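I have a laptop running 20.04 (no `secure-boot`; call it `old`). I want to move the boot disk to a new laptop that has secure boot enabled (call it `new`). I do not want to disable `secure boot`, because I have Windows installed on `new` and require `secure boot` to remain enabled on `new`.

To test whether this was feasible on `new`, I plugged in the original installation live media (the `xubuntu 18.04` live boot image on USB from 2019 that was used to install `old`) and tried to boot `new` from it. This was very successful.

Next, I took the boot disk out of `old`, plugged it into `new`, selected that disk as the boot medium, and got into the grub console. This is where I ran into the following error message: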
```
Loading Linux 5.4.0-70-generic ...
error: bad shim signature.
Loading initial ramdisk ...
error: you need to load the kernel first.
Press any key to continue...
```
I booted `old` to compare the kernel on the boot media with the kernel on the disk:
```
samveen@samveen-X230:~$ sudo sbverify --list /media/temp/casper/vmlinuz
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing
   issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
samveen@samveen-X230:/media/temp/casper$ sudo sbverify --list /boot/vmlinuz-5.4.0-70-generic
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2017)
   issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
```
Both are signed and valid, so I checked the bootloader chain (shim and grub):
```
samveen@samveen-X230:~$ sudo sbverify --list /boot/efi/EFI/ubuntu/shimx64.efi
warning: data remaining[834920 vs 960472]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
samveen@samveen-X230:~$ sudo sbverify --list /boot/efi/EFI/ubuntu/grubx64.efi
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2022 v1)
   issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
samveen@samveen-X230:~$ sudo sbverify --list /boot/efi/EFI/ubuntu/mmx64.efi
warning: data remaining[742792 vs 860824]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2022 v1)
   issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
```
All of this is valid, with the `Canonical Ltd. Master CA` able to verify everything.

What am I missing here that is preventing the boot?

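After more investigation, I found that the certificate used to sign the kernel I was booting (`Canonical Ltd. Secure Boot Signing (2017)`) is in the Secure Boot forbidden signature database (`dbx`). To fix this, I had to update to the latest `image-generic` kernel, `linux-image-5.4.0-172-generic` (signed by the latest CA), instead of the outdated `image-generic` kernel I was using, `linux-image-5.4.0-70-generic`.

Several other issues with missing drivers were fixed by replacing that kernel series with the Hardware Enablement kernel series, `linux-generic-hwe-20.04`. More details at https://wiki.ubuntu.com/Kernel/LTSEnablementStack

DKMS module signing was already in place, even on `old` (though unused): when I first installed the OS on `old` (xubuntu 18.04 in 2019), a Machine Owner Key had already been created. I only had to enroll the MOK into shim by following the process documented at https://wiki.ubuntu.com/UEFI/SecureBoot. Edit: I only needed this to load the upstream VirtualBox kernel modules built by DKMS; otherwise this step is not needed.

Side note: I installed Xubuntu `18.04` on `old` in 2019, then went through the dist-upgrade process to `20.04` in early 2021. The Secure Boot setup created at install time was valid on `new` in 2024 (5 years after installation), even after the dist-upgrade to `20.04`. This is some future-proof planning on Ubuntu's part. Although I am not happy with how `22.04` is structured and plan to eventually move to upstream Debian, the `20.04` `hwe` kernel series is a good choice even for recent laptops.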
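
An added example, not part of the original post: `sbverify --list` only prints who signed an image, so a kernel can look correctly signed and still be rejected at boot. This Python sketch parses output in the format shown in the question and flags images whose signer is forbidden; the forbidden set is hard-coded from the answer's finding and matched by CN as a simplifying assumption, and the sample text is constructed from the listings above.

```python
import re

# Constructed sample DNs, copied from the sbverify listings in the question.
CANONICAL = "/C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing"
MASTER = "/C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority"
MS = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft"

def listing(*certs):
    """Build sbverify-style text from (subject, issuer) pairs (helper for the sample only)."""
    body = "".join(f" - subject: {s}\n   issuer: {i}\n" for s, i in certs)
    return ("signature 1\nimage signature issuers:\n"
            f" - {certs[0][1]}\nimage signature certificates:\n{body}")

SAMPLE = {
    "/boot/vmlinuz-5.4.0-70-generic": listing((CANONICAL + " (2017)", MASTER)),
    "/boot/efi/EFI/ubuntu/grubx64.efi": listing((CANONICAL + " (2022 v1)", MASTER)),
    "/boot/efi/EFI/ubuntu/shimx64.efi":
        "warning: data remaining[834920 vs 960472]: gaps between PE/COFF sections?\n"
        + listing((MS + " Windows UEFI Driver Publisher", MS + " Corporation UEFI CA 2011"),
                  (MS + " Corporation UEFI CA 2011",
                   MS + " Corporation Third Party Marketplace Root")),
}

# Assumption: forbidden signers are identified by CN, taken from the answer's finding.
# On a real system the authoritative source is the firmware's dbx, not a hard-coded set.
FORBIDDEN_CNS = {"Canonical Ltd. Secure Boot Signing (2017)"}

# Only "- subject:" lines name a signing certificate; issuer lines are skipped.
SUBJECT_RE = re.compile(r"^\s*-\s*subject:\s*(/.+)$")

def signer_cns(sbverify_output):
    """Return the CN of every certificate listed under 'image signature certificates'."""
    cns = []
    for line in sbverify_output.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            # The CN is the last /CN= component of the one-line DN.
            cns.append(m.group(1).rsplit("/CN=", 1)[-1].strip())
    return cns

def audit(outputs, forbidden=FORBIDDEN_CNS):
    """Return {image path: [forbidden signer CNs]}; an empty list means none matched."""
    return {path: [cn for cn in signer_cns(text) if cn in forbidden]
            for path, text in outputs.items()}

if __name__ == "__main__":
    for path, hits in audit(SAMPLE).items():
        print(f"{'REVOKED' if hits else 'ok':8} {path} {hits or signer_cns(SAMPLE[path])}")
```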