
使用启用安全启动的 Ubuntu/PartedMagic 编辑 grub 菜单

我有一台 DELL Latitude 5491 笔记本电脑,预装了 Windows 10,启用了安全启动和 EFI 模式。购买后,我在 Windows 旁边安装了 Ubuntu 20.04 作为双引导,并且仍然启用安全引导/EFI。分区 2、3 和 5 用于 Windows 系统,分区 1 和 4 用于 Ubuntu 系统。分区 6 上存储了 Clonezilla Live CD 的 ISO,用于备份。到目前为止一切进展顺利。在下一步中,我将 Parted Magic live CD 解压后的 ISO 内容存储在分区 7 上并编辑了 grub 菜单,但是从 grub 菜单启动 Parted Magic 会出现错误:bzImage 签名无效……然而,当我直接从 EFI(临时启动菜单或 EFI 设置)启动 Parted Magic 时,系统正常启动。问题可能出在哪里?当前布局如下:

分区布局:

Device         Start        End   Sectors   Size Type
/dev/sda1       2048    1394687   1392640   680M EFI System
/dev/sda2    1394688    1656831    262144   128M Microsoft reserved
/dev/sda3    1656832  507570175 505913344 241,2G Microsoft basic data
/dev/sda4  507570176  983883775 476313600 227,1G Linux filesystem
/dev/sda5  983883776  985911295   2027520   990M Windows recovery environment
/dev/sda6  985911296  987500543   1589248   776M Linux filesystem
/dev/sda7  987500544 1000214527  12713984   6,1G Microsoft basic data

编辑40_custom文件:

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
# (The 'exec tail -n +3' line prints this file from its third line on, so
# everything below is copied verbatim into the generated grub.cfg: it is GRUB
# script, not shell.)

menuentry "clonezilla" {
    # Attach the ISO stored on the 6th GPT partition as a loop device and boot
    # the live kernel and initrd from inside it.
    set isofile="/clonezilla-live-20210127-groovy-amd64.iso"
    loopback loop (hd0,gpt6)$isofile
    linuxefi (loop)/live/vmlinuz boot=live components config findiso=$isofile ip=frommedia toram=filesystem.squashfs union=overlay username=user
    initrdefi (loop)/live/initrd.img
}
menuentry "partedmagic" {
 # NOTE(review): 'configfile' only reads Parted Magic's grub.cfg into the
 # already-running (Ubuntu) GRUB. The kernel that file then loads is still
 # checked against the certificates Ubuntu's shim trusts, which is consistent
 # with the "bzImage signature invalid" error reported in the question.
 # 'insmod chain' is not needed by configfile itself.
 insmod chain
 set root=(hd0,gpt7)
 configfile /boot/grub/grub.cfg
}

grub.cfg 文件:

set default="0"
set timeout="20"
set hidden_timeout_quiet=false
set gfxmode=auto
# Load the EFI video drivers and draw the menu on the graphical terminal.
insmod efi_gop
insmod efi_uga
insmod gfxterm
terminal_output gfxterm
set color_normal=white/black
set color_highlight=black/white
loadfont /boot/grub/unicode.pf2
background_image /boot/grub/pmagic.png

# Kernel command-line fragments shared by most entries below.
set default_settings="edd=on vga=normal mem=32G"
set live_settings="boot=live eject=no"
# Kernel path, relative to whichever device the entries' 'search' selects.
set linux="/pmagic/bzImage"
# Three initramfs images; the entries pass all of them to 'initrd'.
set initrd_img="/pmagic/initrd.img /pmagic/fu.img /pmagic/m.img"
# Overrides the default="0" above: index 2 is "1. Default settings"
# (index 0 is the title pseudo-entry, index 1 the blank spacer).
set default=2
set message="Loading kernel and initramfs. Please wait..."

# Title and blank spacer pseudo-entries; selecting one only runs 'set'
# (no kernel is loaded).
menuentry "Parted Magic UEFI Boot Menu"{
    set
}
menuentry ' '{
    set
}
menuentry "1. Default settings (Runs from RAM 4GB+)"{
    echo $message
    # Root becomes the first device on which /pmagic/bzImage is found,
    # rather than a fixed partition.
    search --set -f $linux
    # NOTE(review): plain 'linux', not 'linuxefi'. When this file is read by
    # Ubuntu's GRUB through 'configfile', the question reports this step
    # failing with an invalid-signature error.
    linux $linux $default_settings
    initrd $initrd_img
}
menuentry "1a. Default settings with 4K Monitor"{
    echo $message
    search --set -f $linux
    linux $linux $default_settings m4k=yes
    initrd $initrd_img
}
menuentry "1b. Default settings + language menu"{
    echo $message
    search --set -f $linux
    linux $linux $default_settings lang=yes
    initrd $initrd_img
}
menuentry ' '{
     true
}
# "Live" entries append $live_settings (boot=live eject=no) to the command line.
menuentry "2. Live with default settings (2GB+ RAM)"{
    echo $message
    search --set -f $linux
    linux $linux $default_settings $live_settings
    initrd $initrd_img
}
menuentry "2a. Live with default settings + language menu"{
    echo $message
    search --set -f $linux
    linux $linux $default_settings $live_settings lang=yes
    initrd $initrd_img
}
menuentry ' '{
     true
}
menuentry "3. Black/Blank Screen workaround"{
    echo $message
    search --set -f $linux
    linux $linux $default_settings nomodeset
    initrd $initrd_img
}
menuentry "4. No official NVIDIA driver - Use Nouveau NVIDIA driver instead."{
        echo $message
        search --set -f $linux
        linux $linux $default_settings modprobe="nouveau"
        initrd $initrd_img
}
menuentry "5. *** Hyper-V ***"{
    echo $message
    search --set -f $linux
    linux $linux $default_settings fbdev=yes
    initrd $initrd_img
}
# The next two entries execute separate EFI binaries instead of the kernel.
# NOTE(review): under Secure Boot each chainloaded binary is presumably
# signature-checked on its own before it runs -- confirm.
menuentry "6. Memtest86+" {
    chainloader /boot/memtest/BOOTX64.EFI
}
menuentry "7. EFI Shell" {
    insmod fat
    insmod chain
    # Switch back to the text console before handing over to the shell.
    terminal_output console
    chainloader /boot/edk2/Shell.efi
}
menuentry ' '{
     true
}
submenu "Extras Menu"{
    # Same values as the top-level variables, re-declared here (presumably
    # so they are visible inside the submenu).
    set default_settings="edd=on vga=normal mem=32G"
    set live_settings="boot=live eject=no"
    set linux="/pmagic/bzImage"
    set initrd_img="/pmagic/initrd.img /pmagic/fu.img /pmagic/m.img"
    set message="Loading kernel and initramfs. Please wait..."
    # Runs a separate EFI binary rather than the Parted Magic kernel.
    menuentry "1. Super Grub2 Disk EFI" {
        chainloader /boot/supergrub2disk/super_grub2_disk_standalone_x86_64_efi_2.04s1.EFI
    }   
    menuentry "2. Clonezilla"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings clonezilla=yes
        initrd $initrd_img
    }
    # Boots straight into the disk-wiping tool (see the cheat-code list).
    menuentry "3. Nwipe"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings nwipe=yes
        initrd $initrd_img
    }
    menuentry "4. Load iSCSI Kernel Modules"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings iscsi=yes
        initrd $initrd_img
    }
    menuentry "5. Load config for xf86-video-qxl module"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings qxl=yes
        initrd $initrd_img
    }
}
# NOTE(review): this closing brace has no matching opening brace -- the
# submenu was already closed on the line above. Probably a copy/paste
# artifact in the listing; confirm against the file on the partition.
}
# Troubleshooting variants of entry 1: each adds one kernel parameter (or,
# for entry 12, a few raw I/O-port writes) to the default command line.
submenu "Failsafe Menu"{
    # Same values as the top-level variables, re-declared for the submenu.
    set default_settings="edd=on vga=normal mem=32G"
    set live_settings="boot=live eject=no"
    set linux="/pmagic/bzImage"
    set initrd_img="/pmagic/initrd.img /pmagic/fu.img /pmagic/m.img"
    set message="Loading kernel and initramfs. Please wait..."
    menuentry "1. No ACPI (Advanced Configuration and Power Interface)"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings acpi=off
        initrd $initrd_img
    }
    menuentry "2. Do not eject CD"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings eject=no
        initrd $initrd_img
    }
    menuentry "3. Emulator compatibility"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings $live_settings noreplace-paravirt
        initrd $initrd_img
    }
    menuentry "4. Console (boots to the shell)"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings consoleboot=yes
        initrd $initrd_img
    }
    menuentry "5. Initrd.img (boot to initrd.img shell)"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings initrd_shell=yes
        initrd $initrd_img
    }
    menuentry "6. Radeon no modeset"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings blacklist=radeon
        initrd $initrd_img
    }
    menuentry "7. No / force CPU Frequency Scaling"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings cpufreq=no
        initrd $initrd_img
    }
    menuentry "8. Force vesa workaround"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings xconfig=forcevesa
        initrd $initrd_img
    }
    menuentry "9. Force refresh rate"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings xconfig=forcerefresh nomodeset
        initrd $initrd_img
    }
    menuentry "10. Disable accelerated 3D graphics (DRI)"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings nodri=yes
        initrd $initrd_img
    }
    menuentry "11. Missing Mouse Pointer"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings xmouse=yes
        initrd $initrd_img
    }
    menuentry "12. Macbook Pro 8,x Dual Graphics Workaround"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings
        # Hardware-specific port writes between loading the kernel and the
        # initrd; the inline comments give the intent of each.
        outb 0x728 1 # Switch select
        outb 0x710 2 # Switch display
        outb 0x740 2 # Switch DDC
        outb 0x750 0 # Power down discrete graphics
        initrd $initrd_img
    }
    menuentry "13. Libata noncq - Drive will not unlock"{
        echo $message
        search --set -f $linux
        linux $linux $default_settings libata.force=1.0:noncq
        initrd $initrd_img
    }
    menuentry "14. No IPV6 - Stop Network Manager from disconnecting."{
        echo $message
        search --set -f $linux
        linux $linux $default_settings blacklist=ipv6
        initrd $initrd_img
    }
}
menuentry ' '{
     true
}
# Documentation-only submenu: every entry is a line of help text whose body
# just runs 'set'; nothing here boots anything. The kernel parameters listed
# are the ones the entries above pass on the 'linux' line.
submenu "List of Cheat Codes"{
menuentry "directory=        Directory containing the pmagic folder"{set}
menuentry "iso_filename=     [path to/]iso filename"{set}
menuentry "root=             SQFS boot device by partition id"{set}
menuentry "label=            SQFS boot device by label"{set}
menuentry "uuid=             SQFS boot device by [partial] uuid"{set}
menuentry "blacklist=        Do not load kernel modules, e.g. blacklist=kmod1:kmod2:kmod3"{set}
menuentry "ahci=no           Do not load the ahci kernel module"{set}
menuentry "modprobe=         Load kernel modules, e.g. modprobe=kmod4:kmod5:kmod6"{set}
menuentry "consoleboot=yes   Do not start X-windows"{set}
menuentry "eject=no          Do not eject CD"{set}
menuentry "gpm=no            Disable the console mouse server"{set}
menuentry "pmodules=no       Do not install pmagic/pmodules"{set}
menuentry "slapt=no          Do not install /home/partedmagic/slapt-get/ packages"{set}
menuentry "scripts=no        Do not execute pmagic/pmodules/scripts"{set}
menuentry "sound=no          Do not let ALSA set volume levels (mute)"{set}
menuentry "numlock=on        Set numlock to on at boot"{set}
menuentry "conky=no          Do not auto-start conky"{set}
menuentry "zfs=no            Do not start zfs services"{set}
menuentry "hostname=         Set hostname to XXXXXX[.YYYYYY.ZZZ]"{set}
menuentry "timeconfig=<timezone>|no  Set timezone | do not start timeconfig at boot"{set}
menuentry "clockfmt=<format> clockfmt=%R (24-hours), clockfmt=%l:%M%P (am/pm)"{set}
menuentry "mdadm=no          Do not assemble raid filesystems"{set}
menuentry "lvm=no            Do not start the device mapper"{set}
menuentry "sshd=no           Do not start SSH daemon"{set}
menuentry "bluetooth=no      Do not start the bluetooth daemon"{set}
menuentry "consolekit=no     Do not start the consolekit daemon"{set}
menuentry "dmeventd=no       Do not start the device mapper event daemon"{set}
menuentry "dbus=no           Do not start the Dbus daemon"{set}
menuentry "smart=no          Do not start the smartmontools daemon"{set}
menuentry "fstabdaemon=no    Do not start the Parted Magic /etc/fstab daemon"{set}
menuentry "nfs=no            Do not start the NFS daemon"{set}
menuentry "acpid=no          Do not start the acpi daemon"{set}
menuentry "cups=no           Do not start the CUPS server"{set}
menuentry "netw=no           Do not start the network at boot"{set}
menuentry "samba=yes         Start the samba daemons"{set}
menuentry "rdate=yes         Sync time with rdate at boot"{set}
menuentry "monday=1          Monday as first day of the week"{set}
menuentry "ntpd=yes          Start the ntpd daemon"{set}
menuentry "cpufreq=no/yes/<gov>  No (laptop), force (desktop) CPU freq scaling governor"{set}
menuentry "powermanager=no/yes   No (laptop), force (desktop) power manager"{set}
menuentry "iscsi=yes         Start iscsi initiator"{set}
menuentry "xconfig=XXXXXX|no Use /etc/X11/xorg.conf.XXXXXX | Undo"{set}
menuentry "nodri=yes         No DRI"{set}
menuentry "qxl=yes           X to start with QXL device"{set}
menuentry "xmouse=yes        Try this if your X does not show a mouse cursor"{set}
menuentry "clonezilla=yes    Boot into clonezilla"{set}
menuentry "nwipe=yes         Boot into nwipe"{set}
# NOTE(review): the unescaped inner double quotes on this line and on the
# 'removableonly' line below end the title string early; confirm GRUB parses
# them as intended, or escape them as \".
menuentry "cmd=              Boot into <command>, e.g. cmd="nwipe --method dod""{set}
menuentry "device_list=yes   Show devices/partitions being scanned for the SQFS"{set}
menuentry "removableonly=yes Only scan devices/partitions with "removable" attribute"{set}
menuentry "testing=yes       Wait at boot completion, use <Shift+Page Up|Down> to scroll"{set}
menuentry "                  Press <Enter> to continue"{set}
menuentry ""{set}
menuentry "Keyboard maps:"{set}
menuentry "azerty be-latin1 fr-latin1 fr-latin9 fr-pc fr wangbe wangbe2 ANSI-dvorak"{set}
menuentry "dvorak-l dvorak-r dvorak tr_f-latin5 trf bg-cp1251 bg-cp855 bg_bds-cp1251"{set}
menuentry "bg_bds-utf8 bg_pho-cp1251 bg_pho-utf8 br-abnt br-abnt2 br-latin1-abnt2"{set}
menuentry "br-latin1-us by cf cz-cp1250 cz-lat2-prog cz-lat2 cz defkeymap"{set}
menuentry "defkeymap_V1.0 dk-latin1 dk emacs emacs2 es-cp850 es et-nodeadkeys et"{set}
menuentry "fi-latin1 fi-latin9 fi gr-pc gr hu101 hypermap.m4 il-heb il-phonetic il"{set}
menuentry "is-latin1-us is-latin1 it-ibm it it2 jp106 la-latin1 lt.baltic lt.l4 lt"{set}
menuentry "mk-cp1251 mk-utf mk mk0 nl nl2 no-latin1.doc no-latin1 no pc110 pl pl2"{set}
menuentry "pt-latin1 pt-latin9 ro_win ru-cp1251 ru-ms ru-yawerty ru ru1 ru2 ru3 ru4"{set}
menuentry "ru_win se-fi-ir209 se-fi-lat6 se-ir209 se-lat6 sk-prog-qwerty sk-qwerty"{set}
menuentry "speakup-jfw speakup-jfw.readme speakupmap sr-cy sv-latin1 tr_q-latin5 tralt"{set}
menuentry "trq ua-utf-ws ua-utf ua-ws ua uk us-acentos us croat cz-us-qwertz"{set}
menuentry "de-latin1-nodeadkeys de-latin1 de de_CH-latin1 fr_CH-latin1 fr_CH hu"{set}
menuentry "sg-latin1-lk450 sg-latin1 sg sk-prog-qwertz sk-qwertz slovene"{set}
menuentry "Example:"{set}
menuentry "At the boot menu press <TAB> and then change 'keymap=us' to 'keymap=fr-latin1'"{set}
menuentry ""{set}
menuentry "VGA modes:"{set}
menuentry "Normal VGA console: vga=normal"{set}
menuentry "VESA framebuffer console @ 1024x768x64k: vga=791"{set}
menuentry "VESA framebuffer console @ 1024x768x32k: vga=790"{set}
menuentry "VESA framebuffer console @ 1024x768x256: vga=773"{set}
menuentry "VESA framebuffer console @ 800x600x64k:  vga=788"{set}
menuentry "VESA framebuffer console @ 800x600x32k:  vga=787"{set}
menuentry "VESA framebuffer console @ 800x600x256:  vga=771"{set}
menuentry "VESA framebuffer console @ 640x480x64k:  vga=785"{set}
menuentry "VESA framebuffer console @ 640x480x32k:  vga=784"{set}
menuentry "VESA framebuffer console @ 640x480x256:  vga=769"{set}
}

然而,EFI 设置中分区 7 的“引导加载程序”的路径是:

\EFI\boot\bootx64.efi

当我使用此路径编辑 40_custom 文件而不是使用 grub.cfg 文件时,它以错误结束。

谢谢您的回答。 P。

编辑:

选项1: 我对 40_custom 文件使用了以下编辑

menuentry "partedmagic" {
 insmod chain
 set root=(hd0,gpt7)
 # NOTE(review): 'configfile' expects a GRUB script, but this path names an
 # EFI binary; that mismatch is consistent with the error reported for this
 # attempt. 'chainloader' is the command that executes an EFI binary.
 configfile /boot/EFI/bootx64.efi
}

而当我尝试将此文件改为如下内容时:

menuentry "partedmagic" {
insmod chain
set root=(hd0,gpt7)
# NOTE(review): this path (/boot/EFI/bootx64.efi) differs from the loader
# path the firmware reports for partition 7, \EFI\boot\bootx64.efi, i.e.
# /EFI/boot/bootx64.efi relative to the partition root -- confirm which
# file actually exists at that location.
chainloader /boot/EFI/bootx64.efi
}

我收到一条错误消息:

引导加载程序未验证已加载的映像……系统已受到损害。停机。

选项2: Parted Magic 的 bzImage 的签名过程已成功完成,但当我尝试启动它时,仍然出现错误。

...签名无效,您需要先加载内核。

答案1

Clonezilla 的内核来自 Ubuntu,因此它是使用 Canonical(维护 Ubuntu 发行版的公司)的 Secure Boot 私钥进行签名的。

如果您的引导过程包含来自 Ubuntu 的 shimx64.efi,它会(非持久地)将 Canonical 的证书添加到固件的安全引导白名单中,这样您就能够引导 Ubuntu 和 Clonezilla。

一些硬件供应商可能还将 Canonical 的安全启动证书包含在固件白名单中,因此这些供应商的系统在启动 Ubuntu 或 Clonezilla 时将能够省略 shim。

显然 Parted Magic live CD 包含其自己的 shimx64.efi 版本,其中带有另一个安全启动证书。当该版本的 shim 包含在引导过程中时,您将能够在启用安全引导的情况下引导 Parted Magic。

据我所知,您的选择是:

选项1

您可以尝试 chainload Parted Magic 介质上的 shim,而不是通过 GRUB 的 configfile 指令用 Ubuntu 的 GRUB 加载 Parted Magic 的配置。

menuentry "partedmagic" {
    insmod chain
    set root=(hd0,gpt7)
    # Hand control to the loader on partition 7 (the path the firmware itself
    # uses for it), so Parted Magic's own shim -- and the certificate it
    # carries -- is what verifies the Parted Magic kernel, instead of
    # Ubuntu's shim. NOTE(review): the chainloaded binary is presumably
    # signature-checked before it runs; confirm it is the Parted Magic shim.
    chainloader /EFI/boot/bootx64.efi
}

听起来你可能已经尝试过类似的事情,但你是否试过和上面完全一样的写法?

选项2

如果您使用机器所有者密钥 (MOK) 设置 Ubuntu 的 shim 以启用第三方内核模块或自定义内核,则可以使用 MOK 私钥重新签署 Parted Magic 的内核,以允许 Ubuntu 的 GRUB 启动它。

假设 MOK 位于默认位置,这可以通过以下方式完成:

# Convert the Machine Owner Key certificate from DER to PEM, the form the
# signing tools below take for the certificate.
openssl x509 -in /var/lib/shim-signed/mok/MOK.der -inform DER -out /var/lib/shim-signed/mok/MOK.pem
# Keep the unsigned original; the signed copy is written back under the
# original name so grub.cfg's /pmagic/bzImage path still applies.
mv <mountpoint of sda7>/pmagic/bzImage <mountpoint of sda7>/pmagic/bzImage.orig

然后运行以下两个命令之一:

# Sign the kernel's PE/COFF image with the MOK. Anything signed with
# MOK.priv is accepted by this machine's shim, so keep that key readable by
# root only and sign only kernels whose origin you have checked.
sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem \
    --output <mountpoint of sda7>/pmagic/bzImage \
    <mountpoint of sda7>/pmagic/bzImage.orig

或者

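# Equivalent signing step with osslsigncode: -in is the unsigned kernel and
# -out the signed image, written back under the original name. As with
# sbsign, MOK.priv must stay private -- its signature is what this machine's
# shim trusts.
osslsigncode -certs /var/lib/shim-signed/mok/MOK.pem -key /var/lib/shim-signed/mok/MOK.priv \
    -h sha256 -in <mountpoint of sda7>/pmagic/bzImage.orig \
    -out <mountpoint of sda7>/pmagic/bzImage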

取决于您可以使用哪种 PE/COFF 二进制签名工具。

选项3

如果您的系统固件允许您操作安全启动密钥白名单 (db),您可以将 Canonical 和 Parted Magic 的安全启动证书直接添加到固件白名单中。请注意,这样固件此后会信任由这些证书签名的任何二进制文件,而不仅限于这两个发行版当前的内核。

要从现有的已签名 *.efi 二进制文件中提取安全启动证书:

# Pull the PKCS#7 signature block out of a signed EFI binary ...
osslsigncode extract-signature -pem somefile.efi certificate.pkcs7
# ... and write out the signer certificate(s) it carries as PEM, with a text
# dump so issuer and subject can be checked before the certificate is
# enrolled in the firmware.
openssl pkcs7 -inform pem -print_certs -text -in certificate.pkcs7 >certificate.pem

要将证书添加到固件白名单,您可以使用 keytool.efi 或 BIOS 设置菜单(如果它们包含必要的功能)。如果我没记错的话,keytool.efi 接受 PEM 格式的证书,但固件更可能需要将证书转换为 DER 格式,或者转换为未签名或已签名形式的 EFI 签名列表文件(通常分别为 *.esl 和 *.auth)。

选项0

...或者如果您的系统固件允许您禁用安全启动,您当然可以这样做。

清除安全启动主密钥 (PK) 将安全启动切换到设置模式,这将允许启动任何操作系统,因此它基本上相当于禁用安全启动。
