Secure Boot Shim-anigans Ahoy!

So, I had to purchase a new laptop for someone, and as usual it came with the entire SSD capacity allocated, which I still feel is bad practice. Leaving some space unallocated (space the drive firmware knows is free, assuming TRIM is supported by the OS, the controller and the drive, which AFAIK all “modern” OSes and hardware do) gives the drive’s wear-levelling more room to work with and thereby extends the SSD’s lifespan.

To do so, I use a “rule of thumb” of leaving ~20% of the disk unpartitioned, at the “end” of the disk (from the “logical” view of the partition table, regardless of whether it is MBR or GPT). Usually, I simply use a “multi-boot” USB stick created with YUMI or Ventoy (the former now looking like a “wrapping” of the latter in its latest “exFAT” variant).

Aware of the shenanigans/rain dance required to make UEFI secure boot work from such bootloaders, having done it hundreds of times before (though not for a while), I simply (1) disabled CSM in the BIOS, (2) enabled secure boot (and rebooted), and (3) manually loaded the ENROLL_THIS_KEY_IN_MOKMANAGER.cer from the prepared Ventoy USB disk into the key store via the BIOS…

I then confidently rebooted the laptop, selecting the USB stick’s UEFI entry as the boot device, and ran headlong into a wall with a sickening SMACK. The wall was black, with only the words “Verifying shim SBAT data failed: Security Policy Violation” emblazoned across the top…

Attempting to fix this on the “new” laptop took me off on a tangent, wasting nearly half a day researching and resolving it… Hopefully the “summary” below helps someone else, assuming you have a working Linux system that can mount the USB device’s bootloader (i.e. its EFI partition), since Windows cannot (without jumping through hoops)…

Missing The (Mount) Point…

So my Silverstone DS-380 casing’s power LED seems to have bought it… In an attempt to fix it (or at least test it), I had to get to the motherboard, and that meant removing all the drives, the drive cage, etc… Since piecing everything back together again was a pain, I left the 3.5″ spinning-media drives out while booting the system several times during testing.

After giving up on the power LED, I plugged everything back in, drives included… only to find that, of some 11 different ZFS sub pools, 10 were missing.

My heart stopped and the universe whirled around me…

zpool status showed the drives were all present and accounted for…

Thankfully, zfs list showed all my ZFS sub pools/”partitions” were still there… So, what gives?

My Name Is Bond… eno1 and enp3s0 Bond…

With two NICs available on my motherboard (one Intel I217V and one Atheros AR8161B), and although the product specifications warn that “teaming is not supported”, I am aware that any capable network stack can handle teaming in software (driver quirks aside, and assuming certain hardware acceleration features like TCP offloading are disabled).

Of course, a proper LACP/802.3ad (bonding mode #4) setup requires support from the upstream networking equipment (i.e. your network switch must support it too). Fortunately, I happen to have a TP-Link TL-SG3424P managed switch which does. Obviously, this is overkill, and I highly recommend the TP-Link TL-SG2008 if 8 ports are sufficient. As I had the chance to run multiple Cat6 cable runs from the closet/store to the various rooms in my apartment when it was renovated, I could, and do, use an SG2008 as a trunk switch in my study, link-aggregated to the SG3424P.

Network Manager

Some instructions on the big, bad Internet mentioned using the Network Manager from the desktop. All that did was mess up the settings.

Fortunately, I had backups of the /etc/network/interfaces file, with which I could revert the damage the Network Manager did. So, I finally did the sane thing and just disabled the Network Manager:

If You Want Something Done Right, You Have To Do It Yourself…

So, we come back to the good ol’ shell…