Secure boot option


  • This topic has 3 replies, 3 voices, and was last updated Mar 29-10:09 pm by calciumsodium.
  • #70240
    Member
    pylades

      Hi folks, I’ve just installed AntiX21 on my 3.0 USB using, as usual, rufus-3.17p or LinuxLive USB Creator 2.9.4.
      Unlike 19.4, I cannot boot it on my company laptop due to a Secure boot message on the initial screen. I cannot turn off secure boot as it is a locked company laptop. Version 19.4 boots perfectly in toram mode with persistence on. Is it an intended change or are you working on it? Best Regards Pylades

      #70262
      Member
      fehlix

        antiX-21 Live/USB is using Debian’s signed efi-GRUB and efi-shim. efi-shim is signed by Microsoft and controls secure boot handling; it passes the secure-boot state enabled in UEFI firmware to efi-GRUB and locks down any load of unsigned kernels and modules.
        In order to boot antiX21 with SecureBoot enabled within UEFI, there are two options.

        * Option 1: Install Debian’s signed kernel followed by live-kernel updater, to make Debian’s kernel available at LiveBoot.

        * Option 2: “Tell” shim to disable secureboot-validation to allow load of unsigned kernels and modules, this would keep SecureBoot enabled in UEFI.

        For option 2, you would somehow first need to boot with a LiveUSB which already has a signed kernel, e.g. with MX21. When booted, you can turn off validation in shim this way:
        sudo apt update
        sudo apt install mokutil
        sudo mokutil --disable-validation
        Enter a simple “input password” (like “12345678”) twice; it is needed by MokManager.
        Now reboot.
        MokManager asks for the input password; now use the arrow keys to select “change secure boot validation/state”.
        You can now boot with antiX12 and unsigned kernels.

        At least that’s the way I managed to boot antiX with SecureBoot enabled.

        • This reply was modified 2 years, 6 months ago by fehlix.
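An added example, not part of fehlix's post or of antiX's tooling: Option 2 leaves Secure Boot enabled in firmware while shim stops validating, so a check of the machine has to look at both variables. The sketch below reads the UEFI `SecureBoot` variable and shim's `MokSBStateRT` variable from efivarfs; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Classify Secure Boot / shim validation state from efivarfs variable files.
# GUIDs: UEFI global variable GUID and shim's own GUID.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
MOK_VAR="MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23"

# An efivarfs file is 4 attribute bytes followed by the data; print data byte 0.
efi_byte() {
    [ -r "$1" ] || return 0            # absent variable: print nothing
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# shim_state DIR -> no-efi | sb-off | sb-on-validating | sb-on-validation-disabled
shim_state() {
    dir=$1
    [ -e "$dir/$SB_VAR" ] || { echo "no-efi"; return 0; }   # BIOS/CSM boot
    sb=$(efi_byte "$dir/$SB_VAR")
    mok=$(efi_byte "$dir/$MOK_VAR")
    if [ "$sb" != "1" ]; then
        echo "sb-off"
    elif [ "$mok" = "1" ]; then
        # Firmware says Secure Boot is on, but shim will load unsigned kernels.
        echo "sb-on-validation-disabled"
    else
        echo "sb-on-validating"
    fi
}

# Constructed sample data (not from a real machine).
# make_sample DIR SB_BYTE [MOK_BYTE]
make_sample() {
    mkdir -p "$1"
    printf '\006\000\000\000'"\\00$2" > "$1/$SB_VAR"
    if [ -n "$3" ]; then
        printf '\006\000\000\000'"\\00$3" > "$1/$MOK_VAR"
    fi
}

demo=$(mktemp -d)
make_sample "$demo/default" 1 0
make_sample "$demo/option2" 1 1
echo "constructed, default:        $(shim_state "$demo/default")"
echo "constructed, after option 2: $(shim_state "$demo/option2")"
rm -rf "$demo"
echo "this machine:                $(shim_state /sys/firmware/efi/efivars)"
```

`mokutil --sb-state` reports the same two variables on a live system.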
        #70821
        Member
        pylades

          Hi Fehlix
          I tried option 2 – installed MX-21 on USB, it was booting/working OK, however I prefer antix…
          I managed to enter like you posted above, however the 3rd command was refused by I can’t remember what, and then I used another USB with antix-21 with no success. I did it 3 times and lost faith.
          Currently I’m using antix 19.4 again on my locked company laptop, I’m OK.
          I need to go for option 1. I need some hint on how to install the proper kernel on my bootable USB to finally get antix 21. Regards Pylades

          #80125
          Member
          calciumsodium

            @fehlix had mentioned the mokutil tip.

            I wanted to report about my experience with dual boot Windows 11 and antiX21. I can dual boot these two OS on an HP g1 650 laptop WITHOUT having to use the mokutil tip with secure boot. In the BIOS for this laptop there is an option for UEFI with CSM (compatibility support module). If you turn on this option, then you can dual boot with antiX21 and Windows 11 with secure boot. You don’t have to do anything else. If you use UEFI without CSM, then you can’t dual boot. In this case, you can still boot into antiX21. You just have to manually choose antiX21 using F9 during boot.

            I also have a Dell Inspiron laptop. In this system, set to secure boot with UEFI, it automatically dual boots Windows 11 and antiX21. I did not have to do anything else. This BIOS accepts both Windows 11 and antiX21 automatically.

            This is just my experience.
