
#1 2018-04-27 00:42:15

jwhendy
Member
Registered: 2010-04-01
Posts: 621

[SOLVED] Unsure on how to make progress with UEFI/Secure Boot install

I just got a new company-leased laptop. I'm hung up on how to even get started... UEFI is new to me and the laptops look to have Secure Boot enabled by default. It's an HP ZBook 15 G4 for reference.

Steps:

- [x]: make install media. It looks to me like I should be set with the regular ol' dd command.

- [ ]: boot install media. No go. I get the error "Boot image did not authenticate" when I escape to the boot devices during start up and choose my USB disk. From reading around about this, I see references to Secure Boot on this page, but I don't follow what it's suggesting. The first portion is marked out of date, and I don't follow the instructions in the second section. For example:

# cp /usr/share/preloader-signed/{PreLoader,HashTool}.efi esp/EFI/systemd

I don't know what "esp" is, and don't have a systemd directory in either of the partitions created by dd'ing the install USB.

If I disable Secure Boot and enable legacy, I'm prompted for a BitLocker password (which I don't have) at the next boot of Windows 10.

Should I abandon ship entirely and just pursue IT turning Secure Boot off for me? Or is there a step on working with it I'm missing in the guides?

Many thanks.

Last edited by jwhendy (2018-04-28 03:18:21)


#2 2018-04-27 00:59:59

ooo
Member
Registered: 2013-04-10
Posts: 1,638


Looks like the wiki section is marked out of date, because the .efi files from efitools package bundled in Arch ISO aren't signed. However, looking further down the page, it seems that you can download signed files manually, or install from AUR:

Warning: PreLoader.efi and HashTool.efi in efitools package are not signed, so their usefulness is limited. You can get a signed PreLoader.efi and HashTool.efi from preloader-signed or download them manually.

"esp" refers to the EFI System Partition, which you need to create in order to boot a UEFI system.

Last edited by ooo (2018-04-27 01:00:54)


#3 2018-04-27 01:41:03

jwhendy
Member
Registered: 2010-04-01
Posts: 621


Ah, that's most helpful on the acronym. Thanks. That said, the USB install medium page says nothing about this, and the EFI System Partition page looks targeted toward setting up a computer targeted for install, not making the install medium itself/getting it to boot?

How do I go from a dd'd USB boot disk to one that has these signed .efi files? Or is there some entirely different method to prepare a USB boot drive if one applies the ESP steps? Is this more like installing Arch to the USB drive and then booting from that? That's all that might make sense given the instructions I'm seeing.


#4 2018-04-27 02:18:40

ooo
Member
Registered: 2013-04-10
Posts: 1,638


Sorry, I missed that you didn't manage to boot the archiso yet.

I don't use Secure Boot myself, and couldn't find a definitive answer on whether archiso supports booting with it. If the information in this thread is still accurate, it may solely depend on your hardware.

If you indeed need to add signed .efi files to the boot media, you can.

Hopefully someone with more knowledge will chime in..


#5 2018-04-27 02:45:36

jwhendy
Member
Registered: 2010-04-01
Posts: 621


I found that other thread earlier as well, but got derailed at the "read section 2.1" part and actually never made it to the end! Yes, it would seem that maybe it's my hardware. The remastering... is seeming gross to me and I still don't follow how I remaster to incorporate the Secure Boot page suggestions (moving those .efi files into esp/EFI/systemd, which doesn't exist on the iso). I'm going to submit an IT ticket and see if they'll just turn it off! I can do that myself, but then I can't boot Windows without the BitLocker password. It appears that Secure Boot has to be turned on to allow BitLocker?

Our leases run 3yrs... so it's always a total surprise at what the next thing will end up being. Every iteration for ~10 years I've been able to do it, stemming way back to writing this entry! Granted, I've borked two encrypted MBRs on the first day, but they were kind enough to re-image for me :)


#6 2018-04-28 02:53:03

jwhendy
Member
Registered: 2010-04-01
Posts: 621


A colleague had an Ubuntu install stick, and it booted fine. This is interesting to note via the Secure Boot page:

On Ubuntu, all pre-built binaries intended to be loaded as part of the boot process, with the exception of the initrd image, are signed by Canonical's UEFI certificate, which itself is implicitly trusted by being embedded in the shim loader, itself signed by Microsoft.

Now I'm thinking this is what the note on the wiki refers to. Arch used to do the same, but doesn't anymore. I'll see about replacing the appropriate files on the archiso with signed versions to see what happens. Not so sure on this route...


#7 2018-04-28 03:17:43

jwhendy
Member
Registered: 2010-04-01
Posts: 621


Found a great StackExchange post! So, my steps were as follows to get archiso to work (with the package preloader-signed installed):

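$ sudo mount /dev/sdc2 /mnt/foo    # the USB stick's partition that holds EFI/boot
$ cd /mnt/foo/EFI/boot
$ sudo cp /usr/share/preloader-signed/PreLoader.efi ./bootx64.efi
$ sudo cp /usr/share/preloader-signed/HashTool.efi ./
$ cd /    # leave the mount point so umount does not fail with "target is busy"
$ sudo umount /mnt/foo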

After that, I rebooted, chose the drive, and then followed these instructions. I was going to be really sad if I couldn't get Arch to work. Mark this my 4th or 5th corporate laptop for which we have a path forward. Long Live Arch!

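An added example, not part of any post in this thread: the thread turns on whether the .efi files on the stick are signed, and this Python check reads a PE/COFF image's Certificate Table to report whether it carries an Authenticode signature at all. `make_sample` is a hypothetical helper that builds a constructed header for offline testing; on a real system pass the .efi paths as arguments.

```python
import struct
import sys

SECURITY_DIR = 4  # data-directory index of the PE Certificate Table

def authenticode_entries(image: bytes):
    """Return [(dwLength, wRevision, wCertificateType)] for every WIN_CERTIFICATE
    in a PE/COFF image. An empty list means the binary carries no signature."""
    try:
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)
        if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("not a PE image")
        opt = pe_off + 24  # optional header follows the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", image, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
        (count,) = struct.unpack_from("<I", image, dirs - 4)
        if count <= SECURITY_DIR:
            return []
        pos, size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR)
        if pos == 0 or size == 0:
            return []
        end, entries = pos + size, []  # pos is a file offset here, not an RVA
        if end > len(image):
            raise ValueError("certificate table runs past end of file")
        while pos + 8 <= end:
            length, rev, ctype = struct.unpack_from("<IHH", image, pos)
            if length < 8 or pos + length > end:
                raise ValueError("corrupt WIN_CERTIFICATE entry")
            entries.append((length, rev, ctype))
            pos += (length + 7) & ~7  # entries are 8-byte aligned
        return entries
    except (struct.error, KeyError) as exc:
        raise ValueError(f"not a valid PE image: {exc}") from None

def make_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not a bootable binary), for testing."""
    opt = bytearray(240)  # 112 fixed bytes + 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    image = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
                      + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22) + opt)
    if signed:  # append one dummy WIN_CERTIFICATE and point the directory at it
        struct.pack_into("<II", image, 64 + 24 + 112 + 8 * SECURITY_DIR, len(image), 16)
        image += struct.pack("<IHH", 16, 0x0200, 0x0002) + bytes(8)
    return bytes(image)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, authenticode_entries(fh.read()) or "UNSIGNED")
```

A non-empty result only shows that a signature is embedded; it does not verify it, and the firmware will still refuse the image unless the signer chains to a certificate in its Secure Boot database.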
