Hi, I’m unable to get secure boot to work via the instructions.
I’ve tried to add the

```json
"installer": {
  "secureboot": true
}
```

line of code to the bottom of the config.json in the boot folder on my USB.
I’ve also tried to embed that line within the existing config.json block.
Neither boots the OS; they just load to a black screen with a blinking “_”.
I’m unable to interact with the device in this state; the solution is to power down and try again.
I’ve enabled secure boot in the BIOS and reset UEFI settings to default.
1: Is there additional guidance on how to set up the config.json file?
2: Is there a list of supported hardware?
3: When I add a device from the dashboard I select the Generic x86_ device type using version 4.0.16+rev3… is this the proper selection? Also the fleet itself is mostly Intel NUC device type… will that have an impact?
4: Does secure boot work with a NUC device?
Currently secure boot is only supported in the Generic x86_64 (GPT) image, so please make sure to download that device type image. The latest version available is fine.
We have verified it works on all versions of Intel NUCs, but some of them might require some atypical configuration. Could you please let us know the NUC’s model so we can offer some guidance?
We have a list of tested hardware, but most x86_64 hardware with a TPMv2 should be supported.
Could you please confirm that you are using the right image and the NUC’s model and we’ll take it from there?
@cmorones15,
Would you be able to take a picture of the Security tab as well? Often secure boot options are configured from that tab, so we’d like to have a look there if possible.
Basically, you download the configuration file from the dashboard (Add Device > Download configuration file only), append the installer section above and configure your image with the balena CLI `balena os configure` subcommand (see the balena CLI documentation). Of course you can also download the image, mount the boot partition and carefully modify the config.json there following the instructions here.
As for the UEFI configuration, as explained in the docs:
Additionally, UEFI must be configured properly prior to provisioning - at this moment the only supported way of provisioning is to set secure boot into "Setup Mode". This removes all the installed keys and leaves the storage accessible for programming from userspace. The installer may reboot the device during provisioning to ensure the keys were successfully installed.
Looking at that security tab, I would think that the Clear secure boot keys should place your device in setup mode and allow the installer to install balenaOS with secure boot.
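As an added example (not balena's own tooling), here is the merge the reply above describes, done so that config.json stays a single JSON object rather than having the block pasted after its closing brace; the sample config contents and the `x` key in the check are constructed:

```python
import json
from pathlib import Path

# Constructed sample config.json (not a real device config); the dashboard
# download contains more keys, but the merge logic is the same.
SAMPLE_CONFIG = '{"deviceType": "generic-amd64", "apiEndpoint": "https://api.example.invalid"}'

# The section from the secure boot instructions.
INSTALLER_SECTION = {"installer": {"secureboot": True}}


def enable_secureboot(config_text: str) -> str:
    """Return config.json text with installer.secureboot set to true.

    The file must remain one JSON object, so the section is merged into the
    parsed document instead of being appended as text after the closing brace.
    Any existing keys under "installer" are kept.
    """
    config = json.loads(config_text)
    installer = config.setdefault("installer", {})
    installer.update(INSTALLER_SECTION["installer"])
    return json.dumps(config, indent=2) + "\n"


def is_valid_json(text: str) -> bool:
    """True if the whole text parses as JSON (what the installer needs)."""
    try:
        json.loads(text)
    except ValueError:
        return False
    return True


def appended_as_text(config_text: str) -> str:
    """What pasting the block 'at the bottom' of the file produces."""
    return config_text + "\n" + json.dumps(INSTALLER_SECTION)


def patch_file(path: Path) -> dict:
    """Rewrite a config.json in place and return the parsed result."""
    path.write_text(enable_secureboot(path.read_text()))
    return json.loads(path.read_text())


if __name__ == "__main__":
    print(enable_secureboot(SAMPLE_CONFIG))
    print("appended-as-text is valid JSON:", is_valid_json(appended_as_text(SAMPLE_CONFIG)))
```

Run `patch_file(Path("/path/to/mounted/boot/config.json"))` against the mounted boot partition's file, or feed the rewritten file to `balena os configure`.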
Thank you for the clarification on the config file format.
I’m running into issues after using balena Etcher. Previously I would create the bootable disk, be able to view its content from Windows File Explorer and then update the config.json from within File Explorer. Now when I create a Generic GPT device, after burning, the USB drive is no longer accessible via File Explorer. This leaves me unable to make the configuration changes required for secure boot. Am I mixing up my steps or missing something else?
Hi, this points to something not being right in your previous attempts, as in the generic-amd64 images the boot partition is an EFI partition that, as you say, is not auto-mounted by Windows.
Try to:
Locate Command Prompt in the Start menu, right-click it, and select “Run as Administrator.”
Type `mountvol P: /S` in the Administrator Command Prompt window. This makes it accessible as drive P: from that window.
I would like to take a step back and check whether the same device provisions fine without secure boot. Basically just download the image from the dashboard (preferably development, as this would give you a password-less login prompt for potential debugging), and try to provision the device. This would help us understand whether the issue is related to the device in general or secure boot/TPM in particular.
A general flash of the NUC works fine. I was able to get a generic GPT image loaded and running a day ago. My issue is with modifying the configuration file. I’m unable to do this with the Generic image. Once I’ve flashed the USB with the generic image it becomes unavailable for modification.