Page 1 of 1

UEFI secure boot violation

Posted: 13 Jun 2015, 11:57
by rat
I have just created a bootable USB version. I created it from a windows 8.1 system using the instructions for creating a bootable usb. The restart recognises the system, but wont boot from it. I get the following message:

Invalid signature detected. Check secure boot policy in setup.

Any ideas?

Re: UEFI secure boot violation

Posted: 13 Jun 2015, 19:06
by gernot
Sysresccd has no signature. Check your "boot" settings. try "bios emulation".

Gernot

Re: UEFI secure boot violation

Posted: 13 Jun 2015, 22:34
by rat
Ok, ta, that makes sense.
I can't find an option for 'bios emulation'.
I've turned on USB legacy support, changed the 'security device support'. I can't see any other obvious options that allows me to get around this.
I even tried disabling the default secure boot on option, but still no luck.

I have a gigabyte board 'ME FW Version' is 9.0.30.1482.

No sure where to go from here.

Re: UEFI secure boot violation

Posted: 07 Oct 2016, 08:01
by bertrandogoio1976
Hi rat,

(first, I'm sorry for my bad English)

It's an old discussion, but I answer the same :-) Ok: many UEFI based PCs have not only the secure boot and the UEFI/Legacy switch, but the fast boot too. So, If you don't disable the fast boot, no usb can boot at all.

I use to create SysRescueCD using Rufus (No matter if i Choose GPT Uefi, MBR Uefi or MBR BIOS/Uefi option) and it works for me. On Linux I just mount the ISO and copy the files to the USB.
BUT! on some PC I have to disable fast boot, not only secure boot.

The problem is that now, many PCs that comes with Windows10 (especially signature edition and in particular some Lenovo) have the secure boot locked, so you cannot boot anything that is not made to override the secure boot (Clonezilla alternative edition can do this). So I hope the developer put this feature in the next editions.

SysRescueCD is a great tool: it would be great if it could bypass the secure boot because on many motherboards the secure boot is not really locked like it happens on some signature edition, but it takes some time to unlock it (very annoying).

Cheers,

Bert

Re: UEFI secure boot violation

Posted: 27 Dec 2016, 21:16
by mmokrejs
bertrandogoio1976 wrote:Hi rat,
The problem is that now, many PCs that comes with Windows10 (especially signature edition and in particular some Lenovo) have the secure boot locked, so you cannot boot anything that is not made to override the secure boot (Clonezilla alternative edition can do this). So I hope the developer put this feature in the next editions.

SysRescueCD is a great tool: it would be great if it could bypass the secure boot because on many motherboards the secure boot is not really locked like it happens on some signature edition, but it takes some time to unlock it (very annoying).
Seems the documentation on system-rescue-cd.org could be improved to explicitly mention whether the downloadable images are UEFI-enabled or not. It seems to me they are made for PC BIOS only, hence the x86 in the filename? Admittedly, the iso image does contain:

Code: Select all

# mount -o loop systemrescuecd-x86-4.9.0.iso /mnt/loop
mount: /dev/loop0 is write-protected, mounting read-only
#

# ls -latr /mnt/loop/efi/boot/
total 734
-rw-r--r-- 1 root root 747008 Oct 29 20:31 bootx64.efi
drwxr-xr-x 1 root root   2048 Oct 29 20:31 ..
drwxr-xr-x 1 root root   2048 Oct 29 20:31 .
#
While I can boot clonezilla-live-20161121-yakkety-amd64.iso I cannot boot systemrescuecd-x86-4.9.0.iso. I conclude this is still an issue.

Re: UEFI secure boot violation

Posted: 01 Jan 2017, 13:55
by bertrandogoio1976
Hi,

as always I ask "mercy" :-) for my English...

1) first: have you tried to disable "fast boot" (not all PCs have this option)?

2) how did you burn your usb? Have you tried Rufus or Yumi beta for UEFI (both from Windows ok, but they're great tools)?

When I want to boot SysRescCD from an UEFI based machine I disable both fast boot e and secure boot and everything works fine...

Clonezilla Alternative version 64 bit boots even if secure boot is enabled (but I have to disable fast boot anyway) because of the signature: every Ubuntu based distro can boot with enabled secure boot: indeed, Clonezilla Debian based cannot override secure boot.

You can also use Easy2Boot converting the ISO to .imgPTN but it's a bit more complicated (and, anyway, this option requires Windows).