• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    Invalid signature detected on new PCs

    Scheduled Pinned Locked Moved Unsolved
    FOG Problems
    3
    11
    1.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sega
      last edited by

      Hi,

      we got a few new pcs and I wanted to get them in FOG too. But with the same BIOS settings as the old pcs I’m getting the following error: Secure Boot Violation. Invalid signature detected. Check Secure Boot Policy in Setup.

      The weird thing is: Nearly all options are the same the few different things are (old is the system where FOG is working):
      Operating system: Windows 10 (old) - Windows 11 (new)
      Mainboard: Gigabyte Z690 UD (old) - Gigabyte Z790 AORUS ELITE AX (new)
      BIOS version: F7b (03/28/2022) (old) - F10 (12/25/2023) (new)

      All other things are the same as far as I can see. The factory setting of the Secure Boot was on Custom instead Standard but with neither of the both option the PC can’t load FOG. Our FOG version is 1.5.9 and following my information this version should be working with Secure Boot as it does on the old PCs.

      Does anyone knows what the problem could it be?

      Tom ElliottT 1 Reply Last reply Reply Quote 0
      • Tom ElliottT
        Tom Elliott @sega
        last edited by

        @sega FOG doesn’t have a signed shim/bootable binaries, not by default, so if you had this in the past, I don’t know how you did it but it would seem your new systems have overridden the certificates on the machines themselves which need your “old” certificates placed back on them to allow the booting sequence to successfully operate.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        S 1 Reply Last reply Reply Quote 0
        • S
          sega @Tom Elliott
          last edited by

          @Tom-Elliott Thanks for you quick reply.
          As far as I know (didn’t installed it) there weren’t any certificates installed.
          And, as I read my first post, that could cause a confusion, the old systems still work. So we have both systems currently here and just the old PCs working with the settings.

          Tom ElliottT 1 Reply Last reply Reply Quote 0
          • Tom ElliottT
            Tom Elliott @sega
            last edited by

            @sega FOG doesn’t do secure boot out of the box, we just don’t

            If your old machines are using FOG with Secure Boot Enabled, you need to install the certificates for those boot files on the new machines as well.

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

            Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

            Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

            S 1 Reply Last reply Reply Quote 0
            • S
              sega @Tom Elliott
              last edited by

              @Tom-Elliott I know when we set up the last Pcs we didn’t install any certificates, just changed some settings in the mainboard and thats it (plus updating the BIOS).
              Can you tell me where the certificates could be? Then I could look if there are some on the FOG server.

              Tom ElliottT 1 Reply Last reply Reply Quote 0
              • Tom ElliottT
                Tom Elliott @sega
                last edited by

                @sega It sounds more like you really disabled “secure” boot while maintaining UEFI boot?

                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                S 1 Reply Last reply Reply Quote 0
                • S
                  sega @Tom Elliott
                  last edited by

                  @Tom-Elliott I thought that too but these are the settings from the old PCs. The only thing that is weird here, is that Secure boot is enabled but there is also a “Not active”? WhatsApp Image 2024-03-18 at 14.41.15.jpeg

                  Tom ElliottT 1 Reply Last reply Reply Quote 0
                  • Tom ElliottT
                    Tom Elliott @sega
                    last edited by

                    @sega Based on what I can tell, somebody installed the certificates on these machines. How I couldn’t tell you.

                    Our files are not shimmed by us so I cannot tell you what was or wasn’t done. All I know is if secure boot is enabled (as it appears) then somebody manually installed the certificates to ensure it was able to work in a secure boot mode.

                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                    Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                    Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                    S 1 Reply Last reply Reply Quote 0
                    • S
                      sega @Tom Elliott
                      last edited by

                      @Tom-Elliott Hmm ok, thats really weird. I did the set up for these machines and if they won’t installed with the FOG client,I can’t imagine how… Can you tell me where normally the certificates are?
                      I found some certificates in following folder but I don’t think that’s the right ones… “opt -> fog -> snapins -> ssl -> CA” but I guess that something complete different

                      george1421G 1 Reply Last reply Reply Quote 0
                      • george1421G
                        george1421 Moderator @sega
                        last edited by

                        @sega I think what Tom is referring to is something like this tutorial: https://forums.fogproject.org/topic/15888/imaging-with-fog-and-secure-boot-poc

                        Also like Tom said the FOG Project doesn’t sign either iPXE or the FOS Linux kernel that is beyond the scope of the FOG Project. So if you must have secure boot enabled then you must do something like in the above tutorial, create your own private certificates and upload them to the uefi firmware, then sign ipxe.efi, snp.efi, snponly.efi and bzImage with your custom certificate. Then a computer with secure boot enabled will “trust” the FOG imaging process. Without the FOG Project boot files being singed, your computer will reject them and not boot.

                        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                        1 Reply Last reply Reply Quote 0
                        • S
                          sega
                          last edited by

                          After many try&error runs, I managed to sign the files and to boot into the FOG menu with secure boot enabled. And I can deploy an image, register the host and do all the other things except boot from hard disk. Whenever I choose this option in the FOG menu he just goes back into the menu.
                          When I boot directly from the hard disk it works and also if I disable the secure boot option the FOG menu can boot from hard disk.

                          What could be the problem here? Oh and while I was troubeshooting I updated Ubuntu from 20.04 to 22.04 and FOG to 1.5.10

                          1 Reply Last reply Reply Quote 0
                          • 1 / 1
                          • First post
                            Last post

                          227

                          Online

                          12.0k

                          Users

                          17.3k

                          Topics

                          155.2k

                          Posts
                          Copyright © 2012-2024 FOG Project