[GTALUG] New Build Computer?

D. Hugh Redelmeier hugh at mimosa.com
Mon Jul 27 13:57:02 EDT 2020


Secure Boot:

Microsoft requires PC hardware to be shipped with Secure Boot enabled.  I 
think that they also require that it be possible to disable it (but only 
manually, not by program).

Secure boot requires that there be a cryptographically authenticated 
unbroken chain of things that lead to loading the OS.  Authentication of 
things loaded by the UEFI amounts to being signed by a key for which the 
firmware knows the public key.

The only public key most UEFI firmware knows is controlled by
Microsoft.  Red Hat has arranged for Microsoft to sign a loader that
will then load other things: shim.efi.  Red Hat made this available to
any other Linux Distro, I think.

Some other Linux systems have adopted this.  For example, Ubuntu and SuSE.  
I don't know if your distro has.

Suggestion: disable secure boot and continue your experiments.  I know you 
said that you cannot find the setting, but it must be there somewhere in 
the firmware setup screen.

Odd: googling seems to suggest that the only way to turn off SB on Asus 
boards is to delete the PK key.  If you are going to do this, please save 
the key first in case you need to restore it.

===================================================

Anecdote:

I have a computer that every once in a while stops being able to boot.
The problem is that a power failure has left the ESP in a bad state (I 
don't know why: there should have been no writing to it immediately 
before the power failure).  My cure used to be:

- boot from a USB stick

- run fsck against the ESP.

After that, the system boots.

I eventually gave up and put the computer on a UPS.

Take-away: perhaps you need to fsck the ESP on your hard drive.

===================================================

| From: Peter King via talk <talk at gtalug.org>

| The old system booted UEFI, indeed EFI-stub.  The NVMe drive is formatted
| with an EFI "boot" partition as VFAT-32 and a regular root partition as
| ext4 -- pretty standard fare.

The EFI-stub is certainly not signed.
