
#1 2016-01-16 22:53:02

Simurgh
Member
From: Europe
Registered: 2016-01-16
Posts: 31

Error loading \vmlinuz-linux: Security Policy Violation

Hi community,

I decided after a couple of years on Ubuntu to try Arch Linux.

So I followed the Beginners Guide for my notebook (Acer V Nitro Intel i5-5200U UEFI) and aimed for UEFI/GPT, secure boot and Arch Linux only.
I put "systemd_bootx64.efi" in "Allowed Efi Executables" because otherwise a "Secure Boot fail" appears.
Then I get the systemd-boot bootloader and choosing anything else than "Boot to firmware" (UEFI) I get the error message:
Error loading \vmlinuz-linux: Security Policy Violation
and Arch does not start.

What information do I need to supply now so that anybody can help me?
Where did I go wrong and how is it possible to get it working again?


Signature is WIP

Offline

#2 2016-01-16 22:55:12

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Error loading \vmlinuz-linux: Security Policy Violation

You should use the prebootloader package to enrol the kernel image as a verified .efi loader.

See https://wiki.archlinux.org/index.php/Se … led_system

EDIT: Simply disable Secure Boot to get your system working until you can set things up.

Last edited by Head_on_a_Stick (2016-01-16 22:58:32)

Offline

#3 2016-01-16 23:21:40

Simurgh
Member
From: Europe
Registered: 2016-01-16
Posts: 31

Re: Error loading \vmlinuz-linux: Security Policy Violation

Thank you for your reply.

So I did the new NVRAM and everything above, now I am getting:
Kernel Panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
(I used the Hashtool to enroll the loader.efi and the /vmlinuz-linux)

I think I am giving myself another 24 hours to get Secure Boot working.


Signature is WIP

Offline

#4 2016-01-16 23:29:25

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Error loading \vmlinuz-linux: Security Policy Violation

Simurgh wrote:

(I used the Hashtool to enroll the loader.efi and the /vmlinuz-linux)

There are more steps in the linked guide.

Describe *exactly* what you have done, leave nothing out.

Last edited by Head_on_a_Stick (2016-01-16 23:29:33)

Offline

#5 2016-01-17 00:09:37

Simurgh
Member
From: Europe
Registered: 2016-01-16
Posts: 31

Re: Error loading \vmlinuz-linux: Security Policy Violation

I did:

# cp /usr/lib/prebootloader/{PreLoader,HashTool}.efi $ESP/EFI/systemd
# cp $ESP/EFI/systemd/systemd-bootx64.efi $ESP/EFI/systemd/loader.efi
# efibootmgr -d /dev/sdX -p Y -c -L "PreLoader" -l /EFI/systemd/PreLoader.efi

Then I "Allowed" various loader.efi and the HashTool, then I used the HashTool in the same manner as I did it to get the live system on:
Enroll loader.efi and Save then Enroll /vmlinuz- and Save.
And as I thought you meant I should just do this paragraph and the rest of this paragraph didn't sound (exactly) like my problem I didn't do any more of it.
But I guess I have to do the entire article?

And by the way: How do I do a fresh setup?

mkfs.ext4 /dev/sda3

(which is my root partition) didn't delete my configs like locale and keymap and so on, also pacstrap/pacman said "reinstalling".
So how do I do a real "format"?

(Next response will take some hours)


Signature is WIP

Offline

#6 2016-01-17 00:50:29

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Error loading \vmlinuz-linux: Security Policy Violation

Simurgh wrote:

Then I "Allowed" various loader.efi and the HashTool

If you have a firmware option to "allow" .efi loaders under Secure Boot then use that to permit /vmlinuz-linux to load instead.

I've never encountered a motherboard with that feature, it sounds useful.

Last edited by Head_on_a_Stick (2016-01-17 11:33:32)

Offline

#7 2016-01-17 01:08:04

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Error loading \vmlinuz-linux: Security Policy Violation

Simurgh wrote:

I did:

# cp /usr/lib/prebootloader/{PreLoader,HashTool}.efi $ESP/EFI/systemd
# cp $ESP/EFI/systemd/systemd-bootx64.efi $ESP/EFI/systemd/loader.efi
# efibootmgr -d /dev/sdX -p Y -c -L "PreLoader" -l /EFI/systemd/PreLoader.efi

Just to make sure here: you did replace "$ESP", "X" & "Y" with the correct terms, right?

Offline

#8 2016-01-17 09:51:45

Simurgh
Member
From: Europe
Registered: 2016-01-16
Posts: 31

Re: Error loading \vmlinuz-linux: Security Policy Violation

Yes I did, $ESP is /boot as described by the Beginners Guide and the rest is a and 1 as my ESP is sda1.

EDIT: I can only choose between different .efi files, sadly there is no /vmlinuz-linux entry to choose.

Last edited by Simurgh (2016-01-17 09:55:36)


Signature is WIP

Offline

#9 2016-01-17 11:35:38

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Error loading \vmlinuz-linux: Security Policy Violation

OK, let's check all the configuration then.

You can provide this output from any live ISO:

# gdisk -l /dev/sda
# efibootmgr -v

We need to check the files on the disk as well so if you could load the Arch live ISO, mount all your partitions then use `arch-chroot` and post the output of:

# lsblk -f
# find /boot

You can use a pastebin client to generate a URL that can be posted here rather than typing everything out.
https://wiki.archlinux.org/index.php?ti … in_clients

Last edited by Head_on_a_Stick (2016-01-17 11:41:07)

Offline

#10 2016-01-17 12:35:44

Simurgh
Member
From: Europe
Registered: 2016-01-16
Posts: 31

Re: Error loading \vmlinuz-linux: Security Policy Violation

Okay let's do this:
https://ptpb.pw/y6ot
https://ptpb.pw/F8X1

https://ptpb.pw/PPMI
https://ptpb.pw/GW61

Hopefully I did everything correct.
Thanks for the pastebin hint.


Signature is WIP

Offline

#11 2016-01-17 12:48:59

tom.ty89
Member
Registered: 2012-11-15
Posts: 897

Re: Error loading \vmlinuz-linux: Security Policy Violation

https://ptpb.pw/F8X1 is "not found".

https://ptpb.pw/PPMI you better run it outside chroot or use blkid

Offline

#12 2016-01-17 13:17:44

Simurgh
Member
From: Europe
Registered: 2016-01-16
Posts: 31

Re: Error loading \vmlinuz-linux: Security Policy Violation

 efibootmgr -v 

https://ptpb.pw/y_P_

 find /boot 

https://ptpb.pw/3xOE

Thanks


Signature is WIP

Offline

#13 2016-01-17 13:56:48

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Error loading \vmlinuz-linux: Security Policy Violation

Update the systemd-boot .efi loader and run through all the steps in the Secure Boot ArchWiki page again.

# bootctl update

https://wiki.archlinux.org/index.php/Sy … t#Updating

Offline

#14 2016-01-17 15:04:01

Simurgh
Member
From: Europe
Registered: 2016-01-16
Posts: 31

Re: Error loading \vmlinuz-linux: Security Policy Violation

That didn't change it.
I did

# bootctl update

Then the copy and paste, then I chose the HashTool.efi as first .efi to boot, then I enrolled the loader.efi formerly systemd-bootx64.efi and the vmlinuz-linux, answered Yes both times, then I chose the loader.efi as first boot option and get the same Error. I always used the correct directory (the same while enrolling and booting). At first it was systemd then Boot.
What .efi am I supposed to boot from? The PreBootloader didn't show up anywhere except in the efibootmgr line. I am going to try now to enroll and boot the PreLoader.efi
From an abstract point: I need to boot an .efi file which was enrolled and saved via HashTool prior to boot, right?
Thanks for your help!

EDIT: I can choose from systemd-bootx64.efi aka loader.efi, HashTool.efi, PreLoader.efi, BOOTX64.efi to boot from (it is on the same level as USB HDD, HDD, ROM)
EDIT2: Booting from PreLoader.efi results in Kernel Panic - not syncing...
Do I need to enroll initramfs or intel-ucode maybe?

Last edited by Simurgh (2016-01-17 15:10:46)


Signature is WIP

Offline

#15 2016-01-17 17:36:26

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Error loading \vmlinuz-linux: Security Policy Violation

Simurgh wrote:

Booting from PreLoader.efi results in Kernel Panic - not syncing...

The PreLoader.efi checks if loader.efi is authorised and runs hashtool.efi if it is not, otherwise it hands over to loader.efi which should be a re-named version of the current systemd-boot .efi loader.

I have done this in several machines (as have others) and it's always worked before, even with OpenBSD.

You can try using the default .efi loader location instead:

# cp /usr/lib/prebootloader/PreLoader.efi /boot/EFI/Boot/BOOTX64.EFI
# cp /usr/lib/prebootloader/HashTool.efi /boot/EFI/Boot
# cp /usr/lib/systemd/boot/efi/systemd-bootx64.efi /boot/EFI/Boot/loader.efi

You will then have to delete all the NVRAM loader entries which have .efi loader paths, in your case: 0000, 0001, 0004 & 0005

Your motherboard should then start /boot/EFI/Boot/BOOTX64.EFI (which is the re-named PreLoader.efi) automatically without any need for a custom entry.

Simurgh wrote:

Do I need to enroll initramfs or intel-ucode maybe?

No, they are not enrol-able anyway.

Offline
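
Added example, not part of the original posts: a POSIX shell check of the fallback-path layout described in the post above (BOOTX64.EFI as a copy of PreLoader.efi, HashTool.efi beside it, loader.efi as a copy of the current systemd-boot loader, and the kernel on the ESP). The function names `same_file`, `check_layout` and `enrol_hashes` are hypothetical; the paths in the usage comment are the ones quoted in the thread, with the ESP mounted at /boot.

```sh
#!/bin/sh
# Added example (not from the thread): verify the PreLoader fallback layout.

# same_file A B: succeed only if both files exist and are byte-identical.
same_file() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# check_layout ESP PRELOADER_DIR SYSTEMD_EFI_DIR
# Returns the number of problems found (0 = layout matches the post).
check_layout() {
    esp=$1 pre=$2 sd=$3 bad=0
    boot="$esp/EFI/Boot"
    same_file "$pre/PreLoader.efi" "$boot/BOOTX64.EFI" ||
        { echo "BOOTX64.EFI is not a copy of PreLoader.efi"; bad=$((bad + 1)); }
    same_file "$pre/HashTool.efi" "$boot/HashTool.efi" ||
        { echo "HashTool.efi missing or differs from the package"; bad=$((bad + 1)); }
    # loader.efi is a manual copy, so a systemd update leaves it stale.
    # Re-copying changes the file, and the new copy has to be enrolled
    # with HashTool again before PreLoader will hand over to it.
    same_file "$sd/systemd-bootx64.efi" "$boot/loader.efi" ||
        { echo "loader.efi is not the current systemd-bootx64.efi"; bad=$((bad + 1)); }
    [ -f "$esp/vmlinuz-linux" ] ||
        { echo "no vmlinuz-linux on the ESP to enrol"; bad=$((bad + 1)); }
    return "$bad"
}

# enrol_hashes ESP: print SHA-256 digests of the two files the thread enrols.
# These are plain file digests, useful only to spot that a file was replaced
# since the last enrolment; they are not the value HashTool stores.
enrol_hashes() {
    for f in "$1/EFI/Boot/loader.efi" "$1/vmlinuz-linux"; do
        [ -f "$f" ] && sha256sum "$f"
    done
    return 0
}

# Usage with the thread's paths (run as a script with three arguments):
#   check.sh /boot /usr/lib/prebootloader /usr/lib/systemd/boot/efi
if [ "$#" -eq 3 ]; then
    check_layout "$@" && enrol_hashes "$1"
fi
```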

#16 2016-01-17 18:08:35

Simurgh
Member
From: Europe
Registered: 2016-01-16
Posts: 31

Re: Error loading \vmlinuz-linux: Security Policy Violation

Head_on_a_Stick wrote:

I have done this in several machines (as have others) and it's always worked before, even with OpenBSD.

That sounds motivating.
I did everything as you described but it ended in Kernel Panic again:
not syncing: VFS: Unable to mount root fs on unknown block

I am starting to consider a new install without Secure Boot maybe, what do you think?


Signature is WIP

Offline

#17 2016-01-17 18:23:29

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Error loading \vmlinuz-linux: Security Policy Violation

Simurgh wrote:

I am starting to consider a new install without Secure Boot maybe, what do you think?

I was actually working under the presumption that you could already boot the system with Secure Boot disabled.

Is this not the case?

You should get the system booting normally first before attempting to enable Secure Boot.

Offline

#18 2016-01-17 18:40:52

Simurgh
Member
From: Europe
Registered: 2016-01-16
Posts: 31

Re: Error loading \vmlinuz-linux: Security Policy Violation

No, I always used a live-USB and chroot.
Then I am trying to boot now without Secure Boot.

EDIT: Okay I did a fresh install without Secure Boot, I think I'll leave it that way for now. Maybe I'll come back later to this thread, so I don't mark it as Solved because the problem has not been solved. (Although it does boot now but without Secure Boot)

Last edited by Simurgh (2016-01-17 22:15:27)


Signature is WIP

Offline
