
#1 2021-02-10 04:10:23

E-can
Member
Registered: 2019-08-16
Posts: 7

How can I get my custom live disc to boot with secureboot?

For the past few months I've been working on my own custom debian live disc which includes some stuff from some of my favorite distros like BL.

My discs have always worked fine on the old thinkpads and stuff that I usually use, but recently I tried it on some slightly newer hardware. With secureboot on, my iso won't boot at all. If I turn off secureboot in the BIOS, I can at least get to the grub menu. On very rare occasions, it will actually boot, but more often I get errors and kernel panics.

I think there are probably several issues to work through here, but first things first.
Can anyone give me any hints about how to get my iso working with secureboot?
The bunsenlabs iso boots flawlessly. I've also tried Head-on-a-Stick's SharpBang and it worked as well.

The only customisation I've done to the bootloader is editing the annoying beep out of the config files for grub and isolinux and putting the edited files in config/includes.binary. Otherwise everything is just live-build's defaults. I suppose I'm going to have to make a proper config/bootloaders directory, but I don't want to just make a straight copy from a working iso or github page without understanding it. Where do these customisations come from, and what should I be looking for? I'm having trouble finding any info about it. I've read the debian live manual all the way through at least twice, but it hasn't been updated in a few years, and the relevant section for this is only about a paragraph long.

Can anyone give me a few pointers?


#2 2021-02-10 05:05:34

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 8,424
Website

Re: How can I get my custom live disc to boot with secureboot?

The debian installer that live-build sets up will use secure-boot by default - we didn't change anything for BL in that department. The only issue we had was that s-b will only be configured if the installer recognizes the distribution, i.e. it doesn't work for derivatives. I seem to recall one problem was the grub option --bootloader-id=bunsenlabs which came from 'dpkg-vendor --query vendor'. That resulted in a setup of /boot/efi/EFI/bunsenlabs. If it's /boot/efi/EFI/debian then s-b should go.

Bunch of links that might possibly hold helpful info:
https://bugs.launchpad.net/ubuntu/+sour … ug/1450783
https://askubuntu.com/questions/1129269 … g-myubuntu
https://salsa.debian.org/live-team/live … requests/3
https://gitlab.tails.boum.org/tails/blu … cure_boot/
https://bugs.debian.org/cgi-bin/bugrepo … bug=924053
https://bugs.debian.org/cgi-bin/bugrepo … bug=922251

We work round it by treating the system as Debian (which it is, in fact) then after grub has been set up, install bunsen-os-release (via a debian-installer preseed "late_command") which sets the "vendor". If you are setting some vendor other than Debian that might be why s-b isn't working for you.


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), idle Twitterings and GitStuff )

Introduction to the Bunsenlabs Lithium Desktop
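
A quick check for the condition described in the post above, added here as an example (it is not from the post or from BunsenLabs): it lists the bootloader-id directories on a mounted EFI system partition and reports whether EFI/debian is among them. The function names are hypothetical, and lowercasing the `dpkg-vendor` output is an assumption about how the vendor name becomes the bootloader id.

```shell
#!/bin/sh
# Added example. Assumed layout: <esp>/EFI/<bootloader-id>/, with EFI/BOOT
# being the removable-media fallback directory rather than a bootloader id.

# Print each bootloader-id directory under <esp>/EFI, one per line.
esp_bootloader_ids() {
    [ -d "$1/EFI" ] || return 1
    for d in "$1"/EFI/*/; do
        [ -d "$d" ] || continue
        id=$(basename "$d")
        case $id in BOOT|Boot|boot) continue ;; esac
        printf '%s\n' "$id"
    done
}

# Vendor name lowercased (assumption: that is how it ends up as the
# --bootloader-id). Uses $1 if given, else asks dpkg-vendor.
vendor_id() {
    if [ -n "$1" ]; then v=$1
    else v=$(dpkg-vendor --query vendor 2>/dev/null) || v=unknown
    fi
    printf '%s\n' "$v" | tr '[:upper:]' '[:lower:]'
}

# check_esp ESP [VENDOR]: 0 if EFI/debian exists, 1 if not, 2 if no EFI dir.
check_esp() {
    vid=$(vendor_id "$2")
    ids=$(esp_bootloader_ids "$1") || { echo "no EFI directory under $1"; return 2; }
    # FAT is case-insensitive, so match the directory name ignoring case.
    if printf '%s\n' "$ids" | grep -qix 'debian'; then
        echo "ok: EFI/debian present (vendor: $vid)"
        return 0
    fi
    echo "warn: no EFI/debian; found: $(echo $ids) (vendor: $vid)"
    [ "$vid" = debian ] || echo "hint: vendor '$vid' may have been used as the bootloader id"
    return 1
}

# Run against a mounted ESP when called with arguments, e.g. ./check.sh /boot/efi
if [ "$#" -gt 0 ]; then check_esp "$@"; fi
```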


#3 2021-02-10 07:11:40

E-can
Member
Registered: 2019-08-16
Posts: 7

Re: How can I get my custom live disc to boot with secureboot?

Thanks. I'll take a look at those links.

If it wasn't clear from my original post, I meant booting straight to a live session. I haven't actually tried installing to a hard drive from my iso.

I did notice that on the old non-uefi hardware the installer shows up on the isolinux menu, but on the newer uefi hardware the installer isn't even on the grub menu. I thought it was a bit odd, but didn't think too much of it since I didn't plan to use it outside of live sessions. I guess it could be related though. Still, since the only change I made to the default was commenting out the beep when the menu shows up, something seems off.

I'll see what I can find in the links you gave. Thanks again.


#4 2021-02-10 13:30:09

sleekmason
zoom
Registered: 2018-05-22
Posts: 649
Website

Re: How can I get my custom live disc to boot with secureboot?

From the Manual here: https://live-team.pages.debian.net/live … ry.en.html

In order to use a full theme, copy /usr/share/live/build/bootloaders into config/bootloaders and edit the files in there. If you do not want to bother modifying all supported bootloader configurations, only providing a local customized copy of one of the bootloaders, e.g. isolinux in config/bootloaders/isolinux is enough too, depending on your use case.

You shouldn't really need anything other than the syslinux and the isolinux to boot with. Grub is installed as needed during the build.

If you want, you could follow the instructions in my "build" link below, using your stuff instead of mine. It should give you a working usb if nothing else.

There are customized entries for the installer in /config/bootloaders/isolinux/advanced.cfg which will also give you the "expert" installer options. (in my link).

Last edited by sleekmason (2021-02-10 14:52:14)


#5 2021-02-12 04:09:01

E-can
Member
Registered: 2019-08-16
Posts: 7

Re: How can I get my custom live disc to boot with secureboot?

Well, I had a little free time and I tried a little experiment.

I downloaded a pre-built iso, built an iso from a github page in my usual build environment, and built an iso in the Bunsenlabs live disk. I wanted to see if there was some kind of problem, hardware or software, in my build environment. Lilidog doesn't have a pre-built iso up anywhere and the bunsenlabs build isn't public, so I tried SharpBang. It has both. I'm happy to say that all three disks booted with no problems at all, so I can eliminate one potential source of the problem.

Surprisingly, my custom build is actually getting to the grub menu now. I don't think I changed anything in the build that would cause that, but for whatever reason it's working now. My guess is that it was either a BIOS setting or a problem with the sd card I was using.

Anyway, as I said in the first post, I think I have several problems. As of now, I'm still only just getting to the grub menu. I still can't boot the OS. I suspect that I just need to install some non-free firmware for that though. Right now, I'm only using stuff from the main debian repository. It's probably pretty easy to fix. I'll try that this weekend, and if it works, I'll mark this as solved. Thanks for everyone's help.


#6 2021-11-02 05:11:25

E-can
Member
Registered: 2019-08-16
Posts: 7

Re: How can I get my custom live disc to boot with secureboot?

I didn't think so much time had passed since I posted this, but it looks like it's been nearly nine months. I didn't like leaving this completely unresolved, so I hope it's ok if I give a little update on this.

I never was able to figure out exactly what my problem was with this, but I think it had something to do with my building the live images in another live disk. I noticed the few times that I built the images from a proper install that wrote to the hard disk, they worked without any issues. However, whenever I built the images in a live-environment, they worked with isolinux on BIOS systems, but didn't work with GRUB on UEFI systems. I usually did it that way because the builds were small enough to fit in RAM, and I don't have an SSD, so it's faster than writing to disk. I suppose that caused something in the live-build scripts to write an incorrect grub config file.

Anyway, the problem was solved when Bullseye came out. The new version of live-build doesn't cause this problem anymore, and my builds are all working flawlessly. Thanks to everyone who offered advice.
