Skip to main content

Team,

Having a hard time trying to get physical server boot from the bootable media if Secure boot enabled. Docs says it is supported, but I can boot up from the media as soon as it is disabled. See the error below. Any suggestions?

 

 

Cheers,

Alex

You can try some of the suggestions here - https://www.veeam.com/kb4183

 


Thanks Chris, unfortunately non of the suggestions works.


@Mildur 


Because of the veeamsnap module you’ll need to import Veeam’s public key in order to make it work with Secure Boot.

To make UEFI systems with Secure Boot work with the pre-built veeamsnap kernel module, Veeam Agent requires the Veeam public key enrolled to the MOK list. The key is available in the veeamsnap-ueficert-5.0.2.4567-1.noarch package residing on the Veeam software repository. Veeam Agent requests the key enrollment during the package installation. After that, you must reboot computer to enroll the key into the UEFI database.

After the package installation, you can check that the key enrollment is planned for the next reboot with the following command: mokutil -N. If the command output shows that the key enrollment is not planned, you can do the following:

  1. Request the enrollment of the public key manually with the following command: mokutil --import veeamsnap-ueficert.crt.
  2. Reboot the Veeam Agent computer to enroll the key into the UEFI database.
  3. Check that the key is successfully enrolled with the following command: mokutil -l.

https://helpcenter.veeam.com/docs/agentforlinux/userguide/installation_process.html?ver=50


Another workaround could be disable secure boot, restore, enable secure boot again.

But @regnor has already fully answered why :)


Because of the veeamsnap module you’ll need to import Veeam’s public key in order to make it work with Secure Boot.

To make UEFI systems with Secure Boot work with the pre-built veeamsnap kernel module, Veeam Agent requires the Veeam public key enrolled to the MOK list. The key is available in the veeamsnap-ueficert-5.0.2.4567-1.noarch package residing on the Veeam software repository. Veeam Agent requests the key enrollment during the package installation. After that, you must reboot computer to enroll the key into the UEFI database.

After the package installation, you can check that the key enrollment is planned for the next reboot with the following command: mokutil -N. If the command output shows that the key enrollment is not planned, you can do the following:

  1. Request the enrollment of the public key manually with the following command: mokutil --import veeamsnap-ueficert.crt.
  2. Reboot the Veeam Agent computer to enroll the key into the UEFI database.
  3. Check that the key is successfully enrolled with the following command: mokutil -l.

https://helpcenter.veeam.com/docs/agentforlinux/userguide/installation_process.html?ver=50

 

Appreciated Max. The reason I missed those instructions is that system is air gapped and I was following instructions from “Installing Veeam Agent for Linux in Offline Mode” and that Note is missing there. @Veeam - opportunity to improve the docs?

Unfortunately I am still can’t finish the process. The OS is Ubuntu. as I can’t find deb package in the repository I converted rpm to deb using Alien. Installed the ded on the system, but  can’t complete the import:

mokutil --import veeamsnap-ueficert.crt
Failed to get file status, veeamsnap-ueficert.crt

 

Any more suggestions? Another opportunity for docs improvement? ;-)

 

Cheers,

Alex.

 


I will see if I can reproduce this on my Ubuntu machine and let you know later.

There's a ‘Send Feedback’ link on the bottom of each helpcenter article. If you want you can send Veeam a suggestion to add the note for offline installations.


I will see if I can reproduce this on my Ubuntu machine and let you know later.

There's a ‘Send Feedback’ link on the bottom of each helpcenter article. If you want you can send Veeam a suggestion to add the note for offline installations.

 

Thank you! and good point regarding the feedback - just done.

Regards,

Alex.


Folks, update on the issue above. I’ve found in another topic exact path to the cert and it worked (at least certs enrollment):

sudo mokutil --import /etc/uefi/certs/veeamsnap-ueficert.crt

Unfortunately still having the same issue with the book from the media after that. I feel like it is because of ISO was customized with injected drivers? If so, how to deal with that situation?


I'm sorry I didn't had the time to test it yesterday. Not sure if custom drivers could cause secure boot to fail. Can you try to boot the generic ISO?

https://www.veeam.com/linux-backup-download.html


And it actually works! I by some reason decided I need to patch it to add HP RAID controller drivers into it. So all problems seems solved now. Thank you Max and Happy Friday all!

 


And it actually works! I by some reason decided I need to patch it to add HP RAID controller drivers into it. So all problems seems solved now. Thank you Max and Happy Friday all!

 

Glad to hear you solved this one. 👍


well, unfortunately I tested a backup/restore and found the server can’t boot any more after all volumes was restored. Wondering if it is because of image was not patched? I am going to open a new topic for that.


Good that you got this resolved. I've tried it on my machine yesterday but haven't created the patched ISO so far. Let's see if the other issue can also be solved. 


Comment