Q4OS Forum

Q4User

Member

Registered: 2020-06-05

Posts: 28

Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

Hi.

Installed latest stable "q4os-4.6-x64.r1" with "Secure Boot" enabled on my Asus VivoBook L203MA, Intel(R) Celeron(R) N4000 CPU @ 1.10GHz/1.10 GHz, 4,00 GB Memory.

Install went smooth with no problem at all. However, when I rebooted after completed installation, I ended up with following failure:
- Red Screen
- "Secure Boot Violation"
- "Invalid signature detected. Check Secure Boot Policy in Setup"

Will it be required to disable Secure Boot?

q4osteam

Q4OS Team

Registered: 2015-12-06

Posts: 4,232

Website

Re: Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

No, secure boot system should work out of the box. It would be helpful, if you succeed in booting to provide the "reportq4" debug info, see https://www.q4os.org/forum/viewtopic.php?id=3502

Did anyone else notice issues with secure boot enabled systems ?

EDIT: You can also provide another debugging info. Please boot the Q4OS live media, post here output of the following commands:
$ q4hw-info --secure-boot
$ bootctl status

Last edited by q4osteam (2021-09-30 15:21)

Q4User

Member

Registered: 2020-06-05

Posts: 28

Re: Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

EDIT: You can also provide another debugging info. Please boot the Q4OS live media, post here output of the following commands:
$ q4hw-info --secure-boot
$ bootctl status

-----

adminq@debian:~$ q4hw-info --secure-boot
SecureBoot_No

adminq@debian:~$ bootctl status
Couldn't find EFI system partition. It is recommended to mount it to /boot or /efi.
Alternatively, use --esp-path= to specify path to mount point.
System:
     Firmware: n/a (n/a)
  Secure Boot: disabled
   Setup Mode: user
Boot into FW: not supported

Current Boot Loader:
      Product: n/a
     Features: ✗ Boot counting
               ✗ Menu timeout control
               ✗ One-shot menu timeout control
               ✗ Default entry control
               ✗ One-shot entry control
               ✗ Support for XBOOTLDR partition
               ✗ Support for passing random seed to OS
               ✗ Boot loader sets ESP partition information
          ESP: n/a
         File: └─n/a

Random Seed:
Passed to OS: no
System Token: not set

Boot Loaders Listed in EFI Variables:
        Title: Q4OS
           ID: 0x0002
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/8a72b375-728e-ac41-b8eb-d33dbd45e86c
         File: └─/EFI/Q4OS/grubx64.efi

adminq@debian:~$

q4osteam

Q4OS Team

Registered: 2015-12-06

Posts: 4,232

Website

Re: Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

Would you run a few more commands please ?
$ sudo apt install mokutil

and post back of:
$ mokutil --sb-state
$ sudo mokutil --sb-state
$ sudo bootctl status

Q4User

Member

Registered: 2020-06-05

Posts: 28

Re: Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

adminq@debian:~$ sudo apt install mokutil
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package mokutil
adminq@debian:~$ mokutil --sb-state
bash: mokutil: command not found
adminq@debian:~$ sudo mokutil --sb-state
sudo: mokutil: command not found
adminq@debian:~$ sudo bootctl status
Couldn't find EFI system partition. It is recommended to mount it to /boot or /efi.
Alternatively, use --esp-path= to specify path to mount point.
System:
     Firmware: n/a (n/a)
  Secure Boot: disabled
   Setup Mode: user
Boot into FW: not supported

Current Boot Loader:
      Product: n/a
     Features: ✗ Boot counting
               ✗ Menu timeout control
               ✗ One-shot menu timeout control
               ✗ Default entry control
               ✗ One-shot entry control
               ✗ Support for XBOOTLDR partition
               ✗ Support for passing random seed to OS
               ✗ Boot loader sets ESP partition information
          ESP: n/a
         File: └─n/a

Random Seed:
Passed to OS: no
System Token: not set

Boot Loaders Listed in EFI Variables:
        Title: Q4OS
           ID: 0x0002
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/8a72b375-728e-ac41-b8eb-d33dbd45e86c
         File: └─/EFI/Q4OS/grubx64.efi

adminq@debian:~$

q4osteam

Q4OS Team

Registered: 2015-12-06

Posts: 4,232

Website

Re: Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

In addtition we need to update package database, the updated commands:
$ sudo apt update
$ sudo apt install mokutil

Please report back the following:
$ mokutil --sb-state
$ sudo mokutil --sb-state

Thanks for reporting.

