{"id":6448,"date":"2017-07-11T18:56:39","date_gmt":"2017-07-11T18:56:39","guid":{"rendered":"http:\/\/blog.bachi.net\/?p=6448"},"modified":"2019-03-29T11:22:27","modified_gmt":"2019-03-29T11:22:27","slug":"hp-elitebook-850-g4-advanced-secure-boot","status":"publish","type":"post","link":"https:\/\/blog.bachi.net\/?p=6448","title":{"rendered":"HP EliteBook 850 G4 Advanced – UEFI \/ EFI \/ Secure Boot"},"content":{"rendered":"

EFI system partition<\/a><\/p>\n

EFI Installieren<\/a>
\nEFI Bootmanagement<\/a>
\nEFI Nachbearbeitung<\/a>
\nEFI Problembehebung<\/a><\/p>\n

Linux Mint Installation Guide – EFI SecureBoot<\/a><\/p>\n

wiki.ubuntu.com SecureBoot<\/a>
\nwiki.ubuntu.com DKMS<\/a><\/p>\n

\r\n$ [ -d \/sys\/firmware\/efi ] && echo UEFI || echo BIOS\r\nUEFI\r\n<\/pre>\n
\r\n$ sudo grub-install \r\nInstalling for x86_64-efi platform.\r\nInstallation finished. No error reported.\r\n<\/pre>\n
\r\n$ ls -la \/boot\/efi\r\ndrwx------ 6 root root 4096 Jun 26 10:54 EFI\r\n-rwx------ 1 root root    0 M\u00e4r 10 06:48 SYSTEM\r\ndrwx------ 2 root root 4096 M\u00e4r 10 08:51 System Volume Information\r\ndrwx------ 2 root root 4096 M\u00e4r 18 12:11 Temp\r\n\r\n$ ls -la \/boot\/efi\/EFI\r\ndrwx------ 2 root root 4096 M\u00e4r 10 06:48 Boot\r\ndrwx------ 5 root root 4096 Jun 26 10:54 HP\r\ndrwx------ 4 root root 4096 M\u00e4r 10 06:48 Microsoft\r\ndrwx------ 3 root root 4096 Jul 11 20:24 ubuntu\r\n\r\n$ ls -la \/boot\/efi\/EFI\/ubuntu\r\ndrwx------ 2 root root    4096 M\u00e4r 18 13:47 fw\r\n-rwx------ 1 root root   64352 M\u00e4r 18 13:47 fwupx64.efi\r\n-rwx------ 1 root root     117 M\u00e4r 18 13:48 grub.cfg\r\n-rwx------ 1 root root  120832 Jul 11 21:09 grubx64.efi\r\n-rwx------ 1 root root 1289424 M\u00e4r 18 13:48 shimx64.efi\r\n<\/pre>\n
Reinstall Grub2<\/h1>\n
How to reinstall GRUB2 EFI?<\/a><\/p>\n
\r\n$ dpkg -l | grep grub\r\nii  grub-common                                 2.02~beta2-36ubuntu3.11                       amd64        GRand Unified Bootloader (common files)\r\nrc  grub-efi-amd64                              2.02~beta2-36ubuntu3.8                        amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 version)\r\nii  grub-efi-amd64-bin                          2.02~beta2-36ubuntu3.11                       amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)\r\nii  grub-gfxpayload-lists                       0.7                                           amd64        GRUB gfxpayload blacklist\r\nii  grub-pc                                     2.02~beta2-36ubuntu3.11                       amd64        GRand Unified Bootloader, version 2 (PC\/BIOS version)\r\nii  grub-pc-bin                                 2.02~beta2-36ubuntu3.11                       amd64        GRand Unified Bootloader, version 2 (PC\/BIOS binaries)\r\nii  grub2                                       2.02~beta2-36ubuntu3.11                       amd64        GRand Unified Bootloader, version 2 (dummy package)\r\nii  grub2-common                                2.02~beta2-36ubuntu3.11                       amd64        GRand Unified Bootloader (common files for version 2)\r\n<\/pre>\n
