Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

SOLVED: Secure Boot tries to access non-existent mmx64.efi

Ask for help with issues regarding the Installations of the Debian O/S.
Post Reply
Message
Author
Ulysses_
Posts: 16
Joined: 2020-01-23 06:28

SOLVED: Secure Boot tries to access non-existent mmx64.efi

#1 Post by Ulysses_ »

Tried to boot debian live from a USB flash drive that was made with Rufus. It produced this error:

Failed to open /EFI/BOOT/mmx64.efi - Not found

This is the MOK Manager, why is it missing? Hardware is a Gigabyte P35W v3.

Tried to copy /EFI/boot/grubx64.efi to mmx64.efi in the same directory and at boot it showed a grub menu but when you chose anything it produced this error:

Error /live/vmlinuz-4.19.0-6-amd64 has invalid signature
Error you need to load the kernel first

Tried to install shim-signed with apt in a VM booted from a debian 10 live ISO image, in order to get a mmx64.efi and copy it to the USB flash drive. It produced this error:

Verification failed (0x1A) security violation

Why is debian so hard to start with Secure Boot enabled? Debian-derived MX and AntiX work like a breeze, so it must be possible on this hardware.
Last edited by Ulysses_ on 2020-01-26 17:00, edited 1 time in total.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Secure Boot tries to access non-existent mmx64.efi and f

#2 Post by Head_on_a_Stick »

Ulysses_ wrote:Why is debian so hard to start with Secure Boot enabled?
It isn't:

Code: Select all

empty@E485:~ $ bootctl --no-p
System:
     Firmware: n/a (n/a)
  Secure Boot: enabled
   Setup Mode: user
Works OOTB for me :)

Try using "DD" [sic] mode in Rufus or just plain cp (which is recommend by the Debian documentation) to transfer the image, you must have done it wrong.

And for the record to set it up manually copy shimx64.efi to /EFI/BOOT/bootx64.efi on the EFI system partition then copy grubx64.efi and mmx64.efi to the same directory.
Ulysses_ wrote:Debian-derived MX and AntiX work like a breeze
Neither MX or antiX support Secure Boot.

FWIW my laptop will boot live ISO images from a USB stick with Secure Boot enabled without having Secure Boot support on the image itself.
deadbang

Ulysses_
Posts: 16
Joined: 2020-01-23 06:28

Re: Secure Boot tries to access non-existent mmx64.efi and f

#3 Post by Ulysses_ »

Created a bootable USB drive with plain cp (in a VM running the live debian iso):

cp debian-live-10.2.0-amd64-xfce.iso /dev/sda

It produced exactly the same error:

Failed to open /EFI/BOOT/mmx64.efi - Not found

Back to Rufus. Its "DD Image Mode" produced the same error too. Following your instructions to set it up manually in a VM booted from the live debian iso while the USB drive made by Rufus is mounted (made in "ISO Image Mode", not "DD Image Mode"):

apt-get update
apt-get install shim-signed

cd "/media/user/D-LIVE 10_2/EFI/boot"
cp /usr/lib/shim/shimx64.efi bootx64.efi
cp /usr/lib/shim/mmx64.efi .
cp /run/live/medium/EFI/boot/grubx64.efi .

It produces this error:

Secure Boot Violation
Invalid signature detected. Check Secure Boot policy in setup

Going to the EFI setup, there is nothing like "enable or disable Secure Boot", there is only this menu entry:

Delete All Secure Boot Variables

The tip for it goes like this:

Force System to Setup Mode - clear all Secure Boot variables (PK, KEK, db, dbx, and dbt). Change takes effect after reboot.

One curiosity: MX indeed does not do Secure Boot as I just saw by typing bootctl in a live MX run. So what is going on here? If I have Secure Boot enabled how does MX boot? If not, why doesn't debian boot?

