Discussion:
can't get the secure boot hashtool menu to display again
William Schaible
2020-10-02 05:36:06 UTC
This concerns booting a knoppix flash drive. I did some tinkering, I've
got an idea how to get the secure boot key made. First, UEFI wanted me
to enroll a hash for the program named loader.efi. I got a menu like this:

* ENROLL HASH
* START UEFI KEY TOOL
* REBOOT TO UEFI MENU
* REBOOT SYSTEM
* EXIT

and I enrolled a hash for loader.efi. Now I need to get that menu again
so I can enroll a hash for the KNOPPIX binary file. But I don't know how
to trigger it. I set knoppix as boot priority #1 in the BIOS and then
tell it to reboot, both with secure boot ON then with it OFF, but that
doesn't trigger the menu. Either way it boots into knoppix but knoppix
doesn't see the main SSD and I can't use wifi. Because there's no key
for knoppix. I need to trigger the system to complain that I need to
enroll a hash. How do I do that?

TIA. Bill S.
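
Added example, not part of the original thread: the ENROLL HASH step described above records a digest of the EFI binary itself. Assuming the standard SHA-256 Authenticode (PE/COFF) digest used for UEFI Secure Boot hash entries, the code below computes it in simplified form; `build_sample_image` and its bytes are constructed for illustration and are not a real loader.efi.

```python
import hashlib
import struct
import sys

def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 Authenticode digest of a PE/COFF image.

    Simplified: hashes the file linearly, which matches the full algorithm
    when sections are contiguous and in file order (assumed here).
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24                  # PE signature (4) + COFF header (20)
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs_off = opt_off + (96 if magic == 0x10B else 112)
    if struct.unpack_from("<I", pe, dirs_off - 4)[0] < 5:
        raise ValueError("no Certificate Table directory entry")
    checksum_off = opt_off + 64            # CheckSum field, 4 bytes
    cert_entry = dirs_off + 4 * 8          # data directory index 4, 8 bytes
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    end = cert_off if cert_size else len(pe)   # stop before appended signatures
    h = hashlib.sha256()
    h.update(pe[:checksum_off])                # headers up to CheckSum
    h.update(pe[checksum_off + 4:cert_entry])  # skip CheckSum
    h.update(pe[cert_entry + 8:end])           # skip Certificate Table entry
    return h.hexdigest()

def build_sample_image(code: bytes, checksum: int = 0, signature: bytes = b"") -> bytes:
    """Constructed PE32+ skeleton for the demo; not a real or bootable binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + bytes(20)
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    unsigned_len = len(dos) + len(coff) + len(opt) + len(code)
    if signature:                                # point entry 4 at appended blob
        struct.pack_into("<II", opt, 112 + 4 * 8, unsigned_len, len(signature))
    return dos + coff + bytes(opt) + code + signature

if __name__ == "__main__":
    for path in sys.argv[1:]:                    # e.g. a copy of loader.efi
        with open(path, "rb") as f:
            print(authenticode_sha256(f.read()), path)
```

The digest ignores the CheckSum field and any appended signature, and changes when the image content itself changes.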
Mike Easter
2020-10-02 09:08:00 UTC
Post by William Schaible
This concerns booting a knoppix flash drive. I did some tinkering, I've
got an idea how to get the secure boot key made. First, UEFI wanted me
* ENROLL HASH
* START UEFI KEY TOOL
* REBOOT TO UEFI MENU
* REBOOT SYSTEM
* EXIT
and I enrolled a hash for loader.efi.
This is the knoppix page I see about hashtool & loader.efi. When
knoppix enrollment is successful, the knoppix boot screen says/shows
'UEFI Boot'.

https://knopper.net/knoppix/knoppix-uefi-en.html When UEFI Secure Boot
is enabled, the following screen will be shown at start:


There is also a caution note at the end of the page about the difference
in the appearance of the boot screen.
--
Mike Easter
bilsch01
2020-10-02 20:51:20 UTC
Post by William Schaible
This concerns booting a knoppix flash drive. I did some tinkering,
I've got an idea how to get the secure boot key made. First, UEFI
wanted me to enroll a hash for the program named loader.efi. I got a
* ENROLL HASH
* START UEFI KEY TOOL
* REBOOT TO UEFI MENU
* REBOOT SYSTEM
* EXIT
and I enrolled a hash for loader.efi.
This is the knoppix page I see about hashtool & loader.efi.  When
knoppix enrollment is successful, the knoppix boot screen says/shows
'UEFI Boot'.
https://knopper.net/knoppix/knoppix-uefi-en.html  When UEFI Secure Boot
There is also a caution note at the end of the page about the difference
in the appearance of the boot screen.
I've seen the screen referenced by the first link you posted. That's the
screen that ultimately got me to the menu shown in my post, which I used
to enrol loader.efi, as mentioned. Your post then mentions another
screen with the following sentence:

When UEFI Secure Boot is enabled, the following screen will be shown at
start:

but there is no link following that sentence. I would like to see the
screen mentioned. Could you post that link again?

So far I haven't been instructed by screen messages or prompts to
perform specific steps to enroll a hash for the knoppix binary or steps
to create a key for it. That's what I am assuming will happen next,
before a key is created though I don't know because I haven't done this
before. I'm assuming I will again see the menu shown above.

The BIOS screen has a 'security' tab which has a 'key management'
heading that lists the number of keys stored. That info hasn't changed
yet which suggests no key for knoppix has yet been saved.

Thanks for your help.
Mike Easter
2020-10-02 22:07:40 UTC
Post by bilsch01
This is the knoppix page I see about hashtool & loader.efi.  When
knoppix enrollment is successful, the knoppix boot screen says/shows
'UEFI Boot'.
https://knopper.net/knoppix/knoppix-uefi-en.html  When UEFI Secure
There is also a caution note at the end of the page about the
difference in the appearance of the boot screen.
I've seen the screen referenced by the first link you posted. That's the
screen that ultimately got me to the menu shown in my post, which I used
to enrol loader.efi, as mentioned.  Your post then mentions another
When UEFI Secure Boot is enabled, the following screen will be shown at
but there is no link following that sentence. I would like to see the
screen mentioned. Could you post that link again?
The link *precedes* the sentence I pasted. You cited it above.

https://knopper.net/knoppix/knoppix-uefi-en.html

Above you referred to your 1st msg in which you used 'enroll hash' as
the 1st screen at knoppix says:
https://knopper.net/pics/2_uefi_enroll_hash.png

Then you said that you continued to the part where loader.efi was
enrolled as this:
https://knopper.net/pics/3_uefi_enroll_hash.png
and presumably this:
https://knopper.net/pics/4_uefi_enroll_hash.png
Post by bilsch01
So far I haven't been instructed by screen messages or prompts to
perform specific steps to enroll a hash for the knoppix binary or steps
to create a key for it.
That part is supposed to follow pic 2 above.
Post by bilsch01
That's what I am assuming will happen next, before a key is created
though I don't know because I haven't done this before. I'm assuming
I will again see the menu shown above.
The BIOS screen has a 'security' tab which has a 'key management'
heading that lists the number of keys stored. That info hasn't changed
yet which suggests no key for knoppix has yet been saved.
Hmmm.
--
Mike Easter
bilsch01
2020-10-02 22:46:08 UTC
Post by bilsch01
This is the knoppix page I see about hashtool & loader.efi.  When
knoppix enrollment is successful, the knoppix boot screen says/shows
'UEFI Boot'.
https://knopper.net/knoppix/knoppix-uefi-en.html  When UEFI Secure
There is also a caution note at the end of the page about the
difference in the appearance of the boot screen.
I've seen the screen referenced by the first link you posted. That's
the screen that ultimately got me to the menu shown in my post, which
I used to enrol loader.efi, as mentioned.  Your post then mentions
When UEFI Secure Boot is enabled, the following screen will be shown
but there is no link following that sentence. I would like to see the
screen mentioned. Could you post that link again?
The link *precedes* the sentence I pasted.  You cited it above.
https://knopper.net/knoppix/knoppix-uefi-en.html
Above you referred to your 1st msg in which you used 'enroll hash' as
https://knopper.net/pics/2_uefi_enroll_hash.png
Then you said that you continued to the part where loader.efi was
https://knopper.net/pics/3_uefi_enroll_hash.png
https://knopper.net/pics/4_uefi_enroll_hash.png
Post by bilsch01
So far I haven't been instructed by screen messages or prompts to
perform specific steps to enroll a hash for the knoppix binary or
steps to create a key for it.
That part is supposed to follow pic 2 above.
Post by bilsch01
That's what I am assuming will happen next, before a key is created
though I don't know because I haven't done this before. I'm assuming
I will again see the menu shown above.
The BIOS screen has a 'security' tab which has a 'key management'
heading that lists the number of keys stored. That info hasn't changed
yet which suggests no key for knoppix has yet been saved.
Hmmm.
I needed to scroll down; if I had, I would have seen the rest. OK, thanks.
dyrmak
2020-10-03 09:00:18 UTC
In 59 lines bilsch01 wrote
Post by bilsch01
I needed to scroll down, if I had I would have seen the rest. OK. thanks
Once your knoppix is integrated, "enrolled", that means from now on
the computer will recognize your flash-drive as a validly integrated
part of the hardware of the computer, if you leave the "Bios" section
as it was during the enrolling. I think the menu on start will lead you
to choose the knoppix drive.
As an aside note, if you clone your flash-drive, thinking that it
is enough to have a bootable copy, you are in for a bit of a surprise,
you will need to ENROLL again the clone as an entire new entity to
integrate it as a new hardware extension.

dyrmak
--
Las llantas desinfladas
++++ --- ++++
Linux operating system
++++ --- ++++
dyrmak
2020-10-03 09:30:59 UTC
In 22 lines dyrmak wrote
Post by dyrmak
As an aside note, if you clone your flash-drive, thinking that it
is enough to have a bootable copy, you are in for a bit of a surprise,
you will need to ENROLL again the clone as an entire new entity to
integrate it as a new hardware extension.
I am sorry! I made a brutal mistake here, the aside note is
not the intended one, the correct one here below:

As an aside note, if you happen to have another knoppix flash-drive
made independently on a similar usb-key, another one that
looks like a clone but not a real clone, you are in for a bit of a
surprise, you will need to ENROLL the second flash-drive as an
entire new entity to integrate it as a new hardware extension.

dyrmak
--
Se me olvidó tu nombre
++++ --- ++++
Linux operating system
++++ --- ++++
Johnny
2020-10-02 22:15:14 UTC
On Fri, 2 Oct 2020 13:51:20 -0700
Post by bilsch01
Post by William Schaible
This concerns booting a knoppix flash drive. I did some tinkering,
I've got an idea how to get the secure boot key made. First, UEFI
wanted me to enroll a hash for the program named loader.efi. I got
* ENROLL HASH
* START UEFI KEY TOOL
* REBOOT TO UEFI MENU
* REBOOT SYSTEM
* EXIT
and I enrolled a hash for loader.efi.
This is the knoppix page I see about hashtool & loader.efi.  When
knoppix enrollment is successful, the knoppix boot screen
says/shows 'UEFI Boot'.
https://knopper.net/knoppix/knoppix-uefi-en.html  When UEFI Secure
There is also a caution note at the end of the page about the
difference in the appearance of the boot screen.
I've seen the screen referenced by the first link you posted. That's
the screen that ultimately got me to the menu shown in my post, which
I used to enrol loader.efi, as mentioned. Your post then mentions
When UEFI Secure Boot is enabled, the following screen will be shown
but there is no link following that sentence. I would like to see the
screen mentioned. Could you post that link again?
So far I haven't been instructed by screen messages or prompts to
perform specific steps to enroll a hash for the knoppix binary or
steps to create a key for it. That's what I am assuming will happen
next, before a key is created though I don't know because I haven't
done this before. I'm assuming I will again see the menu shown above.
The BIOS screen has a 'security' tab which has a 'key management'
heading that lists the number of keys stored. That info hasn't
changed yet which suggests no key for knoppix has yet been saved.
Thanks for your help.
Why can't you just disable Key Management? That's what I did.
Mike Easter
2020-10-02 22:50:14 UTC
Post by Johnny
Why can't you just disable Key Management? That's what I did.
That's what I did.

And, it wasn't (even) enabled on a W10 refurbed OEM laptop.

During refurb, the refurber replaces whatever OS the OEM had put w/ a
refurb licensed v. of the OS. (Possibly newer than the original, which
I think was the case here, oem MS W8 to refurber MS W10)

I can't see that it/secure has real value; I understand that the
intention is a form of 'security', but that is one of those security
issues that appears to me to be 'more trouble than it's worth' TM.
--
Mike Easter
William Schaible
2020-10-03 04:01:22 UTC
Post by Johnny
On Fri, 2 Oct 2020 13:51:20 -0700
Post by bilsch01
Post by William Schaible
This concerns booting a knoppix flash drive. I did some tinkering,
I've got an idea how to get the secure boot key made. First, UEFI
wanted me to enroll a hash for the program named loader.efi. I got
* ENROLL HASH
* START UEFI KEY TOOL
* REBOOT TO UEFI MENU
* REBOOT SYSTEM
* EXIT
and I enrolled a hash for loader.efi.
This is the knoppix page I see about hashtool & loader.efi.  When
knoppix enrollment is successful, the knoppix boot screen
says/shows 'UEFI Boot'.
https://knopper.net/knoppix/knoppix-uefi-en.html  When UEFI Secure
There is also a caution note at the end of the page about the
difference in the appearance of the boot screen.
I've seen the screen referenced by the first link you posted. That's
the screen that ultimately got me to the menu shown in my post, which
I used to enrol loader.efi, as mentioned. Your post then mentions
When UEFI Secure Boot is enabled, the following screen will be shown
but there is no link following that sentence. I would like to see the
screen mentioned. Could you post that link again?
So far I haven't been instructed by screen messages or prompts to
perform specific steps to enroll a hash for the knoppix binary or
steps to create a key for it. That's what I am assuming will happen
next, before a key is created though I don't know because I haven't
done this before. I'm assuming I will again see the menu shown above.
The BIOS screen has a 'security' tab which has a 'key management'
heading that lists the number of keys stored. That info hasn't
changed yet which suggests no key for knoppix has yet been saved.
Thanks for your help.
Why can't you just disable Key Management? That's what I did.
There is a way to disable 'secure boot' but there's no option to disable
'key management'. The 'key management' heading simply lists some
information when you hit it. So, I assume you mean disable secure boot.
That I have tried. Here's the problem: when I boot knoppix, start
terminal and type in:

sudo fdisk -l

fdisk lists the knoppix flash drive but not the SSD containing Windows.
I AM accustomed to running fdisk while booted in knoppix on a computer
with a UEFI SSD - never a problem. But on this new computer, when booted
in knoppix fdisk doesn't show the SSD, neither does gparted, also I've
noticed there's no wireless capability.
The computer is ASUS F512JA-OH36.
TIA. Bill S.
Johnny
2020-10-03 17:15:09 UTC
On Fri, 2 Oct 2020 21:01:22 -0700
Post by William Schaible
Post by Johnny
On Fri, 2 Oct 2020 13:51:20 -0700
Post by bilsch01
Post by William Schaible
This concerns booting a knoppix flash drive. I did some
tinkering, I've got an idea how to get the secure boot key made.
First, UEFI wanted me to enroll a hash for the program named
* ENROLL HASH
* START UEFI KEY TOOL
* REBOOT TO UEFI MENU
* REBOOT SYSTEM
* EXIT
and I enrolled a hash for loader.efi.
This is the knoppix page I see about hashtool & loader.efi.  When
knoppix enrollment is successful, the knoppix boot screen
says/shows 'UEFI Boot'.
https://knopper.net/knoppix/knoppix-uefi-en.html  When UEFI Secure
There is also a caution note at the end of the page about the
difference in the appearance of the boot screen.
I've seen the screen referenced by the first link you posted.
That's the screen that ultimately got me to the menu shown in my
post, which I used to enrol loader.efi, as mentioned. Your post
When UEFI Secure Boot is enabled, the following screen will be
but there is no link following that sentence. I would like to see
the screen mentioned. Could you post that link again?
So far I haven't been instructed by screen messages or prompts to
perform specific steps to enroll a hash for the knoppix binary or
steps to create a key for it. That's what I am assuming will happen
next, before a key is created though I don't know because I haven't
done this before. I'm assuming I will again see the menu shown above.
The BIOS screen has a 'security' tab which has a 'key management'
heading that lists the number of keys stored. That info hasn't
changed yet which suggests no key for knoppix has yet been saved.
Thanks for your help.
Why can't you just disable Key Management? That's what I did.
There is a way to disable 'secure boot' but there's no option to
disable 'key management'. The 'key management' heading simply lists
some information when you hit it. So, I assume you mean disable
secure boot.
What kind of computer do you have?
bilsch01
2020-10-03 21:57:42 UTC
Post by Johnny
On Fri, 2 Oct 2020 21:01:22 -0700
Post by William Schaible
Post by Johnny
On Fri, 2 Oct 2020 13:51:20 -0700
Post by bilsch01
Post by William Schaible
This concerns booting a knoppix flash drive. I did some
tinkering, I've got an idea how to get the secure boot key made.
First, UEFI wanted me to enroll a hash for the program named
* ENROLL HASH
* START UEFI KEY TOOL
* REBOOT TO UEFI MENU
* REBOOT SYSTEM
* EXIT
and I enrolled a hash for loader.efi.
This is the knoppix page I see about hashtool & loader.efi.  When
knoppix enrollment is successful, the knoppix boot screen
says/shows 'UEFI Boot'.
https://knopper.net/knoppix/knoppix-uefi-en.html  When UEFI Secure
There is also a caution note at the end of the page about the
difference in the appearance of the boot screen.
I've seen the screen referenced by the first link you posted.
That's the screen that ultimately got me to the menu shown in my
post, which I used to enrol loader.efi, as mentioned. Your post
When UEFI Secure Boot is enabled, the following screen will be
but there is no link following that sentence. I would like to see
the screen mentioned. Could you post that link again?
So far I haven't been instructed by screen messages or prompts to
perform specific steps to enroll a hash for the knoppix binary or
steps to create a key for it. That's what I am assuming will happen
next, before a key is created though I don't know because I haven't
done this before. I'm assuming I will again see the menu shown above.
The BIOS screen has a 'security' tab which has a 'key management'
heading that lists the number of keys stored. That info hasn't
changed yet which suggests no key for knoppix has yet been saved.
Thanks for your help.
Why can't you just disable Key Management? That's what I did.
There is a way to disable 'secure boot' but there's no option to
disable 'key management'. The 'key management' heading simply lists
some information when you hit it. So, I assume you mean disable
secure boot.
What kind of computer do you have?
ASUS VivoBook F512JA-OH36
BIOS by American Megatrends
version 302
GOP version 14.0.1029
EC version F0031506.306
Paul
2020-10-03 22:27:28 UTC
Post by bilsch01
Post by Johnny
On Fri, 2 Oct 2020 21:01:22 -0700
Post by William Schaible
Post by Johnny
On Fri, 2 Oct 2020 13:51:20 -0700
Post by bilsch01
Post by Mike Easter
Post by William Schaible
This concerns booting a knoppix flash drive. I did some
tinkering, I've got an idea how to get the secure boot key made.
First, UEFI wanted me to enroll a hash for the program named
* ENROLL HASH
* START UEFI KEY TOOL
* REBOOT TO UEFI MENU
* REBOOT SYSTEM
* EXIT
and I enrolled a hash for loader.efi.
This is the knoppix page I see about hashtool & loader.efi. When
knoppix enrollment is successful, the knoppix boot screen
says/shows 'UEFI Boot'.
https://knopper.net/knoppix/knoppix-uefi-en.html When UEFI Secure
There is also a caution note at the end of the page about the
difference in the appearance of the boot screen.
I've seen the screen referenced by the first link you posted.
That's the screen that ultimately got me to the menu shown in my
post, which I used to enrol loader.efi, as mentioned. Your post
When UEFI Secure Boot is enabled, the following screen will be
but there is no link following that sentence. I would like to see
the screen mentioned. Could you post that link again?
So far I haven't been instructed by screen messages or prompts to
perform specific steps to enroll a hash for the knoppix binary or
steps to create a key for it. That's what I am assuming will happen
next, before a key is created though I don't know because I haven't
done this before. I'm assuming I will again see the menu shown above.
The BIOS screen has a 'security' tab which has a 'key management'
heading that lists the number of keys stored. That info hasn't
changed yet which suggests no key for knoppix has yet been saved.
Thanks for your help.
Why can't you just disable Key Management? That's what I did.
There is a way to disable 'secure boot' but there's no option to
disable 'key management'. The 'key management' heading simply lists
some information when you hit it. So, I assume you mean disable
secure boot.
What kind of computer do you have?
ASUS VivoBook F512JA-OH36
BIOS by American Megatrends
version 302
GOP version 14.0.1029
EC version F0031506.306
https://www.asus.com/support/FAQ/1042711/


Paul