\r\n$ sudo apt-get install --reinstall grub-efi-amd64\r\nReading package lists... Done\r\nBuilding dependency tree       \r\nReading state information... Done\r\nThe following package was automatically installed and is no longer required:\r\n  grub-pc-bin\r\nUse 'sudo apt autoremove' to remove it.\r\nThe following packages will be REMOVED:\r\n  grub-gfxpayload-lists grub-pc grub2\r\nThe following NEW packages will be installed:\r\n  grub-efi-amd64\r\n0 upgraded, 1 newly installed, 3 to remove and 15 not upgraded.\r\nNeed to get 65.6 kB of archives.\r\nAfter this operation, 430 kB disk space will be freed.\r\nDo you want to continue? [Y\/n] y\r\nGet:1 http:\/\/ch.archive.ubuntu.com\/ubuntu xenial-updates\/main amd64 grub-efi-amd64 amd64 2.02~beta2-36ubuntu3.11 [65.6 kB]\r\nFetched 65.6 kB in 0s (563 kB\/s)        \r\nPreconfiguring packages ...\r\n(Reading database ... 203932 files and directories currently installed.)\r\nRemoving grub2 (2.02~beta2-36ubuntu3.11) ...\r\nRemoving grub-gfxpayload-lists (0.7) ...\r\nRemoving grub-pc (2.02~beta2-36ubuntu3.11) ...\r\nProcessing triggers for man-db (2.7.5-1) ...\r\nSelecting previously unselected package grub-efi-amd64.\r\n(Reading database ... 203908 files and directories currently installed.)\r\nPreparing to unpack ...\/grub-efi-amd64_2.02~beta2-36ubuntu3.11_amd64.deb ...\r\nUnpacking grub-efi-amd64 (2.02~beta2-36ubuntu3.11) ...\r\nSetting up grub-efi-amd64 (2.02~beta2-36ubuntu3.11) ...\r\nInstalling for x86_64-efi platform.\r\nInstallation finished. No error reported.\r\nGenerating grub configuration file ...\r\nFound Windows Boot Manager on \/dev\/nvme0n1p1@\/EFI\/Microsoft\/Boot\/bootmgfw.efi\r\nFound linux image: \/boot\/vmlinuz-4.8.0-41-generic\r\nFound initrd image: \/boot\/initrd.img-4.8.0-41-generic\r\nFound linux image: \/boot\/vmlinuz-4.8.0-36-generic\r\nFound initrd image: \/boot\/initrd.img-4.8.0-36-generic\r\nAdding boot menu entry for EFI firmware configuration\r\ndone\r\nProcessing triggers for shim-signed (1.28~16.04.1+0.9+1474479173.6c180c6-1ubuntu1) ...\r\nfind: \u2018\/var\/lib\/dkms\u2019: No such file or directory\r\nNo DKMS packages installed: not changing Secure Boot validation state.\r\n<\/pre>\n
\r\n$ sudo apt-get install linux-signed-generic \r\n$ sudo apt-get install grub-efi-amd64-signed\r\n$ sudo apt-get install shim-signed\r\n\r\n$ dpkg -l | grep grub\r\nii  grub-common                                 2.02~beta2-36ubuntu3.11                       amd64        GRand Unified Bootloader (common files)\r\nii  grub-efi-amd64                              2.02~beta2-36ubuntu3.11                       amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 version)\r\nii  grub-efi-amd64-bin                          2.02~beta2-36ubuntu3.11                       amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)\r\nii  grub-efi-amd64-signed                       1.66.11+2.02~beta2-36ubuntu3.11               amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)\r\nrc  grub-pc                                     2.02~beta2-36ubuntu3.11                       amd64        GRand Unified Bootloader, version 2 (PC\/BIOS version)\r\nrc  grub2                                       2.02~beta2-36ubuntu3.11                       amd64        GRand Unified Bootloader, version 2 (dummy package)\r\nii  grub2-common                                2.02~beta2-36ubuntu3.11                       amd64        GRand Unified Bootloader (common files for version 2)\r\n\r\n$ dpkg -l | grep signed\r\nii  fonts-kacst-one                             5.0+svn11846-7                                all          TrueType font designed for Arabic language\r\nii  fwupdate-signed                             1.11+0.5-2ubuntu4                             amd64        Linux Firmware Updater EFI signed binary\r\nii  grub-efi-amd64-signed                       1.66.11+2.02~beta2-36ubuntu3.11               amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)\r\nii  linux-signed-generic                        4.4.0.83.89                                   amd64        Complete Signed Generic Linux kernel and headers\r\nii  linux-signed-generic-hwe-16.04              4.8.0.41.12                                   amd64        Complete Signed Generic Linux kernel and headers\r\nii  linux-signed-image-4.4.0-83-generic         4.4.0-83.106                                  amd64        Signed kernel image generic\r\nii  linux-signed-image-4.8.0-41-generic         4.8.0-41.44~16.04.1                           amd64        Signed kernel image generic\r\nii  linux-signed-image-generic                  4.4.0.83.89                                   amd64        Signed Generic Linux kernel image\r\nii  linux-signed-image-generic-hwe-16.04        4.8.0.41.12                                   amd64        Signed Generic Linux kernel image\r\nii  shim                                        0.9+1474479173.6c180c6-1ubuntu1               amd64        boot loader to chain-load signed boot loaders under Secure Boot\r\nii  shim-signed                                 1.28~16.04.1+0.9+1474479173.6c180c6-1ubuntu1  amd64        Secure Boot chain-loading bootloader (Microsoft-signed binary)\r\n\r\n$ sudo ls -la \/boot\/efi\/EFI\/ubuntu\r\ndrwx------ 2 root root    4096 M\u00e4r 18 13:47 fw\r\n-rwx------ 1 root root   64352 M\u00e4r 18 13:47 fwupx64.efi\r\n-rwx------ 1 root root     117 Jul 11 21:28 grub.cfg\r\n-rwx------ 1 root root 1121144 Jul 11 21:28 grubx64.efi\r\n-rwx------ 1 root root 1168464 Jul 11 21:28 mmx64.efi\r\n-rwx------ 1 root root 1169992 Jul 11 21:28 shimx64.efi\r\n<\/pre>\n
Div<\/h1>\n
How does Secure Boot actually work?<\/a>
\nSign GRUB2 bootloader to enable UEFI secure boot<\/a>
\nSakaki’s EFI Install Guide\/Configuring Secure Boot<\/a><\/p>\n
\r\n$ sudo efibootmgr\r\nBootCurrent: 0011\r\nTimeout: 0 seconds\r\nBootOrder: 0011,0013,000D,000E,000B,000C,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000F\r\nBoot0000  Startup Menu\r\nBoot0001  System Information\r\nBoot0002  Bios Setup\r\nBoot0003  3rd Party Option ROM Management\r\nBoot0004  System Diagnostics\r\nBoot0005  System Diagnostics\r\nBoot0006  System Diagnostics\r\nBoot0007  System Diagnostics\r\nBoot0008  Boot Menu\r\nBoot0009  HP Recovery\r\nBoot000A* IPV4 Network - Intel(R) Ethernet Connection (4) I219-V\r\nBoot000B* THNSN5512GPUK TOSHIBA-27BS1003T52T\r\nBoot000C* Intel Corporation: IBA CL Slot 00FE v0110\r\nBoot000D  USB:  \r\nBoot000E  USB:  \r\nBoot000F  Network Boot\r\nBoot0010* IPV6 Network - Intel(R) Ethernet Connection (4) I219-V\r\nBoot0011* ubuntu\r\nBoot0012* EFI\\Microsoft\\Boot\\bootmgfw.efi\r\nBoot0013* Windows Boot Manager\r\n\r\n$ sudo efibootmgr -v\r\nBootCurrent: 0011\r\nTimeout: 0 seconds\r\nBootOrder: 0011,0013,000D,000E,000B,000C,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000F\r\nBoot0000  Startup Menu\tFvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)\/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)....ISPH\r\nBoot0001  System Information\tFvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)\/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH\r\nBoot0002  Bios Setup\tFvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)\/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH\r\nBoot0003  3rd Party Option ROM Management\tFvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)\/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH\r\nBoot0004  