secure Boot

#10 Post by MultipleX »

I am also ready to help with testing or whatever.

TimothySimon wrote: Mon Sep 27, 2021 12:35 am We can't turn off "Secure Boot" (or M$ lock-in boot :frown: ) on my sister's laptop -- managed by her school, and they say they won't turn it off due to "security reasons" .

The mokutil tool can turn off secure boot even when the BIOS does not offer the option to do so but if the issue here is that the school managed laptop has its BIOS locked with an Administrator password in accordance with their security policy then I guess you are stuck with that.

My understanding from research so far is that secure boot is not so much about Microsoft lock-in as preventing malware from being able to gain a foothold onto a system via the BIOS and the UEFI boot mechanism:

https://wiki.debian.org/SecureBoot

I dare say that Microsoft does, at present, have something of an advantage because their encryption key is shipped with all new hardware so that it is ready to run Windows, but it is also possible to enrol additional keys in the BIOS and some Linux distros get you to do that during the installation process. It is also possible to make and enrol one's own key in the BIOS or even to remove the Microsoft key if you felt so inclined, although I'm not sure why one would want to do that.

Coming back to my original issue, one thing that I realised when running through the instructions contained in the links from #2 and #3 is that at no point did mokutil come up and ask me to enrol the Debian key in the BIOS so might this have been what was missing? The instructions in the link above show you how to enrol one's own generated key, but where do I get the Debian public key from?

It seems I may be better off installing MX-21 beta although it does come with a warning about not using it on production systems and the machine I intend to install it on is my main workstation.
