Grub sign certificate

Questions about Grub, UEFI,the liveCD and the installer
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Locked
maxvankessel
Level 1
Level 1
Posts: 4
Joined: Mon Jun 13, 2022 2:13 am

Grub sign certificate

Post by maxvankessel »

I got a new laptop from work, which is a DELL.
It comes pre-installed with Windows11 and automatically has secure boot enabled.
You might understand that I can't remove Windows because it's for work.

So I wanted to install LM20.3 as dual boot with Windows11.
A live-disk (USB) doesn't start. The certificate doesn't have a match in the database, is what the BIOS said.
But a Ubuntu 22.04 live disk does start.

The difference I could find is that the certificate used to sign the binaries are from Canonical but have a different year.

LM20.3:

Code: Select all

sbverify --list grubx64.efi
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2017)
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority

Ubuntu 22.04

Code: Select all

sbverify --list grubx64.efi
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2021 v1)
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
Totally uncertain if this is the problem, I can't verify which certificates are in the secure boot database.
I can only add new certificates, but I haven't searched for the Canonical certificate.

DELL Inspiron 16 5620.
Live Disk Linux Mint Cinnamon 20.3 and Linux Mint Cinnamon 20.3 Edge

Max
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
User avatar
kato181
Level 9
Level 9
Posts: 2564
Joined: Fri Mar 24, 2017 12:33 am
Location: Frederickton NSW

Re: Grub sign certificate

Post by kato181 »

Ensure you have selected USB as the first boot option in your bios. Being a work computer I would check with your company to see if you are allowed to install LM on it.
User avatar
zcot
Level 9
Level 9
Posts: 2798
Joined: Wed Oct 19, 2016 6:08 pm

Re: Grub sign certificate

Post by zcot »

Copy the 22.04 shim onto the Mint one instead.
maxvankessel
Level 1
Level 1
Posts: 4
Joined: Mon Jun 13, 2022 2:13 am

Re: Grub sign certificate

Post by maxvankessel »

zcot wrote: Fri Jun 17, 2022 11:39 am Copy the 22.04 shim onto the Mint one instead.
The USB drive is read only, directly at mount. Do I need to mount it manual to override this setting?
pbear
Level 16
Level 16
Posts: 6569
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: Grub sign certificate

Post by pbear »

I'd love to know how many dastardly plots secure boot has foiled. Indeed, I'd like to know whether it has foiled any.

Have you asked your IT dept whether they have any suggestions?

Be aware (if you aren't already), LM21 should be released in a month or so and will be based on Ubuntu 22.04.
maxvankessel
Level 1
Level 1
Posts: 4
Joined: Mon Jun 13, 2022 2:13 am

Re: Grub sign certificate

Post by maxvankessel »

We have an external guy, but if it's other than Windows he starts to cry in the corner of the room.
Be aware (if you aren't already), LM21 should be released in a month or so and will be based on Ubuntu 22.04.
I was aware, but I've also read Q3 2022 or start of Q4, probably read it on some shady website. Is their already a date leaked?
User avatar
AndyMH
Level 21
Level 21
Posts: 13582
Joined: Fri Mar 04, 2016 5:23 pm
Location: Wiltshire

Re: Grub sign certificate

Post by AndyMH »

Can you turn off secure boot in bios or is it locked?
Thinkcentre M720Q - LM21.3 cinnamon, 4 x T430 - LM21.3 cinnamon, Homebrew desktop i5-8400+GTX1080 Cinnamon 19.0
Reddog1
Level 7
Level 7
Posts: 1891
Joined: Wed Jun 01, 2011 2:12 pm

Re: Grub sign certificate

Post by Reddog1 »

You might encounter less resistance from your IT dept. if you install VirtualBox on your W11 and run Mint as a virtual machine. Doing so will not alter your original partitioning or boot loader in any way and will avoid what could be some sticky driver issues by running the VB virtual drivers instead of the actual hardware drivers. You will take a performance hit running as a vm, but with a modern machine it won't be very noticeable. And finally, W11 updates won't ever mess with the virtual machine boot loader, which can be a real pain, depending on the bios/uefi. The downside is that you will have to boot W11 in order to open VirtualBox and boot your virtual machine, but other than that Mint can be used as if it is a native install and the vm grub won't encounter the host system uefi, at all.

There are quite a few 'how to install VB' instructions out there. Read several if you decide to go that route. (I'm typing this in a vm, but with a Mint host).

https://techschumz.com/download-and-ins ... ows-11-pc/
maxvankessel
Level 1
Level 1
Posts: 4
Joined: Mon Jun 13, 2022 2:13 am

Re: Grub sign certificate

Post by maxvankessel »

AndyMH wrote: Fri Jun 24, 2022 8:10 am Can you turn off secure boot in bios or is it locked?
Not really, I still need some parts of windows for my work, and I don't want to remove it completely to reinstall it later in an emulator.

I tried to alter the ISO image of LM and swap the GRUB-EFI bootloader files with the one from the newest Ubuntu, but not with a lot of success.
Boot device doesn't get recognized in the BIOS, but it might be the isolinux part on my side.

I'll wait patiently for LM21, and hope that it'll be released soon.
W11 updates breaks the drivers every odd day, this makes it quiet hard to work with.
User avatar
AndyMH
Level 21
Level 21
Posts: 13582
Joined: Fri Mar 04, 2016 5:23 pm
Location: Wiltshire

Re: Grub sign certificate

Post by AndyMH »

Disabling secure boot does not stop win booting.
Thinkcentre M720Q - LM21.3 cinnamon, 4 x T430 - LM21.3 cinnamon, Homebrew desktop i5-8400+GTX1080 Cinnamon 19.0
Locked

Return to “Installation & Boot”