System Diagnostics\tFvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)\/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH\r\nBoot0005  System Diagnostics\tFvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)\/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH\r\nBoot0006  System Diagnostics\tFvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)\/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH\r\nBoot0007  System Diagnostics\tFvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)\/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH\r\nBoot0008  Boot Menu\tFvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)\/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH\r\nBoot0009  HP Recovery\tFvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)\/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH\r\nBoot000A* IPV4 Network - Intel(R) Ethernet Connection (4) I219-V\tPciRoot(0x0)\/Pci(0x1f,0x6)\/MAC(40b034e99e48,0)\/IPv4(0.0.0.0:0<->0.0.0.0:0,0,0)N.....YM....R,Y.....ISPH\r\nBoot000B* THNSN5512GPUK TOSHIBA-27BS1003T52T\tBBS(HD,THNSN5512GPUK TOSHIBA-27BS1003T52T,0x400)\/PciRoot(0x0)\/Pci(0x1d,0x0)\/Pci(0x0,0x0)\/NVMe(0x1,00-08-0D-02-00-1D-9C-DA)......ISPH\r\nBoot000C* Intel Corporation: IBA CL Slot 00FE v0110\tBBS(Network,Intel Corporation: IBA CL Slot 00FE v0110,0x0)\/PciRoot(0x0)\/Pci(0x1f,0x6)\/IPv4(0.0.0.0:0<->0.0.0.0:0,0,0)......ISPH\r\nBoot000D  USB:  \tPciRoot(0x0)\/Pci(0x14,0x0)N.....YM....R,Y.....ISPH\r\nBoot000E  USB:  \tBBS(65535,,0x0)\/PciRoot(0x0)\/Pci(0x14,0x0)......ISPH\r\nBoot000F  Network Boot\tFvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)\/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH\r\nBoot0010* IPV6 Network - Intel(R) Ethernet Connection (4) I219-V\tPciRoot(0x0)\/Pci(0x1f,0x6)\/MAC(40b034e99e48,0)\/IPv6([::]:<->[::]:,0,0)N.....YM....R,Y.....ISPH\r\nBoot0011* ubuntu\tHD(1,GPT,7f3b4501-d7e9-450e-b82a-5104c336081c,0x800,0xb4000)\/File(\\EFI\\ubuntu\\grubx64.efi)\r\nBoot0012* EFI\\Microsoft\\Boot\\bootmgfw.efi\tPciRoot(0x0)\/Pci(0x1d,0x0)\/Pci(0x0,0x0)\/NVMe(0x1,00-08-0D-02-00-1D-9C-DA)\/HD(1,GPT,7f3b4501-d7e9-450e-b82a-5104c336081c,0x800,0xb4000)\/File(EFI\\Microsoft\\Boot\\bootmgfw.efi) .\/.R.e.c.o.v.e.r.y.B.C.D.......ISPH\r\nBoot0013* Windows Boot Manager\tHD(1,GPT,7f3b4501-d7e9-450e-b82a-5104c336081c,0x800,0xb4000)\/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...te...................ISPH\r\n<\/pre>\n
\r\n$  hexdump \/sys\/firmware\/efi\/efivars\/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c \r\n0000000 0006 0000 0000                         \r\n0000005\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
EFI system partition EFI Installieren EFI Bootmanagement EFI Nachbearbeitung EFI Problembehebung Linux Mint Installation Guide – EFI SecureBoot wiki.ubuntu.com SecureBoot wiki.ubuntu.com DKMS $ [ -d \/sys\/firmware\/efi ] && echo UEFI || echo BIOS UEFI $ sudo grub-install Installing for x86_64-efi platform. Installation finished. No error reported. $ ls -la \/boot\/efi drwx—— 6 root root 4096 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6448","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/6448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6448"}],"version-history":[{"count":15,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/6448\/revisions"}],"predecessor-version":[{"id":9396,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/6448\/revisions\/9396"}],"wp:attachment":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}