Can't RUN AV Linux Live Disc With Secure Boot

[RyanH]

I have seen someone on this forum having issues with installing AV Linux, but this is a bit different in that it's about even loading the live image in the first place. I realize there is a separate forum for MX Linux, but I was hoping to avoid signing up for another forum just to ask one question. I thought that probably enough people here have tried AV Linux that maybe someone knows of a solution.

I want to install AV Linux MX Edition alongside my current Windows 10 and Kubuntu (with Ubuntu Studio wrapper) installations. The AV Linux manual says that using a live DVD is outdated and recommends using a live USB drive instead. I opted to try out a DVD anyway, as I don't need persistence or really want to try out the live AV Linux, only run it and install it (and I had no problems doing so with Kubuntu).

After downloading the AV Linux ISO and checking the checksums, I burned it to a DVD and ran it. I got some quick message about Secure Boot (too quick to read it) before being taken to a menu with a list of options for AV Linux. Basically every option I try either gives a fatal error and shuts down, or shows a Secure Boot-related error and brings me back to the menu - including when I choose the option to use Shim-EFI bootloader (error: Secure Boot forbids loading module from hd0/boot/grub/x86_64-efi/read.mod).

The AV Linux documentation makes no mention of Secure Boot, but the home page offers a link to the GPG key. I don't know the purpose of the GPG key and the page doesn't offer any more details, but I assume it relates to the issue I'm having.

Some slightly older posts re: MX Linux just seem to recommend turning off Secure Boot, which I don't want to do so as not to compromise my current setup. I don't have any options for Secure Boot in the UEFI bios, other than to create a password for it.

My machine is a consumer-grade Acer Aspire (as opposed to business-grade, which, as I understand it, offers additional options). "Shim-signed" is installed with my already installed Kubuntu but, as I mentioned, that doesn't seem to help with running the AV Linux live image.

So my question is: does anyone here know how I can make AV Linux work on my system with Secure Boot (and can I do it via the live disc or Kubuntu rather than Windows)? As I mentioned, I do have this GPG key, if that's helpful. I'm not opposed to creating a live USB drive if that will somehow result in a different outcome than a DVD using the same ISO.

My Linux technical knowledge/confidence is limited, but I do well enough with instructions.

Any assistance would be greatly appreciated.

[GMaq]

Hi!

Some perspective...

Ubuntu is probably about as big and corporate as Linux gets and they have facilities for signed kernels and some of the things required to appease secure boot (which is as much about making other OS's difficult to try and install as it is about 'security' in any real sense..)

MX Linux despite it's popularity and growth is not at a point where it has the kind of manpower and full time developers to provide a secure boot ready product although signed kernels are making their way in through Debian. AV Linux is an arms-length entity from even MX Linux and on top of that uses specialized Liquorix kernels which are not signed and secure boot ready so if you insist on Secure boot better stay where you are because AV Linux is likely never going to feature secure boot and certainly not in the near future..

It's kind of like comparing a Wal-Mart to a Mom and Pop candy store.. I'm not saying this in a pissy way, simply spelling out the vast difference between an entity like Ubuntu and a sole-proprietorship like AV Linux. In the guitar amplifier world Ubuntu is Fender or Marshall and AV Linux is a Dumble...

[RyanH]

Hi!

Some perspective...

Ubuntu is probably about as big and corporate as Linux gets and they have facilities for signed kernels and some of the things required to appease secure boot (which is as much about making other OS's difficult to try and install as it is about 'security' in any real sense..)

MX Linux despite it's popularity and growth is not at a point where it has the kind of manpower and full time developers to provide a secure boot ready product although signed kernels are making their way in through Debian. AV Linux is an arms-length entity from even MX Linux and on top of that uses specialized Liquorix kernels which are not signed and secure boot ready so if you insist on Secure boot better stay where you are because AV Linux is likely never going to feature secure boot and certainly not in the near future..

It's kind of like comparing a Wal-Mart to a Mom and Pop candy store.. I'm not saying this in a pissy way, simply spelling out the vast difference between an entity like Ubuntu and a sole-proprietorship like AV Linux. In the guitar amplifier world Ubuntu is Fender or Marshall and AV Linux is a Dumble...

Thanks for the perspective. I totally get that MX Linux/AV Linux is a different situation to Ubuntu and its derivatives. This is the first time I've stepped outside of the Kubuntu/Ubuntu Studio and KX Studio worlds, so all I know is that there's stuff I don't know. For the record, I'm totally in awe of the people that make/made Linux what it is today, whether it's Ubuntu or one of the more boutique distros.

Mainly I'm just wondering if this GPG key that's included on the AV Linux home page is something I'm supposed to somehow add to my bios or somewhere in the installation process to make it work with Secure Boot. If not, and AV Linux just isn't compatible with Secure Boot, it's not a problem. I'll just put it off until I'm in more of a frame of mind to tinker with my setup or get rid of Windows entirely (I'm so close! I only use it for one piece of software, on a less-than-monthly basis).

