#1 2016-10-22 13:24:29

shrinathk
Member
Registered: 2016-10-22
Posts: 10

Installing with UEFI Secure Boot - OS Loader signature issue

Greetings everyone!!

I bought a new Dell Inspiron 5559 (with factory installed Ubuntu) and wanted to set it up with Arch Linux. I am not a newbie and have used Arch Linux earlier, so I have some Linux knowledge. But I am new to Secure Boot and I have many questions around it.

Question #1 - Is the Arch Linux ISO signed or unsigned? https://wiki.archlinux.org/index.php/Secure_Boot says "Since archlinux-2016.06.01-dual.iso, bootx64.efi (PreLoader) and HashTool.efi in archiso are not signed."

Question #2 - If it is signed, is the ISO signed or something else? I mean, is the ipxe.efi on https://www.archlinux.org/releng/netboot/ signed? There is a PGP signature (.sig file) next to it - not sure what to do with it.

Question #3 - After some reading (https://bbs.archlinux.org/viewtopic.php?id=215566), I realized that I can configure the UEFI to boot from the efi file. So I did that and tried to boot into the netboot efi file and I got the error "Operating system loader has no signature. Incompatible with Secure Boot". Should I configure the .sig file somewhere in the UEFI?? In the Dell UEFI I see some "expert key management" with options like PK, db, dbx etc., nothing like "sig". Also, by modifying this, am I messing too much with UEFI?

Question #4 - If I disable secure boot and install Arch Linux, do I have to keep the secure boot always disabled as long as I use Arch Linux?

I tried netboot by booting into the ipxe.efi and it is failing because of the error "operating system loader has no signature". I also tried "dd"ing the full 800+ MB "archlinux-2016.10.01-dual.iso" and booting and still got the same "Operating system loader has no signature. Incompatible with Secure Boot" error.

Where do I go from here?

Thanks!!


#2 2016-10-22 20:00:57

ukhippo
Member
From: Non-paged pool
Registered: 2014-02-21
Posts: 366

Re: Installing with UEFI Secure Boot - OS Loader signature issue

The kernel and boot loaders on the ISO are not signed. To boot from the ISO you must disable Secure Boot.

Once you have your Arch system up and running, you can follow the rest of that wiki page to try and set up Secure Boot if you really want to use it.


#3 2016-10-22 20:14:00

Muflone
Package Maintainer (PM)
From: Italy
Registered: 2013-10-08
Posts: 107

Re: Installing with UEFI Secure Boot - OS Loader signature issue

I'm not sure if something has changed in recent months, but one year ago the ISO contained hashtool to sign the booting kernel from the ISO itself.
So it was pretty straightforward and easy to boot and install Arch Linux with Secure Boot enabled. I have been running it for a year and I've never disabled Secure Boot to use or install Arch Linux.

For Italian readers or Google Translator lovers I wrote a guide to install Arch Linux on a Lenovo G50-70 with Secure Boot enabled. Maybe it could help.


#4 2016-10-22 20:49:47

ukhippo
Member
From: Non-paged pool
Registered: 2014-02-21
Posts: 366

Re: Installing with UEFI Secure Boot - OS Loader signature issue

@Muflone, see the OP's question #1: that text is taken directly from the wiki page. Since they are not signed you cannot boot the ISO with Secure Boot enabled.


#5 2016-10-23 10:56:26

shrinathk
Member
Registered: 2016-10-22
Posts: 10

Re: Installing with UEFI Secure Boot - OS Loader signature issue

Thank you for your responses!! I will give it a try by disabling Secure Boot.

