
It started with my computer hanging at the posting screen (the HP logo with text under it that says: "protected by hp sure start"). It kept hanging for MINUTES before it went on to boot my OS.

I decided to try to fix it, so I did a CMOS reset. After that it decided to not even turn on again. After waiting for a while I came back to press the on button and it just turned on.

After that it wouldn't boot to my drive, which has Debian installed on it, nor my USB flash drive that has Ventoy on it, but it tried to boot through the network for some reason. I removed the ethernet cable just to get a message saying that there is no bootable device, which is wrong.

Somehow, I unplugged the USB flash drive and plugged it back in and I restarted the PC, and it tried to boot into the USB flash drive (which is progress), but I got a message in the neighborhood of "Verification Failed: (0x1A) security violation". After a while, with my little knowledge, I knew it's a secure boot problem (it's on by default). I tried to tinker with it in the UEFI settings, but the settings didn't get saved although I clicked "save settings and exit" after disabling secure boot.

The option that disabled secure boot was titled "clear secure boot keys".

Time to sleep, left it for tomorrow. The next day, I literally just pressed the on button, and now it decided to boot from the USB flash drive into VentoyOS. I happily removed the USB flash drive so I could boot the drive (on which Debian is installed), but nothing. My guess was that resetting the CMOS cleared the UEFI boot configurations!

I just reinstalled the grub on the drive and it finally booted. I used the computer all day, but the day after (which is today), I just turned on the PC to find out that it would boot to only one of my dually installed Debians, specifically the one with the grub installed on it.

I have two Debian installations, each on its own drive. Number 1 is the last one installed (in time), which has the grub boot loader that lists both of them, and number 2 is the one that won't boot.

So, it cannot boot to number 2 (the one that doesn't have the grub installed in it), but when I boot to number 1, it boots alright, but it says, "booting in blind mode" or something similar.

Another thing I noticed is that the message "protected by hp sure start" is being skipped (for some reason).

But then there is this option in the grub menu that says "UEFI settings". When I press it, it takes me to the UEFI menu with the first option being "continue booting"; when I click that, I just boot really normally, with no "blind booting" or anything, to both Debian installations.

Questions

This is annoying, but I also want the best of both worlds, so I have some questions:

  1. Why was all of that happening? A short little explanation would really help.
  2. How can I use that as a feature? I like the fact that it tried to boot into the drive so fast by skipping the hp screen.

This is an OEM motherboard, with a, probably, really bad firmware. But what do I know, it might be a feature that I'm not familiar with.

  • Your last two sentences do not make sense, please edit your question and clarify it.
    – Ramhound
    Commented Jan 20 at 6:17
  • Thanks, I hope it's clear now. Commented Jan 20 at 7:00
  • This might help for the "booting in blind mode" message.
    – harrymc
    Commented Jan 20 at 11:31
  • This question would benefit from some editing =] The issue is incorrect UEFI firmware settings, which have been reset to default by doing a CMOS reset. The issue(s) can be found within the Boot page of the UEFI firmware settings and any other page with drive settings such as AHCI, RAID, etc. Things to look for: drive Boot Order, Secure Boot should be enabled, CSM [legacy] Mode should be disabled, etc. Sometimes a distro may need to have itself added to the EFI boot order, but it's rare since UEFI has built-in bootloader certs for every major OS a motherboard is designed to run.
    – JW0914
    Commented Jan 20 at 12:22
  • I edited it a bit, idk if it's better now. If I enable secure boot, it'll prevent me from booting into the drives, there must be some other option that satisfies secure boot's requirements that is not configured correctly by default. Also before I "reseted" the UEFI, I haven't touched anything in the UEFI config. Commented Jan 20 at 14:03

1 Answer


You have not disabled Secure Boot. What you did was to delete from the UEFI the database for Secure Boot, which would render the UEFI unable to boot since no corresponding signatures/checksums to secure operating systems would be available.

I suppose that your two Debian systems were installed in different modes, so only one is blocked by the fact that its secure boot can no longer be verified.

I can think of the following solutions:

  • Install a new version of the UEFI for your computer model, downloaded only from the manufacturer's website. Even installing again the same UEFI version over itself might fix the problem by returning the missing secure keys.

  • Truly disable Secure Boot in the UEFI. I don't have an HP computer, but link1 mentions a UEFI setting in "Secure Boot Settings > Attempt Secure Boot", and link2 mentions "Security > BIOS Sure Start" and to uncheck the box for "Sure Start Secure Boot Keys Protection". Search for these UEFI entries or similar ones.

Ensure you have external backups for your data before doing any UEFI modifications.

  • I just changed the boot order this morning and there was a booting option called "TOSHIBA (something)", I guess that was the UEFI itself??? However, when I put it first, the message "protected by hp sure start" started appearing again and both Debians are now booting just fine. I thought I'd install the grub on my main Debian installation and put the "TOSHIBA (something)" back down again, for faster boot again, but I don't know if that would cause some major problems down the road. Also what if I just reset it again, would that return the keys back? Commented Jan 21 at 4:07
  • Also "UEFI boot option" being down the list of booting options only allows one of the drives to boot. Unless I boot into UEFI from the grub boot loader and get back to grub again (just two options away). Commented Jan 21 at 5:45
  • Have you tried my two suggestions?
    – harrymc
    Commented Jan 21 at 9:24
  • Well, re-installing the firmware is not worth the risk from my standpoint, and about disabling the secure boot, I think I'll do that, it's not that useful. The problem is not that I'm not able to boot, because I can now, I just thought I'd benefit from "blindly booting" since it's faster, that's my main concern right now. I can use it just fine with one drive but not the other. You've mentioned different modes, I wonder what those are and how I can make sure they're both installed in the same one, if that might make them both bootable in blind mode. Commented Jan 21 at 10:17
  • I meant that one installation passes Secure Boot and the other doesn't. I don't know what was in the Secure Boot database that you deleted, but something evidently was left and allowed one of the installations to boot.
    – harrymc
    Commented Jan 21 at 10:36
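
The difference discussed above between clearing the Secure Boot keys and switching Secure Boot off can be checked from a running Debian system. This shell function is an added example (not code from the answer or from HP); it reads the standard UEFI variables that Linux exposes under /sys/firmware/efi/efivars, and the state labels it prints are names chosen for this example.

```shell
#!/bin/sh
# Added example: classify the Secure Boot state from Linux efivarfs.
# Each efivarfs file is 4 attribute bytes followed by the variable's data.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID
EFI_IMAGE_DB=d719b2cb-3d3a-4596-a3bc-dad00e67656f # image security database GUID

# Print the first data byte (offset 4) of a variable; nothing if unreadable.
efi_byte() {
    [ -r "$1" ] || return 0
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# Print the payload size in bytes (file size minus attributes); 0 if absent.
efi_payload_size() {
    [ -r "$1" ] || { echo 0; return 0; }
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -gt 4 ]; then echo $((size - 4)); else echo 0; fi
}

# Print one state label (hypothetical names, chosen for this example).
secureboot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo "not-uefi"; return 0; }   # legacy/CSM boot
    sb=$(efi_byte "$dir/SecureBoot-$EFI_GLOBAL")      # 1 = enforcing
    setup=$(efi_byte "$dir/SetupMode-$EFI_GLOBAL")    # 1 = no Platform Key
    pk=$(efi_payload_size "$dir/PK-$EFI_GLOBAL")
    db=$(efi_payload_size "$dir/db-$EFI_IMAGE_DB")
    if [ "$setup" = "1" ] || [ "$pk" -eq 0 ]; then
        # Keys were cleared: firmware is in Setup Mode and verifies nothing.
        echo "setup-mode-keys-cleared"
    elif [ "$db" -eq 0 ]; then
        # Platform Key enrolled but the allowed-signature database is empty.
        echo "db-empty"
    elif [ "$sb" = "1" ]; then
        echo "enforcing"
    else
        # Keys still enrolled, enforcement switched off in firmware setup.
        echo "disabled-keys-present"
    fi
}

# Report the state of the running system (or of a directory given as $1).
secureboot_state "$@"
```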
