We wanted to test the Secure Boot feature on Balena OS (v3.0.15) using a Maxtang EHL-35 motherboard with AMI BIOS v2.22.1282. It has an Intel J6412 CPU with a built-in TPM 2.0 chip (with firmware version 600.15).
- We reset the BIOS and entered into Secure Boot setup mode
- USB drive inserted, booted; in the cloud dashboard we wait a minute or two for the system to copy all files to the SSD drive
- Installer correctly shuts down the system (all LEDs are off)
- We restarted the machine, set boot device to SSD UEFI and it is stuck in a “Post Provisioning state”
It keeps rebooting after the “Welcome to GRUB” text. Kinda looks like the Secure Boot feature is working but it might have some problem mounting the LUKS root partition. If we enable Secure Boot in the BIOS, the boot process successfully gets to GRUB, so probably signatures are okay, because we tried resetting the keys in the BIOS and it correctly threw an incorrect signature error upon booting.
We followed this guide:
Here are things we have tried:
- Without Secure Boot (--secureBoot), OS image works perfectly
- We tried it with Prod and Dev images as well
- We tried the first boot in the BIOS with Secure Boot enabled and disabled
- In the BIOS the boot order is clean, so all boot order options are disabled except for the first one which is set to USB UEFI, and after the shutdown we set it to SSD UEFI.
Interesting thing we noticed: On the first boot the installer creates a device in the fleet, something happens, the installer reboots, restarts the installer and creates another device (the one that actually will be installed). It is all by itself. Then the system shuts down for first boot. Only the development image does this. The production image creates only one device.
Is there any way to get more verbose error messages to help further the investigation?
UPDATE: I tried everything with the v3.1.3 OS version, with the same results.
UPDATE2: Here are a few screenshots from the BIOS.