Secure Boot from hard drive - Dell Inspiron 15?


Post by brvcf » Mon Mar 26, 2018 11:51 pm

I booted a new Dell Inspiron 15-3567 from a Mint 18.3 live USB. No problems with secure boot.

I installed Mint (replacing Windows, not dual booting).

But when the install completed and the system rebooted I got "SupportAssist is running a system scan to detect any potential hardware problems." The result of the scan was "No bootable devices were found..."

If I disable secure boot the system boots to Mint.

I checked in setup; the boot sequence was first 'Ubuntu' then 'Windows Boot Manager.' Well, there is no longer any 'Windows Boot Manager' because I told Mint install to erase Windows and install Mint. So I disabled 'Windows Boot Manager', leaving only 'Ubuntu.'

Now it boots to SupportAssist, doesn't run a scan, just tells me "Operating System Loader signature not found in SecureBoot database ('db'). All bootable devices failed Secure Boot verification."

What gives? Mint is supposed to be compatible with secure boot AND it booted just fine from the USB.


Re: Secure Boot from hard drive - Dell Inspiron 15?

Post by michael louwe » Tue Mar 27, 2018 3:26 am

@ brvcf,

AFAIK, ...

....for UEFI computers and Secure Boot, the OEMs are required by M$ to pre-register or preload the EFI-Windows Boot Manager or bootx64.efi file in the UEFI-BIOS firmware(= in the NVRAM = a flash memory chip) for all their new Win 8.x/10 computers = Win 8.x/10 and their Recovery USB/DVD can always be booted and/or installed successfully with Secure Boot enabled.
....... Other bootloaders, eg Linux Mint's grubx64.efi or shimx64.efi file, bootable GParted CD, bootable Hiren's BootCD, etc, need to be first certified or approved by the M$-associated Verisign company before they can be registered in the firmware and be booted. This certification process costs about US$100 per year. The bootloaders of Ubuntu, LM and Fedora have this certification from Verisign.
....... Tech-geeks can also register the bootloaders in the firmware of their own UEFI computers themselves, ie no need to be first certified by M$'s Verisign for their own computers with Secure Boot enabled.

M$'s Secure Boot still requires a certified bootloader to be first registered or loaded in UEFI-BIOS firmware through the Internet before the software/OS can be booted or installed successfully. This online registration or signing process can often be incomplete or interrupted or "sabotaged", eg grubx64.efi-signed not downloaded during the install process.
....... So, better to disable Secure Boot when installing LM or Ubuntu or Fedora.

Further information ... https://www.happyassassin.net/2014/01/2 ... work-then/
https://nwrickert2.wordpress.com/2013/0 ... and-linux/
https://askubuntu.com/questions/380447/ ... ew-machine
(One possible workaround to this problem is to copy GRUB from EFI/ubuntu/grubx64.efi to EFI/BOOT/bootx64.efi = create a new folder, BOOT, in the EFI folder and rename grubx64.efi to bootx64.efi. Restart.)

https://www.lifewire.com/change-the-efi ... gr-4028027
https://www.linuxbabe.com/command-line/ ... r-examples

.
P S - I think the Live Linux USB/DVD uses Windows Boot Manager or the bootx64.efi file for booting(= no problem booting with Secure Boot enabled) but uses its own bootloader file(= grubx64.efi or shimx64.efi) for the install. shimx64.efi is used when Secure Boot is enabled and grubx64.efi is used when SB is disabled.
....... The Live Linux USB/DVD can also be booted in Legacy BIOS or UEFI mode.


Re: Secure Boot from hard drive - Dell Inspiron 15?

Post by administrollaattori » Tue Mar 27, 2018 1:23 pm

Make a fake Microsoft EFI folder, which includes.

Code:

── Boot
│   ├── BCD
│   ├── BCD.LOG
│   ├── bg-BG
│   │   ├── bootmgfw.efi.mui
│   │   └── bootmgr.efi.mui
│   ├── bootmgfw.efi
│   ├── bootmgr.efi
│   ├── BOOTSTAT.DAT
│   ├── boot.stl
│   ├── cs-CZ
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── da-DK
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── de-DE
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── el-GR
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── en-GB
│   │   ├── bootmgfw.efi.mui
│   │   └── bootmgr.efi.mui
│   ├── en-US
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── es-ES
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── et-EE
│   │   ├── bootmgfw.efi.mui
│   │   └── bootmgr.efi.mui
│   ├── fi-FI
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── Fonts
│   │   ├── chs_boot.ttf
│   │   ├── cht_boot.ttf
│   │   ├── jpn_boot.ttf
│   │   ├── kor_boot.ttf
│   │   ├── malgun_boot.ttf
│   │   ├── malgunn_boot.ttf
│   │   ├── meiryo_boot.ttf
│   │   ├── meiryon_boot.ttf
│   │   ├── msjh_boot.ttf
│   │   ├── msjhn_boot.ttf
│   │   ├── msyh_boot.ttf
│   │   ├── msyhn_boot.ttf
│   │   ├── segmono_boot.ttf
│   │   ├── segoen_slboot.ttf
│   │   ├── segoe_slboot.ttf
│   │   └── wgl4_boot.ttf
│   ├── fr-FR
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── hr-HR
│   │   ├── bootmgfw.efi.mui
│   │   └── bootmgr.efi.mui
│   ├── hu-HU
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── it-IT
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── ja-JP
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── ko-KR
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── lt-LT
│   │   ├── bootmgfw.efi.mui
│   │   └── bootmgr.efi.mui
│   ├── lv-LV
│   │   ├── bootmgfw.efi.mui
│   │   └── bootmgr.efi.mui
│   ├── memtest.efi
│   ├── nb-NO
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── nl-NL
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── pl-PL
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── pt-BR
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── pt-PT
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── qps-ploc
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── Resources
│   │   ├── bootres.dll
│   │   ├── da-DK
│   │   │   └── bootres.dll.mui
│   │   ├── en-US
│   │   │   └── bootres.dll.mui
│   │   ├── fi-FI
│   │   │   └── bootres.dll.mui
│   │   ├── nb-NO
│   │   │   └── bootres.dll.mui
│   │   └── sv-SE
│   │       └── bootres.dll.mui
│   ├── ro-RO
│   │   ├── bootmgfw.efi.mui
│   │   └── bootmgr.efi.mui
│   ├── ru-RU
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── sk-SK
│   │   ├── bootmgfw.efi.mui
│   │   └── bootmgr.efi.mui
│   ├── sl-SI
│   │   ├── bootmgfw.efi.mui
│   │   └── bootmgr.efi.mui
│   ├── sr-Latn-CS
│   │   ├── bootmgfw.efi.mui
│   │   └── bootmgr.efi.mui
│   ├── sr-Latn-RS
│   │   ├── bootmgfw.efi.mui
│   │   └── bootmgr.efi.mui
│   ├── sv-SE
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── tr-TR
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── uk-UA
│   │   ├── bootmgfw.efi.mui
│   │   └── bootmgr.efi.mui
│   ├── zh-CN
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   ├── zh-HK
│   │   ├── bootmgfw.efi.mui
│   │   ├── bootmgr.efi.mui
│   │   └── memtest.efi.mui
│   └── zh-TW
│       ├── bootmgfw.efi.mui
│       ├── bootmgr.efi.mui
│       └── memtest.efi.mui


Re: Secure Boot from hard drive - Dell Inspiron 15?

Post by brvcf » Tue Mar 27, 2018 10:32 pm

michael louwe wrote:
Tue Mar 27, 2018 3:26 am

M$'s Secure Boot still requires a certified bootloader to be first registered or loaded in UEFI-BIOS firmware through the Internet before the software/OS can be booted or installed successfully. This online registration or signing process can often be incomplete or interrupted or "sabotaged", eg grubx64.efi-signed not downloaded during the install process.

....... So, better to disable Secure Boot when installing LM or Ubuntu or Fedora.

P S - I think the Live Linux USB/DVD uses Windows Boot Manager or the bootx64.efi file for booting(= no problem booting with Secure Boot enabled) but uses its own bootloader file(= grubx64.efi or shimx64.efi) for the install. shimx64.efi is used when Secure Boot is enabled and grubx64.efi is used when SB is disabled.
....... The Live Linux USB/DVD can also be booted in Legacy BIOS or UEFI mode.

I thought you might be inferring that installing with secure boot on (even though Mint boots from the USB stick just fine) may prevent grubx64.efi-signed being downloaded during the install process, and this would screw up secure boot from the hd, so I tried reinstalling with secure boot off. That was even worse. On restart after installation, it resulted in a 'no bootable device' error whether secure boot was enabled or disabled.

I reinstalled again with secure boot on, and of course got the original error, and again when I disabled secure boot, then the computer booted to Mint.

Mint ought not to say it works with secure boot when it really doesn't. (By the way, out of curiosity I installed Xubuntu instead of Mint and it booted just fine with secure boot on.)

I think the concept of secure boot is good but obviously it was implemented poorly. Maybe on purpose by Microsoft.

One other thing I noted is that (only) when I install with secure boot on, Mint says "Installing third-party drivers requires turning off Secure Boot. To do this, you need to enter a security key now, and enter it when the systems restarts." But it never asks for the password when it restarts. I have noticed this before.


Re: Secure Boot from hard drive - Dell Inspiron 15?

Post by brvcf » Sun Apr 01, 2018 12:07 pm

administrollaattori wrote:
Tue Mar 27, 2018 1:23 pm
Make a fake Microsoft EFI folder, which includes.

Code:

── Boot
...

I have /boot/efi/EFI/ubuntu
Do I make another directory /boot/efi/EFI/Microsoft and if so where do I get all the files you listed or are they just dummy blank files?

The other thing is that I can not cd to efi.
If I don't use sudo I get

Code:

 bash: cd: efi: Permission denied

If I use sudo I get

Code:

sudo cd: command not found

But if I open /boot as root in Thunar then it lets me open efi and subdirectories.

One other interesting thing to note is that if I install Xubuntu instead of Mint the computer with secure boot on boots to Xubuntu just fine.
Is not shimx64.efi the same on both?
Maybe the Xubuntu installer sets shimx64.efi as the file to boot to while Mint sets grubx64.efi?

I could just disable secure boot and be done with it but I'd like to understand what is going on.


Re: Secure Boot from hard drive - Dell Inspiron 15?

Post by michael louwe » Sun Apr 01, 2018 3:18 pm

@ brvcf,

For more info, please refer to ... https://www.rodsbooks.com/efi-bootloaders/index.html
https://superuser.com/questions/1239618 ... ot-manager (grub-disappears-after-changing-description-of-windows-boot-manager)


Re: Secure Boot from hard drive - Dell Inspiron 15?

Post by brvcf » Fri Apr 13, 2018 2:56 pm

I have spent a lot of time reading the rodsbooks and other references. They give me lots of information about keys and efi shim files and stuff like that, which I think I basically understand. However, nothing really tells me how to fix the problem.

I now have encountered this problem on 2 additional newer (Windows 8) computers with EFI/Secure Boot.

On a HP, disabling secure boot allowed Mint to boot (dual boot with 8.1).

A Lenovo (erased Windows 88 and installed Mint) will not boot whether secure boot is enabled or not. The only way to get it to work is to go to setup, enable CSM/legacy mode instead of UEFI, and reinstall Mint.

Both the HP and Lenovo booted to the live DVD or flash drive just fine with secure boot on.

Clearly the problem is not specific to the original Dell I was working on, and I can not be the only one with this installation problem.

It is hard to believe that apparently the Mint team has not figured this out and either incorporated it into the installer... Or some other experts have not figured it out and published some fairly clear work-around procedure. In fact, Mint is so good otherwise I am really surprised that such a procedure would be necessary.

Clearly, the live media has a key that is recognized as valid by secure boot. Why is it not recognized when that same content is installed on the hard drive of the very same computer that booted just fine from the media - especially when Mint is installed by erasing the drive (which as far as I can see erases everything and sets up a new EFI partition just for Mint, no Windows bootloader) and installing?

I like the idea of secure boot and I do see the possible advantages of EFI and GPT but I guess for now the simple solution is turn it all off. Maybe the next version will be more compatible?


Re: Secure Boot from hard drive - Dell Inspiron 15?

Post by michael louwe » Sat Apr 14, 2018 3:32 am

@ brvcf,

There is not much that Linux can do when M$ and the OEMs have "colluded" to put up roadblocks to the installation of Linux on newly-sold OEM Win 8.x/10 UEFI computers, ...
eg the Lenovo Yoga 900-13ISK and Ideapad 720 were preinstalled with Win 10 using Intel's proprietary Intel RST driver for fake-RAID disk mode, instead of the normal AHCI disk mode;
certain OEM Win 8.x/10 computers, eg Acer, Asus and HP, have an obstructive or pro-M$ UEFI-BIOS setting for "select an UEFI file as trusted for executing"; etc.


Re: Secure Boot from hard drive - Dell Inspiron 15?

Post by brvcf » Sat Apr 14, 2018 12:23 pm

michael louwe wrote:
Sat Apr 14, 2018 3:32 am
... M$ and the OEMs have "colluded" to put up roadblocks to the installation of Linux...

Whether there is actual collusion or not, it seems like a pretty clear case of anti-competitive practices by a company (M$) which has about 90% share of the desktop operating system market. Maybe not a monopoly but fairly close. But from the research I have done it appears attempts to take legal action have failed even in the EU which has stricter regulations.

I guess the only solution is to disable Secure Boot, and on some PCs such as the Lenovo I just worked on, UEFI as well.
Or build your own PC using a suitable motherboard that gives you full control.

The question still remains, though. Why does Mint boot just fine from the DVD or flash drive with Secure Boot on, but the (presumably) exact same Mint using the same secure boot key when installed on the same computer's hard drive as the only OS (drive erased and Mint installed) will not boot? I assume that the Mint installer has done what it said and erased everything including the original M$-created EFI boot partition. This appears to be the case because if I go into the startup section of the computer's setup, it only lists 'Ubuntu', not Windows.


Re: Secure Boot from hard drive - Dell Inspiron 15?

Post by fabien85 » Sat Apr 14, 2018 3:54 pm

Hi,
actually Mint does not claim to be compatible with secure boot, and usually advises to turn it off.
A possible workaround is given in the User guide: https://linuxmint-installation-guide.re ... t/efi.html
i.e. do not select "Install third-party software for graphics and Wi-Fi hardware, Flash, MP3 and other media" during installation.

A second thing, if the first fails, is to check whether it's the good bootloader (shim, the one that is signed) that has been registered as a boot entry in the NVRAM.
Post here the output of

Code:

sudo efibootmgr -v
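
Added example, not part of the thread or of any poster's message: one way to read the `efibootmgr -v` output requested above and see which EFI binary the first BootOrder entry loads. The function names and the sample output (including the all-zero partition GUID) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which EFI binary the first BootOrder entry loads.

# Constructed sample of `efibootmgr -v` output; $1 is the loader file name
# used for the "ubuntu" entry. The GUID is a placeholder.
sample_output() {
    sed "s/LOADER/$1/" <<'EOF'
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0002
Boot0000* ubuntu HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\ubuntu\LOADER)
Boot0002* UEFI: USB PciRoot(0x0)/Pci(0x14,0x0)/USB(1,0)
EOF
}

# Print the lower-cased file name loaded by the first BootOrder entry,
# or "none" if that entry is missing or has no File(...) node.
first_loader() {
    awk '
        /^BootOrder:/ { split($2, order, ","); first = "Boot" order[1] }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ { entry[substr($0, 1, 8)] = $0 }
        END {
            line = entry[first]
            if (!match(line, /File\([^)]*\)/)) { print "none"; exit }
            path = substr(line, RSTART + 5, RLENGTH - 6)  # text inside File(...)
            sub(/.*\\/, "", path)                         # drop the directory part
            print tolower(path)
        }'
}

# Classify the first entry. On Ubuntu-based installs shimx64.efi is the
# first stage the firmware is expected to verify; an entry that points
# straight at grubx64.efi bypasses it.
check_first_entry() {
    loader=$(first_loader)
    case "$loader" in
        shim*.efi) echo "ok: $loader" ;;
        grub*.efi) echo "check: $loader is loaded directly, not via shim" ;;
        *)         echo "unknown: $loader" ;;
    esac
}

# Real use: sudo efibootmgr -v | check_first_entry
sample_output grubx64.efi | check_first_entry
```
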
