Announcement

Collapse
No announcement yet.

new laptop installing Kubuntu with win 10 and secure boot enabled

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    new laptop installing Kubuntu with win 10 and secure boot enabled

    have a few questions:

    1. bought a new Asus TUF FX505DU laptop with win 10 installed and secure boot enabled. Will Kubuntu install with secure boot enabled??

    I had tried yesterday to install on an Acer Aspire 3 with win 10 and secure boot enabled. Kept getting a 141 error from ubi-partman (please excuse if I haven't got the name exact from memory). I vaguely remember from years past that Kubuntu would not install if secure boot was enabled.

    So I am wondering if I will be able to install on the Asus now unless I disable the current secure boot assuming the secure boot is enabled on the Asus also.

    I had been planning on installing Kubuntu, then Oracle Virtual Box then installing my new copy of Win10 as a guest under Virtual Box. That, of course, depends on being able to install Kubuntu.

    Plan B is to keep the current win 10, install Oracle Virtual Box in win 10, then install Kukuntu as a guest OS in Virtual Box. Not an appealing alternative since that entails booting into win 10 then booting Kubuntu in VBox. Workable, but not appealing since I run Kubuntu 99% of the time. Win 10 only occasionally.

    2. in my attempts at installing on the Acer Aspire 3, I noticed something that I do not remember noticing before. When the disk management section came up, there was a question on the bottom about secure boot and had spaces to insert a password or passwords. Is that to enable installing when secure boot is enabled? If so, where would one get the password(s)? On the Acer, the password for secure boot was blank, so if I enabled secure boot for the install in that section of the Kubuntu install, would leaving the password(s) blank work?

    Thanks for your help.

    #2
    You can do it with secure boot enabled: https://www.pcsuggest.com/dual-boot-...d-ubuntu-uefi/

    I did something similar on my new Lenovo laptop last year. I wanted to keep the native Windows install for warranty purposes. I haven't booted to it in a year. I do not use windows on my personal computers, because who would? I do have work machines that require it.

    Not sure about the password thing - I've never seen that.

    Please Read Me

    Comment


      #3
      Originally posted by geezer View Post

      2. in my attempts at installing on the Acer Aspire 3, I noticed something that I do not remember noticing before. When the disk management section came up, there was a question on the bottom about secure boot and had spaces to insert a password or passwords. Is that to enable installing when secure boot is enabled? If so, where would one get the password(s)? On the Acer, the password for secure boot was blank, so if I enabled secure boot for the install in that section of the Kubuntu install, would leaving the password(s) blank work?
      Are you talking about something similar to this:
      Click image for larger version

Name:	600px-Disksetup-15_10.png
Views:	1
Size:	212.5 KB
ID:	644582

      If so, this is for disk encryption, which has no relation to secure boot.

      Comment


        #4
        Originally posted by claydoh View Post
        Are you talking about something similar to this:
        [ATTACH=CONFIG]8659[/ATTACH]

        If so, this is for disk encryption, which has no relation to secure boot.
        That was the page I remembered or thought I did.

        Thanks for setting me straight on that.

        geezer

        Comment


          #5
          I usually install gparted and inspect the hdd/ssd before installing. That gives me more information. Then if I need to change the partitions and I'll be keeping windows for a dual boot, I use windows to do the partitioning and resizing.

          When I tried gparted on the Acer, it couldn't access the disk. That was the first hint that something wasn't working right. Then in trying to install, I got the errors. Somehow Linux wasn't able to access the ssd, either gparted or the installation installation disk utility. I blamed the secure boot on the Acer. Don't really know.

          Booted Kubuntu Live on the Asus and gparted had no trouble accessing and reading the ssd.

          So I'm more confident that the installation will proceed OK.geezer

          Comment


            #6
            Another other thing that can be in the way is "Intel Rapid Storage" features. You will wants those turned off as Linux isn't supporting that out-of-the-box for now.

            Please Read Me

            Comment


              #7
              Ok, got to the 'secure boot section' on installing Kubuntu 19.10. I forget exactly where it is in the sequence, but there was a note above the option to install secure boot that third party drivers may/would not work without secure boot.

              So I decided that I wanted the Nvidia drivers and checked secure boot. Not sure if that was stupid or not, either way it is now causing real headaches.

              First. booting is now a headache with screens that I have to verify something. I know not what. Two options: key or hash. Tried all of the leys listed and kept getting an error msg that that that kind of key not supported. So tried the hashes listed. Not the same error msg and seeemed to do something. Progress? Nope

              nothing worked. couldn't verify or enable anything.

              So now Virtual Box doesn't work because it's kernal modules need to be signed to be loaded.

              Does anybody know of a discourse on 'secure boot for dummies' I read the pages on the Ubuntu help pages, but I couldn't find anything remotely similar to the screens and required input I am seeing. They did give me a rudimentary understanding of the reason for secure boot, but no practical information on how to sign modules or how to get past those boot screens about MOK besides just waiting out the timer.

              The password I input on the secure boot page during installation doesn't seem to used anywhere and I keep getting asked for a new password and so just reuse the one during installation.

