Long story short, I have a laptop where no one remembers the BIOS password. Secure Boot is enabled and it probably won’t be turned off ever unless someone finds an old post-it somewhere.
Installing Ubuntu 24.04 worked fine so that will keep it from turning into e-waste for the time being, but after some bad experience with ZFS and Grub I’d really prefer putting ZFSBootMenu on it. Which I tried and failed at.
I’m guessing that the problem is ZFSBootMenu not being signed by the almighty Microsoft Secure Boot key while the Ubuntu executables (I’m guessing both Grub and the kernel?) are. I see there should be possibilities to add signing keys to the UEFI key store, but I’m pretty sure that is locked down due to the mentioned BIOS password. I did however wonder if there’s a chance that using Ubuntu’s signed Grub to then boot ZBM would be a viable option, or if that would fail at the unsigned ZBM kernel as well. Yes, this totally negates the point of less complexity, but it would enable the snapshot-rollbacks and be an interesting exercise.
I realize that I’ll probably just cut my losses, count my blessings and be happy that I could install a fresh new OS on what could very quickly have turned into a paperweight, but I am curious if someone has played around with this at all. As a last-ditch Hail Mary, I was also wondering if by pure luck a machine was on the list - there would be a chance to sign ZBM with the leaked test-keys that surfaced recently.
Considered ZFSBootMenu installed to a USB and booting from that?
I’ve had similar problems as I tend to build on a secondary machine and then move the disk to my main workstation with lots of “fail to boot” experiences. ZFSBootMenu on USB has allowed me to boot machines that otherwise wouldn’t.
So when I said I failed at putting ZBM on it, I’m pretty sure I actually succeeded just fine but that the machine refused to boot because the ZFSBootMenu EFI image is unsigned. I don’t think putting it on a USB drive would change that unless Secure Boot enforcement is ignored for external devices.
Didn’t mean to be dismissive. I just don’t really see how putting ZFSBootMenu on a different drive will change Secure Boot not accepting its signing key (which I believe is the problem I’m facing). Have you experienced variations in how Secure Boot handles “internal” vs. “external” media?
Down the rabbit hole, shall we? Not an expert and not knowing your particular circumstance, PC configuration. Just generally curious in a practical way.
Of course Secure Boot (SB) is neither necessarily secure, nor standardised. Variations exist across motherboards and BIOSes. I too have no time for MOKs and shims.
If you can boot from (Legacy?) USB (Installed Ubuntu from USB?), you haven’t necessarily been subjected to SB. No? So if you can install Ubuntu on ZFS to disk, yet can’t boot from disk, then ZFSBootMenu installed on a bootable USB, with a BIOS configured to boot from USB first, should circumvent SB.
My only experience is as previously described, and SB on this machine is as wonky and confusing as I have seen. Boot from USB is the first option.
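The guess earlier in the thread, that the ZFSBootMenu EFI image is unsigned while Ubuntu's boot binaries are signed, can be checked from the running system. This is an added example, not code from any poster or from the ZFSBootMenu project: it reads the PE certificate table of an EFI image and reports whether an Authenticode signature is attached. The function names and the sample header are constructed for illustration, and a signature being present only shows the image was signed by someone, not that this firmware's key database trusts the signer.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode signature blob

def certificate_entries(image: bytes):
    """Return (length, revision, cert_type) for each PE certificate table entry."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE/EFI image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe_off + 24                      # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data directories
    (count,) = struct.unpack_from("<I", image, dirs - 4)
    if count <= 4:                         # certificate table is directory index 4
        return []
    # For this one directory the "address" is a file offset, not an RVA.
    table_off, table_size = struct.unpack_from("<II", image, dirs + 4 * 8)
    entries, pos = [], table_off
    end = min(table_off + table_size, len(image))
    while table_size and pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8:                     # malformed entry, stop rather than loop forever
            break
        entries.append((length, revision, cert_type))
        pos += (length + 7) & ~7           # entries are 8-byte aligned
    return entries

def has_authenticode_signature(image: bytes) -> bool:
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, _, t in certificate_entries(image))

def constructed_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a real bootloader."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x20B)          # PE32+ magic
    struct.pack_into("<I", buf, opt + 108, 16)       # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", buf, opt + 112 + 32, 0x200, 16)
        buf += struct.pack("<IHH", 16, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + bytes(8)
    return bytes(buf)

if __name__ == "__main__":
    for label in (False, True):
        img = constructed_sample(label)
        print(label, has_authenticode_signature(img), certificate_entries(img))
```

To inspect a real image, pass the file's bytes (for example `open(path, "rb").read()`) to `has_authenticode_signature`.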