
#1 2015-10-13 19:02:36

jtw49
Member
Registered: 2015-02-11
Posts: 4

Surface Pro 3 and Secure Boot post-install

Hello everyone,

Background info: I have successfully installed and booted into a native Arch environment in a dual-boot setup with Windows 8.1 on my Surface Pro 3 with Secure Boot disabled. I am using systemd-boot.

I currently mount /dev/sda5 as ext4 for / and I have mounted the existing EFI system partition installed by Windows (sda2) as /boot.

Upon cold boot, I am presented with the systemd-boot menu to boot Arch or Windows Boot Manager as well as the option to boot to UEFI Firmware settings (all good so far).

Upon enabling Secure Boot, I receive the invalid signature message and consequently boot into Windows.

I followed the Arch Wiki for both installing and setting up systemd-boot and have also tried following this: https://wiki.archlinux.org/index.php/Mi … ecure_Boot to copy Hashtool and bootx64 to the EFI Boot partition from the installable media.

I am still not presented with Hashtool on boot to sign the kernel and am still unable to get booting with Secure Boot.

Rather than continue running into problems, I am asking here what steps I am missing.

Thanks in advance


#2 2015-10-13 19:38:58

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 4,857

Re: Surface Pro 3 and Secure Boot post-install

Firstly, will the system boot up without Secure Boot enabled?

Rather than copying the files from the ISO image, it's probably best to install the prebootloader package and copy HashTool.efi & PreLoader.efi from /usr/lib/prebootloader.

The important thing is then to make a custom NVRAM entry to boot the PreLoader first so that you can enrol your kernel image:

# efibootmgr -d /dev/sda -p 2 -c -L Preloader -l /EFI/systemd/PreLoader.efi

This should be set as first in the boot order -- check by running `efibootmgr` with no arguments.


#3 2015-10-13 19:57:29

jtw49
Member
Registered: 2015-02-11
Posts: 4

Re: Surface Pro 3 and Secure Boot post-install

Head_on_a_Stick wrote:

Firstly, will the system boot up without Secure Boot enabled?

Yes, it boots fine with Secure Boot disabled.

Head_on_a_Stick wrote:

Rather than copying the files from the ISO image, it's probably best to install the prebootloader package and copy HashTool.efi & PreLoader.efi from /usr/lib/prebootloader.

The important thing is then to make a custom NVRAM entry to boot the PreLoader first so that you can enrol your kernel image:

# efibootmgr -d /dev/sda -p 2 -c -L Preloader -l /EFI/systemd/PreLoader.efi

This should be set as first in the boot order -- check by running `efibootmgr` with no arguments.

This information is not on the surface pro 3 page or the UEFI Secure Boot page from what I could find. I'll give this a shot and if all is well, update the wiki to reflect this. Thanks!


#4 2015-10-13 21:36:31

esa
Member
Registered: 2011-12-29
Posts: 143

Re: Surface Pro 3 and Secure Boot post-install

AFAIK:
A system with a non-signed kernel cannot boot with secure boot enabled (also AFAIK Arch has an unsigned kernel).
Furthermore, a system installed with secure boot disabled won't be bootable with secure boot enabled.

In other words:
As you were required to switch secure boot off to install <SOMETHING>, it won't work if you enable secure boot again.
That is true (AFAIK) as long as the 'MBR' (bios_boot partition, efi load sequence, whatever) is changed (as it happens with a regular Arch install).

Conclusion:
Even if you are/were able to install Arch without changing the 'MBR' (whatever), and successfully boot Windows with secure boot enabled, you won't be able to boot Arch with secure boot enabled, unless you sign your kernel (at every kernel update) yourself and add those keys to the EFI.
//EDIT: In which case you should have created your own ISO with signed kernels first. //

hth

Last edited by esa (2015-10-13 21:37:24)


Author of: TUI (Text User Interface for scripts), VHS (Video Handler Script, using ffmpeg) and YASSI (Yet Another Simple Script Installer)


#5 2015-10-13 21:42:31

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 4,857

Re: Surface Pro 3 and Secure Boot post-install

esa wrote:

AFAIK:
A system with a non-signed kernel cannot boot with secure boot enabled (also AFAIK Arch has an unsigned kernel).
Furthermore, a system installed with secure boot disabled won't be bootable with secure boot enabled.

Both untrue.

I converted my current system to Secure Boot without using the live ISO to boot it with Secure Boot enabled and my kernel image is non-signed -- I have even enrolled my Debian system's kernel image and can start that with Secure Boot enabled.

The Preloader's function is to load the HashTool if there are no signed kernel images in the current boot path (as defined by loader.efi) and allow the hash of the (unsigned) kernel image to be added to the firmware as an authorised image.


#6 2015-10-13 21:59:15

jtw49
Member
Registered: 2015-02-11
Posts: 4

Re: Surface Pro 3 and Secure Boot post-install

I installed prebootloader, copied HashTool.efi and PreLoader.efi to /boot/EFI/systemd/ and moved systemd-loaderx64.efi to loader.efi, and I am still getting invalid signature.

Of course, as soon as I post this, I got it working. Booted into native Arch with Secure Boot enabled. Thank you!

I will update the arch wiki with my exact steps and link to your post.

Edit:

Last question:

Since I will need to update the kernel to include drivers for the type cover, camera, and some other hardware, I can do so, and I will just be presented with the HashTool upon boot again, upon which I will just "resign" vmlinuz-linux and loader.efi, correct?

Last edited by jtw49 (2015-10-13 22:12:52)


#7 2015-10-14 19:29:50

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 4,857

Re: Surface Pro 3 and Secure Boot post-install

jtw49 wrote:

Since I will need to update the kernel to include drivers for the type cover, camera, and some other hardware, I can do so, and I will just be presented with the HashTool upon boot again, upon which I will just "resign" vmlinuz-linux and loader.efi, correct?

Yes, I have done this several times now and it seems to work just fine.


#8 2015-10-21 17:40:16

pabi
Member
Registered: 2013-12-13
Posts: 21

Re: Surface Pro 3 and Secure Boot post-install

I finally want to get rid of the ugly red screen.
I did all the steps from the wiki, which worked fine.
But when enabling Secure Boot after signing loader.efi from the HashTool I still get an error.
It says it can't load the kernel/ramdisk because access was denied.
Any idea why that could be?

Last edited by pabi (2015-10-22 19:42:17)


#9 2015-10-21 21:58:35

jtw49
Member
Registered: 2015-02-11
Posts: 4

Re: Surface Pro 3 and Secure Boot post-install

Why would you disable secureboot after enrolling the kernel?

Ensure you have done the following (I did all this while chrooted in from the USB):

  • create the efi boot manager entry with efibootmgr

  • install prebootloader and copy HashTool.efi and PreLoader.efi to your specific boot/EFI/<bootloader> partition

  • disable fast startup and BitLocker in Windows

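The preparation steps spread over Head_on_a_Stick's post #2 (copy the prebootloader binaries, create the NVRAM entry, put it first in the boot order) and jtw49's posts #6 and #9 (rename the systemd-boot binary to loader.efi, checklist), gathered into one script. This is an added example; it is not code from the thread, the Arch wiki or the prebootloader package. It assumes the layout the thread uses: ESP mounted at /boot (overridable through ESP), systemd-boot installed under EFI/systemd/ with its binary named systemd-bootx64.efi (post #6 spells the name differently; the name used here is an assumption), and PreLoader.efi/HashTool.efi shipped by the prebootloader package in /usr/lib/prebootloader. The EFIBOOTMGR variable and the script name are additions so the NVRAM steps can be rehearsed against a stub before touching real firmware variables.

```shell
#!/bin/sh
# preloader-setup.sh (hypothetical name): stage PreLoader/HashTool next to
# systemd-boot and register a UEFI boot entry that starts PreLoader first.
# Added example; not code from the thread or the prebootloader package.
# Assumptions not stated in the thread: the ESP is mounted at $ESP, the
# systemd-boot binary is $ESP/EFI/systemd/systemd-bootx64.efi, and the
# prebootloader package installs its binaries into /usr/lib/prebootloader.
set -eu

ESP="${ESP:-/boot}"
PRELOADER_DIR="${PRELOADER_DIR:-/usr/lib/prebootloader}"
EFIBOOTMGR="${EFIBOOTMGR:-efibootmgr}"   # point at a stub to rehearse without touching NVRAM

# Copy PreLoader.efi and HashTool.efi into the systemd-boot directory and rename
# the systemd-boot binary to loader.efi, the name PreLoader chains to from its
# own directory. Safe to re-run: an existing loader.efi is left alone.
stage_preloader() {
    esp="$1"; src="$2"; dir="$esp/EFI/systemd"
    [ -f "$src/PreLoader.efi" ] && [ -f "$src/HashTool.efi" ] || {
        echo "PreLoader.efi/HashTool.efi not found in $src (install prebootloader)" >&2
        return 1
    }
    [ -d "$dir" ] || { echo "$dir missing: install systemd-boot first" >&2; return 1; }
    cp "$src/PreLoader.efi" "$src/HashTool.efi" "$dir/"
    if [ ! -f "$dir/loader.efi" ]; then
        [ -f "$dir/systemd-bootx64.efi" ] || { echo "no systemd-bootx64.efi in $dir" >&2; return 1; }
        mv "$dir/systemd-bootx64.efi" "$dir/loader.efi"
    fi
    # All three must sit in one directory or PreLoader cannot find the next stage.
    for f in PreLoader.efi HashTool.efi loader.efi; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f after staging" >&2; return 1; }
    done
}

# Create the NVRAM entry from post #2: disk and partition number of the ESP
# (/dev/sda and 2 in the thread) plus the path of PreLoader relative to the ESP root.
add_preloader_entry() {
    disk="$1"; part="$2"; label="${3:-PreLoader}"
    "$EFIBOOTMGR" -d "$disk" -p "$part" -c -L "$label" -l /EFI/systemd/PreLoader.efi
}

# Move the entry carrying $label to the front of BootOrder, keep the rest in
# place, and print the new order. Parses the listing `efibootmgr` prints with
# no arguments (lines like "Boot0003* PreLoader" and "BootOrder: 0000,0003").
# $label is used inside a sed pattern, so keep it free of regex metacharacters.
set_first_in_order() {
    label="$1"
    listing="$("$EFIBOOTMGR")"
    num="$(printf '%s\n' "$listing" \
        | sed -n "s/^Boot\([0-9A-Fa-f]\{4\}\)\*\{0,1\} $label\$/\1/p" | head -n 1)"
    [ -n "$num" ] || { echo "no boot entry labelled '$label'" >&2; return 1; }
    order="$(printf '%s\n' "$listing" | sed -n 's/^BootOrder: //p')"
    rest=""
    for e in $(printf '%s' "$order" | tr ',' ' '); do
        [ "$e" = "$num" ] || rest="${rest:+$rest,}$e"
    done
    neworder="$num${rest:+,$rest}"
    "$EFIBOOTMGR" -o "$neworder" >/dev/null
    printf '%s\n' "$neworder"
}

# Usage (as root, after systemd-boot is installed): ESP=/boot sh preloader-setup.sh /dev/sda 2
if [ $# -ge 2 ]; then
    stage_preloader "$ESP" "$PRELOADER_DIR"
    add_preloader_entry "$1" "$2" PreLoader
    set_first_in_order PreLoader
fi
```

The script only prepares the files and the NVRAM entry. On the next boot with Secure Boot on, PreLoader finds loader.efi unenrolled and starts HashTool, where both loader.efi and vmlinuz-linux have to be enrolled by hand, as the rest of the thread describes.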

#10 2015-10-22 19:46:09

pabi
Member
Registered: 2013-12-13
Posts: 21

Re: Surface Pro 3 and Secure Boot post-install

That should have been enabling, not disabling; I fixed it in the post.
I did all that. I was able to sign the loader with the HashTool, and it can boot the loader with Secure Boot enabled after signing it.
The problem is that the loader is not able to load the ramdisk and kernel (access denied).

(The Arch install is ~1 year old; booting without Secure Boot works just fine.)

Last edited by pabi (2015-10-22 19:48:19)


#11 2015-10-22 20:23:58

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 4,857

Re: Surface Pro 3 and Secure Boot post-install

pabi wrote:

I was able to sign the loader with the HashTool, and it can boot the loader with Secure Boot enabled after signing it.
The problem is that the loader is not able to load the ramdisk and kernel (access denied).

You need to use the Hashtool to enrol the kernel image (/boot/vmlinuz-linux) as well.

The Preloader should start the Hashtool if an unsigned image is in the boot path.


#12 2015-10-23 21:32:07

pabi
Member
Registered: 2013-12-13
Posts: 21

Re: Surface Pro 3 and Secure Boot post-install

How do I enroll the kernel/image?
In the menu of the loader I can't find an option for this, only for the loader.efi.


#13 2015-10-23 22:36:41

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 4,857

Re: Surface Pro 3 and Secure Boot post-install

pabi wrote:

How do I enroll the kernel/image?

Select this option twice to get to the root of the EFI system partition (ie, /boot):

../

Then select "vmlinuz-linux" and accept the hash.

Last edited by Head_on_a_Stick (2015-10-23 22:37:23)

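Two points in the thread come down to the same bookkeeping: every kernel update replaces vmlinuz-linux, so its enrolled hash stops matching and HashTool comes back at the next boot (posts #6 and #7), and the "access denied" in posts #8 to #13 was loader.efi being enrolled while the kernel was not. The script below, an added example that is not code from the thread, the Arch wiki or prebootloader, records the unsigned images after a successful enrolment and reports which of them changed before you reboot. It assumes the thread's layout (ESP at /boot, PreLoader chain in EFI/systemd/, kernel at the ESP root); the manifest path and script name are assumptions.

```shell
#!/bin/sh
# sb-enrolled.sh (hypothetical name): keep a record of the unsigned EFI images
# HashTool has enrolled and report which of them changed since, so a kernel
# update is noticed before the reboot rather than at the HashTool prompt.
# Added example; not code from the thread, the Arch wiki or prebootloader.
# Assumes the thread's layout: ESP at $ESP, the PreLoader chain in EFI/systemd/,
# the kernel at the ESP root. The manifest path is an assumption.
set -eu

ESP="${ESP:-/boot}"
MANIFEST="${MANIFEST:-/etc/secureboot-enrolled.sha256}"
# The images on the PreLoader -> loader.efi -> kernel path that the thread had
# to enrol with HashTool, as paths relative to the ESP root. Add a second kernel
# (e.g. vmlinuz-linux-lts) here if systemd-boot has an entry for it.
TARGETS="${TARGETS:-EFI/systemd/loader.efi vmlinuz-linux}"

# Layout check: PreLoader, HashTool and loader.efi must share a directory, and the
# kernel must be where the systemd-boot entry and HashTool's file browser (two
# "../" steps up from EFI/systemd, post #13) expect it. Reports every missing
# file and returns 1 if any is absent.
preflight() {
    esp="$1"; rc=0
    for f in EFI/systemd/PreLoader.efi EFI/systemd/HashTool.efi $TARGETS; do
        [ -f "$esp/$f" ] || { echo "missing: $esp/$f" >&2; rc=1; }
    done
    return $rc
}

# Plain SHA-256 of the file. This is only a change detector: the value HashTool
# stores in the firmware is the PE image (Authenticode) hash, not this digest.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Snapshot the images right after a boot with Secure Boot on has succeeded.
record_enrolled() {
    esp="$1"; manifest="$2"
    : > "$manifest"
    for f in $TARGETS; do
        printf '%s  %s\n' "$(digest "$esp/$f")" "$f" >> "$manifest"
    done
}

# Print each image whose content differs from the recorded digest (or is gone):
# those are the ones HashTool will have to enrol again at the next boot.
# Returns 0 when nothing changed, 1 otherwise.
needs_reenrol() {
    esp="$1"; manifest="$2"; changed=0
    while read -r sum f; do
        if [ ! -f "$esp/$f" ]; then
            echo "$f (missing)"; changed=1
        elif [ "$(digest "$esp/$f")" != "$sum" ]; then
            echo "$f"; changed=1
        fi
    done < "$manifest"
    return $changed
}

# Usage: sb-enrolled.sh record   (after a boot with Secure Boot on)
#        sb-enrolled.sh check    (after pacman -Syu, before rebooting)
case "${1:-}" in
    record) preflight "$ESP" && record_enrolled "$ESP" "$MANIFEST" ;;
    check)  needs_reenrol "$ESP" "$MANIFEST" ;;
esac
```

A non-zero exit from `check` after an update means the next boot will stop in HashTool for exactly the files it lists; run `record` again once that boot has gone through.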

#14 2015-10-24 15:24:50

pabi
Member
Registered: 2013-12-13
Posts: 21

Re: Surface Pro 3 and Secure Boot post-install

Wow, I looked at it so often and just didn't see the folder-up option.
Thanks a lot, works fine now :)


Powered by FluxBB