
#1 2019-09-20 08:58:44

stickybits
Member
Registered: 2019-09-20
Posts: 2

[SOLVED] Arch Bootable USB not passing Dell's secure boot verification

Hi all,

I'm trying to dual boot Windows and Arch on a new Dell XPS 15.

I've downloaded the Arch ISO, verified it with gpg, dd'd it to my flash drive, but when I tried to boot from it, I got kicked back to Windows.
Disabling the Windows boot entry in the BIOS led me to the real problem, which is that my BIOS isn't accepting the Arch image. I get the following message:

Operating System Loader failed signature verification. WARNING: the file may have been tampered with! All bootable devices failed Secure Boot validation.

Through some experimentation I found I can get it working by changing the secure boot mode from 'Deployed Mode' to 'Audit Mode', with the following information regarding the setting underneath:
Changes to the Secure Boot operation mode modifies the behavior of Secure Boot to allow evaluation or enforcement of UEFI driver signatures. Deployed Mode should be selected for normal operation of Secure Boot.
Deployed Mode - Checks the integrity of UEFI drivers and bootloaders before allowing execution. Use this mode for full Secure Boot protections.
Audit Mode - Performs a signature check but does not block execution of all UEFI drivers and bootloaders. Use this mode when making modifications to Secure Boot Keys.

My questions are:
- Is setting Audit Mode here the correct (and secure) way to get Arch to boot?
- Am I making modifications to secure boot keys by installing Arch?
- Why didn't I run into this issue when I installed Arch as the only operating system?

Thanks for your time!

Last edited by stickybits (2019-09-23 22:15:05)

Offline

#2 2019-09-20 09:20:38

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,410

Re: [SOLVED] Arch Bootable USB not passing Dell's secure boot verification

If you actually want to properly utilize secure boot you will want to read https://wiki.archlinux.org/index.php/Secure_Boot

Regarding the question:
- No clue, never heard of this distinction but it's probably there to let you boot off of live disks/USBs to add your own keys later
- Just by its lonesome without doing what's mentioned in the link? No, but you will likely be unable to boot the installed Arch
- Either secure boot was disabled, or the fact that no Microsoft keys were present made it simply accept whatever.

Online

#3 2019-09-20 14:11:09

Swiggles
Member
Registered: 2014-08-02
Posts: 266

Re: [SOLVED] Arch Bootable USB not passing Dell's secure boot verification

stickybits wrote:

My questions are:
- Is setting Audit Mode here the correct (and secure) way to get Arch to boot?

Correct maybe, but I'd say no. Secure in enforcing any secure boot security? Nope.

stickybits wrote:

- Am I making modifications to secure boot keys by installing Arch?

No, you have to enroll any changed keys in your firmware config. This is impossible outside of UEFI setup mode unless the firmware is broken.

stickybits wrote:

- Why didn't I run into this issue when I installed Arch as the only operating system?

You most likely did disable secure boot then.

What you have to do is to create a key to sign your own kernel, create an EFI-bootable kernel image (use a shim or create your own with objcopy), sign it (automate it with hooks!), add a bootloader entry and enroll the signatures in your UEFI firmware. For dual booting, read the link V1del posted carefully; the procedure is described there.

Offline
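
Added example, not part of any post in this thread: a shell check that reads the UEFI 2.5+ mode variables from efivarfs and reports which Secure Boot mode the firmware is in and whether signatures are being enforced. It assumes Dell's "Audit Mode" and "Deployed Mode" settings correspond to the UEFI `AuditMode` and `DeployedMode` variables; the helper names `efi_flag`, `sb_mode` and `make_sample` are made up here, and the demo at the end runs on constructed sample files rather than real firmware data.

```sh
#!/bin/sh
# Report the UEFI Secure Boot mode from the firmware's global variables.
# efivarfs files hold a 4-byte attribute header followed by the data;
# each variable read here carries a single data byte (0 or 1).
GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE

# efi_flag DIR NAME: print the variable's data byte, or 0 if it is absent
# (firmware older than UEFI 2.5 has no AuditMode/DeployedMode).
efi_flag() {
    f="$1/$2-$GUID"
    if [ -r "$f" ]; then
        od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
    else
        printf 0
    fi
}

# sb_mode [DIR]: print "<mode> enforcing=<yes|no>"
sb_mode() {
    dir="${1:-/sys/firmware/efi/efivars}"
    setup=$(efi_flag "$dir" SetupMode)
    audit=$(efi_flag "$dir" AuditMode)
    deployed=$(efi_flag "$dir" DeployedMode)
    secure=$(efi_flag "$dir" SecureBoot)
    if [ "$audit" = 1 ]; then mode=audit
    elif [ "$setup" = 1 ]; then mode=setup
    elif [ "$deployed" = 1 ]; then mode=deployed
    else mode=user
    fi
    # Signatures are only enforced when SecureBoot reads 1.
    if [ "$secure" = 1 ]; then enf=yes; else enf=no; fi
    printf '%s enforcing=%s\n' "$mode" "$enf"
}

# make_sample DIR SETUP AUDIT DEPLOYED SECURE: constructed efivarfs look-alike
make_sample() {
    d="$1"; shift
    for name in SetupMode AuditMode DeployedMode SecureBoot; do
        # attribute bytes 06 00 00 00 (BS|RT), then the value byte
        printf '\006\000\000\000\00'"$1" > "$d/$name-$GUID"
        shift
    done
}

tmp=$(mktemp -d)
make_sample "$tmp" 0 0 1 1; sb_mode "$tmp"   # deployed enforcing=yes
make_sample "$tmp" 1 1 0 0; sb_mode "$tmp"   # audit enforcing=no
rm -rf "$tmp"
```

On a real machine, call `sb_mode` with no argument to read `/sys/firmware/efi/efivars`.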

#4 2019-09-23 22:13:39

stickybits
Member
Registered: 2019-09-20
Posts: 2

Re: [SOLVED] Arch Bootable USB not passing Dell's secure boot verification

Thanks for the responses. I did some more reading up on secure boot.

My assumption was that the installation media and bootloaders would already be signed and work out of the box.

I've just disabled secure boot, as it seems more trouble than it's worth.

Cheers.

Offline