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Secure Boot tries to access non-existent mmx64.efi and f

#4 Post by Head_on_a_Stick »

Ulysses_ wrote:If I have Secure Boot enabled how does MX boot?
As I said my laptop boots the MX & antiX ISO images with Secure Boot enabled (but it is disabled in the running system), I think this may be a common feature.
Ulysses_ wrote:why doesn't debian boot?
Bad stick, perhaps? Did you verify the integrity of the image? Try copying the image back from the stick to a file and check the validity again to expose problems with the USB stick itself.

EDIT: if you've cleared the Secure Boot variable from your motherboard then Microsoft's key may have been deleted. Can you restore the factory defaults?
deadbang

Ulysses_
Posts: 16
Joined: 2020-01-23 06:28

Re: Secure Boot tries to access non-existent mmx64.efi and f

#5 Post by Ulysses_ »

Never messed with that menu entry. Never done anything at all in the EFI setup. Would rather leave it like that, this is probably factory condition. So does it look like I am protected against malware messing with the EFI with Secure Boot in Windows or not? Will try again the plain cp method and then back to an iso to see if the USB flash drive is broken.

Ulysses_
Posts: 16
Joined: 2020-01-23 06:28

Re: Secure Boot tries to access non-existent mmx64.efi and f

#6 Post by Ulysses_ »

Tried plain cp with the netinst image:

cp debian-10.2.0-amd64-netinst.iso /dev/sdb
cp /dev/sdb temp.iso
diff temp.iso debian-10.2.0-amd64-netinst.iso
Binary files temp.iso and debian-10.2.0-amd64-netinst.iso differ

Tried plain cp with another USB flash drive. Same diff output. Same boot error.

Tried writing the iso to a CD-RW with Windows, with Verify on, and attempting to boot from the internal CD-RW drive by pressing F12 and Enter on the CD-RW entry: it just flashed the display once. Pressed Enter again on the CD-RW entry and it loaded Windows.

Tried writing the CD-RW with xfburn. Same behaviour.

Tried booting a VM configured with Secure Boot. Both USB drives and the physical CD-RW worked and it was confirmed with bootctl that Secure Boot was on.

Tried booting LUbuntu instead, in the physical machine, from a USB drive made with Rufus. Worked and confirmed.

But there is a difference between LUbuntu and MX at boot. Lubuntu shows for a few seconds a display that says "MOK Manager". Should something be copied from LUbuntu to Debian?

Tried just copying mmx64.efi. Haleluija! It boots. Done the same with the live debian iso: it boots and bootctl confirms Secure Boot is on.

Why didn't Debian copy that magical file, mmx64.efi, to its iso images and give me all this pain? :cry:

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Secure Boot tries to access non-existent mmx64.efi and f

#7 Post by Head_on_a_Stick »

You are experiencing a problem that I cannot reproduce. Did you check bugs.debian.org to see if anybody else is so afflicted?

Anyway, I'm out. Good luck.
deadbang

dpotter
Posts: 6
Joined: 2021-09-14 10:20

Re: SOLVED: Secure Boot tries to access non-existent mmx64.efi

#8 Post by dpotter »

I am having exactly the same problem as mentioned in the topic. In my case I am trying to install Debian 11 using the debian-live-11.0.0-amd64-xfce iso file. I have secure boot disabled, yet I keep getting the message "Failed to open /EFI/BOOT/mmx64.efi - Not found" It then says that "something has gone seriously wrong" and my pc is then powered off.

I would like to try the solution outlined above, namely putting a copy of the file mmx64.efi on the iso in the appropriate place. I am not sure how to do this, as the iso file is not writable. I have mounted the iso file to inspect its contents, and I can clearly see that this file is missing. Any help would be much appreciated.

There must be something wrong in what I am doing, as I have never encountered this problem before with other distributions that I have installed in the past.

User avatar
sunrat
Administrator
Administrator
Posts: 6382
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 115 times
Been thanked: 456 times

Re: SOLVED: Secure Boot tries to access non-existent mmx64.efi

#9 Post by sunrat »

@dpotter kindly start a new thread for your issue. It appears to be not the same issue and is not the same version of Debian nor related to secure boot.
This thread is 18 months old and marked SOLVED already.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

Post Reply