Team,
Having a hard time trying to get physical server boot from the bootable media if Secure boot enabled. Docs says it is supported, but I can boot up from the media as soon as it is disabled. See the error below. Any suggestions?
Cheers,
Alex
Answer
Linux bootable media does not work with Secure boot
Best answer by regnor
Because of the veeamsnap module you’ll need to import Veeam’s public key in order to make it work with Secure Boot.
To make UEFI systems with Secure Boot work with the pre-built veeamsnap kernel module, Veeam Agent requires the Veeam public key enrolled to the MOK list. The key is available in the veeamsnap-ueficert-5.0.2.4567-1.noarch package residing on the Veeam software repository. Veeam Agent requests the key enrollment during the package installation. After that, you must reboot computer to enroll the key into the UEFI database.
After the package installation, you can check that the key enrollment is planned for the next reboot with the following command: mokutil -N. If the command output shows that the key enrollment is not planned, you can do the following:
- Request the enrollment of the public key manually with the following command: mokutil --import veeamsnap-ueficert.crt.
- Reboot the Veeam Agent computer to enroll the key into the UEFI database.
- Check that the key is successfully enrolled with the following command: mokutil -l.
https://helpcenter.veeam.com/docs/agentforlinux/userguide/installation_process.html?ver=50
+21You can try some of the suggestions here - https://www.veeam.com/kb4183
Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
+8Madi Cristil
+14Because of the veeamsnap module you’ll need to import Veeam’s public key in order to make it work with Secure Boot.
To make UEFI systems with Secure Boot work with the pre-built veeamsnap kernel module, Veeam Agent requires the Veeam public key enrolled to the MOK list. The key is available in the veeamsnap-ueficert-5.0.2.4567-1.noarch package residing on the Veeam software repository. Veeam Agent requests the key enrollment during the package installation. After that, you must reboot computer to enroll the key into the UEFI database.
After the package installation, you can check that the key enrollment is planned for the next reboot with the following command: mokutil -N. If the command output shows that the key enrollment is not planned, you can do the following:
- Request the enrollment of the public key manually with the following command: mokutil --import veeamsnap-ueficert.crt.
- Reboot the Veeam Agent computer to enroll the key into the UEFI database.
- Check that the key is successfully enrolled with the following command: mokutil -l.
https://helpcenter.veeam.com/docs/agentforlinux/userguide/installation_process.html?ver=50
Max M. | Systems Engineer @Veeam | VMCE/VMCA | VeeaMVP 2023 | former Legend & Vanguard
+12Another workaround could be disable secure boot, restore, enable secure boot again.
But
Backups are like pizza, I love them. | Linkedin: @marco-fabbri-it
Because of the veeamsnap module you’ll need to import Veeam’s public key in order to make it work with Secure Boot.
To make UEFI systems with Secure Boot work with the pre-built veeamsnap kernel module, Veeam Agent requires the Veeam public key enrolled to the MOK list. The key is available in the veeamsnap-ueficert-5.0.2.4567-1.noarch package residing on the Veeam software repository. Veeam Agent requests the key enrollment during the package installation. After that, you must reboot computer to enroll the key into the UEFI database.
After the package installation, you can check that the key enrollment is planned for the next reboot with the following command: mokutil -N. If the command output shows that the key enrollment is not planned, you can do the following:
- Request the enrollment of the public key manually with the following command: mokutil --import veeamsnap-ueficert.crt.
- Reboot the Veeam Agent computer to enroll the key into the UEFI database.
- Check that the key is successfully enrolled with the following command: mokutil -l.
https://helpcenter.veeam.com/docs/agentforlinux/userguide/installation_process.html?ver=50
Appreciated Max. The reason I missed those instructions is that system is air gapped and I was following instructions from “Installing Veeam Agent for Linux in Offline Mode” and that Note is missing there. @Veeam - opportunity to improve the docs?
Unfortunately I am still can’t finish the process. The OS is Ubuntu. as I can’t find deb package in the repository I converted rpm to deb using Alien. Installed the ded on the system, but can’t complete the import:
mokutil --import veeamsnap-ueficert.crt
Failed to get file status, veeamsnap-ueficert.crt
Any more suggestions? Another opportunity for docs improvement? ;-)
Cheers,
Alex.
+14I will see if I can reproduce this on my Ubuntu machine and let you know later.
There's a ‘Send Feedback’ link on the bottom of each helpcenter article. If you want you can send Veeam a suggestion to add the note for offline installations.
Max M. | Systems Engineer @Veeam | VMCE/VMCA | VeeaMVP 2023 | former Legend & Vanguard
I will see if I can reproduce this on my Ubuntu machine and let you know later.
There's a ‘Send Feedback’ link on the bottom of each helpcenter article. If you want you can send Veeam a suggestion to add the note for offline installations.
Thank you! and good point regarding the feedback - just done.
Regards,
Alex.
Folks, update on the issue above. I’ve found in another topic exact path to the cert and it worked (at least certs enrollment):
sudo mokutil --import /etc/uefi/certs/veeamsnap-ueficert.crt
Unfortunately still having the same issue with the book from the media after that. I feel like it is because of ISO was customized with injected drivers? If so, how to deal with that situation?
+14I'm sorry I didn't had the time to test it yesterday. Not sure if custom drivers could cause secure boot to fail. Can you try to boot the generic ISO?
https://www.veeam.com/linux-backup-download.html
Max M. | Systems Engineer @Veeam | VMCE/VMCA | VeeaMVP 2023 | former Legend & Vanguard
And it actually works! I by some reason decided I need to patch it to add HP RAID controller drivers into it. So all problems seems solved now. Thank you Max and Happy Friday all!
+21And it actually works! I by some reason decided I need to patch it to add HP RAID controller drivers into it. So all problems seems solved now. Thank you Max and Happy Friday all!
Glad to hear you solved this one. 👍
Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
well, unfortunately I tested a backup/restore and found the server can’t boot any more after all volumes was restored. Wondering if it is because of image was not patched? I am going to open a new topic for that.
+14Good that you got this resolved. I've tried it on my machine yesterday but haven't created the patched ISO so far. Let's see if the other issue can also be solved.
Max M. | Systems Engineer @Veeam | VMCE/VMCA | VeeaMVP 2023 | former Legend & Vanguard
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.