Page 1 of 1
Can't boot....weird situation
Posted: Sat Dec 10, 2022 11:06 am
by GlockdocVegas
I bought a used HP prodesk 400 mini g2 online. Bios is locked and so far I have not been able to get the password from the reseller. Most likely he doesn't have it.
I can't enter EUFI to turn off secure boot. Somehow I managed by accident to get a live usb to boot and wiped windoes adn installed mx 21. Everything was working fine.
Today I picked up an NVME SSD and went to install it. It didn't come the screw to hold it down so I tried to jerry rig it. I also pulled the ram out to see if I could locate a cmos reset switch or jumper to reset the bios. Turns out I didn't pop the ram back in right so it wouldn't boot. Fixed that and pulled out the ssd, put it all back together and rebooted.
Now I get "no boot device found". Figured I would just pop in the live usb I installed from and use boot repair. I have done that before.
When the live usb boots secure boot shows in the bottom left and I get "antix is unsigned. You may need to boot the kernel first."
Nothing I did today should have caused any change to anything to do with booting so I am confused as to why I can no longer boot. Also confused as to how I was able to install from a live usb with secure boot turned on.
It looks like Ventoy may have a solution that will allow me to boot even with secure boot turned on. If so I should be able to run boot repair. It's bed time here in Thailand so I will chase that tomorrow. Wanted to make a quick post and get input from you guys and suggestions.
Thanks in advance!
Re: Can't boot....weird situation
Posted: Sat Dec 10, 2022 12:29 pm
by j2mcgreg
If you remove, wait a few minutes, and then replace the CMOS battery, you will have cleared the bios password and then should be able access the UEFI setup utility and then disable secure boot (you may have to recreate an administrator's password in order to gain access to that setting).
Nothing I did today should have caused any change to anything to do with booting so I am confused as to why I can no longer boot. Also confused as to how I was able to install from a live usb with secure boot turned on.
Secure Boot, when active, requires a signed key from Microsoft in order for the boot loader to be launched. However, it is Operating System agnostic, and you can install which ever one you want with the understanding that if the key is missing, it won't boot
Re: Can't boot....weird situation
Posted: Sat Dec 10, 2022 1:52 pm
by Huckleberry Finn
If you reset (or already managed to reset in your previous attempt) secure boot will (or did) turn back to enabled (by default). Probably that's why it booted first (disabled) then not.
Whatever. Till you find a way to enter Uefi settings, you need to either install a signed kernel, or try this (in both cases: on another machine and remastering):
https://wiki.debian.org/SecureBoot#Disabling.2Fre-enabling_Secure_Boot wrote:
Disabling/re-enabling Secure Boot
In case it is difficult to control Secure Boot state through the EFI setup program,
mokutil can also be used to disable or re-enable Secure Boot for operating systems loaded through shim and GRUB:
Run:
mokutil --disable-validation or mokutil --enable-validation.
Choose a password between 8 and 16 characters long. Enter the same password to confirm it.
Reboot.
When prompted, press a key to perform MOK management.
Select "Change Secure Boot state".
Enter each requested character of your chosen password to confirm the change.
Note that you have to press Return/Enter after each character.
Select "Yes".
Select "Reboot".
(Note that you need to Remaster after the changes to make them permanent on usb (after the steps: mokutil... "choose a pw... then confirm"..) ... Then do the reboot on this pc.)
Re: Can't boot....weird situation
Posted: Sat Dec 10, 2022 3:20 pm
by fehlix
Huckleberry Finn wrote: Sat Dec 10, 2022 1:52 pm
(Note that you need to Remaster after the changes to make them permanent on usb (after the steps: mokutil... "choose a pw... then confirm"..) ... Then do the reboot on this pc.)
Secure boot state changes would not need to change anything onthe LiveUSB, it's an efivar which get changed within the NVRAM during boot one time at next boot - and not bound to the LiveUSB in anyway.
Re: Can't boot....weird situation
Posted: Sat Dec 10, 2022 4:26 pm
by Huckleberry Finn
... Then first boot with a Fedora or *buntu usb (what a shame) and click Reboot after doing these (all on that pc) and do the reboot with MX usb.
Re: Can't boot....weird situation
Posted: Sat Dec 10, 2022 5:33 pm
by fehlix
Huckleberry Finn wrote: Sat Dec 10, 2022 4:26 pm
... Then first boot with a Fedora or *buntu usb (what a shame) and click Reboot after doing these (all on that pc) and do the reboot with MX usb.
