Fedora Linux Support Community & Resources Center
  #1  
Old 23rd February 2013, 08:22 PM
Computerphile Offline
Registered User
 
Join Date: Nov 2009
Location: Bergen, Norway
Posts: 62
linuxchrome
Binary is verified by the vendor certificate?

My new laptop (Dell Inspiron 14z) comes with preinstalled Windoze 8, and I can't seem to install Fedora on the damn thing. Fedora 17 CDs and DVDs get recognized as boot media, but immediately after choosing that media to boot from, Windoze starts up again. If I however put a Fedora 18 DVD in the damn thing, it boots, but only to show the "Binary is verified by the vendor certificate." message. I've also tried booting from a USB key, but the same message appears. I figure this must be my first battle with UEFI and 18 has an advantage over Fedora 17, but I still can't figure out how to move forward with the installation. Anyone got any tips?
__________________
Powered by: Fedora 15 (and on a really good day: Macallan Fine Oak 18 year old + Cohiba Siglo VI)
Reply With Quote
  #2  
Old 24th February 2013, 01:31 AM
george_toolan Offline
Registered User
 
Join Date: Dec 2006
Posts: 2,077
linuxfirefox
Re: Binary is verified by the vendor certificate?

It's a bug and not a feature ;-)

Try to disable secure boot in your BIOS setup.
Reply With Quote
  #3  
Old 3rd March 2013, 04:05 PM
pasmoi Offline
Registered User
 
Join Date: Mar 2013
Location: somewhere you don't need to know
Posts: 3
linuxfirefox
Re: Binary is verified by the vendor certificate?

Don't do it.

I have this error too when booting on fedora core 18 dvd, so I ended up installing it by deactivating UEFI in the bios.
(my laptop is a MSI GE60 0ND)

But then, fedora completely screwed up my windows 8 boot.
It even screwed booting on the system restore partition.

So now, I'm totally screwed up: I lost windows 8 on my computer :-(


So my advice for anyone in the same situation reading this post: don't install fedora (or any other distro) by deactivating UEFI in your Bios, because you'd lose windows 8.
Wait for this bug to be fixed in fedora, or use a distro that works with UEFI, and that can be installed in UEFI mode.


(and for me, I'll see if I can get the manufacturer to put back the factory content of the hard drive, but that will probably cost me a few months without my new computer, and additional money)
_________
Probably my first and last post on this forum, since after that, I may once again stay 10 years without using rh/fedora.
I used Red Hat Linux 5.2 in year 1998 ... and stopped with 7.3 in 2002.

Last edited by pasmoi; 3rd March 2013 at 04:16 PM.
Reply With Quote
  #4  
Old 3rd March 2013, 04:13 PM
DBelton Offline
Administrator
 
Join Date: Aug 2009
Posts: 7,320
linuxfirefox
Re: Binary is verified by the vendor certificate?

There is a big difference in disabling secure boot and disabling uEFI. You can disable secure boot, but still boot uEFI.

Your Windows 8 should still be there, but since you disabled uEFI, you can't boot it. If you enable uEFI, then you should be able to boot Windows 8.

If you have Windows 8 installed in uEFI mode, then you have to install Fedora in uEFI mode to have both available.
Reply With Quote
  #5  
Old 3rd March 2013, 04:53 PM
pasmoi Offline
Registered User
 
Join Date: Mar 2013
Location: somewhere you don't need to know
Posts: 3
linuxfirefox
Re: Binary is verified by the vendor certificate?

lol, no, you don't understand ...

Of course I re-activated everything to try to boot again in windows 8.
But the windows boot is not available anymore.
The special boot partition is still there, but for some reason (maybe what they call "security"), the UEFI refuses to see it or to boot on it. I've even spent half the day on an UEFI shell (tried both v1 and v2) (from an arch linux live dvd), trying to manually boot it ... but that just does not work. I think I understand that their so called "security chain" has been broken.

As I said, when installed in non-uefi mode, fedora has corrupted the windows boot.

Now, when i boot in UEFI secure mode, all i have is a menu with 2 entries:
UEFI: network IPV6 device
UEFI: network IPV4 device

Ho, and for installing fedora in UEFI mode, that's what people getting this "Binary is verified by the vendor certificate" error have well understood, and are trying to do. But that just does not seem possible with fedora on our laptops ... (cf this topic).

Thanks for trying to help me anyway.
But don't worry for me, I'll (probably) get this fixed by the manufacturer. I just posted here so that other people do not destroy their windoz 8 boot like I did.
(I did not expect any help. Yet I'm grateful for you trying to help me).

(A more annoying problem for me is that it's for work that I need both windows 8 and fedora core, on such a computer, and that for now ... as I'm running short on time, I may even have to leave this one like that, with just fedora, and buy another one for just windows 8 ... and of course, (since it's for software testing and low-level software testing), I need native systems and can't use Virtual machines ... maybe if I can recover the windows 8 fast enough, I'll first install an UEFI working linux (with an grubx64.efi), then I'll chroot install the fedora core inside of it ... or maybe I'll just do all I need to do just from the fedora live cd, without installing to hard drive ... ).

Last edited by pasmoi; 3rd March 2013 at 05:01 PM.
Reply With Quote
  #6  
Old 3rd March 2013, 05:00 PM
srs5694 Offline
Registered User
 
Join Date: Jan 2011
Location: Woonsocket, RI
Posts: 521
linuxfirefox
Re: Binary is verified by the vendor certificate?

Quote:
Originally Posted by DBelton View Post
There is a big difference in disabling secure boot and disabling uEFI. You can disable secure boot, but still boot uEFI.

Your Windows 8 should still be there, but since you disabled uEFI, you can't boot it. If you enable uEFI, then you should be able to boot Windows 8.

If you have Windows 8 installed in uEFI mode, then you have to install Fedora in uEFI mode to have both available.
Well said.

I'll add that it is possible to change Linux's boot mode -- you need only install an appropriate boot loader for whatever mode you want to use but aren't using. (You'll probably also have to fiddle with firmware options to get the computer to use the desired boot mode.) For instance, if you've installed Linux in BIOS mode but you want to enable EFI-mode booting, you need to install an EFI boot loader for Linux and then change the firmware settings to get the computer to boot in EFI mode. The tricky thing is that there are obstacles to installing an EFI-mode boot loader when Linux is booting in BIOS mode. There are at least four solutions to this problem:
  • Do it from Windows -- You can install a Linux boot loader from Windows. I don't know of "generic" instructions for doing this, but instructions for installing my rEFInd from Windows are in the rEFInd documentation. This procedure could be generalized to GRUB, ELILO, or whatever.
  • Do it from an emergency boot -- You can boot a Linux emergency disc in EFI mode to do the job. Recent versions of System Rescue CD support EFI-mode boots. You could probably use the Fedora installer, too.
  • Use the fallback boot loader filename -- If no other OS is installed on the computer, you can use the fallback EFI boot loader filename of EFI/BOOT/bootx64.efi (on the ESP) to get your boot loader to boot. This probably won't work if Windows is already installed in EFI mode, though.
  • Hijack the Windows (or other installed) boot loader name -- The Windows boot loader is called EFI/Microsoft/Boot/bootmgfw.efi (on the ESP). If Windows boots in EFI mode, moving that file elsewhere and installing your desired Linux boot loader in its place will get the Linux boot loader booting. You'll probably want to then configure the Linux boot loader to boot the Windows boot loader using its new name. I consider this solution to be impolite at best, and there's a risk that Windows will replace "its" boot loader, thus reverting to a Windows-only boot. Unfortunately, some EFIs are broken and will only boot the Windows boot loader, so this is the only viable option on some systems. This option also has the advantage that it can work from a BIOS-mode boot of Linux. FWIW, my rEFInd boot manager's installation script will install rEFInd in this way if it's run in BIOS mode and if it detects a Windows boot loader.

Of course, to do any of these things, you'll need to have a Linux EFI-mode boot loader, and in most cases you'll need to have it available outside of an RPM package. You may need to know how to configure it, too. See my Managing EFI Boot Loaders for Linux page for pointers on locating and configuring a suitable EFI boot loader.
Reply With Quote
  #7  
Old 3rd March 2013, 05:06 PM
pasmoi Offline
Registered User
 
Join Date: Mar 2013
Location: somewhere you don't need to know
Posts: 3
linuxfirefox
Re: Binary is verified by the vendor certificate?

Hum ... no.
Once the windows boot has been destroyed, that's not possible anymore.

I mean, yes, I've afterward replaced my grub2 by an efi-version of grub 2, but the possibility to boot windows is lost.

I've spent a lot of time learning and trying stuff with an UEFI shell, but it seems that now, only the manufacturer can restore my windows booting.


I'm not 100% sure of it, but in their secure stuff, there probably was a checksum of something that has been altered by installing the "native grub" ... And the chain of security is now considered broken from the point of view of the UEFI system.


By the way, the real matter here is to boot the live DVD in UEFI mode in order to install fedora in UEFI mode.
And effort should be focussed on this "Binary is verified by the vendor certificate" error message.

Last edited by pasmoi; 3rd March 2013 at 05:13 PM.
Reply With Quote
  #8  
Old 3rd March 2013, 05:40 PM
srs5694 Offline
Registered User
 
Join Date: Jan 2011
Location: Woonsocket, RI
Posts: 521
linuxfirefox
Re: Binary is verified by the vendor certificate?

Quote:
Originally Posted by pasmoi View Post
Of course I re-activated everything to try to boot again in windows 8.
But the windows boot is not available anymore.
The special boot partition is still there, but for some reason (maybe what they call "security"), the UEFI refuses to see it or to boot on it.
There are two reasons I can think of for this to happen. Both are correctable:
  • Your NVRAM may have been corrupted or reset, resulting in loss of information in the EFI's boot manager about the location of the Microsoft boot loader file (EFI/Microsoft/Boot/bootmgfw.efi on the ESP). You can correct this problem in Linux from an EFI-mode boot by using the "efibootmgr" utility. Some EFIs also have a built-in tool for doing the same. (Note that "efibootmgr" is useless from a BIOS/legacy-mode boot, though.)
  • The Windows boot loader file may have been deleted. This might have happened if the Linux installer trashed the ESP, for example. This can be corrected by restoring the files from a backup; but unless you have such a backup, the easiest option is to run a Windows recovery tool. I gather such things are available for download, but I don't have a URL handy. Check with your computer manufacturer or with Microsoft, or do a Web search, to find such a tool.

Quote:
I've even spent half the day on an UEFI shell (tried both v1 and v2) (from an arch linux live dvd), trying to manually boot it ... but that just does not work.
If you've gotten an EFI shell to run, then you can look for EFI binaries (files with names ending in .efi) on the ESP and try running them -- especially EFI/Microsoft/Boot/bootmgfw.efi and/or EFI/BOOT/bootx64.efi.

Quote:
I think I understand that their so called "security chain" has been broken.
That doesn't make sense -- at least, not unless you went into the firmware and told it to delete the default set of keys and then replaced them with your own keys. This is a rather involved process, so it's unlikely that you've done it by accident. It's much more likely that you've accidentally deleted the Windows boot loader or removed its entry from NVRAM.

Quote:
As I said, when installed in non-uefi mode, fedora has corrupted the windows boot.
This is possible, although when Fedora installs in BIOS/legacy mode, it doesn't have access to the EFI's boot loader entries; and if you told Fedora to install alongside Windows, it's unlikely that it would have trashed the ESP.

Another possibility is that your firmware is detecting the presence of BIOS-style boot code in the MBR of the hard disk and is therefore booting in BIOS/legacy mode rather than in EFI mode. You might be able to overcome such behavior by adjusting a firmware option, or you might need to delete the BIOS-style boot code:

Code:
dd if=/dev/zero of=/dev/sda bs=440 count=1
This command is rather risky, though; if you mistype a value, you could do a lot of damage to the installation. Also, it will eliminate your ability to boot Linux in BIOS mode. Having a copy of Super GRUB Disk handy can help you recover if this isn't the source of your problem.

Quote:
Ho, and for installing fedora in UEFI mode, that's what people getting this "Binary is verified by the vendor certificate" error have well understood,
That's not an error message. It's generated by the shim.efi boot program, which is Fedora's way of dealing with Secure Boot. The message indicates that shim has verified the authenticity of a follow-on binary (GRUB or the kernel) against its built-in key. Shim displays other messages if the binary is verified against a machine owner key (MOK) or if it's not been authenticated.

If you're seeing that message but the computer then reboots, hangs, or otherwise misbehaves, chances are you've got a buggy boot loader, a kernel/hardware incompatibility, or some other problem that's not related to Secure Boot.

Quote:
But don't worry for me, I'll (probably) get this fixed by the manufacturer.
You can almost certainly get this working without the manufacturer's help; and going to the manufacturer will just put you back at Square One in dealing with the installation. Using an EFI shell, as you've managed to do, is one way to proceed, although of course you need to know what you're doing with the shell. (See my tips earlier.) I have two more suggestions:
  • Download the USB flash drive or CD-R image of my rEFInd boot manager. Disable Secure Boot but enable EFI-mode booting in your firmware and try using rEFInd. It's conceivable that it will find your Windows boot loader and enable you to boot it. With the right configuration, it can also boot Linux, although you'll probably need to add a configuration file or manually adjust your boot options to get Linux to boot. There are many possible paths to recovery once you get rEFInd launching, but the best path depends on what you find, so I can't provide a simple step-by-step guide, especially not without more information. If you try this method and have some success but don't quite get everything working, post back with details.
  • Run the Boot Info Script and post the RESULTS.txt file that it generates, either as a link or between code tags. This will provide us with detailed information about your partitioning and installed boot loaders. Such information will help in diagnosing your problem and coming up with a solution.


---------- Post added at 12:40 PM ---------- Previous post was at 12:31 PM ----------

Quote:
Originally Posted by pasmoi View Post
I've spent a lot of time learning and trying stuff with an UEFI shell, but it seems that now, only the manufacturer can restore my windows booting.
I can guarantee that you're mistaken. If nothing else, installing a retail copy of Windows will work. That's drastic, though, and chances are there are easier ways to do it.

Quote:
I'm not 100% sure of it, but in their secure stuff, there probably was a checksum of something that has been altered by installing the "native grub" ... And the chain of security is now considered broken from the point of view of the UEFI system.
That wouldn't happen unless there was filesystem corruption, and if that were the case, the problem would be more fundamental than a Secure Boot violation, since the boot loader binary would be damaged.

Furthermore, it's possible to disable Secure Boot without disabling UEFI booting. In fact, you mentioned booting an Arch Linux live CD in EFI mode earlier, and Arch doesn't yet support Secure Boot. Thus, you must have disabled Secure Boot in your firmware, at least when booting Arch.

Thus, I can conclude with 100% certainty that your problem is not fundamentally a Secure Boot problem, with the caveat that if you're fiddling with your firmware settings, you could be enabling and disabling Secure Boot and therefore changing that detail as you do your testing.

Quote:
And effort should be focussed on this "Binary is verified by the vendor certificate" error message.
As noted in my last post, that's not an error message; it indicates that shim's Secure Boot checks have succeeded!

Please note that I know what I'm talking about on this subject; I maintain rEFInd, and I've dealt with Secure Boot on the level of source code within rEFInd. I don't know it as well as Matthew Garrett, but I know it better than most who post here.
Reply With Quote
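
Added example, not part of srs5694's post or of any project's code: a read-only shell script for the checks the reply above walks through (EFI vs. BIOS boot mode, Secure Boot state as a separate setting, BIOS-style boot code in the first 440 bytes of the disk, and whether the two loader files exist on the ESP). The function names are made up for this example; it assumes a Linux system with efivarfs at /sys/firmware/efi/efivars and an ESP that you have mounted yourself.

```shell
#!/bin/sh
# Read-only boot diagnostics (added example; function names are hypothetical).
# Nothing here writes to the disk, the ESP or NVRAM.

# boot_mode [root]: "efi" if the running kernel was started by EFI firmware.
# The optional root prefix exists only so the check can be tried on a test tree.
boot_mode() {
    if [ -d "${1:-}/sys/firmware/efi" ]; then echo efi; else echo bios; fi
}

# secure_boot_state [root]: Secure Boot is a separate switch from EFI mode.
# efivarfs puts 4 attribute bytes in front of the variable; byte 5 is the value.
secure_boot_state() {
    var="${1:-}/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032c8c"
    [ -r "$var" ] || { echo unknown; return; }
    val=$(od -An -tu1 -j4 -N1 "$var" 2>/dev/null | tr -d ' \n')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# mbr_boot_code <disk-or-image>: "present" if any of the first 440 bytes is
# non-zero, i.e. the BIOS-style boot code that some firmware treats as a
# reason to boot in legacy mode. The partition table (bytes 446+) is ignored.
mbr_boot_code() {
    [ -r "$1" ] || { echo unreadable; return; }
    nonzero=$(dd if="$1" bs=440 count=1 2>/dev/null | tr -d '\000' | wc -c | tr -d ' ')
    if [ "$nonzero" -gt 0 ]; then echo present; else echo absent; fi
}

# esp_loaders <esp-mountpoint>: report whether the Windows loader and the
# fallback loader exist. FAT is case-insensitive, so match with -ipath.
esp_loaders() {
    for want in EFI/Microsoft/Boot/bootmgfw.efi EFI/BOOT/bootx64.efi; do
        hit=$(cd "$1" 2>/dev/null && find . -type f -ipath "./$want" | head -n 1) || hit=""
        if [ -n "$hit" ]; then echo "$want: present"; else echo "$want: missing"; fi
    done
}

# report <disk> <esp-mountpoint>, e.g.: sh bootcheck.sh --report /dev/sda /boot/efi
report() {
    echo "boot mode:     $(boot_mode)"
    echo "secure boot:   $(secure_boot_state)"
    echo "MBR boot code: $(mbr_boot_code "$1")"
    esp_loaders "$2"
}

if [ "${1:-}" = "--report" ]; then
    report "$2" "$3"
fi
```

If the loader files are present but the firmware menu does not list them, the NVRAM entry is the likelier culprit, which is the case the post says "efibootmgr" handles from an EFI-mode boot.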
  #9  
Old 4th March 2013, 01:19 AM
Computerphile Offline
Registered User
 
Join Date: Nov 2009
Location: Bergen, Norway
Posts: 62
linuxchrome
Re: Binary is verified by the vendor certificate?

Disabling secure boot worked for me btw, but then again, I never intended on keeping any windoze leftovers at all. Though, the road to disabling wasn't exactly intuitive, since the first thing I found was a "Standard" vs "Custom" choice, while the real disable secure boot option was hidden like a ninja.
__________________
Powered by: Fedora 15 (and on a really good day: Macallan Fine Oak 18 year old + Cohiba Siglo VI)
Reply With Quote
  #10  
Old 4th March 2013, 12:47 PM
greeniebean Offline
Registered User
 
Join Date: Mar 2013
Location: here
Posts: 3
macosfirefox
Re: Binary is verified by the vendor certificate?

Ok, I'm sorry, but I'm a bit new to these uEFI problems.

Like the OP, I'm getting this "Binary is verified by vendor certificate" error followed by a hang. Unlike the OP, I only want to run Fedora as a live USB. However, I never installed Linux and with one notable exception, my Windows partition is okay. (The exception is the live Ubuntu usb I tried before Fedora seems to have installed grub on my laptop and now I can't get it off. But that's a subject for a different thread.)

And if the problem is that Fedora doesn't support my hardware, is there an easy way to take Fedora's shim to a version of Linux that does? If so, how?

I am running an Asus X55A with Windows 8. Is there a Boot Info Script for it? If so, where do I find it?

So far I have tried:

1) Finding a legacy BIOS mode. It turns out that my new computer doesn't have one.

2) I have tried secure boot both enabled and disabled.

3) I have gone into the Windows command window at startup and run bootrec.exe /fixmbr and /fixboot

4) I have both refreshed and reformatted my disk with a retail copy of Windows; both options didn't work.

Please keep in mind that I would rather not install Linux on my machine; I just want to load it into RAM as a live USB.

Thank you!
Reply With Quote
  #11  
Old 4th March 2013, 03:33 PM
srs5694 Offline
Registered User
 
Join Date: Jan 2011
Location: Woonsocket, RI
Posts: 521
linuxfirefox
Re: Binary is verified by the vendor certificate?

My first recommendation is to disable Secure Boot. You'll find an option for this in your firmware (what most people persist in calling "BIOS," although that's incorrect) setup screens, but where and under what name varies greatly from one computer to another. You may need to dig for it.

You might also have luck by changing your kernel boot options. Using "nomodeset" helps with some recent computers, for instance.

AFAIK, Boot Info Script works only from Linux; however, you can run it from an emergency system like Parted Magic or System Rescue CD, if you can get one of these to boot.

Chances are your firmware does have a legacy/BIOS/CSM mode, but that's not 100% guaranteed. As with disabling Secure Boot, where you find this option varies greatly from one computer to another. It may even be hidden completely if certain other options are enabled. For instance, a "fast boot" mode might hide the legacy/BIOS/CSM option.

Yes, you can use Fedora's shim on another distribution, but you'll need to add a key to your machine owner key (MOK) list and sign your other distribution's copy of GRUB. See my page on Secure Boot for details.
Reply With Quote
  #12  
Old 4th March 2013, 05:01 PM
greeniebean Offline
Registered User
 
Join Date: Mar 2013
Location: here
Posts: 3
macosfirefox
Re: Binary is verified by the vendor certificate?

Thanks!

Is the firmware option different from the bios screen? If I'm reading the manual correctly, on my model it's F2. Just to be safe I tried both F7 and Delete, and got the normal Windows startup screen. No luck. But I did some Googling, and it looks like they removed the option entirely from my model. I really, really hope I'm missing something, though.

Unfortunately, I can't run Parted Magic or System Rescue CD because I can't run a live USB or even a Live System CD. In fact, I don't even have a Windows CD -- just the Windows partition that came with the laptop. Are there windows versions of these programs that come packaged with the Windows rescue console?

Your page is an excellent overview, but it seems to be a bit more for advanced/intermediate-advanced users. Unfortunately, I'm definitely an elementary-to-lower/intermediate user. I use Linux all the time, but only live USBs for banking. Is there an easier how-to for people like me?

Do you know how long it will be before the uEFI craziness will be resolved for those of us who rely on the graphical installs? At this point I'm debating whether to sell it and build my own desktop or wait for other distros to release builds that'll work with it.

I never really felt one way or another about Microsoft before, but now I really, really hate them. /tangent

Once again, thank you for all your help!
Reply With Quote
  #13  
Old 4th March 2013, 06:48 PM
Ihatewindows Offline
Banned
 
Join Date: Oct 2012
Location: Fort Wayne, IN
Posts: 1,135
linuxfirefox
Re: Binary is verified by the vendor certificate?

Quote:
I never really felt one way or another about Microsoft before, but now I really, really hate them. /tangent
+1. Linux doesn't need activation, keycodes, and it doesn't suck the lettuce out of my wallet.

Do you have a netbook? How come you can't boot from CD/USB?
Reply With Quote
  #14  
Old 4th March 2013, 11:01 PM
greeniebean Offline
Registered User
 
Join Date: Mar 2013
Location: here
Posts: 3
macosfirefox
Re: Binary is verified by the vendor certificate?

Quote:
Originally Posted by Ihatewindows View Post
+1. Linux doesn't need activation, keycodes, and it doesn't suck the lettuce out of my wallet.

Do you have a netbook? How come you can't boot from CD/USB?
I just got a new throwaway netbook to take with me on a work trip, but it didn't come with a CD or USB. It just came with a 20 GB partition on the HDD. Evidently it's the trendy new way to get us to spend even more money, because when I was thinking of upgrading to Lion, they told me that (1) they'd only do it via download, and (2) a USB would cost $70.

I also double checked my computer. I was definitely in both the firmware and the BIOS settings before. I ran through it again and got a different error message when I disabled secure boot. (Something like "Secure Boot not enabled.")

The only thing I don't understand at all is the Launch CSM option. Is that another way of saying it's the Legacy BIOS? The picture in my manual is of a different Asus model where it clearly states it has a Legacy BIOS option, and I'm getting conflicting answers online. Actually, I think they're just too technical for me to understand.

Should I try:

1) Turning off Fast Boot
2) Turning on Launch CSM
3) Turning off Secure Boot

And seeing what happens, or will that break it?

Thank you!

---------- Post added at 11:01 PM ---------- Previous post was at 10:33 PM ----------

SOLVED!

For Windows 8/Asus X55A...

1) Hit F2 while booting.
2) Use the arrow keys to shift over to "Advanced."
3) Go to "Fast Boot" and hit "Disabled"
4) Go to Launch CSM and hit "Enabled." (Note that Fast Boot will disappear.)
5) Leave the Launch PXE OpROM option Disabled. (I don't know what that does, TBH.)
6) Go down to Boot option Priorities and make sure that your USB is #1 and your DVD is #2.
7) Go to the Security menu and go Secure Boot Control. Disable it.

This won't help you boot the newest version of Fedora, but this will let you boot some other Linuxes. I tested Debian/Tails since I'm going to China for work soon. You should be able to boot the older versions of Fedora with it, right?

Thanks for helping me everyone!
Reply With Quote
  #15  
Old 18th August 2013, 10:07 PM
EdOhh Offline
Registered User
 
Join Date: Aug 2013
Location: SlowerLowerBucksCounty
Posts: 1
linuxfirefox
Re: Binary is verified by the vendor certificate?

I registered with the forum just to say thank you very much. I was fighting with installing over a preloaded win8 on my kids HP and I continually got the same message at startup. But this guided me through it fairly easily. Thanks so much again.
Reply With Quote