              I'll keep searching for information on secure boot, but if anybody here has installed Kubuntu enabling secure boot during installation so that third party s/w can be used. culd you please post where you got the information on what to do. Also,do I really need secure to use the Nvidia drivers and the Virtual Box modules?

              Thanks, geezer

              Comment


                #8
                re-installed without secure boot. Virtual Box still needs secure boot to work because the BIOS has secure boot enabled.

                So I need to uderstand how MOK works and know how to use it. Found tutorials on what but nothing on how. Until I can find out how to work MOK Virtual Box is ddead.

                Anybody know where there is info on how to use

                Thanks, geezer

                Comment


                  #9
                  I am confused. There is no 'secure boot' option or setting in the Kubnuntu installer, it is only set in the bios, and if detected, the OS installer will add the appropriate bits needed for it. You are seeing the error an MOK stuff as you have Secure Boot turned on in your bios

                  To remedy the Virtualbox issue there are some options:
                  Just disable secure boot in the bios. it is not a requirement

                  or , preferably, update to a newer version of Virtualbox, which supports secure boot without any faffing about. Technically, it should work out of the box with 19.10 native packages (actually, they are Debian's, not Ubuntu's), but I am not sure if Ubuntu's (Debian's, rather) builds have this baked in or not. The newest from the virtualbox folks will more likely work properly. It did for me, when dual booting with secure boot enabled in the bios on my previous system
                  https://itsfoss.com/install-virtualbox-ubuntu/ - option 3 is best.

                  or https://torstenwalter.de/virtualbox/...cure-boot.html maybe. This should work in 19.10

                  Comment


                    #10
                    Yes there most definitely is a secure boot option in the Kubuntu installation sequence. It is the last check box on the appropriate page. I have been through the installation process 3 times yesterday and today. with secure boot option checked, once without and once again with the option checked. Yes, you are right that secure boot is part of the BIOS and h/w. But the OS must support secure boot and there is a tool for Machine Owner Keys, MOK, that supports those keys. Virtual Box, when it installs, generates a key for the vbox kernal modules. That key must be inserted into the secure boor structure on the computer in order for the modules to be loaded and vbox to run. I think this process is automatic on windows machines and essentially unseen by the user. Unfortunately the Linux community hasn't progressed to that maturity yet.

                    They may and should for the simple reason that MS is the King of the Hill of OSs and dictates the conditions for playing in that game. Secure boot will be around as long as MS is around to dictate it's use.

                    Yes I can disable secure boot (I assume, haven't tried yet, only located in the BIOS structure), but instead I am trying to look at this as a learning experience and learn how to actually use MOK s/w to insert the vbox generated key into the secure boot structure so that BIOS will actually load the vbox kernal modules. Thus when the day arrives that secure boot is no longer an option, but a required part of the boot sequence. Required simply because computer venders are now supplying the computers with secure boot enabled by default and s/w is supporting it in their third party s/w. So Oracle is simply going where the wind blows and supporting secure boot and automatically generating keys when the s/w is installed. On windows machines they automatically insert their key into the secure boot structure on the machine. The Linux community, unfortunately, still buries their head and says disable secure boot, no problem. Until the Linux community coalesces around a standard for secure boot, the venders, like Oracle, simply generate the key and tell the Linux user ask your vender how to insert the key.

                    Unfortunately, the community doesn't seem to know how to do that. (K)Ubuntu wrote MOK s/w that is supposed to insert the key. Unfortunately, the people who wrote the s/w figured that for anybody using the MOK s/w, the operation would be trivial and obvious, so the s/w supplies ZERO instructions on how to use it. It gives you various options and leaves the rest up to you. Unfortunately, I have been through ALL of the keys and hashes found by the MOK s/w and all are either in a format not supported or fail.

                    So until I learn exactly how the (K)Ubuntu MOK s/w is supposed to work and exactly what input is assumed, Any third party s/w that the supplier reads the BIOS and finds secure boot enabled, such as Oracle, generates the key and leaves it up to me to utilize that key, the s/w is dead.

                    As far as updating to the latest version, the version I am trying to use is the current version found in the repository. I used to download directly from Oracle,but stopped about a year or 2 back when the repository had the latest and greatest and upgrading was then easier to do. I doubt that the version is the problem though since utilizing the generated key is not Oracle's problem because as a Linux user they have no way of knowing how your distro handles secure boot. So until the Linux community actually addresses secure boot as a community we have umpteen solutions instead of one as used by MS.

                    I looked at the infp you referenced and things break down at the step during the reboot. The MOK s/w that installs with Kubuntu 19.10 works differently I think that the Vbox installer thinks it works as that info describes, but it seems the developers changed things in going from 18.xx to 19.xx. I know they did as regards the touchpad disabling automatically when my mouse is plugged in and that seems to be upsetting a lot of folks besides me. For some reason the installer asks for a password for the secure boot installation, NEVER uses the password. Yes the installation with and without the secure boot box checked are slightly different. For me mostly in the Nvidia display drivers. Present in the check boxed install and not in the unchecked box install. So if possible I would rather go with the secure boot box checked. It's really weird for Linux in secure boot. Well maybe in 4 or 5 years they'll figure out what to do.

