https://github.com/jakeday/linux-surface/blob/master/SIGNING.md has more specific instructions on kernel signing (adapted from the same tutorial linked in the accepted answer). The instructions are reproduced in full as follows:
Signing a custom kernel for Secure Boot
Instructions are for Ubuntu, but should work similarly for other distros if they use shim
and grub as bootloader. If your distro is not using shim (e.g. Linux Foundation Preloader), there
should be similar steps to complete the signing (e.g. HashTool instead of MokUtil for LF Preloader),
or you can install shim to use instead. The Ubuntu package for shim is called shim-signed, but
please inform yourself on how to install it correctly, so you do not mess up your bootloader.
Since the most recent GRUB2 update (2.02+dfsg1-5ubuntu1) in Ubuntu, GRUB2 does not load unsigned
kernels anymore, as long as Secure Boot is enabled. Users of Ubuntu 18.04 will be notified during
upgrade of the grub-efi package, that this kernel is not signed and the upgrade will abort.
Thus you have three options to solve this problem:
- You sign the kernel yourself.
- You use a signed, generic kernel of your distro.
- You disable Secure Boot.
Since option two and three are not really viable, these are the steps to sign the kernel yourself.
Instructions adapted from the Ubuntu Blog.
Before following, please back up your /boot/EFI directory, so you can restore everything. Follow
these steps at your own risk.
- Create the config to create the signing key, save as mokconfig.cnf:
# This definition stops the following lines failing if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = <YOURcountrycode>
stateOrProvinceName = <YOURstate>
localityName = <YOURcity>
0.organizationName = <YOURorganization>
commonName = Secure Boot Signing Key
emailAddress = <YOURemail>
[ v3 ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment = "OpenSSL Generated Certificate"
Adjust all parts with <YOUR*> to your details.
- Create the public and private key for signing the kernel:
openssl req -config ./mokconfig.cnf \
        -new -x509 -newkey rsa:2048 \
        -nodes -days 36500 -outform DER \
        -keyout "MOK.priv" \
        -out "MOK.der"
- Convert the key also to PEM format (mokutil needs DER, sbsign needs PEM):
openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
- Enroll the key to your shim installation:
sudo mokutil --import MOK.der
You will be asked for a password, you will just use it to confirm your key selection in the
next step, so choose any.
- Restart your system. You will encounter a blue screen of a tool called MOKManager.
Select «Enroll MOK» and then «View key». Make sure it is the key you created in step 2.
Afterwards continue the process; you must enter the password which you provided in
step 4. Continue with booting your system.
Note: if MOKManager does not load on reboot, then change the boot order.
- Verify your key is enrolled via:
sudo mokutil --list-enrolled
- Sign your installed kernel (it should be at /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface):
sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface --output /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface.signed
- Copy the initram of the unsigned kernel, so we also have an initram for the signed one.
sudo cp /boot/initrd.img-[KERNEL-VERSION]-surface-linux-surface{,.signed}
- Update your grub-config
sudo update-grub
- Reboot your system and select the signed kernel. If booting works, you can remove the unsigned kernel:
sudo mv /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface{.signed,}
sudo mv /boot/initrd.img-[KERNEL-VERSION]-surface-linux-surface{.signed,}
sudo update-grub
Now your system should run under a signed kernel and upgrading GRUB2 works again. If you want
to upgrade the custom kernel, you can sign the new version easily by following above steps
again from step seven on. Thus BACKUP the MOK-keys (MOK.der, MOK.pem, MOK.priv).
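An added example (not part of the quoted instructions or of the linux-surface project): a Python check for whether a kernel image carries an attached signature at all, which is what the sbsign step appends and what an unsigned custom kernel lacks. It only reads the PE certificate table and does not validate the signature against the enrolled MOK; `constructed_image` builds a made-up test header, and all function names are this example's own.

```python
import struct

SECURITY_DIR = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
PKCS_SIGNED_DATA = 0x0002   # WIN_CERT_TYPE_PKCS_SIGNED_DATA (Authenticode)


def list_signatures(image: bytes) -> list:
    """Return the WIN_CERTIFICATE entries of a PE/EFI image; [] means unsigned."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("no MZ header: not a PE/EFI image")
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("no PE signature at e_lfanew")
        opt = pe_off + 4 + 20                    # skip PE signature + COFF header
        (magic,) = struct.unpack_from("<H", image, opt)
        if magic == 0x20B:                       # PE32+ (64-bit EFI stub kernels)
            count_off, dirs_off = opt + 108, opt + 112
        elif magic == 0x10B:                     # PE32
            count_off, dirs_off = opt + 92, opt + 96
        else:
            raise ValueError(f"unknown optional-header magic {magic:#x}")
        (ndirs,) = struct.unpack_from("<I", image, count_off)
        if ndirs <= SECURITY_DIR:
            return []
        # For this one directory the "address" is a file offset, not an RVA.
        table_off, table_size = struct.unpack_from(
            "<II", image, dirs_off + 8 * SECURITY_DIR)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    if table_size == 0:
        return []                                # header present, nothing attached
    end = table_off + table_size
    if end > len(image):
        raise ValueError("certificate table extends past end of file")
    entries, pos = [], table_off
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        entries.append({"offset": pos, "length": length, "revision": revision,
                        "pkcs7": cert_type == PKCS_SIGNED_DATA})
        pos += (length + 7) & ~7                 # entries are 8-byte aligned
    return entries


def constructed_image(signed: bool) -> bytes:
    """Build a minimal PE32+ header (constructed sample, not a real kernel)."""
    pe_off = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                         # 112 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if signed:
        blob = b"constructed PKCS#7 placeholder"  # stands in for the real signature
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, PKCS_SIGNED_DATA) + blob
        cert += bytes(-len(cert) % 8)
        struct.pack_into("<II", image, pe_off + 24 + 112 + 8 * SECURITY_DIR,
                         len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    import sys
    # Usage: python3 check_sig.py /boot/vmlinuz-<version> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            sigs = list_signatures(fh.read())
        print(path, f"{len(sigs)} signature(s) attached" if sigs else "unsigned")
```

Whether the signer is trusted is a separate question: `sbverify --cert MOK.pem <image>`, from the same sbsigntool package as sbsign, checks the signature against your certificate.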
Topic: Ubuntu does not boot. GNU GRUB loads instead [Solved] (Read 3509 times)
antgrom
Ubuntu 16.04 was installed.
There had been no updates in recent months.
I rebooted the computer.
Instead of the usual Ubuntu boot, GNU GRUB version 2.02 came up.
It has 4 entries:
1. Ubuntu
If I select this entry, I get an error:
ошибка: /boot/ vmlinuz-4.4.0-186-generic has invalid signature.
alloc magic is broken at 0x8af26360: 8ae69c60
Aborted/ Press any key to exit
2. Advanced options for Ubuntu
If I select this entry, a list of builds for the latest (or all) dates appears.
I checked a few of them: none boots.
3. System setup
Some software from Dell loads
Dell OptiPlex 5050
As far as I understand, this is something like the BIOS: UEFI
4. Restore Ubuntu 16.04 to its original state
If I select this entry, then:
ошибка: /casper/vmlinuz.efi has invalid signature.
alloc magic is broken at 0xbd06b360: bcfae6e0
Aborted/ Press any key to exit
If I press any key, I get:
No bootable device found
Press F1 key to retry boot (GRUB again)
Press F2 key to reboot into setup (loads the Dell software, Dell OptiPlex 5050)
Press F5 key to run onboard diagnostics (starts some 3-hour diagnostic. The check results, including for the hard drive: everything is fine)
P.S. I googled: there is advice to check that the connectors are firmly seated in the hard drive. I checked: unplugged and re-plugged the signal and power connectors. Everything is fine.
GRUB still loads anyway.
I also found advice to make a bootable USB stick and check the hard drive on another computer, but I haven't done that yet.
The topic starter has not appeared on the forum for more than three months as of 19/03/2021 (last visit: 17/08/2020). The section moderator has decided to close the topic.
—zg_nico
« Last edit: 19 March 2021, 14:30:44 by zg_nico »
andytux
ошибка: /boot/ vmlinuz-4.4.0-186-generic has invalid signature.
Do you happen to remember whether it worked for you with this version, or did it only just appear?
Advanced options for Ubuntu…
…I checked a few of them: none boots.
Is the error the same as in the previous case, or a different one?
antgrom
Do you happen to remember whether it worked for you with this version, or did it only just appear?
I don't understand at all where I got so many versions from. I haven't applied updates that many times. I usually apply updates once every six months.
I haven't applied updates in recent months. And I rebooted the computer several times and everything was fine.
Also, I tried booting the previous versions: 185, 184 (there are three lines for each: the regular generic, upstart, recovery mode). They don't boot.
Is the error the same as in the previous case, or a different one?
Here is what I get when booting No. 179:
Загружается linux 4.4.0-179- generic …
ошибка: /boot/vmlinuz-4.4.0-179-generic has invalid signature
Загружается начальный виртуальный диск …
alloc magic is broken at 0x2491a360: 247b63c0
Aborted. Press any key to exit
alexdenkin
Does it also fail to enter recovery mode from GRUB?
If you boot into recovery mode.
antgrom
Does it also fail to enter recovery mode from GRUB?
If you boot into recovery mode.
No, an error like this is shown:
Загружается linux 4.4.0-179- generic …
ошибка: /boot/vmlinuz-4.4.0-179-generic has invalid signature
Загружается начальный виртуальный диск …
alloc magic is broken at 0x2491a360: 247b63c0
Aborted. Press any key to exit
And this is the case for recovery mode of different build numbers.
alexdenkin
Have you tried restoring GRUB?
And one more possibility: if, on the advice of the local "wise guys", you made /boot a separate partition, maybe it (the partition) has filled up?
antgrom
Have you tried restoring GRUB?
As I understand it, GRUB is some kind of program?
It loads and offers several options to choose from, i.e. it works. Why restore it?
And if it is needed, then how? Please give a link to a description of the process.
if, on the advice of the local "wise guys", you made /boot a separate partition, maybe it (the partition) has filled up?
First, I did not do that.
And second, I can't get into the file system.
I can't open a console.
How do I check this /boot?
I probably need to make a "bootable USB stick"…
vladimirzhuravlev
invalid signature
The signature got lost (IMHO); the OS was probably installed stock and signed, and security mode is enabled in the BIOS.
You write that there were no updates, so where does the "list of builds for the latest (or all) dates" come from?
antgrom
The signature got lost (IMHO); the OS was probably installed stock and signed, and security mode is enabled in the BIOS.
In UEFI, under Settings/General/Uefi Boot Path Security, I turned Security off (set it to Never).
It did not help.
Still the same errors.
Maybe the hard drive has died? (even though I ran the 3-hour diagnostics and the check results, including for the hard drive, were all fine)
vladimirzhuravlev
I probably need to make a "bootable USB stick"…
Put GRUB on it, as andytux usually advises; read his posts, he often writes about how to do this and how to set up booting of a system whose GRUB has been lost.
andytux
Everything related to booting these days has to start with the answers to three questions.
Does the computer have BIOS or UEFI? If UEFI, in which mode are the systems installed: EFI or legacy? If EFI, what is the "secure boot" setting?
I looked up the laptop model briefly and found that it is UEFI.
GRUB is some kind of program?
It loads and offers several options to choose from, i.e. it works.
Correct. GRUB works and there is absolutely no need to reinstall it. If your hands are itching, then, if EFI mode is used, it is better to install a second one. Fortunately, in that case it is installed by simply copying files.
I probably need to make a "bootable USB stick"
A bootable USB stick never hurts. You should always have one. Again, for EFI mode it is made by simply copying files.
I don't understand at all where I got so many versions from
That suggests there may simply be no free space. Check and, if necessary, free some up.
You can read about cleaning up here.
Settings/General/Uefi Boot Path Security
I don't think that is it. Though I have probably never seen two UEFIs with identical names. But we need "secure boot"; that is what it is most often called.
I was experimenting with this very setting today. I ran into quite a few glitches.
One of them: after disabling "secure boot" the system booted only to the console. It was cured by toggling the setting back and forth a couple more times.
Another glitch. The system seemed to boot normally. But everything turned out to be in "read-only" mode. Nothing could be changed.
Now the most interesting part. With "secure boot" enabled I once got exactly the same error as yours:
ошибка: /boot/vmlinuz-4.4.0-179-generic has invalid signature
Загружается начальный виртуальный диск …
alloc magic is broken at 0x2491a360: 247b63c0
Only the numbers were different. So I suggest trying to turn off "secure boot".
« Last edit: 16 August 2020, 15:46:15 by andytux »
antgrom
A bootable USB stick never hurts.
I made a bootable USB stick and got in. Great.
(I made the stick with UNetbootin; I know there are other programs too)
That suggests there may simply be no free space.
Thanks, I'm checking the free space on the hard drive now.
The user added a message on 17 August 2020, 14:31:29:
That suggests there may simply be no free space
I ran df -kh
/dev/loop0 размер 1.6 Gb Используется 1.6 Gb Используется% 100%
I cleaned up the hard drive:
I found out that automatic backup had been configured some time ago. I emptied the deja-dup folder.
I deleted some large unneeded files.
I used baobab to find large files.
It is still the same anyway:
/dev/loop0 размер 1.6 Gb Используется 1.6 Gb Используется% 100%
Do I understand correctly that /dev/loop0 being 100% full is a problem?
How do I clean up specifically that?
Or how do I enlarge it?
« Last edit: 17 August 2020, 14:31:29 by antgrom »
alexdenkin
antgrom
I don't think that is it. Though I have probably never seen two UEFIs with identical names. But we need "secure boot"; that is what it is most often called.
I re-read this advice once more.
The first time I wasn't paying attention (
There is: Settings/General/Uefi Boot Path Security, and the first time I unchecked the flag there.
And there is also: Settings/Secure Boot/Secure Boot Enable, and that is where I have now set Disabled, and Ubuntu started after a reboot.
Thanks everyone )))
vladimirzhuravlev
Secure Boot Enable
It is exactly this thing, invented by the Windows software writers, that always gets in the way; it is unclear why hardware makers go along with them. It should be in their interest that any OS, not just one signed by Microsoft, can be installed on their hardware without extra steps. In principle Linux distributions are signed nowadays… the stock ones, but with updates and other actions on the system that signature can get lost, which the system reported right away with "invalid signature".
-
vmlinuz has invalid signature
I have two linux installed. Neither can boot the other, but I can boot each one separately. Here’s what I get:
/boot/vmlinuzxxxxx has invalid signature
you need to load kernel first
update-grub from either one’s grub and it builds the other, but fails on restart with the above message.
Much googling I found several answers. One of which suggests the other kernel needs to be signed. [example: sudo mokutil --import MOK.der]
I have an original hard drive that I loaded ubuntu, deepin, lubuntu without issue.
Secure Boot enabled.
Code:
From ubuntu booted:
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0002,0000,0003
Boot0000  Windows Boot Manager
Boot0001* ubuntu
Boot0002* Fedora
Boot0003  deepin
Strange because this hard drive never had Windows or deepin. The efi partition was freshly installed along with two ext4 partitions?!
-
Re: vmlinuz has invalid signature
Try with Secure Boot off.
What brand/model system?
If not working then.
May be best to see details, use ppa version with your live installer or any working install, not older Boot-Repair ISO:
Please copy & paste link to the Boot-info summary report ( do not post report), the auto fix sometimes can create more issues.
https://help.ubuntu.com/community/Boot-Repair
-
Re: vmlinuz has invalid signature
I’d rather not have Secure Boot off. I did try with it though. Same result.
Acer TC-885-UR12
This gets stranger as time goes by. That hard drive above that contained Fedora. But it reappeared using ‘efibootmgr’ on the new hard drive?!. Acer BIOS has no mention of Fedora after the swap. [I removed the boot appearance using efibootmgr.] Not sure how it got there though.
Now with new hard drive I edited Ubuntu’s grub.cfg to a very small file so I could keep tabs on who boots what. From Acer BIOS I made Deepin 1st boot order, after which I did update-grub from Deepin.
After that and on reboot [Deepin now in control] boots all three linuxes: Deepin, Ubuntu, Lubuntu just fine. BUT it used Ubuntu’s grub.cfg file!!! The one I modified.
I’m new to efi. Used mbr since conception (around 1980). I don’t particularly like boot-repair because all the fixes happen between closed doors and I just get a printout. I like to know what took place and in what order.
I will fire up live and install the ppa version to see what’s what and how it works.
Last edited by VMC; March 4th, 2019 at 07:31 AM.
-
Re: vmlinuz has invalid signature
If you know what you want to fix, often best not to run Boot-Repair auto-fix and then use its advanced options.
But you can run the report without running repairs.
With UEFI you should be using gpt.
All Acer have required UEFI updates, if an SSD firmware updates and the setting of «trust» from within UEFI.
One of several with more details on trust:
http://ubuntuforums.org/showthread.php?t=2297947
http://ubuntuforums.org/showthread.php?t=2291335
Acer Aspire ES1-512-C39M Details on supervisor password and settings to enable trust on ubuntu entries Also R14 model same fix
http://ubuntuforums.org/showthread.p…4#post13203044
http://acer--uk.custhelp.com/app/ans…le-secure-boot
http://acer.custhelp.com/app/answers/detail/a_id/29349/
http://ubuntuforums.org/showthread.php?t=2290594
-
Re: vmlinuz has invalid signature
Code:
Model: ATA ST1000DM010-2EP1 (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File system     Name                          Flags
 1      1049kB  106MB   105MB   fat32           EFI system partition          boot, esp
 2      106MB   123MB   16.8MB                  Microsoft reserved partition  msftres
 3      123MB   108GB   108GB   ntfs            Basic data partition          msftdata
 4      108GB   527GB   419GB   ntfs            Basic data partition          msftdata
 6      527GB   632GB   105GB   ext4            ubuntu
 7      632GB   737GB   105GB   ext4            linux
 8      737GB   842GB   105GB   ext4            EXT4
 9      842GB   998GB   156GB   ext4
 5      998GB   1000GB  2131MB  linux-swap(v1)

Strange now both Deepin and Ubuntu boot each other, and dropping to grub prompt it complains when I do ‘ls’ that hd0, gpt6 [which is ubuntu partition] is not allowed because of Secure Boot. At least I know now it’s ubuntu in charge. There’s some other issues I have. Like what’s inside efi partition, can zero it out and I re-create it, etc. Also both deepin, ubuntu have efi folders at /boot that refer to efi special nomenclature:
ubuntu /boot/efi/deepin:
Code:
search.fs_uuid cd9fbc32-1ab6-43bb-b3d6-16d22742bdcf root hd0,gpt7
set prefix=($root)'/boot/grub'
configfile $prefix/grub.cfg
I originally thought the errors were in there.
At any rate, it now works but I’m less informed. It started working after I booted deepin from Acer bios, and did an update-grub. That’s the confusing part. If sda belongs to ubuntu, why would deepin update matter.
I don’t have an ssd as of yet. Your efi-tips is a big help, and that friendly assassin has good info. thanks. repair-boot soon.
-
Re: vmlinuz has invalid signature
Each install puts boot files into the ESP — efi system partition (FAT32) in separate folders.
But Ubuntu and all its flavors and some based on Ubuntu only use /EFI/ubuntu. So I have multiple installs of Ubuntu and each overwrites the default /EFI/ubuntu folder. I have to reset it back to my main working install every time I do a test install. The configfile is just to start grub in the install in the partition referred to in the /EFI/ubuntu/grub.cfg (the 3 lines you posted). Some distributions embed the configfile and put more of the boot files normally in Ubuntu’s /boot folder and have those boot files in the ESP.
Which grub is in charge will depend on which you use or set as default in UEFI. UEFI’s ESP is somewhat like having multiple MBRs all on one drive. So you can choose from UEFI what system to boot.
I do not think it is Secure Boot that prevents you seeing your Ubuntu partition from Deepin. Do not know Deepin, but issue is often ownership (same user name or id as 1000) or permissions.
-
Re: vmlinuz has invalid signature
Boot-Repair-URL
From boot-repair text. This looks okay.
Code:
sda1: __________________________________________________________________________
File system: vfat
Boot sector type: Windows 8/2012: FAT32
Boot sector info: No errors found in the Boot Parameter Block.
Operating System:
Boot files: /EFI/ubuntu/grub.cfg /EFI/Boot/bootx64.efi /EFI/Boot/bootx64.efi-1551554222.bak /EFI/Boot/fbx64.efi /EFI/Boot/grubx64.efi /EFI/Boot/mmx64.efi /EFI/deepin/fbx64.efi /EFI/deepin/grubx64.efi /EFI/deepin/mmx64.efi /EFI/deepin/shimx64.efi /EFI/ubuntu/grubx64.efi /EFI/ubuntu/mmx64.efi /EFI/ubuntu/shimx64.efi /EFI/Microsoft/Boot/bootmgfw.efi /EFI/Microsoft/Boot/bootmgr.efi /EFI/Microsoft/Boot/memtest.efi /EFI/OEM/Boot/bootmgfw.efi /EFI/OEM/Boot/bootmgr.efi /EFI/OEM/Boot/memtest.efi
sda2 is a ntfs spare fs. Unsure what the complaint is.:
Code:
Mounting failed: mount: /mnt/BootInfo/sda2: unknown filesystem type ''.
I recall reading about you using ‘configfile’ on your grub.cfg.
-
Re: vmlinuz has invalid signature
Microsoft requires the System Reserved partition. It is potentially for serial numbers or other data that it used to put into the sectors after the MBR. But gpt does not have those sectors. Grub does the same for BIOS boot as with MBR, it had core.img in the sectors after the MBR, but with gpt and BIOS boot has to have a bios_grub partition.
Since both System Reserved & bios_grub are unformatted partition or whatever Boot-Repair is using throws an error, but partition has valid gpt GUID, so it should not as being unformatted is a requirement.
-
Re: vmlinuz has invalid signature
Interesting that ‘boot-repair’ puts its info on each partition @ /boot/efi.
Also I don’t see any errors, but what about these messages.
=================== Default settings of Boot Repair
The default repair of the Boot-Repair utility would reinstall the grub-efi-amd64-signed of sda6, using the following options: sda1/boot/efi,
Additional repair would be performed: unhide-bootmenu-10s fix-windows-boot use-standard-efi-file
=================== Advice in case of suggested repair
Please disable SecureBoot in the BIOS. Then try again.
Do you want to continue?
=================== Final advice in case of suggested repair
Please do not forget to make your BIOS boot on sda1/efi/…/grub*.efi file!
Or is it just assuming, that if you use ‘boot-repair’ something’s wrong. How do I make BIOS boot on sda1/efi , on the last message?
-
Re: vmlinuz has invalid signature
Is this message preferred:
grub-install --efi-directory=/boot/efi
over this:
sudo grub-install --recheck --root-directory=/ /dev/sda
The latter is what I have used on efi installed OSes.
-
parupos
- Level 1
- Posts: 4
- Joined: Thu Oct 01, 2020 8:42 pm
Boot vmlinuz invalid signature — Secure Boot
My dual-boot system (Windows 10/ Linux Mint 20) lost boot from grub2 but was able to boot Windows fine, maybe the problem come out after running Update Manager which updated kernel 5.4.0-48 and mentioned secureboot-db and others. I have to recover linux mint 20 grub/boot, however when pick Linux boot fails with this message:
«error: /boot/vmlinuz-5.4.0-48-generic has invalid signature»
«error: you need to load the kernel first»
The last thing I remember before the above error was run update manager. No changes was made in BIOS. However a Windows 10 Update was done. I really don’t know the cause, so I appreciate any help.
Workaround for now: in BIOS disable Secure Boot, previously my Linux and Windows were booting normally with Secure Boot enabled.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
-
parupos
- Level 1
- Posts: 4
- Joined: Thu Oct 01, 2020 8:42 pm
Re: Boot vmlinuz invalid signature — Secure Boot
Post
by parupos » Sun Oct 11, 2020 7:38 pm
The guide was followed up to step 5, Enrolled MOK, and asked for password, then booted the system,
however verifying if was enrolled,
sudo mokutil --list-enrolled
Got the output:
MokListRT is empty
Any idea or something to check?
-
Lord Boltar
- Level 5
- Posts: 803
- Joined: Mon Jan 09, 2017 7:24 pm
- Location: Sunny Florida
Re: Boot vmlinuz invalid signature — Secure Boot
Post
by Lord Boltar » Tue Oct 13, 2020 2:28 pm
IF your problem has been solved, please edit your original post and add [SOLVED] to the beginning of the Subject Line. It helps other members
The only way for evil to prosper is for good men to do nothing
-
parupos
- Level 1
- Posts: 4
- Joined: Thu Oct 01, 2020 8:42 pm
Re: Boot vmlinuz invalid signature — Secure Boot
Post
by parupos » Thu Oct 29, 2020 10:54 am
After many attempts to load the keys, let me tell that I got until the blue shim screen and could see the Key with my info previously created following the instructions, type password created, then reboot, but for any reason was not enrolled, as I post previously, despite that I tried to sign the kernel but when booting said Invalid Key.
Finally, I re-install linux mint 20 again with Secure Boot enabled in BIOS and worked!. Now booting fine with Secure Boot.
-
Larry78723
- Level 14
- Posts: 5481
- Joined: Wed Jan 09, 2019 7:01 pm
- Location: Jasper County, SC, USA
Re: Boot vmlinuz invalid signature — Secure Boot
Post
by Larry78723 » Thu Oct 29, 2020 11:04 am
In all likelihood, the next time you get an unsigned kernel you’ll have the same problem again. Turn secure boot off and leave it off.
If you have found the solution to your initial post, please open your original post, click on the pencil, and add (Solved) to the Subject, it helps other users looking for help, and keeps the forum clean.
-
#1
Fresh install on Debian Buster, following this install guide, adapted to Buster.
On reboot, I get this:
Loading Linux 5.0.21-3-pve …
error: /boot/vmlinuz-5.0.21-3-pve has invalid signature.
Loading initial ramdisk …
error: you need to load the kernel first.
and will not boot using that kernel. However it will boot using 4.19.0-6 from Debian
Any pointers?
Thank you!!
-
#2
hmm — seems the error-message is Secure Boot related (maybe the simplest workaround would be to disable secureboot in BIOS)
Maybe the documentation on Secure Boot from the debian-wiki can help if you want to use Secure boot — https://wiki.debian.org/SecureBoot
Which boot-loader are you using on that system?
I hope this helps!
-
#3
hmm — seems the error-message is Secure Boot related (maybe the simplest workaround would be to disable secureboot in BIOS)
Maybe the documentation on Secure Boot from the debian-wiki can help if you want to use Secure boot — https://wiki.debian.org/SecureBoot
Which boot-loader are you using on that system?
I hope this helps!
You rock! I had missed that, it was about Secure Boot indeed.
-
#4
Glad it solved the problem!
Please mark the thread as ‘SOLVED’ — it helps others in a similar situation
Thanks!
-
pegasuZ
- Posts: 13
- Joined: 11 Jul 2022, 02:30
- Thanked: 1 time
- Contact information:
error /boot/vmlinuz… has invalid signature
15 Oct 2022, 19:58
Good day.
I ran into a GRUB error:
Code:
error: /boot/vmlinuz-5.4.0-126-generic has invalid signature
I previously ran into a different GRUB error, but it was solved with the ls command and some other one.
Please help…
-
rogoznik
- Posts: 9443
- Joined: 27 Jun 2017, 13:36
- Solved: 119
- Location: Nizhny Tagil
- Thanked: 715 times
- Was thanked: 1815 times
- Contact information:
error /boot/vmlinuz… has invalid signature
#2
15 Oct 2022, 20:21
pegasuZ, turn off secure boot
-
pegasuZ
- Posts: 13
- Joined: 11 Jul 2022, 02:30
- Thanked: 1 time
- Contact information:
error /boot/vmlinuz… has invalid signature
#3
15 Oct 2022, 20:37
rogoznik wrote: ↑
15 Oct 2022, 20:21
pegasuZ, turn off secure boot
and where is it turned off? In the BIOS it is unavailable and shown as enabled. In case it helps, my laptop: asus gl552vw
BIOS: aptio setup utility 2.17.1249
-
pegasuZ
- Posts: 13
- Joined: 11 Jul 2022, 02:30
- Thanked: 1 time
- Contact information:
error /boot/vmlinuz… has invalid signature
#4
15 Oct 2022, 20:40
rogoznik wrote: ↑
15 Oct 2022, 20:21
pegasuZ, turn off secure boot
that's it, I figured it out, the system boots, thank you very much
Boot vmlinuz invalid signature — Secure Boot
Post by parupos » Fri Oct 02, 2020 11:38 am
Re: Boot vmlinuz invalid signature — Secure Boot
Post by Lord Boltar » Mon Oct 05, 2020 4:22 pm
Most likely your new kernel is not signed for secure boot — have a look here
Re: Boot vmlinuz invalid signature — Secure Boot
Post by Lord Boltar » Tue Oct 13, 2020 2:28 pm
Might want to have a look here
Invalid signature for kernel #908
I am trying to dual boot Pop OS with Windows 10 and I have secure boot enabled. When I try to boot from a live USB I get the following error when I press «Try or Install Pop OS»
error: /casper_pop-os_19.10_amd_intel_debug_191/vmlinuz.efi has invalid signature
error: you need to load the kernel first
What am I doing wrong?
I have the same issue
But I didn’t have to do the changes in grub.cfg, it was already like that
and when booting and selecting any of the options I get the same error as @Vignesh-Nswamy
@bb4L Apparently secure boot should be turned off before booting Pop OS. A consequence of Secure Boot is that it does not allow any bootloader not signed by Microsoft to run.
@Vignesh-Nswamy this means you got it running?
will try it out soon thanks for the hint!
I don’t wanna turn off secure boot. So I didn’t try. But there’s a way to sign the kernel so the boot loader can run without secure boot being turned off. Haven’t tried yet. Try with the LTS version. @bb4L
I tried with the LTS iso, same outcome.
How could you manually sign the kernel?
Secure Boot is recommended to be turned off. Actually, secure boot was developed for Windows. In order to stay away from problems and trouble, just close it.
Secure boot is not supported
Source
Thread: vmlinuz has invalid signature
vmlinuz has invalid signature
I have two linux installed. Neither can boot the other, but I can boot each one separately. Here’s what I get:
/boot/vmlinuzxxxxx has invalid signature
you need to load kernel first
update-grub from either one’s grub and it builds the other, but fails on restart with the above message.
Much googling I found several answers. One of which suggests the other kernel needs to be signed. [example: sudo mokutil --import MOK.der]
I have an original hard drive that I loaded ubuntu, deepin, lubuntu without issue.
Secure Boot enabled.
Strange because this hard drive never had Windows or deepin. The efi partition was freshly installed along with two ext4 partitions?!
Re: vmlinuz has invalid signature
Try with Secure Boot off.
What brand/model system?
If not working then.
May be best to see details, use ppa version with your live installer or any working install, not older Boot-Repair ISO:
Please copy & paste link to the Boot-info summary report (do not post report), the auto fix sometimes can create more issues.
https://help.ubuntu.com/community/Boot-Repair
Re: vmlinuz has invalid signature
I’d rather not have Secure Boot off. I did try with it though. Same result.
This gets stranger as time goes by. That hard drive above that contained Fedora. But it reappeared using ‘efibootmgr’ on the new hard drive. Acer BIOS has no mention of Fedora after the swap. [I removed the boot appearance using efibootmgr.] Not sure how it got there though.
Now with new hard drive I edited Ubuntu’s grub.cfg to a very small file so I could keep tabs on who boots what. From Acer BIOS I made Deepin 1st boot order, after which I did update-grub from Deepin.
After that and on reboot [Deepin now in control] boots all three linuxes: Deepin, Ubuntu, Lubuntu just fine. BUT it used Ubuntu’s grub.cfg file. The one I modified.
I’m new to efi. Used mbr since conception (around 1980). I don’t particularly like boot-repair because all the fixes happen between closed doors and I just get a printout. I like to know what took place and in what order.
I will fire up live and install the ppa version to see what’s what and how it works.
Last edited by VMC; March 4th, 2019 at 07:31 AM.
Re: vmlinuz has invalid signature
If you know what you want to fix, often best not to run Boot-Repair auto-fix and then use its advanced options.
But you can run the report without running repairs.
With UEFI you should be using gpt.
All Acer have required UEFI updates, if an SSD firmware updates and the setting of "trust" from within UEFI.
Re: vmlinuz has invalid signature
I originally thought the errors were in there.
At any rate, it now works but I’m less informed. It started working after I booted deepin from Acer bios, and did an update-grub. That’s the confusing part. If sda belongs to ubuntu, why would deepin update matter?
I don’t have an ssd as of yet. Your efi-tips is a big help, and that friendly assassin has good info. thanks. repair-boot soon.
Re: vmlinuz has invalid signature
Each install puts boot files into the ESP — efi system partition (FAT32) in separate folders.
But Ubuntu and all its flavors and some based on Ubuntu only use /EFI/ubuntu. So I have multiple installs of Ubuntu and each overwrites the default /EFI/ubuntu folder. I have to reset it back to my main working install every time I do a test install. The configfile is just to start grub in the install in the partition referred to in the /EFI/ubuntu/grub.cfg (the 3 lines you posted). Some distributions embed the configfile and put more of the boot files normally in Ubuntu’s /boot folder and have those boot files in the ESP.
Which grub is in charge will depend on which you use or set as default in UEFI. UEFI’s ESP is somewhat like having multiple MBRs all on one drive. So you can choose from UEFI what system to boot.
I do not think it is Secure Boot that prevents you seeing your Ubuntu partition from Deepin. Do not know Deepin, but issue is often ownership (same user name or id as 1000) or permissions.
Source
Secure Boot issue: /vmlinuz has invalid signature
Post by cuchumino » 2014/12/06 04:22:30
Hello All! New to the CentOS community and
I installed CentOS on my laptop a couple of hours ago. Am very happy so far with the distro, but I ran into one thing.
I noticed that with the freshly installed CentOS with the 3.10 kernel, my Logitech wireless mouse was not working.
I read on some threads in here, that installing kernel-ml from elrepo repository would fix the problem albeit through a newer kernel.
So I did just that. I also followed, as mentioned on the elrepo.org homepage, some steps since I do have secure boot. The link for secure boot is here: http://elrepo.org/tiki/SecureBootKey
I did exactly as shown, and rebooted. Enrolled the MOK, and restarted.
Grub screen loads on boot. When I try to get into CentOS with the new kernel with secure boot running, I get the following message after hitting enter.
I turned off Secure Boot, and I am able to load using kernel 3.17. And yes, my wireless mouse does work with 3.17.
I know I am doing something wrong with the MOK, at that step.
During boot, I’ve stopped and UEFI booted through all the .efi files available in EFI/Microsoft, EFI/centos and EFI/boot. All have the same outcome through grub, except for the Microsoft one, where it boots into windows.
I am not sure if there is another .efi file somewhere that would allow loading the 3.17 kernel, that I should put in one of the EFI folders and run during UEFI boot.
I’m not sure how to collect logs at boot time, if that would be useful at all, although I don’t think it would be at the time.
I hope I’m making sense. Thanks!
EDIT: I didn’t make clear that I am currently booting into the system with Secure Boot off, but I’d like to have it on.
Source
A display brightness related issue made me try out the new Linux Kernel 5.8 the day it was released. I installed it successfully (my previous post covers that) but upon restart the system wasn’t letting me boot into Ubuntu.
It was failing to boot up with the following error:
error: vmlinuz-5.8.0-050800-generic has invalid signature
error: you need to load the kernel first
HP ENVY x360 came installed with Windows 10 so Ubuntu was available via Grub as a Dual Boot option.
NOTE: At some point(s), Windows asked me to enter the recovery key to let me boot into Windows. Bitlocker asks you to enter this key when it detects unauthorised access/change to the system. The recovery key screen gave me the link where I could get the recovery key but you will need another system/phone to do that.
I restarted and chose the previous version of kernel and logged into Ubuntu, albeit with a dim desktop, the issue I was trying to fix with the new version.
You can obviously disable Secure Boot and it will let you boot the unsigned kernel, but it just doesn’t feel right. So you have 2 options:
- Use a generic signed kernel image (which wasn’t available for 5.8 in my case)
- Self sign the kernel (which I did)
There are a few scripts available online that make it a bit easier, but I found the Ubuntu Secure Boot page along with an askubuntu stackexchange answer which helped me with the setup.
Before we go any further, just remember that you are giving it a try at your own risk 🙂
- Create a config file for openssl to create a signing key and save it as openssl.cnf (the name the next step expects). Use your details where you see <your_something> text.
# This definition stops the following lines choking if HOME isn't defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = <your_country_code>
stateOrProvinceName = <your_state>
localityName = <your_town>
0.organizationName = <your_org>
commonName = Secure Boot Signing
emailAddress = <your_email>
[ v3 ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.2312.16.1.2
nsComment = "OpenSSL Generated Certificate"
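- Now we are going to create the private and public keys for signing the kernel. The key is valid for 100 years. Because of -nodes the private key MOK.priv is written unencrypted, so keep it somewhere only root can read.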
openssl req -config ./openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "MOK.priv" -out "MOK.der"
- Enrol / Import key to your shim installation. You will be asked to set a password which you will use on reboot.
sudo mokutil --import MOK.der
- Time to convert the DER certificate (the public key) to PEM format, as the tool used later for signing expects a PEM certificate.
openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
- Now we restart the system. A blue screen will welcome you to MOK Manager tool. Select Enrol Key and then View the key. You should see the details of the key you just created. Continue the process and enter the password where prompted. Reboot the system when presented with that choice.
- Did the enrollment work? Check with:
sudo mokutil --list-enrolled
- The step where you do what you intended to do all this while – Sign the kernel.
sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-5.8.0-050800-generic --output /boot/vmlinuz-5.8.0-050800-generic.signed
- Create a copy of initrd.img file and add signed to the filename.
sudo cp /boot/initrd.img-5.8.0-050800-generic{,.signed}
- Update Grub
sudo update-grub
- Reboot. If all works and it lets you boot, you can replace the unsigned kernel files with the signed ones.
sudo mv /boot/vmlinuz-5.8.0-050800-generic{.signed,}
sudo mv /boot/initrd.img-5.8.0-050800-generic{.signed,}
- Final Grub update
sudo update-grub
You now have the newest kernel with all the new features, signed and working with Secure Boot still enabled.
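To confirm that the signing step took effect before you reboot, the sketch below (an added example, not part of the original post) reads the certificate table that sbsign writes into the kernel's PE header and lists the embedded signatures; an empty list means the image is unsigned. The function names and the sample image are constructed for illustration, it assumes an x86 EFI-stub kernel, and it shows only that a signature is present, not that it was made with an enrolled MOK.

```python
import struct
import sys

CERT_DIR = 4  # index of the certificate table in the PE data directories

def embedded_signatures(image: bytes) -> list:
    """Return (length, revision, type) per WIN_CERTIFICATE; [] means unsigned."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", image, dirs - 4)
    if count <= CERT_DIR:
        return []
    off, size = struct.unpack_from("<II", image, dirs + 8 * CERT_DIR)  # file offset, not an RVA
    if off == 0 or size == 0:
        return []
    if off + size > len(image):
        raise ValueError("certificate table points past end of file")
    found, end = [], off + size
    while off + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        found.append((length, revision, ctype))
        off += (length + 7) & ~7  # entries are aligned to 8 bytes
    return found

def constructed_image(signed: bool) -> bytes:
    """Constructed sample: a bare PE32+ header, optionally with one dummy entry."""
    img = bytearray(0x200)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)      # e_lfanew -> PE header
    struct.pack_into("<H", img, 0x58, 0x20B)     # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 108, 16)  # NumberOfRvaAndSizes
    if signed:  # type 0x0002 = PKCS#7 SignedData, the kind sbsign appends
        struct.pack_into("<II", img, 0x58 + 112 + 32, len(img), 16)
        img += struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8
    return bytes(img)

if __name__ == "__main__":  # pass a kernel path, or run on the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_image(True)
    print(embedded_signatures(data) or "no embedded signature")
```

Pass a real image as the first argument, for example the .signed file from the sbsign step. `sbverify --cert MOK.pem <image>`, from the same package as sbsign, then performs the actual cryptographic verification against your certificate.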