SOLVED: Secure Boot tries to access non-existent mmx64.efi


Postby Ulysses_ » 2020-01-23 06:45

Tried to boot debian live from a USB flash drive that was made with Rufus. It produced this error:

Failed to open /EFI/BOOT/mmx64.efi - Not found

This is the MOK Manager, why is it missing? Hardware is a Gigabyte P35W v3.

Tried to copy /EFI/boot/grubx64.efi to mmx64.efi in the same directory and at boot it showed a grub menu but when you chose anything it produced this error:

Error /live/vmlinuz-4.19.0-6-amd64 has invalid signature
Error you need to load the kernel first

Tried to install shim-signed with apt in a VM booted from a debian 10 live ISO image, in order to get a mmx64.efi and copy it to the USB flash drive. It produced this error:

Verification failed (0x1A) security violation

Why is debian so hard to start with Secure Boot enabled? Debian-derived MX and AntiX work like a breeze, so it must be possible on this hardware.
Last edited by Ulysses_ on 2020-01-26 17:00, edited 1 time in total.
Ulysses_
 
Posts: 16
Joined: 2020-01-23 06:28

Re: Secure Boot tries to access non-existent mmx64.efi and f

Postby Head_on_a_Stick » 2020-01-23 09:17

Ulysses_ wrote:Why is debian so hard to start with Secure Boot enabled?

It isn't:
empty@E485:~ $ bootctl --no-p
System:
     Firmware: n/a (n/a)
  Secure Boot: enabled
   Setup Mode: user

Works OOTB for me :)

Try using "DD" [sic] mode in Rufus or just plain cp (which is recommended by the Debian documentation) to transfer the image, you must have done it wrong.

And for the record to set it up manually copy shimx64.efi to /EFI/BOOT/bootx64.efi on the EFI system partition then copy grubx64.efi and mmx64.efi to the same directory.

Ulysses_ wrote:Debian-derived MX and AntiX work like a breeze

Neither MX nor antiX support Secure Boot.

FWIW my laptop will boot live ISO images from a USB stick with Secure Boot enabled without having Secure Boot support on the image itself.
Head_on_a_Stick
 
Posts: 11204
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Secure Boot tries to access non-existent mmx64.efi and f

Postby Ulysses_ » 2020-01-24 19:30

Created a bootable USB drive with plain cp (in a VM running the live debian iso):

cp debian-live-10.2.0-amd64-xfce.iso /dev/sda

It produced exactly the same error:

Failed to open /EFI/BOOT/mmx64.efi - Not found

Back to Rufus. Its "DD Image Mode" produced the same error too. Following your instructions to set it up manually in a VM booted from the live debian iso while the USB drive made by Rufus is mounted (made in "ISO Image Mode", not "DD Image Mode"):

apt-get update
apt-get install shim-signed

cd "/media/user/D-LIVE 10_2/EFI/boot"
cp /usr/lib/shim/shimx64.efi bootx64.efi
cp /usr/lib/shim/mmx64.efi .
cp /run/live/medium/EFI/boot/grubx64.efi .

It produces this error:

Secure Boot Violation
Invalid signature detected. Check Secure Boot policy in setup

Going to the EFI setup, there is nothing like "enable or disable Secure Boot", there is only this menu entry:

Delete All Secure Boot Variables

The tip for it goes like this:

Force System to Setup Mode - clear all Secure Boot variables (PK, KEK, db, dbx, and dbt). Change takes effect after reboot.

One curiosity: MX indeed does not do Secure Boot as I just saw by typing bootctl in a live MX run. So what is going on here? If I have Secure Boot enabled how does MX boot? If not, why doesn't debian boot?
Ulysses_
 
Posts: 16
Joined: 2020-01-23 06:28

Re: Secure Boot tries to access non-existent mmx64.efi and f

Postby Head_on_a_Stick » 2020-01-24 19:40

Ulysses_ wrote:If I have Secure Boot enabled how does MX boot?

As I said my laptop boots the MX & antiX ISO images with Secure Boot enabled (but it is disabled in the running system), I think this may be a common feature.

Ulysses_ wrote:why doesn't debian boot?

Bad stick, perhaps? Did you verify the integrity of the image? Try copying the image back from the stick to a file and check the validity again to expose problems with the USB stick itself.

EDIT: if you've cleared the Secure Boot variable from your motherboard then Microsoft's key may have been deleted. Can you restore the factory defaults?
Head_on_a_Stick
 
Posts: 11204
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Secure Boot tries to access non-existent mmx64.efi and f

Postby Ulysses_ » 2020-01-24 20:42

Never messed with that menu entry. Never done anything at all in the EFI setup. Would rather leave it like that, this is probably factory condition. So does it look like I am protected against malware messing with the EFI with Secure Boot in Windows or not? Will try again the plain cp method and then back to an iso to see if the USB flash drive is broken.
Ulysses_
 
Posts: 16
Joined: 2020-01-23 06:28

Re: Secure Boot tries to access non-existent mmx64.efi and f

Postby Ulysses_ » 2020-01-26 06:43

Tried plain cp with the netinst image:

cp debian-10.2.0-amd64-netinst.iso /dev/sdb
cp /dev/sdb temp.iso
diff temp.iso debian-10.2.0-amd64-netinst.iso
Binary files temp.iso and debian-10.2.0-amd64-netinst.iso differ

Tried plain cp with another USB flash drive. Same diff output. Same boot error.

Tried writing the iso to a CD-RW with Windows, with Verify on, and attempting to boot from the internal CD-RW drive by pressing F12 and Enter on the CD-RW entry: it just flashed the display once. Pressed Enter again on the CD-RW entry and it loaded Windows.

Tried writing the CD-RW with xfburn. Same behaviour.

Tried booting a VM configured with Secure Boot. Both USB drives and the physical CD-RW worked and it was confirmed with bootctl that Secure Boot was on.

Tried booting LUbuntu instead, in the physical machine, from a USB drive made with Rufus. Worked and confirmed.

But there is a difference between LUbuntu and MX at boot. Lubuntu shows for a few seconds a display that says "MOK Manager". Should something be copied from LUbuntu to Debian?

Tried just copying mmx64.efi. Hallelujah! It boots. Done the same with the live debian iso: it boots and bootctl confirms Secure Boot is on.

Why didn't Debian copy that magical file, mmx64.efi, to its iso images and give me all this pain? :cry:
Ulysses_
 
Posts: 16
Joined: 2020-01-23 06:28
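
Added example, not part of any post in this thread: a read-back check of a written image that compares only the first image-length bytes of the stick. Reading a whole block device returns its full capacity, so a file-level diff against a smaller ISO reports a difference even when the write was good. The function names and the demo files are constructed for illustration; on a real system the second argument would be the block device, read as root.

```shell
#!/bin/sh
# Added example: read-back verification of an image written to a USB stick.
# The demo uses constructed stand-in files instead of a real block device.

# Print the SHA-256 of the first $2 bytes of file or device $1.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# verify_readback IMAGE DEVICE
# Returns 0 only when the first size(IMAGE) bytes of DEVICE match IMAGE.
# A device shorter than the image (truncated write) fails as well.
verify_readback() {
    image=$1
    device=$2
    size=$(wc -c < "$image" | tr -d ' ')
    want=$(sha256sum "$image" | cut -d' ' -f1)
    got=$(hash_prefix "$device" "$size")
    [ "$want" = "$got" ]
}

# Constructed demo: a 4 KiB "image" and a "stick" holding that image
# followed by 8 KiB of unrelated trailing data, as on a larger drive.
demo() {
    tmp=$(mktemp -d)
    head -c 4096 /dev/urandom > "$tmp/image.iso"
    { cat "$tmp/image.iso"; head -c 8192 /dev/zero; } > "$tmp/stick.img"

    # Whole-device comparison: differs because of the trailing data.
    if cmp -s "$tmp/image.iso" "$tmp/stick.img"; then
        whole=same
    else
        whole=differ
    fi

    # Image-length comparison: only the bytes that were written.
    if verify_readback "$tmp/image.iso" "$tmp/stick.img"; then
        prefix=match
    else
        prefix=mismatch
    fi

    rm -rf "$tmp"
    echo "whole-device compare: $whole; image-length compare: $prefix"
}

demo
```

The image itself should still be checked against the checksum file published alongside it before it is written, since this comparison only shows that the stick holds the same bytes as the local file.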

Re: Secure Boot tries to access non-existent mmx64.efi and f

Postby Head_on_a_Stick » 2020-01-26 11:44

You are experiencing a problem that I cannot reproduce. Did you check bugs.debian.org to see if anybody else is so afflicted?

Anyway, I'm out. Good luck.
Head_on_a_Stick
 
Posts: 11204
Joined: 2014-06-01 17:46
Location: /dev/chair