Hmm ....,
The standard (non-ahs) MX-21-LiveUSB's/ISO's do boot with debians-signed kernels and include Debian signed shim and MokManager utility placed within Live-EFI,
which makes MX-21 standard LiveUSB's boot with enabled SecureBoot.
Which means in order to disable secureboot validation in "shim", one would first need to
boot withe MX-21 LiveUSB/ISO with standard debian-signed kernels in order to
disable SecureBoot state with
follwed by reboot with the same MX-21 LiveUSB/ISO, which triggers the execution of EFI-MokManager,
where one would need to enter the one-time password to change secureboot-state.
Re: Can't boot....weird situation
Posted: Sun Dec 11, 2022 12:42 am
by GlockdocVegas
OK, I can boot with the standard mx21 live usb (thanks for that tip) and can see mx21ahs is still there along with all my files.
When I run mokutil --disable-validation and enter my password 2 times i get " failed to request new MokSB state ". When I reboot I still can't boot.
Did I miss steps?
I ran boot repair but that didn't do the trick( I assume due to secure boot. Still don't know how I was able to boot and install mx21AHS ).
Thanks!
*****turns out "sudo" was needed for that command to work. Probably obvious to you guys, but .....****
Now I have verified secure boot is disabled in shim, but still couldn't boot my system. Still missing steps?
Re: Can't boot....weird situation
Posted: Sun Dec 11, 2022 2:32 am
by GlockdocVegas
**LATEST UPDATE**
Well, I was able to boot back into my mx21ahs live usb. Played with boot repair then couldn't boot into it. Went back to my non ahs live usb and booted up. Played around with boot repair trying to find a combo that would let me boot. Last try was esp on a partition labeled mx linux I think and now secure boot says "selected image did not authenticate " and I cant get past that screen.
Yep, I know I should have waited and should be screwing around with boot repair since I really didn't know what I was doing. Maybe I will learn something!! LOL
****
I am currently booted into mx21 non ahs live usb and not doing anything else without guidance.
I can got my sysinfo before my last oops if that helps you guys help me.
Code: Select all
System: Kernel: 5.18.0-4mx-amd64 [5.18.16-1~mx21+1] x86_64 bits: 64 compiler: gcc v: 10.2.1
parameters: BOOT_IMAGE=/antiX/vmlinuz quiet splasht nosplash
Desktop: Xfce 4.16.0 tk: Gtk 3.24.24 info: xfce4-panel wm: xfwm 4.16.1 vt: 7
dm: LightDM 1.26.0 Distro: MX-21.2.1_ahs_x64 Wildflower September 18 2022
base: Debian GNU/Linux 11 (bullseye)
Machine: Type: Desktop System: HP product: HP ProDesk 400 G2 MINI v: N/A serial: <filter>
Chassis: type: 15 serial: <filter>
Mobo: HP model: 806A v: KBC Version 05.26 serial: <filter> UEFI: HP v: N23 Ver. 02.06
date: 04/28/2016
CPU: Info: Quad Core model: Intel Core i5-6500T bits: 64 type: MCP arch: Skylake-S family: 6
model-id: 5E (94) stepping: 3 microcode: 76 cache: L2: 6 MiB
flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 bogomips: 19999
Speed: 800 MHz min/max: 800/3100 MHz Core speeds (MHz): 1: 800 2: 800 3: 800 4: 800
Vulnerabilities: Type: itlb_multihit status: KVM: VMX unsupported
Type: l1tf mitigation: PTE Inversion
Type: mds status: Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
Type: meltdown mitigation: PTI
Type: mmio_stale_data
status: Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
Type: retbleed status: Vulnerable
Type: spec_store_bypass status: Vulnerable
Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization
Type: spectre_v2
mitigation: Retpolines, STIBP: disabled, RSB filling, PBRSB-eIBRS: Not affected
Type: srbds status: Vulnerable: No microcode
Type: tsx_async_abort
status: Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
Graphics: Device-1: Intel HD Graphics 530 vendor: Hewlett-Packard driver: i915 v: kernel
bus-ID: 00:02.0 chip-ID: 8086:1912 class-ID: 0300
Display: x11 server: X.Org 1.20.14 compositor: xfwm4 v: 4.16.1 driver:
loaded: modesetting unloaded: fbdev,vesa display-ID: :0.0 screens: 1
Screen-1: 0 s-res: 1680x1050 s-dpi: 96 s-size: 444x277mm (17.5x10.9")
