SOLVED - Debian Buster custom UEFI Live USB

Postby kkman007 » 2020-08-09 19:58

Hi

Until the latest release of Debian Buster 10.5 (I know this is due to vulnerability fixes made to efi grub) I was able to build a USB stick with legacy and UEFI boot (with secure boot disabled) which held just my initrd, vmlinuz and filesystem.squashfs and used grub to load it toram.

Now when I try to create a USB (NOT USING ISO dd) the boot process keeps rebooting. Just before each reboot a message is flashed up saying something like "cannot find boot disk". It's so fast I cannot read it.

I have tried many blogs about how to do this and am currently using this website's instructions.
SORRY, I REMOVED THE LINK BECAUSE IT WAS SUGGESTED I WAS SPAMMING.

What I want is a writable data partition to copy my three files to and use grub to boot them.

For background, I used debootstrap minbase to build a minimal buster build and used mksquashfs to build the squashfs file. With the USB I can only boot using legacy but UEFI with/without secure boot enabled just goes to a machine restarting loop.

I would prefer to keep the existing runtime I have created rather than use live-build or other setups, if possible.

Lastly since the runtime is in memory and does not use any devices I am very confused as how to go about this so any help would be great.


*** UPDATE ***

While I wait for input from more knowledgeable members I did a little more work and have more information to hopefully help answer my question.

I used my phone to record in slow motion the bootup process.
So the PC/laptop passes the manufacturer's splash screen and tries to read the USB device.
Then before the reboot it displays:
system bootorder not found initializing defaults

Searching online, this problem is (NORMALLY) due to a corrupt UEFI grub. The normal solution is to use the BIOS to add the grub64x.efi to the confirmed key collection.

In my case because I am building from scratch obviously I am not setting things up correctly.

Once I do add my key, the grub is loaded ( in secure mode ). However I get the following message displayed before I enter the grub menu.
error file /boot/ not found
error no such device /.disk/info
error no such device /.disk/mini-info
error secure boot forbids loading module from ....

So I guess I need help or a pointer as to where I can learn to create these files on the USB. My main focus is trying to figure out what/how /boot/grub/efi.img should be created. Also the grub64x.efi on the Buster live ISO has a different size than the one created by grub-install, which I don't understand.

Anyway sorry for the long update.

PPS. Was asked for details of grub (I don't think this is it, as it works with Debian stretch without a problem):
menuentry "Live Boot To RAM Buster from USB" {
    search --no-floppy --set=root --file /area2/vmlinuz
    linux /area2/vmlinuz toram=filesystem.squashfs quiet splash boot=live live-media-path=/area2/
    initrd /area2/initrd.img
}
Also the mksquash command, which is basic:
mksquashfs chroot filesystem.squashfs

The initrd and vmlinuz files are copied from the chroot area.

Thanks in advance for any breadcrumbs you may have.


*** SOLVED ***

Thanks to everyone for the help you gave. After some more time working through the problem I was able to get my Live USB working with Buster 10.5.

Just finished a write-up of how I created a Live Debian Buster 10.5 Secure Boot USB.
SORRY, I REMOVED THE LINK BECAUSE IT WAS SUGGESTED I WAS SPAMMING.
Last edited by kkman007 on 2020-08-24 02:01, edited 7 times in total.
kkman007
 
Posts: 19
Joined: 2020-08-09 19:53
Location: London

Re: Debian Buster custom UEFI Live USB

Postby Head_on_a_Stick » 2020-08-11 14:51

kkman007 wrote: Just before each reboot a message is flashed up saying something like "cannot find boot disk". It's so fast I cannot read it.

Video the boot sequence so that you can catch the frame in which the message appears.

kkman007 wrote: I have tried many blogs about how to do this and am currently using this website's instructions.
https://linuxconfig.org/how-to-creat...usb-with-linux

That link is broken, please fix it.

Also post your GRUB configuration, the exact mksquashfs command that you used and the full filesystem tree for the USB stick.

I only use live-build myself but I know the ISO contains an EFI image from which it is booted, does your USB stick also have such a thing?
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
Head_on_a_Stick
 
Posts: 12488
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Debian Buster custom UEFI Live USB

Postby kkman007 » 2020-08-11 15:06

Great minds think alike. I used my phone and have updated my question.
Also thanks for letting me know about the broken link. The URL got mangled. I have updated the link and tested it so it should now work.
I have also updated my question with the details you suggested, although the config has worked from Debian Stretch. I think the problem is I do not know how the /boot and /.disk folders are created for a custom build. Mine is LXDE with Google Chrome, which is under 300MB in the squash file.
Thank you for your input
Last edited by kkman007 on 2020-08-11 15:12, edited 1 time in total.

Re: Debian Buster custom UEFI Live USB

Postby Head_on_a_Stick » 2020-08-11 15:11

Your linked guide suggests using an MS-DOS partition table but some UEFI implementations will not boot in UEFI mode from such a table.

I would recommend using a GUID partition table instead and creating a BIOS boot partition (type ef02 in gdisk, I think it's the "bios_grub" flag in {g,}parted) to hold GRUB's core.img for non-UEFI systems.

EDIT: I use sectors 34-2047 for BIOS boot partitions (no filesystem), that space should be free in a correctly-aligned disk.
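The layout Head_on_a_Stick describes above (GUID partition table, BIOS boot partition of type ef02 in sectors 34-2047), written out as sgdisk commands. This is an added example, not part of any post in the thread; the ESP size, the third data partition, the labels and the /dev/sdX placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): GPT layout for a stick that boots in
# both legacy BIOS and UEFI mode. Partition sizes and labels are assumptions.

# Echo the command when DRY_RUN=1 (the default), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Partition $1, a whole-disk device or a raw image file.
make_layout() {
    target=$1
    # Start from an empty GPT with a protective MBR.
    run sgdisk --zap-all "$target" &&
    # 1: BIOS boot partition (ef02) in sectors 34-2047, no filesystem.
    #    -a 1 stops sgdisk rounding the start up to the next 2048-sector
    #    boundary; GRUB's core.img is embedded here on non-UEFI machines.
    run sgdisk -a 1 -n 1:34:2047 -t 1:ef02 -c 1:biosgrub "$target" &&
    # 2: EFI System Partition (ef00); format it FAT32 before use.
    run sgdisk -a 2048 -n 2:2048:+64M -t 2:ef00 -c 2:ESP "$target" &&
    # 3: writable data partition for vmlinuz, initrd.img and
    #    filesystem.squashfs, using the remaining space.
    run sgdisk -a 2048 -n 3:0:0 -t 3:8300 -c 3:live "$target" &&
    # Print the resulting table for review.
    run sgdisk -p "$target"
}

# With no argument this only prints the plan for a placeholder device.
# To write a real stick: DRY_RUN=0 sh layout.sh /dev/sdX (destroys its data).
make_layout "${1:-/dev/sdX}"
```

The layout only decides where the firmware looks for a loader; whether the loader placed on the ESP is accepted with Secure Boot enabled depends on how it is signed, which the later posts discuss.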

Re: Debian Buster custom UEFI Live USB

Postby kkman007 » 2020-08-11 15:15

That was a quick reply. Thanks.

I used MSB because GPT seems to need another boot loader (syslinux or is it isolinux). Also I am trying to get a USB setup which does not require me adding any keys, so I could walk up to someone's PC and just boot up from the USB. Will I be able to do this without signing or hashing my build? I have not changed any Debian packages, just installed them, although I have included some nonfree WIFI firmware.

How do I
"I use sectors 34-2047 for BIOS boot partitions (no filesystem), that space should be free in a correctly-aligned disk."

Can you show the commands you use to build the drive?
Last edited by kkman007 on 2020-08-11 15:17, edited 1 time in total.

Re: Debian Buster custom UEFI Live USB

Postby Head_on_a_Stick » 2020-08-11 15:17

kkman007 wrote: So I could walk up to someone's PC and just boot up from the USB. Will I be able to do this without signing or hashing my build?

You could only do that if Secure Boot was disabled on the machine.

Note that Debian buster's kernel & GRUB support Secure Boot OOTB.

Re: Debian Buster custom UEFI Live USB

Postby kkman007 » 2020-08-11 15:21

Secure Boot OOTB

Damb... I thought as long as you don't change the packages which are from Debian, any build based on them will work the same way.

But I guess you are correct, as no one changes the live ISOs created by them. So that can boot up fine with secure mode. The installed version will then be created by adding its efi files to the machine key list during installation.

Does that make sense? So if I am trying to create a rescue USB (like the good old days), do I need to send my build to be signed by Microsoft?

Please note though I still cannot boot in UEFI mode even with secure boot disabled. So I hope at least I can find a solution for that.

Thank you, you have given me food for thought.

Re: Debian Buster custom UEFI Live USB

Postby Head_on_a_Stick » 2020-08-11 15:24

kkman007 wrote:The installed version will then be created by adding its efi files to the machine key list during installation.

No, Debian's kernel & bootloaders are signed with Microsoft's key (they paid the $99 blood money).

FWIW most UEFI firmware implementations will actually allow live USB sticks that do not support Secure Boot to start even if Secure Boot is enabled.

Re: Debian Buster custom UEFI Live USB

Postby kkman007 » 2020-08-11 15:29

Can I rant a little...

This is crazy. If the idea is to prevent unauthorized software from running on a secure boot machine, all I would need to do is use the live ISO to boot the device and then stick my USB into the PC and load whatever software I wanted (if I am the bad guy).

This seems to make Linux more restricted without any real advantage.

Maybe I am missing something.

Re: Debian Buster custom UEFI Live USB

Postby Head_on_a_Stick » 2020-08-11 15:37


Re: Debian Buster custom UEFI Live USB

Postby kkman007 » 2020-08-11 15:39

"FWIW most UEFI firmware implementations will actually allow live USB sticks that do not support Secure Boot to start even if Secure Boot is enabled."

Do you know how to do this or where I can start looking? If I can create a USB which can boot to grub in legacy mode and UEFI (with the new vulnerability fixes), I could then have a separate partition for my content and change the grub menu, but for the life of me none of the tutorials I have found show this.

The idea sounds good though, thank you.

Re: Debian Buster custom UEFI Live USB

Postby kkman007 » 2020-08-11 15:44

Thanks for the link... I will let out some steam there.

I am thinking of closing this thread, but will keep it open for a while longer in the hope of figuring out how to boot my build when secure boot is disabled as currently with 10.5 I can only boot my USB in legacy mode. Which may be the solution as either way: disabling secure boot or booting in legacy mode will require access and changes to the BIOS.

I live in hope. :-)

It's good to be able to talk to someone and you have helped me greatly. Thank you.

Re: Debian Buster custom UEFI Live USB

Postby kkman007 » 2020-08-12 08:59

As a final update before I close this thread.
Microsoft is getting their pound of flesh.
From what I have learned... if you want to create your own live CD/USB with full secure boot support YOU MUST have signed keys which can ONLY be done by Microsoft.
I have just started the process and it looks painful.
Thank you all for your time and comments.
PS. As this is my first post, I don't know how to close it. If I need to do something specific please let me know.

Re: Debian Buster custom UEFI Live USB

Postby cuckooflew » 2020-08-12 13:20

If your problem is solved, edit the subject line in your first post and add the word "solved" to it. The forum administration closes any topic they feel needs to be closed; usually the topics stay open for others to be able to read, post, etc.
It is not your own private topic, and it stays open.
kkman007 wrote: PS. As this is my first post, I don't know how to close it. If I need to do something specific please let me know.

Actually there is something you should have done, but I don't think you did:
Forum guidelines. Please read before first post!
But that does not mention anything about closing or not closing the topics.
As for the topic, for me it is a non-issue: none of my hardware has UEFI, nor "secure boot". I don't understand why people buy PCs or laptops that use it if they don't want it, but I guess that is another topic.
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!
cuckooflew
 
Posts: 683
Joined: 2018-05-10 19:34
Location: Some where out west

Re: Debian Buster custom UEFI Live USB

Postby kkman007 » 2020-08-12 14:50

Thanks for letting me know how to close this thread.

If I was doing something for my own machine, you would be correct. However, I am trying to build a product for use by end users with little to no IT skills, so I have to provide a path for machines which do have UEFI secure boot. As I mentioned above, the solution is PAY Microsoft. Not nice, but what can I do.
