LL6.0 installs but after update get X.509 error @boot; LL6.6 install screws PC

Alan_Wilts:

--- Quote from: trinidad on February 06, 2024, 11:15:28 AM ---Couple of notes:
1) Generally Windows can still be installed in legacy mode (dosMBR tables)
--- End quote ---

I bought a used laptop and Windows had been loaded ready to set up, so it was UEFI. When investigating my problem I read that legacy fixed it for some people. But it was a mistake for me to change it without further investigation.



--- Quote from: trinidad on February 06, 2024, 11:15:28 AM ---3) I don't dual boot anymore anyway, nor do I advise others to. Virtualization is a better solution and Linux Lite runs quite nicely in Hyper-V.
--- End quote ---

I've been using VirtualBox on my main Win10 PC for many years successfully. First to run some legacy 16-bit Win XP software and 2nd to run LinuxLite for developing software for my Raspberry Pis. Here I found a very useful PuTTY add-in called tkgpio that lets me simulate the GPIO pins and sensors as well as a small 4 line display.

On this laptop I didn't really want to wipe the Win 11 as it might be useful but I wanted to avoid running it connected to MS unless I spent a lot of time setting all the privacy settings etc. But I needed Linux to take the laptop to make full backups of my Pis from time to time.


I have recently added an SSD/PVIMe adapter to an old PC with LinuxLite installed first on the HDD and then copied the whole HDD to the SSD and then used Clover to boot into the SSD. I'm doing the same on another old Win10 PC but that is harder due to Windows Boot Manager. But both these are either LL/LL or Win10/Win10, not a mixture!


Overall, I think your comments are very sensible.

Alan_Wilts:

--- Quote from: stevef on February 06, 2024, 09:26:31 AM ---Out of interest, does the log still report these after good Linux boots
"Problem loading X.509 certificate -65"
"Error adding keys to platform keyring UEFI:db"

--- End quote ---


Here are the X.509 Log Items from a fresh boot. Yes, still get an error adding keys:
Feb 06 18:12:52 Lenovo-LL kernel: Loading compiled-in X.509 certificates
Feb 06 18:12:52 Lenovo-LL kernel: Loaded X.509 cert 'Build time autogenerated kernel key: ec648241a1c40ddb590b5abe6c9f36ba54d989a2'
Feb 06 18:12:52 Lenovo-LL kernel: Loaded X.509 cert 'Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Feb 06 18:12:52 Lenovo-LL kernel: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Feb 06 18:12:52 Lenovo-LL kernel: blacklist: Loading compiled-in revocation X.509 certificates
Feb 06 18:12:52 Lenovo-LL kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Feb 06 18:12:52 Lenovo-LL kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2017): 242ade75ac4a15e50d50c84b0d45ff3eae707a03'
Feb 06 18:12:52 Lenovo-LL kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (ESM 2018): 365188c1d374d6b07c3c8f240f8ef722433d6a8b'
Feb 06 18:12:52 Lenovo-LL kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2019): c0746fd6c5da3ae827864651ad66ae47fe24b3e8'
Feb 06 18:12:52 Lenovo-LL kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v1): a8d54bbb3825cfb94fa13c9f8a594a195c107b8d'
Feb 06 18:12:52 Lenovo-LL kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v2): 4cf046892d6fd3c9a5b03f98d845f90851dc6a8c'
Feb 06 18:12:52 Lenovo-LL kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v3): 100437bb6de6e469b581e61cd66bce3ef4ed53af'
Feb 06 18:12:52 Lenovo-LL kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019): c1d57b8f6b743f23ee41f4f7ee292f06eecadfb9'
Feb 06 18:12:52 Lenovo-LL kernel: zswap: loaded using pool lzo/zbud
Feb 06 18:12:52 Lenovo-LL kernel: Key type .fscrypt registered
Feb 06 18:12:52 Lenovo-LL kernel: Key type fscrypt-provisioning registered
Feb 06 18:12:52 Lenovo-LL kernel: Key type encrypted registered
Feb 06 18:12:52 Lenovo-LL kernel: AppArmor: AppArmor sha1 policy hashing enabled
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Problem loading X.509 certificate -65
Feb 06 18:12:52 Lenovo-LL kernel: fbcon: Taking over console
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Error adding keys to platform keyring UEFI:db
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loaded X.509 cert 'E8S350141517ADA: d9ad0d486703a8bc46d842ed4ff82287'
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
Feb 06 18:12:52 Lenovo-LL kernel: Console: switching to colour frame buffer device 240x67
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'
Feb 06 18:12:52 Lenovo-LL kernel: ima: No TPM chip found, activating TPM-bypass!
Feb 06 18:12:52 Lenovo-LL kernel: Loading compiled-in module X.509 certificates
Feb 06 18:12:52 Lenovo-LL kernel: Loaded X.509 cert 'Build time autogenerated kernel key: ec648241a1c40ddb590b5abe6c9f36ba54d989a2'
Feb 06 18:12:52 Lenovo-LL kernel: ima: Allocated hash algorithm: sha1
Feb 06 18:12:52 Lenovo-LL kernel: ima: No architecture policies found
Feb 06 18:12:52 Lenovo-LL kernel: evm: Initialising EVM extended attributes:
Feb 06 18:12:52 Lenovo-LL kernel: evm: security.selinux
Feb 06 18:12:52 Lenovo-LL kernel: evm: security.SMACK64
Feb 06 18:12:52 Lenovo-LL kernel: evm: security.SMACK64EXEC
Feb 06 18:12:52 Lenovo-LL kernel: evm: security.SMACK64TRANSMUTE
Feb 06 18:12:52 Lenovo-LL kernel: evm: security.SMACK64MMAP
Feb 06 18:12:52 Lenovo-LL kernel: evm: security.apparmor
Feb 06 18:12:52 Lenovo-LL kernel: evm: security.ima
Feb 06 18:12:52 Lenovo-LL kernel: evm: security.capability
Feb 06 18:12:52 Lenovo-LL kernel: evm: HMAC attrs: 0x1
Feb 06 18:12:52 Lenovo-LL kernel: PM:   Magic number: 12:502:240
Feb 06 18:12:52 Lenovo-LL kernel: acpi_cpufreq: overriding BIOS provided _PSD data
Feb 06 18:12:52 Lenovo-LL kernel: RAS: Correctable Errors collector initialized.
Feb 06 18:12:52 Lenovo-LL kernel: Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7
Feb 06 18:12:52 Lenovo-LL kernel: Unstable clock detected, switching default tracing clock to "global"
                                  If you want to keep using the local clock, then add:
                                    "trace_clock=local"
                                  on the kernel command line
Feb 06 18:12:52 Lenovo-LL kernel: Freeing unused decrypted memory: 2036K
................
Feb 06 18:12:52 Lenovo-LL kernel: cfg80211: Loading compiled-in X.509 certificates for regulatory database
Feb 06 18:12:52 Lenovo-LL kernel: cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
........................
I also looked for "failed" and "error" and found:

Feb 06 18:12:54 Lenovo-LL systemd[1]: Starting GRUB failed boot detection...........
Feb 06 18:12:54 Lenovo-LL systemd[1]: secureboot-db.service: Deactivated successfully.........
Feb 06 18:12:54 Lenovo-LL systemd[1]: Finished Secure Boot updates for DB and DBX.
Feb 06 18:12:54 Lenovo-LL systemd[1]: Finished GRUB failed boot detection.
Feb 06 18:12:54 Lenovo-LL ModemManager[846]: <info>  ModemManager (version 1.20.0) starting in system bus...
Feb 06 18:12:54 Lenovo-LL bluetoothd[711]: Failed to set mode: Blocked through rfkill (0x12).......................
Then 100's of these:
Feb 06 18:13:06 Lenovo-LL ifup[878]: W: Tried to start delayed item http://security.ubuntu.com/ubuntu jammy-security InRelease, but failed

No other failed or errors that seemed relevant

Cheers
Alan
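
Added example, not part of the post above or of Linux Lite: a Python sketch that pairs each "Loading X.509 certificate" line from the kernel's integrity subsystem with its outcome, so a failed UEFI:db entry can be told apart from the entries that loaded. The names audit_platform_keyring and ERRNO_NAMES are illustrative, the sample lines are copied from the log quoted above, and 65 is the Linux errno value for ENOPKG.

```python
import re

# Linux errno numbers; the kernel prints them negated. 65 is ENOPKG on Linux.
ERRNO_NAMES = {65: "ENOPKG"}

INTEGRITY = re.compile(r"kernel: integrity: (.*)$")
LOADING = re.compile(r"Loading X\.509 certificate: (.+)")
LOADED = re.compile(r"Loaded X\.509 cert '(.+): ([0-9a-f]+)'")
PROBLEM = re.compile(r"Problem loading X\.509 certificate (-\d+)")

# Sample input: lines copied from the boot log quoted in the post above.
SAMPLE = """\
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Problem loading X.509 certificate -65
Feb 06 18:12:52 Lenovo-LL kernel: fbcon: Taking over console
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Error adding keys to platform keyring UEFI:db
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loaded X.509 cert 'E8S350141517ADA: d9ad0d486703a8bc46d842ed4ff82287'
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Feb 06 18:12:52 Lenovo-LL kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'
"""


def audit_platform_keyring(log_text):
    """Return (loaded, failed) lists for the integrity X.509 load attempts."""
    loaded, failed, source = [], [], None
    for raw in log_text.splitlines():
        line = INTEGRITY.search(raw)
        if not line:
            continue  # unrelated kernel lines (fbcon, Console) interleave freely
        msg = line.group(1)
        if (hit := LOADING.match(msg)):
            source = hit.group(1)  # remember which variable is being read
        elif (hit := LOADED.match(msg)):
            loaded.append((source, hit.group(1), hit.group(2)))
            source = None
        elif (hit := PROBLEM.match(msg)):
            code = -int(hit.group(1))  # "-65" in the log is errno 65
            failed.append((source, code, ERRNO_NAMES.get(code, "unknown")))
            source = None
    return loaded, failed


if __name__ == "__main__":
    ok, bad = audit_platform_keyring(SAMPLE)
    for source, code, name in bad:
        print(f"FAILED  {source}: errno {code} ({name})")
    for source, subject, key_id in ok:
        print(f"loaded  {source}: {subject} [{key_id}]")
```

On this log it reports one failed UEFI:db entry with ENOPKG, the code the kernel's X.509 parser returns for a certificate that uses an algorithm it does not support, and three certificates that loaded. On a live system the same function can be fed the text of `journalctl -k -b`.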

trinidad:
Couple of notes:
1) Generally Windows can still be installed in legacy mode (dosMBR tables) however once installed you cannot switch to UEFI mode or vice versa just because the option is there in the BIOS. It's kind of you must pick one or the other and stick with it. If Windows was UEFI to begin with, then Linux should be installed for dual booting UEFI. This could be in part the cause of some of the boot problems you had.

2) Another culprit could be forgetting to shut Windows completely down before booting back into Linux. Hold down the shift key without releasing it and select shut down and don't release the shift key until Windows goes off, or use PowerShell to completely shut down. In your case I'd bet on a combination of these first two things I mention here.

3) I don't dual boot anymore anyway, nor do I advise others to. Virtualization is a better solution and Linux Lite runs quite nicely in Hyper-V.

4) When I did dual boot and share a partition I used exFAT as it seemed quicker.

5) Anyway I hope your dual boot does what you need it to do.

best of luck
TC     

stevef:
Glad you got it sorted.


--- Quote ---Looks like formatting the NTFS partition in LL is corrupting it and upsetting Grub/boot. Could the reformatting change/damage the GUID?
--- End quote ---
If the Windows doing the formatting has worked, then perhaps Windows is doing something different.
I've not had problems getting Linux to format NTFS drives in general, but it is sound thinking to get Windows to do the MS proprietary jobs when possible.

Out of interest, does the log still report these after good Linux boots
"Problem loading X.509 certificate -65"
"Error adding keys to platform keyring UEFI:db"

Alan_Wilts:

--- Quote from: stevef on February 06, 2024, 02:59:51 AM ---The inference from posts #1 and #3 is that converting the ext4 data partition (or maybe updating kernel) triggers the system to fail to boot with a specific x509 error.

--- End quote ---

Many thanks for looking at this Steve. I came to the same conclusion overnight and have just done the following:

1. Booted to LL 6.6 Live and deleted the shared partition
2. Installed LL 6.6 using just the / and /home partitions reformatted ext4
3. Booted OK into LL and again into Win11
4. In Win11 formatted the shared partition as NTFS.
5. Booted OK into Win11 and again into LL.
6. In LL ran Install Updates
7. Booted into LL and mounted the shared partition on start and disabled mounting the Win11 System partition
8. Booted into Windows and hid the LL system partition (D:) and remapped the shared partition for E: to D:
9. In BIOS changed back to UEFI boot - secure boot is still disabled.
10. Booted to Macrium Reflect Recovery / PE and made an image copy of the whole SSD

So far with many reboots it's been OK.

After Grub selection an error still flashed for half a second (I'm sure it is the X.509) but continues without a disk check. But I think this warning is different to the boot failure. Looks like formatting the NTFS partition in LL is corrupting it and upsetting Grub/boot. Could the reformatting change/damage the GUID?

So I think I will leave it for now and enjoy LL.