Thanks again.

[GMaq]

Hi,

Oops sorry I didn't answer that part of the question..

The GPG key on the website has nothing to do with booting. When you download the ISO file you are provided with MD5 SHA256 and a GPG signature file to verify that the download is safe and hasn't been tampered with. In order to verify the GPG signature you need to import or download my public GPG key and that's why it is there..

Not everyone does this, many people are content with merely matching MD5 and/or SHA256 but the GPG signature is provided as an extra security layer for those who want the peace of mind..

[RyanH]

Oh, okay. Sweet, thanks for the info!

As an aside to this (now that I know you're behind AV Linux), I have to say your manual for this MX Edition is a beautiful thing. Possibly one of the nicest manuals I've seen for anything Linux-related. Nice to look at, comprehensive, and easy to understand. I look forward to trying out the distro... and also your recommended partitioning strategy.

Cheers.

[Gps]

Can't you turn off secure boot in the bios ?

I seriously doubt it less safe for most or all home users.

[wjl]

Probably not directly related to this, but when buying/considering new hardware, beware... just wrote about it... see https://wolfgang.lonien.de/2022/07/try-before-you-buy/

[RyanH]

Can't you turn off secure boot in the bios ?

I seriously doubt it less safe for most or all home users.

Hi Gps. At the time I was posting, all I knew about Secure Boot was that it existed. It didn't cause any issues when I got the laptop and installed Kubuntu, so I didn't bother to look into it any further. So I wasn't just concerned about the safety aspect of turning it off; I also wasn't sure if my bios would let me do so or if that would have any effect on my existing Kubuntu or Windows.

I have since figured out how to turn it off and it doesn't seem to affect anything, so I'm good to go!

Cheers.

[RyanH]

Probably not directly related to this, but when buying/considering new hardware, beware... just wrote about it... see https://wolfgang.lonien.de/2022/07/try-before-you-buy/

Yes, I read the Reg (and now your) article about the Lenovo thing. Seems like they're saying MS made them do it, but someone from Dell is suggesting otherwise. Let's hope that this doesn't become the new normal, or that the Linux community can exert enough pressure to stop it. I can't really afford one of the Linux-only laptops that are currently available, and probably most of them aren't certified for use here in Canada anyhow. And I'm not really interested in figuring out how to build my own laptop - I spend all my time making music!

I will definitely make sure to do my research next time I'm in the market for a new computer.

Cheers.

[bluzee]

Secure boot seems like a rather silly thing. When someone has physical access to your device secure boot can't stop them. Encrypting your drive will slow them down some what.

[sunrat]

Secure boot seems like a rather silly thing. When someone has physical access to your device secure boot can't stop them. Encrypting your drive will slow them down some what.

Agreed Secure Boot is fairly useless for its intended purpose (unless its prime purpose is to make Linux life harder ).
Encrypting your drive on an audio production system will slow it down though so is anti-productive.

[Gps]

Can't you turn off secure boot in the bios ?

I seriously doubt it less safe for most or all home users.

Hi Gps. At the time I was posting, all I knew about Secure Boot was that it existed. It didn't cause any issues when I got the laptop and installed Kubuntu, so I didn't bother to look into it any further. So I wasn't just concerned about the safety aspect of turning it off; I also wasn't sure if my bios would let me do so or if that would have any effect on my existing Kubuntu or Windows.

I have since figured out how to turn it off and it doesn't seem to affect anything, so I'm good to go!

Cheers.

I had a lot of issues to have windows 10 installed with secureboot. Yes your reading that right, I had issues with windows, not my main OS openSUSE.
This even ended with installing windows with secure boot, then after install turning it off in the bios.
With secure boot on, I get during boot up a distorted screen.

For trouble like this I always go to a dutch forum called Tweakers. Something like tom' s hardware.
They suggested to turn off secure boot, to get rid of that distorted screen.

Nobody how ever had any clue on why this was happening. Registering to a forum of the motherboard manufacturer did not help either.

Thank you MS

[raboof]

Secure Boot is kinda neat for a somewhat-narrow set of use cases. As long as you (with physical access, and auditably) can turn it off or replace the set of trusted keys (so you can only boot stuff *you* signed), I have no problems with it.

However, Microsoft is currently pressuring vendors into disabling the option to specify your own trusted keys (https://mjg59.dreamwidth.org/60248.html). This is anti-competitive evil, and I really hope it will be shot down both legally and practically.

[RyanH]

Yeah, I hope so too. Seems like when it comes to tech, there's a lot of evil afoot.

It's funny, I only use one MS product (Windows), for about ten minutes per month (and that only to access an Apple product, iTunes), yet I spend a lot of time thinking about the company - and not the least bit favorably. I will thank them for one thing, though: my discovery of Linux. I had zero interest in checking out another operating system until all that initial Win 10 stuff threw me into a panic and I started looking for a way to regain control of my computer and my privacy. Now I'm in computer - and music production - heaven!