s-diag: 523mm (20.6")
Monitor-1: DP-2 res: 1680x1050 hz: 60 dpi: 140 size: 304x228mm (12.0x9.0")
diag: 380mm (15")
OpenGL: renderer: Mesa Intel HD Graphics 530 (SKL GT2) v: 4.6 Mesa 22.0.5
direct render: Yes
Audio: Device-1: Intel 100 Series/C230 Series Family HD Audio vendor: Hewlett-Packard
driver: snd_hda_intel v: kernel bus-ID: 00:1f.3 chip-ID: 8086:a170 class-ID: 0403
Sound Server-1: ALSA v: k5.18.0-4mx-amd64 running: yes
Sound Server-2: PulseAudio v: 14.2 running: yes
Network: Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet
vendor: Hewlett-Packard driver: r8169 v: kernel port: 3000 bus-ID: 01:00.0
chip-ID: 10ec:8168 class-ID: 0200
IF: eth0 state: up speed: 1000 Mbps duplex: full mac: <filter>
Drives: Local Storage: total: 580.32 GiB used: 2.04 GiB (0.4%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/sda maj-min: 8:0 vendor: Toshiba model: MQ02ABF050H size: 465.76 GiB
block-size: physical: 4096 B logical: 512 B speed: 6.0 Gb/s type: HDD rpm: 5400
serial: <filter> rev: 2C scheme: MBR
ID-2: /dev/sdb maj-min: 8:16 type: USB vendor: SanDisk model: Ultra Fit
size: 114.56 GiB block-size: physical: 512 B logical: 512 B type: N/A serial: <filter>
rev: 1.00 scheme: MBR
SMART Message: Unknown USB bridge. Flash drive/Unsupported enclosure?
Swap: Kernel: swappiness: 15 (default 60) cache-pressure: 100 (default)
ID-1: swap-1 type: partition size: 8 GiB used: 0 KiB (0.0%) priority: -2 dev: /dev/sda2
maj-min: 8:2
Sensors: System Temperatures: cpu: 50.0 C mobo: N/A
Fan Speeds (RPM): N/A
Repos: Packages: note: see --pkg apt: 1932 lib: 979 flatpak: 0
No active apt repos in: /etc/apt/sources.list
Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list
1: deb http://deb.debian.org/debian bullseye-updates main contrib non-free
Active apt repos in: /etc/apt/sources.list.d/debian.list
1: deb http://deb.debian.org/debian bullseye main contrib non-free
2: deb http://security.debian.org/debian-security bullseye-security main contrib non-free
Active apt repos in: /etc/apt/sources.list.d/mx.list
1: deb http://mxrepo.com/mx/repo/ bullseye main non-free
2: deb http://mxrepo.com/mx/repo/ bullseye ahs
Info: Processes: 197 Uptime: 0m wakeups: 1 Memory: 7.67 GiB used: 954.8 MiB (12.2%)
Init: SysVinit v: 2.96 runlevel: 5 default: 5 tool: systemctl Compilers: gcc: N/A
alt: 10 Client: shell wrapper v: 5.1.4-release inxi: 3.3.06
Boot Mode: UEFI
SecureBoot enabled
SecureBoot validation is disabled in shim
Re: Can't boot....weird situation
Posted: Sun Dec 11, 2022 6:12 am
by fehlix
GlockdocVegas wrote: Sun Dec 11, 2022 2:32 am
**LATEST UPDATE**
Well, I was able to boot back into my mx21ahs live usb. Played with boot repair then couldn't boot into it.
Went back to my non ahs live usb and booted up. Played around with boot repair trying to find a combo that would let me boot. Last try was esp on a partition labeled mx linux I think and now secure boot says "selected image did not authenticate " and I cant get past that screen.
That's a bit unclear message: "Played with boot repair then couldn't boot into it."
Please report more clearly, what you have done to have it "dead"-repaired. Are you saying you "boot-repair"ed something onto the LiveUSB? And now can't boot with the LiveUSB anymore. If so you might have selected the "ESP" on the LiveUSB, and overwritten with boot-repair" the efi-bootloader with a non-signed efi-loader. But neither the LiveUSB nor the installed system are ready to run "grub-install" with secure boot enabled to create a secure-boot'able system, b/c boot-repair, will generate a un-signed efi-bootloader and overwrite the existing signed efi-boot loader in the ESP of the LiveUSB, if you have select the LiveUSB as target.
In theory you can manually fix the LiveUSB, b/c the the LiveUSB, when have been create with "MX Live USB Maker", would have a copy of efi-Loader within two places: Within the /EFI direcotry on the first "main" ext4 partition and a 2nd copy in the FAT32 EFI partition (ESP). But that depends whether the LiveUSB was created with MX LUM (Live USB Maker) or not.