                    When vbox is installed it asks for a password also and MOK is supposed to ask for the password on rebooting. But the MOK in 19.10 doesn't do that.

                    So the MOK in 19.10 is work in progress and is currently broken. It may be that my best option is to install 18.xx instead of 19.xx or maybe even 19.04. Maybe they broke the MOK in going from 19.04 to 19.10 and never really did a regression test on MOK. I'll download 19.04 and try that. If it is broken there I will have to drop to 18.10. Actually that raises new questions: what happens with all of those updated kernal modules that differ from their signed ancestors. Do the old keys work If not how to handle that when upgrading.

                    Actually, refind doesn't work in 19.10 with secure boot enabled since I cannot use MOK to verify refind.

                    Ahh. A leaarning experience instead of actually working.

                    geezer
                    Last edited by geezer; Feb 13, 2020, 11:37 PM.

                    Comment


                      #11
                      Have you seen this: https://wiki.ubuntu.com/UEFI/SecureBoot
                      Using Kubuntu Linux since March 23, 2007
                      "It is a capital mistake to theorize before one has data." - Sherlock Holmes

                      Comment


                        #12
                        I just did a 19.10 install, and there is nothing about secure boot there at all

                        Anyhoo, I did some small digging and testing, as my main PC was installed with Secure Boot enabled, though I did disable it afterward.
                        I purged virtualbox, rebooted. and re-enabled secure boot., then installed Virtualbox 6.1 using Virtualbox's repos. I set up the MOK password, and rebooted.
                        I did not get the pre-bootloader MOK utility as expected. But my PC is weird, my Acer monitor does not work (unsupported input using HDMI?) at the POST, and does not come on until the OS splash screen. I have to use my 4K TV as the boot monitor, but even then there is a blank pause right where the MOK utility is supposed to pop up. So I can see everything if I cold boot and then hit my esc key to bring up boot/bios/utility options, which slowed the boot down as I had to either hit enter to proceed booting.

                        But still no MOK

                        It seems you have to re-run the MOK setup for VB, as you only get the option once. I did not look for a way to re-enable the prompt, I just re-ran the sudo modprobe vboxdrv which brings it back up in the Desktop side.
                        After setting the password again, rebooting with the pause, it did show. Then I selected Enroll MOK then Continue then Yes, then added the password.

                        Hopefully, this is similar to what may be happening to you - a pause, or in my case, once I accidentally hit a key, which seems to skip the utility on my computer. There is also a short timeout, at least on my PC. I don't recall it on my previous laptop when I last did this. 20107ish, maybe 2018.
                        Last edited by claydoh; Feb 14, 2020, 11:02 AM.

                        Comment


                          #13
                          Latest results if you are curious.

                          Downloaded and i stalled 18.10 Same problem with MOK. I did see something new, probably because I stopped looking at what I thought was written and really read the initial MOK screen. Almost got it working. It asked for a password to enable MOK. It rejected my password(s). same problem.

                          So I installed 19.10 AGAIN. Noted where the secure boot option is on the install screens: the last screen of the "software" section, just before the "disk" section.

                          I decided to gamble this time and break the rules. It demanded a password. I left the entries blank and clicked 'continue'. It continued. Finished the installation, rebooted no problem. No MOK screens. Not too sure if that was good or bad.

                          Visited the Virtural Box web page and followed the instructions for adding Oracle to software sources for Muon. Added their key. Ran update then installed Vbox 6.1 following their instructions. It installed fine. Ran Vbox and created a new machine and pointed to the Windows 10 'iso' file and installed Windows 10 Home. There was a slight hiccup. The first time I ran the vbox manager, it coughed and spit out an error about AMD-V not enabled in BIOS or the OS was blocking. Rebooted in BIOS and enabled SVM mode. booted and ran the vbox manager again. No problem.

                          So Windows 10 is installed and running. I just need to decide how I am going to activate: use the product key that came with the win10 pre-installed or get a new key. I kept the pre-installed win10 intact for the techs at the vender since they don't officially know anything about Kubuntu and all of their diagnostic s/w runs on windows.

                          So my take on what I think happened. I was following the 'rules' and entering a password for the 'secure boot' config. That always failed in MOK. Leaving it blank made the MOK s/w go away or least interpreted the blank password to mean that anything was ok.

                          Don't know for sure. But it was the only option that made everything 'just work'.

                          geezer

                          Comment


                            #14
                            So, virtualbox worked with leaving the password blank during the install? interesting.
                            I did find the option for secure boot password in the installer, I kept missing it as I never check the new-ish 'install third party drivers' option (don't need it), and this bit is not in neon/*buntu 18.04, which is my main OS
                            So I never saw the option, and none of the screenshots I dug up on the net show it - these are normally done using Virtualbox, which does not use EFI by default.


                            When I installed Virtualbox, that is when I got the prompt for the MOK password, and to get the boot time MOK bit.
                            My problem with it was weird, and possibly unique. I don't even see a grub menu, even though I have a timeout set, unless I cause the bios to open the boot selection option first.
                            Last edited by claydoh; Feb 14, 2020, 05:08 PM.

                            Comment

                            Working...
                            X