Q4User

Member

Registered: 2020-06-05

Posts: 28

Re: Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

adminq@debian:~$ sudo apt update
Get:1 http://ftp.debian.org/debian bullseye InRelease [113 kB]
Get:2 http://dl.google.com/linux/chrome/deb stable InRelease [1,811 B]         
Get:3 http://ftp.debian.org/debian bullseye-updates InRelease [39.4 kB]         
Get:4 https://q4os.org/q4repo q4os-4-0-cn InRelease [4,605 B]
Get:8 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages [1,092 B]
Get:5 https://q4os.org/qtderepo bullseye InRelease [11.7 kB]
Get:9 http://ftp.debian.org/debian bullseye/main amd64 Packages [8,178 kB]
Get:6 https://q4os.org/qextrepo bullseye-vboxadds-cn InRelease [3,218 B]
Get:7 https://q4os.org/qextrepo bullseye-chrome-cn InRelease [1,844 B]
Get:10 https://q4os.org/q4repo q4os-4-0-cn/main amd64 Packages [7,796 B]
Get:11 https://q4os.org/qtderepo bullseye/basic amd64 Packages [6,191 B]
Get:12 http://ftp.debian.org/debian bullseye/main Translation-en [6,241 kB]
Get:13 https://q4os.org/qextrepo bullseye-vboxadds-cn/main amd64 Packages [1,869 B]
Get:14 https://q4os.org/qextrepo bullseye-chrome-cn/main amd64 Packages [403 B]
Get:15 http://ftp.debian.org/debian bullseye/contrib amd64 Packages [50.4 kB]   
Get:16 http://ftp.debian.org/debian bullseye/contrib Translation-en [46.9 kB]
Get:17 http://ftp.debian.org/debian bullseye/non-free amd64 Packages [93.8 kB]
Get:18 http://ftp.debian.org/debian bullseye/non-free Translation-en [91.5 kB]
Get:19 http://ftp.debian.org/debian bullseye-updates/main amd64 Packages [2,300 B]
Get:20 http://ftp.debian.org/debian bullseye-updates/main Translation-en [2,108 B]
Fetched 14.9 MB in 5s (2,837 kB/s)                           
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
3 packages can be upgraded. Run 'apt list --upgradable' to see them.
adminq@debian:~$ sudo apt install mokutil
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  mokutil
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 22.9 kB of archives.
After this operation, 72.7 kB of additional disk space will be used.
Get:1 http://ftp.debian.org/debian bullseye/main amd64 mokutil amd64 0.3.0+1538710437.fb6250f-1+b1 [22.9 kB]
Fetched 22.9 kB in 0s (57.7 kB/s) 
Selecting previously unselected package mokutil.
(Reading database ... 165508 files and directories currently installed.)
Preparing to unpack .../mokutil_0.3.0+1538710437.fb6250f-1+b1_amd64.deb ...
Unpacking mokutil (0.3.0+1538710437.fb6250f-1+b1) ...
Setting up mokutil (0.3.0+1538710437.fb6250f-1+b1) ...
Processing triggers for man-db (2.9.4-2) ...
adminq@debian:~$ mokutil --sb-state
This system doesn't support Secure Boot
adminq@debian:~$ sudo mokutil --sb-state
This system doesn't support Secure Boot
adminq@debian:~$

q4osteam

Q4OS Team

Registered: 2015-12-06

Posts: 4,232

Website

Re: Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

Q4OS is installed in non secure boot mode, as the Linux tools don't detect active secure boot. The only possibility for this particular hardware is to switch the secure boot off in order to run Q4OS. We will provide an option for such situation for users to be able to force installation in secure boot mode. Nonetheless, it will be available later.

Once you boot Q4OS in non secure boot mode, you can install "mokutil shim-unsigned shim-helpers-amd64-signed shim-signed-common shim-signed grub-efi-amd64-signed" packages:
$ sudo apt install mokutil shim-unsigned shim-helpers-amd64-signed shim-signed-common shim-signed grub-efi-amd64-signed
run:
$ sudo grub-install
$ sudo update-grub
reboot and switch secure boot back on. Now, Q4OS should boot even with secure boot on.

Q4User

Member

Registered: 2020-06-05

Posts: 28

Re: Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

Thanks, I will try this.

However, there is one thing I don't understand: The latest stable 3.15 installed with SecureBoot (SB) enabled, and the same did the testing version 4.5 after we had discussed a similar SB issue here at the Forum. Why is it now required for the stable 4.6 to install with SB disabled, then install the MOK packages, and finally enable SB again?

q4osteam

Q4OS Team

Registered: 2015-12-06

Posts: 4,232

Website

Re: Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

... there is one thing I don't understand: The latest stable 3.15 installed with SecureBoot (SB) enabled, and the same did the testing version 4.5 ...

That looks like Debian native tools were able to detect SB before, but the current versions are not.

... after we had discussed a similar SB issue here at the Forum. Why is it now required for the stable 4.6 to install with SB disabled, then install the MOK packages, and finally enable SB again?

The issues you mentioned, most likely https://www.q4os.org/forum/viewtopic.php?id=3540 , was not connected to this one. The previous fix only resolved booting live media in SB mode. We didn't modify the Q4OS installation logic in anyway. The current issue seems to be triggered by a Debian update.

Anyway, we will change the Q4OS Calamares installer in the upcoming release to force installation in secure boot mode for all UEFI systems, with an option for non secure boot mode install. Thanks for reporting.

Last edited by q4osteam (2021-10-07 11:40)

Q4User

Member

Registered: 2020-06-05

Posts: 28

Re: Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

Thanks your reply.

q4osteam

Q4OS Team

Registered: 2015-12-06

Posts: 4,232

Website

Re: Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

The OP issue should have been fixed within the new release Q4OS Gemini 4.7, confirmation and feedback would be appreciated.

Q4User

Member

Registered: 2020-06-05

Posts: 28

Re: Secure Boot Violation when reboot after install stable q4os-4.6-x64.r1

My old Asus VivoBook "died", and have been replaced by a Lenovo IdePad 3, Intel Pentium Gold 7505 @ 2.00GHz 4096 MB.
Installed Q4OS Gemini 4.7 with SecureBoot enabled without any problem.
Have however one issue: My Audio Card is not detected?