You would need to "copy" the content of /EFI/boot/*efi onto the other location.
E.g. when with Rufus made, you would have overwritten the only one existing.
Either give details how LiveUSB was create, and what did you selected as ESP.
Or, simplest do re-create a LiveUSB with MX-LUM again.
After that, next steps to enable secure-booting efi-loader on installed system...
Re: Can't boot....weird situation
Posted: Sun Dec 11, 2022 6:35 am
by GlockdocVegas
Forgive me, I know just enough to be dangerous! LOL
OK, lemme see if I can clear things up. From the beginning...bought a used Deskpro Mini, secure boot is enabled, seller hasn't gotten me bios password yet ( probably can't ) and somehow I was able to boot into a live mx21ahs bootable usb created with live usb maker and installed mx21ahs. Secure boot is on and didn't do anything that would turn it off. Everything was fine.
Yesterday I opened the case to install a nvme ssda and see if I could find either a cmos reset button or a bios jumper and reset the bios. I did not have the screw to install the ssd and didn't pop the RAM back in properly, system would not start, just flashed an error message w the power button. Realized the RAM wasn't seated, pulled the ssd out, disconnected the drive that came with the system, put the ram in right, plugged the drive back in, put everything together and could no longer boot into the system. I got " please install an operating system. No os found ".
Today I saw the above response about mx21 non ahs being signed, flashed that usb in live usb maker, boot up. Saw everything was still on the hard drive and ran boot repair. Chose "repair grub" then rebooted. That did not work. Followed the instructions to turn secure boot off in shim and did that.
Next , from the live usb, I tried "reisntall" with "mbr" and " sda1". That didn't work. Next I tried "esp" and a different partition and I could not boot into anything. I kept getting 'selected image did not authenticate". Could not get past that screen.
I tried 2 or 3 different live usbs, nothing would boot. Reflashed the mx21 non ahs as write only via live usb maker and it booted.
That is where I currently am. I am thinking somehow I borked up the bootloader but I have no idea what would have possibly done that.
At this point I am thinking tomorrow when I get the screw for the ssd and install it I will be able to install MX21 on that drive and that will fix whatever I did.
However, if I can fix it before doing that maybe I can either figure out what I did wrong or learn a solution that I can use to help others or myself next time I jump into the rabbit hole with just enough knowledge.
Thank you everyone for your time and answers.
Re: Can't boot....weird situation
Posted: Sun Dec 11, 2022 7:07 am
by fehlix
OK, I may have a view.
Adopting the information given within this thread
MX-21 Secure Boot to your situation I'd see those steps:
* Boot with MX LiveUSB, which may now boot in secure-boot "disabled in shim" with either standard or also non-signed AHS kernel in the LiveUSB session.
* Open Terminal and run:
which should find and list the installed system
=> select the isntalled system to "visit" with chroot
Do now this at the "chroot>" prompt:
Note: No "sudo" needed.
* check to verfy you can see nvram/efivars:
* check to verify the ESP is mounted at /boot/efi
If the last step confirm efivars are visable and ESP is mounted onto /boot/efi
Do this:
* refresh package list
and package-install signed efi-loder
Code: Select all
apt install grub-efi-amd64-signed shim-signed
when done
grub-Install twice signed efi-grub-loader and grub:
Code: Select all
grub-install --bootloader-id=MX21 --force-extra-removable
and
Code: Select all
grub-install --bootloader-id=debian --force-extra-removable
and finaly re-generate the grub-menu:
Check to see the "new" UEFI-loader listed in NVRAM:
Exit with
and press q Quit
Shutdown, remove/pull-out LiveUSB, and reboot.
Re: Can't boot....weird situation
Posted: Sun Dec 11, 2022 10:16 am
by GlockdocVegas
Here is a screenshot of the 1st 2 commands. Unless I am missing it, I don't see nvram or esp so I stopped until I get more info =)
Screenshot_2022-12-11_10-13-39.png
Re: Can't boot....weird situation
Posted: Sun Dec 11, 2022 10:31 am
by Huckleberry Finn
... But ... Do you have an ESP partition on hdd (sda) (fat32 formatted with boot and esp flags) or am I missing something ?
Re: Can't boot....weird situation
Posted: Sun Dec 11, 2022 10:38 am
by GlockdocVegas
Tell me how to find out and I can answer..........
Based on the output on the bottom of that screenshot I am going to say no, but I am over my head here.
Re: Can't boot....weird situation
Posted: Sun Dec 11, 2022 10:49 am
by Huckleberry Finn
Ok, just GParted on live session ...
