mkusb grub doesn't work with secure boot on (lubuntu live persistent usb)

Question

I'd like to make a persistent-live-usb lubuntu 22.04 that works on systems with enabled Secure Boot (bios option).

I've tried the dus-persistent method in mkusb, but I'm only able to access the grub (made by mkusb) when secure boot is off. During the install I've ticked the options 'msdos', 'upefi', 'd-n-i' (because I wish the system to be compatible with as much hardware as possible). The usb produced this way contains also a standard (non-persistent) lubuntu live that works with secure boot on. Only the grub that contains the persistent boot options isn't accessible when secure boot is on. Tested on UEFI.

I need to boot the system just by going to a one-time boot menu (usually F12 key on most pcs).

Edit2: on a second try mkusb-plug did what I needed (see the answer of sudodus) although imperfectly-slowly (see discussion under their answer)

You can try formating the flash drive to FAT32, extracting the iso file into the partition and installing grub2 to boot into it with "persistent" parameter attached. I used to do this in college with Lubuntu and Xubuntu, I will try to make a USB and report back with an answer. — Strong will, Oct 01 '23 at 22:17
@andrej, Do you need a full desktop environment? Would it be OK with a simple window manager or even a text screen? In that case you can start from a compressed image of Ubuntu Server (version Jammy alias 22.04.x LTS) according to this link and maybe add a simple window manager (for example fluxbox) according to this link. — sudodus, Oct 03 '23 at 08:19
@andrej, I verified that a working Ubuntu Server can be made from the compressed image of Ubuntu Server (version Jammy alias 22.04.x LTS) for a Dell Latitude 3520 with secure boot. There is a delay of approx 2 minutes during boot (after it complained 'unable to get SMM Dell signature'), but have faith, it will come back and prompt you to log in. -- And this system is very light-weight and snappy, when you have logged in. — sudodus, Oct 03 '23 at 11:36

sudodus · Accepted Answer · 2023-10-20T12:09:59.723

4

Persistent live USB drives for secure boot

When you tick the option 'msdos' in 'dus-persistent' of mkusb, you will prepare the persistent live system for really old computers.

I would recommend using the default settings in order to get good portability between new and 'middle-aged' computers. Before writing this answer I made a persistent live system from the current Lubuntu LTS iso file [using 'dus-persistent']

dus lubuntu-22.04.3-desktop-amd64.iso

and tested it in a Lenovo V130 in UEFI mode with secure boot. It works, as illustrated with the following screenshot,

It works for me with a persistent live drive made by mkusb-plug too, as illustrated with the following screenshot,

Edit: added test in Dell Latitude 3520

It worked for me to boot a persistent live system made by 'mkusb-plug' in a Dell Latitude 3520 with an Intel generation 11 i3 CPU (so rather new and with a modern 'tight' secure boot system). See the following screenshot,

Edit 2: `dus-iso2usb` improved for new computers.

In 'mkusb' version 23.1.6, 'mkusb-plug' (version 2.8.7 and newer versions) works in new computers (for example Dell Latitude 3520).

In 'mkusb' version 23.2.0, after upgrading the grub boot structure of 'dus-iso2usb' (from grub 2.0.6 to grub 2.12-rc1) it works in UEFI mode with secure boot in new computers too (tested in Dell Latitude 3520).

'Memtest86+ v6.20' is also added, and it can run in UEFI mode (but not with secure boot).

Persistent live USB drives for some old computers

However, there are old computers, that need other settings [than the default] in order to boot, and I suggest using another USB boot drive for that purpose. You have already explored the settings available in 'dus-persistent'.

In some old computers, some of the settings available in 'dus-iso2usb' may work (when 'dus-persistent' and 'mkusb-plug' fail to make bootable USB drives).

Only 64-bit architecture

Please remember that the current versions of Lubuntu use 64-bit architecture. It means that 32-bit computers need some other Linux distro, for example Debian or Puppy Linux.

edited Oct 20 '23 at 12:09

answered Oct 02 '23 at 08:45

sudodus

46,324
5
88
152

1

Thank you for the answer! I've used the default settings in dus-persistent ('msdos' unticked) on a Dell P54G laptop as you suggested. With Secure Boot enabled and booting into the grub with persistent options, the computer goes into 'Dell hardware diagnostics' and reports no bootable media. With Secure Boot disabled, the grub and the persistent system boots OK.
I've used dus 23.1.6 with lubuntu-22.04.3-desktop-amd64.iso, running on a persistent live system made by the method explained in my first post. The target usb was plugged into the pc after booting.
– andrej Oct 02 '23 at 19:46
@andrej, I looked for the specs of Dell P54G and found 'Datormodell XPS 9350 Processor • 6:e generationen Intel Core i3. i5, i7'. Is that correct? In that case the computer is some years old, and it should boot according to my descriptions. I have tested both newer and older Dells. If there is a newer UEFI-BIOS system, I suggest that you upgrade it and try again. (I know that several Dells have problems that are solved after the UEFI-BIOS is upgraded, but I don't know about your particular computer. -- Is there a way to 'allow USB boot with secure boot' in the UEFI-BIOS menus? – sudodus Oct 02 '23 at 20:11
the specs are correct. Sadly I can't upgrade BIOS since it is not my PC, I'm travelling without a computer and using a persistent live usb across different devices here and there, so I need maximum portability and make no changes to other people's machines. In the meanwhile I tested also the mkusb-plug method again and it produces only one bootable partition, that with Secure Boot enabled gives error: file 'boot' not found after which it goes into the live-only (non persistent) boot options (Try or Install Lubuntu/...) – andrej Oct 02 '23 at 20:36
@andrej, When made persistent live by mkusb-plug, the grub menu 'Try or Install Lubuntu' means persistent live (the first boot option in the list). Did you check if you could boot into it and if it was really a persistent live system? – sudodus Oct 02 '23 at 20:46
@andrej, It works for me in a rather new Dell. See the edited answer. – sudodus Oct 02 '23 at 21:18
1

I tested the one made with mkusb-plug and it did work indeed as a persistent live no matter the error. The boot was very slow compared to the dus-persistent method, it took maybe 15min to boot up (upon boot the system was extremely slow), where a non-persistent live lubuntu on the same usb stick takes maybe a minute or two (and is OK-ish in terms of speed to work with). Thank you for the help, I'll keep exploring the options further to make a faster persistent live usb that works with enabled secure boot. Your answer was correct. – andrej Oct 02 '23 at 21:25
@andrej, I'm glad that I could help you find a method that works, even if it is not perfect. – sudodus Oct 02 '23 at 21:29
1

I've tested dus-iso2usb on mkusb 23.2.0 (default settings) and it did produce a persistent live Lubuntu 22.04 that I could boot with Secure Boot Enabled on a Dell latitude E6430. The persistent system was also faster compared with the one produced with the older mkusb-plug. Thank you for the upgrade! Nevertheless, the speed was still too slow to use (boot took several minutes, opening of apps as well). The live (non-persistent) system on the same stick was fast and snappy. Also I missed the 'persistent live to RAM' option in the grub menu which I use very often on my current system. – andrej Dec 08 '23 at 12:03
@andrej, Thanks for the feed-back. You can easily edit the grub.cfg file and add the boot option toram on the 'linux' line of the menuentry for booting a persistent live system. -- The persistent live system is slow because of the slow read speed of the USB drive. If you use an SSD connected via USB3 instead of a USB pendrive, you will get a much more responsive system. – sudodus Dec 08 '23 at 16:01