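I have a laptop running 20.04 (without secure-boot, labelled "old"). I want to move the boot disk to a new laptop that has secure boot enabled (labelled "new"). I am not looking to disable secure boot on new, as I have already installed Windows on new and it is a requirement to keep secure boot enabled.
To test whether this was possible on new, I plugged in the live media I had originally installed from (xubuntu 18.04 from 2019 on USB, used to install old) and tried booting new from it. This was completely successful.
Next, I took the boot disk out of old, plugged it into new, selected that disk as the boot medium, and entered the grub console. At this point I got the following error message: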
Loading Linux 5.4.0-70-generic ...
error: bad shim signature.
Loading initial ramdisk ...
error: you need to load the kernel first.
Press any key to continue...
I booted old and compared the kernel on the boot media with the kernel on disk:
samveen@samveen-X230:~$ sudo sbverify --list /media/temp/casper/vmlinuz
signature 1
image signature issuers:
- /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
- subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing
issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
samveen@samveen-X230:/media/temp/casper$ sudo sbverify --list /boot/vmlinuz-5.4.0-70-generic
signature 1
image signature issuers:
- /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
- subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2017)
issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
Both are signed and valid, so I checked the boot loader chain (shim and grub):
samveen@samveen-X230:~$ sudo sbverify --list /boot/efi/EFI/ubuntu/shimx64.efi
warning: data remaining[834920 vs 960472]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
samveen@samveen-X230:~$ sudo sbverify --list /boot/efi/EFI/ubuntu/grubx64.efi
signature 1
image signature issuers:
- /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
- subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2022 v1)
issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
samveen@samveen-X230:~$ sudo sbverify --list /boot/efi/EFI/ubuntu/mmx64.efi
warning: data remaining[742792 vs 860824]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
- subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2022 v1)
issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
This is all valid, and the Canonical Ltd. Master CA is able to validate everything.
What am I missing that is causing the boot failure?
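Answer 1
After further investigation, I found that the certificate used to sign the kernel I was booting (Canonical Ltd. Secure Boot Signing (2017)) is in the Secure Boot forbidden signature database (dbx).
To fix this, I had to update to the latest image-generic kernel, linux-image-5.4.0-172-generic (signed by the latest CA), instead of the outdated kernel linux-image-5.4.0-70-generic that I was using.
Replacing the image-generic kernel series with the hardware enablement kernel series linux-generic-hwe-20.04 fixed several other missing-driver issues. More details at https://wiki.ubuntu.com/Kernel/LTSEnablementStack
DKMS module signing was already set up on old (though unused), and the Machine Owner Key had been created when I first installed the OS (xubuntu 18.04 on old, in 2019). I just had to enroll my MOK into Shim following the process documented at https://wiki.ubuntu.com/UEFI/SecureBoot. Edit: I only needed this to load the upstream VirtualBox kernel modules built by DKMS; otherwise this step is not needed.
Side note: I installed Xubuntu 18.04 on old in 2019, then went through the dist-upgrade process to 20.04 in early 2021. The secure boot setup created at install time still works on new in 2024 (5 years after installation), even after the dist-upgrade to 20.04. Ubuntu has planned quite well for the future. Although I am not happy with the 22.04 structure and plan to eventually move to upstream Debian, even 20.04 with the hwe kernel series is a good option for recent laptops.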
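
The check that would have caught this earlier, as an added example (not part of the original question or answer): it reads `sbverify --list` output and flags any signing certificate whose CN is on a revocation list. The function names and the one-entry list are assumptions made for illustration; the list holds only the certificate the answer reports as being in dbx.

```shell
#!/bin/sh
# Added example: triage boot images by signer name against a revocation list.
# Firmware matches dbx entries by certificate or hash; comparing CNs is a
# convenience check only.

# Constructed list, one CN per line. The single entry is the certificate
# the answer found in dbx.
REVOKED_CNS='Canonical Ltd. Secure Boot Signing (2017)'

# stdin: `sbverify --list` output. stdout: unique signing-certificate CNs.
signer_cns() {
    sed -n 's|^[[:space:]]*-[[:space:]]*subject:.*/CN=||p' | sort -u
}

# stdin: `sbverify --list` output. Prints revoked CNs; status 0 if any found.
# -x forces a whole-line match, so "... Signing" does not match "... (2017)".
revoked_signers() {
    signer_cns | grep -Fx -e "$REVOKED_CNS"
}

# Check one image on disk. Returns 0 clean, 1 revoked signer, 2 tool failure.
check_image() {
    out=$(sbverify --list "$1" 2>/dev/null) || { echo "$1: sbverify failed"; return 2; }
    if hits=$(printf '%s\n' "$out" | revoked_signers); then
        echo "$1: REVOKED signer: $hits"; return 1
    fi
    echo "$1: ok ($(printf '%s\n' "$out" | signer_cns | paste -sd, -))"
}

# Constructed samples: subject lines copied from the sbverify output above.
OLD_KERNEL=' - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2017)'
GRUB=' - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2022 v1)'

printf '%s\n' "$OLD_KERNEL" | revoked_signers || true
printf '%s\n' "$GRUB" | revoked_signers || echo "grub: no revoked signer"

# On a real system (paths from the page), run as root:
#   for f in /boot/vmlinuz-* /boot/efi/EFI/ubuntu/*.efi; do check_image "$f"; done
```

A valid signature chain is not sufficient on its own: both kernels in the question verify against the Canonical master CA, yet only the one signed with the 2017 certificate is rejected at boot.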