[Discuss] hp laptop

Bill Bogstad bogstad at pobox.com
Thu May 25 14:43:26 EDT 2023 

On Wed, May 17, 2023 at 10:09 AM dan moylan <jdm at moylan.us> wrote:
>
>
> ben kallus replies:
> > On Tuesday, May 16, 2023, dan moylan <jdm at moylan.us> wrote:
>
> >> just got a new hp laptop 14-fqOxxx (or fq0xxx) also known as
> >> an hp notebook.  fumbled through setup to get the USB
> >> memory stick on top (ventoy -- loaded with fc38), and when
> >> booting, i get:
>
> >>                   ERROR
> >> verification failed (0x1A) security violation
> >>                    OK
>
> >> i hit ok and it boots into windows.  i have no idea as to
> >> how to proceed.  any suggestions?
>
> > Sounds like a secure boot problem. Have you tried disabling
> > secure boot, or just clearing the keys?
>
> yup, managed to stumble through disabling secure boot.  installation
> of fc38 no in progress.

TL/DR: If you had upgraded your VenToy install to the most recent
version, it would have probably "just worked".

I also have an HP laptop (elitebook-g8-845) on which I recently
installed Ubuntu 22.04.   I'm pretty sure that if you had used a USB
stick with just Fedora on it, that you wouldn't have had a problem.
As far as I know, all the major Linux distributions have made peace
with secure boot (i.e. got MS to sign a key for them with which they
sign their kernel binaries/boot loaders).   I suspect the problem you
had was with Ventoy.  Just this week, I used Ventoy to run a
Memtest86+ ISO after a memory upgrade on my elitebook with secure boot
still enabled.   I'm still trying to figure out exactly how it works,
but I believe that the most recent Ventoy releases support secure boot
without having to get anything signed by MS directly.   Instead, it
uses already signed key management software to have you manually
select & install their key into your "BIOS" the first time you boot
Ventoy.   You then reboot and Ventoy runs fine.   I think you can
still run into problems if the ISO that Ventoy is trying to boot
doesn't also have signed loaders/kernel binaries, but as I said major
Linux distributions already do this.   If you want to compile your own
Linux kernels, then you would have to do something similar for a key
pair that you generated for yourself.   It's a bit like PGP keys or
SSL certificates, but less well documented. :-)

Bill

More information about the Discuss mailing list