#349 Can't boot on UEFI with secure boot because...

Status: closed-invalid
Milestone: None
Priority: 5
Updated: 2020-09-30
Created: 2020-09-28
Private: No

Hi all creators of this wonderful cloning tool, and thank you for your continuing work.


Now I have two little, or sort of big, problems on UEFI hardware with Secure Boot on.


The first is that none of them recognize Clonezilla on USB.
That can be solved by unpacking the .zip on a FAT32 partition and running makeboot.sh.

This happens because these two devices only recognise ".efi" files on FAT32 partitions.

For that I propose making an image with a FAT32 partition with the appropriate .efi files on it.
So using something like Balena Etcher just works out of the box when plugging it in.


Now the next one is a lot harder.

The UEFI on both systems complains that images such as grubx64.efi can't be verified and are a security violation.

And I was sort of wondering if you are using the correctly signed grub2 from the Ubuntu repo called

grub-efi-amd64-signed

for the image?

If not, can it be added?

I'm up for testing if that should be a possibility.


Now I have flashed, reflashed and transferred at least 10 times with tools like Balena Etcher and Rufus (both MBR and GPT partition scheme), and transferred the files myself to a FAT32 partition.

And every time I end up getting told that e.g. grubx64.efi can't be verified and is a security violation.

Hope you can have a look at these two bugs.

Best Regards,
Darkyere

Discussion

  • Mark Petersen - 2020-09-28

    Btw, if I disable Secure Boot or go for legacy support (CSM),
    the UEFI doesn't allow access to the internal drive, so that doesn't work either.
  • Steven Shiau - 2020-09-29

    Surely, the grub we use in Clonezilla live is from the signed package of Debian or Ubuntu.
    The machines we have here can successfully boot Clonezilla live, either the 2.6.7-28 or the 20200702-focal amd64 version, when secure boot mode is enabled.
    Have you tried on different types of hardware?

    Steven

     
  • Steven Shiau - 2020-09-29
    • status: open --> open-works-for-me
    • assigned_to: Steven Shiau
     
  • Mark Petersen - 2020-09-29

    I have only tried on my HP Pavilion Sleekbook 15 and Acer TC-115.

    Both of them won't even see the USB if the .efi is not on a FAT32 partition.
    So there I still believe that it would be useful to have the EFI folder on a separate FAT32 partition.

    About the other bug: if Grub2 is the signed version, I have no clue why they fail Secure Boot verification. I must be out of luck somehow :/

  • Steven Shiau - 2020-09-29

    "So there I still believe that it would be useful to have the EFI folder on a separate FAT32 partition." -> Basically yes. The ESP must be on a FAT partition:
    https://en.wikipedia.org/wiki/EFI_system_partition

    Steven

     
  • Mark Petersen - 2020-09-29

    Is it something that can be done?
    I really don't mind testing a Clonezilla version if it could make it easier in the future for others to boot from USB.

  • Steven Shiau - 2020-09-29

    Which one did you mean?
    If it's the secure boot one, you can give the testing Clonezilla live 2.6.8-12 or 20200922-* amd64 a try:
    https://clonezilla.org/downloads.php
    In addition, please also give it a try on a different type of machine, and also put Clonezilla live on a different USB flash drive. That would make it easier to isolate the issue.

    Steven

     
  • Mark Petersen - 2020-09-29

    I just meant the .efi on a FAT32 partition.
    It would make it simpler if one could just flash with e.g. Balena Etcher or similar and UEFI worked out of the box.

    The verification failure must be on my end, since it is the signed grub from Ubuntu/Debian.
    I am going to attempt to update the BIOS and see if it makes a difference.
    Unfortunately that means wiping my Ubuntu 20.04 (because it's on ZFS) and installing Windows, but I don't seem to have a lot of options.

  • Steven Shiau - 2020-09-29

    Since you mentioned secure boot, it means you want to boot a uEFI machine; there is no need to run makeboot.sh.
    Just unzip the Clonezilla live amd64 zip onto a FAT32 partition of the USB flash drive. Then it will work.
    The boot loader in the MBR is for legacy BIOS, not for uEFI.
    You can actually forget about those flash tools in your case.
    We won't release an image of Clonezilla live containing a file system. We believe the zip or iso format is more universal. Especially, unzipping the zip file to a USB flash drive won't overwrite the existing files on the flash drive.

    Steven

     
  • Mark Petersen - 2020-09-29

    Okay, I seem to have found a solution.

    My Acer TC-115 wouldn't register the USB on FAT32 at all.
    My HP Pavilion Touchsmart 15 couldn't register the USB either, but I could manually browse to the file within the UEFI boot menu, just to end up with "Verification failed".

    In these attempts I tried transferring both the stable and the testing version to a FAT32 partition. And it didn't work even if I tried with other USB keys.
    Either they weren't seen, or they had a signature failure if I finally got in.

    Clonezilla 2.6.7-28 = clonezilla-live-20200703-focal-amd64
    Clonezilla 2.6.8-12 = clonezilla-live-20200922-focal-amd64

    So what I did to fix it on my "troublesome" devices was a bit complicated and took some trial and error.

    To start with, on my devices I have learned that they only want to boot from
    GPT partitioned drives
    with a FAT32 partition,
    but it also has to be registered/flagged as an EFI partition.

    This required some W10 command line love.

    My final result after a lot of trial and error looked like this.

    # I opened up PowerShell as admin and started diskpart
    diskpart

    # Inside the diskpart prompt:
    list disk
    select disk X
    # Where X is my USB key
    clean
    convert gpt
    create partition primary
    format fs=fat32 quick
    assign
    set id=c12a7328-f81f-11d2-ba4b-00a0c93ec93b override
    # This command sets the EFI flag on the partition (partition type = EFI System Partition)

    Now I transferred the stable version clonezilla-live-20200703-focal-amd64.zip to the same partition scheme (GPT -> FAT32 -> registered as EFI).
    And this time both my machines recognized the USB keys right away.
    But verification failed on both ends.

    Then I transferred clonezilla-live-20200922-focal-amd64.zip to the same partition scheme (GPT -> FAT32 -> registered as EFI).
    Again the USB keys were seen right away, and this time there was no verification fail; I was in :D


    So my computers seem to be some real troublemakers.

    To actually make it work I had to follow the rules of these particular devices.

    That is:
    GPT partition scheme (for it to even show up in the boot menu)
    FAT32 (to make it find the .efi files)
    and register it as an EFI partition (to prevent "Invalid Signature")
    Then transfer the .zip file to the device.

    Thank you for your time.
    Hopefully this will help others in the future.

    Best Regards,
    Darkyere

     

    Last edit: Mark Petersen 2020-09-29
  • Steven Shiau - 2020-09-29
    • status: open-works-for-me --> closed-invalid
     
  • Steven Shiau - 2020-09-29

    Great. Thanks for sharing your experience.
    Since the issue is in the hardware/firmware, not in Clonezilla live, I am closing this bug and setting its status to invalid.

    Steven

     
  • Mark Petersen - 2020-09-29

    Well, I wouldn't say it's because of a hardware/firmware issue, since it's consistent on both an Acer and an HP, two independent manufacturers.

    It may be how some UEFIs work, and that is why Clonezilla can't boot: because it's not partitioned correctly for some UEFI.

    While searching on this issue on the net before posting the bug here: there are a lot of people who can't make Clonezilla work either without disabling secure boot, which isn't an option for all UEFI hardware out there (mine included).

    I was kind of hoping, since I found a solution that works on both an Acer and an HP,

    that a how-to would be written on live-usb to try these steps if all else fails.

    Basically these steps can be done on Linux as well, using something like gdisk to make GPT and set the EFI flag, then format FAT32 and transfer the unzipped files.
    So that UEFI/hardware/firmware that requires this can actually boot from a USB.

     

    Last edit: Mark Petersen 2020-09-29
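Mark's fix comes down to three properties of the stick (GPT table, FAT32 file system, and the partition type set to the EFI System Partition GUID), and his later comment says the same can be done on Linux with gdisk. The following is an added example, not code from this thread or from the Clonezilla project: it parses the GPT header at LBA 1 of a raw disk image and reports whether any partition carries the ESP type GUID c12a7328-f81f-11d2-ba4b-00a0c93ec93b that diskpart's `set id=...` writes, so a prepared stick can be checked before trying it on a picky firmware. The sample images are constructed inline; on a real device the first 34 sectors read from it would be passed as `image`.

```python
import struct
import uuid

SECTOR = 512
# EFI System Partition type GUID: the value diskpart's "set id=..." writes
ESP_TYPE_GUID = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")
# Microsoft basic data GUID: what a plain "create partition primary" leaves behind
BASIC_DATA_GUID = uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7")


def gpt_partition_types(image: bytes):
    """Return the type GUIDs of all used GPT entries, or None if LBA 1 holds no GPT header."""
    header = image[SECTOR:2 * SECTOR]
    if header[:8] != b"EFI PART":
        return None  # MBR ("msdos") table or blank media: no GPT header signature
    # Header layout (UEFI spec): entries start LBA at 0x48 (u64),
    # entry count at 0x50 (u32), entry size at 0x54 (u32)
    (entries_lba,) = struct.unpack_from("<Q", header, 0x48)
    count, size = struct.unpack_from("<II", header, 0x50)
    types = []
    for i in range(count):
        off = entries_lba * SECTOR + i * size
        entry = image[off:off + size]
        if len(entry) < 16:
            break  # image truncated before this entry
        type_guid = uuid.UUID(bytes_le=entry[:16])  # GPT stores GUIDs mixed-endian
        if type_guid.int != 0:  # an all-zero type GUID marks an unused slot
            types.append(type_guid)
    return types


def has_esp(image: bytes) -> bool:
    """True when the image is GPT and at least one partition is typed as an ESP."""
    types = gpt_partition_types(image)
    return bool(types) and ESP_TYPE_GUID in types


def build_sample_image(type_guid: uuid.UUID) -> bytes:
    """Constructed sample: blank LBA 0, GPT header at LBA 1, four 128-byte entries at LBA 2 (CRCs omitted)."""
    header = bytearray(SECTOR)
    header[:8] = b"EFI PART"
    struct.pack_into("<Q", header, 0x48, 2)        # entry array starts at LBA 2
    struct.pack_into("<II", header, 0x50, 4, 128)  # 4 entries of 128 bytes each
    entry = bytearray(128)
    entry[:16] = type_guid.bytes_le
    entry[16:32] = uuid.UUID("0badc0de-0000-4000-8000-000000000001").bytes_le  # unique partition GUID
    return bytes(SECTOR) + bytes(header) + bytes(entry) + bytes(3 * 128)
```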
  • Steven Shiau - 2020-09-30

    The weird situation is that I just can not reproduce this issue on my 3 physical machines with a SanDisk 256 GB USB stick:

    1. Acer Swift 7 notebook
    2. Asus VC60
    3. Asus T10
      These 3 machines are secure-boot enabled in the BIOS, and they are all set to uEFI boot only.

    My steps:

    1. I formatted the USB stick with the FAT32 file system. The USB stick has only one partition:
      Model: SanDisk Ultra USB 3.0 (scsi)
      Disk /dev/sdc: 252GB
      Sector size (logical/physical): 512B/512B
      Partition Table: msdos
      Disk Flags:

    Number Start End Size Type File system Flags
    1 32.8kB 252GB 252GB primary fat32

    2. pumount /dev/sdc1 /media/disk
    3. unzip clonezilla-live-2.6.7-28-amd64.zip -d /media/disk
    4. sudo bash /media/disk/utils/linux/makeboot.sh /dev/sdc1
    5. pumount /dev/sdc1

    Then with this USB stick, I can successfully boot all of them without any issue. The boot menu and the language and keyboard configuration ran without any issue, and I can start to run Clonezilla to either save an image, restore an image or clone a disk.
    The above tests were done today, about 30 mins before I posted here.
    Actually I also used the same steps to put Clonezilla live on a USB flash drive and boot an HP Pavilion x360 14-dh1037TX about one month ago. It also ran smoothly.
    Therefore, your case is really weird, and you are the only one so far who has mentioned this issue.

    Steven

     
  • Mark Petersen - 2020-09-30

    I can of course understand if you can't reproduce the error, and I'm the only one having this case on my devices. There isn't much you can do about it without the means to test it yourself.

    I just hope that my experience will maybe someday help another person who finds this thread and can make use of it.

    The most important part for me in the end is of course that I found a solution that worked for my devices. So all in all I'm happy that I wrote, because it was only after I wrote that I found the reason why it didn't work on my devices.

    Just want to add again, like at the top of the post:

    I am really happy with the work done on Clonezilla.

    Just at the start of this month, I believe it was, I had to restore a machine, saving me a lot of time in reinstalling and configuring the system.

    So great work, and I'm happy you tried to help me.

    Darkyere

     
  • Steven Shiau - 2020-09-30

    Sure. Thank you very much for your feedback.

    Steven

     