You can create a small one (no matter where it is on disk, at the end etc.). If needed only: first shrink the MX partition a bit (from right side to left ... 100-250 MiB , or more if you like while you're at it), then create a new partition (fat32) ... finally right click on it: "Manage Flags", but both boot and esp .
Later you can try MX Boot Repair.. "Reinstall Grub" ... ESP ...
Re: Can't boot....weird situation
Posted: Sun Dec 11, 2022 11:03 am
by GlockdocVegas
I followed your instructions and created the partition, added the flags, ran boot repair, reinstall grub, esp, new partion.
Rebooted and I am back to not being able to boot the system or live usb. I get the “system did not authenticate error again”.
Bed time here in Thailand. I will tackle it again tomorrow. When this happened earlier today I was able to reflash the live usb and boot into it. i will try that tomorrow.
Re: Can't boot....weird situation
Posted: Sun Dec 11, 2022 11:14 am
by Huckleberry Finn
Ok. But at least you have an ESP partition now.. :)
(Your next trials / our suggestions won't be "in vain" ).
Re: Can't boot....weird situation
Posted: Sun Dec 11, 2022 11:45 am
by fehlix
GlockdocVegas wrote: Sun Dec 11, 2022 10:16 am
Here is a screenshot of the 1st 2 commands. Unless I am missing it, I don't see nvram or esp so I stopped until I get more info =)
Screenshot_2022-12-11_10-13-39.png
The efibootmgr text output shows the content of NVRAM's efivars.
(I don't know why you post text as IMAGE, that's no very helpfull to help you.)
The "lsblk -f" command show you don't have an ESP (EFI System partition) on the internal drive,
which means you have probaly installed MX-21 originally within BIOS/MBR boot mode.
And probaly also the drive is created/formatted as a msdos/mbr drive instead of an GPT drive.
Now after you have reset UEFI system to factory settings, UEFI-secure boot is enabled,which seems not allow you to
boot into BIOS/MBR installed MX21.
To be honest, ISTM a bit to much of confusion created. Suggest to install from scratch in UEFI-boot mode entire disk,
followed by the advice given with the "MX 21 Secure Boot " thread to enable secureboot installed.
Re: Can't boot....weird situation [Solved]
Posted: Mon Dec 12, 2022 3:52 am
by GlockdocVegas
Thank you all for your input and comments.
After setting up esp I was unable to boot into any of my live usbs or my system.
I had pretty much decided my new computer was going to be a paperweight.
BUT
I finally found the pwd jumper on the motherboard, removed it, which allowed me into bios. I was able to disable secure boot and FINALLY booted into my mx21 system on my hard drive with no problems!!!
WOOOHOOO
Re: Can't boot....weird situation
Posted: Mon Dec 12, 2022 4:25 am
by fehlix
GlockdocVegas wrote: Mon Dec 12, 2022 3:52 am
Well, thank you both for all your input.
After setting up the ESP partition as instructed, I cannot get anything to boot. None of my live USB drives will boot. My system will not boot.
So you are saying you entered the UEFI Boot Options list ("Boot Menu") and selected on the shown list the MX LiveUSB - but it won't boot? What's shown on the screen.
In case you don't know. On most HP's you get to the Boot menu: Either by pressing Esc followed by F10 or F1, which give you a " "Startup Menu", where "Boot menu" (Boot Option list) is shown to select.
Or press Esc followed by F9 to get the Boot Options list, where UEFI bootable entries should be listed.
Re: Can't boot....weird situation
Posted: Mon Dec 12, 2022 4:26 am
by Huckleberry Finn
GlockdocVegas wrote: Mon Dec 12, 2022 3:52 am... After setting up esp I was unable to boot into any of my live usbs or my system...
I would reset Cmos once more (after removing the battery press the power button to drain the remaining electricity (when it's unplugged)).
It must be a coincidence cause there's no relation with the existence of a partition and non booting usb sticks (Windows or Linux).
Edit: I saw the last part of your post just now :)
Re: Can't boot....weird situation
Posted: Wed Dec 14, 2022 3:44 am
by GlockdocVegas
I believe I have solved what started all this mess...........
It appears the Mx21 ahs with kernel 5 is a signed kernel, which allowed me to boot and install mx21 even though secure boot was enabled. At some point after installation when I was setting up the machine to suit me I installed ahs kernel 6, which is not signed. That would explain why I was suddenly no longer able to boot into the mx21 on my system.
I think............LOL
As to why I ended up where nothing would boot and I could only get to the screen that said "secure boot system image did not authenticate" I haven't figured out.
Thought I would post this in case it helps someone else down the road.