kicksecure iso doesn't boot under Heads
Please identify some basic details to help process the report
To reproduce:
- Download kicksecure iso from https://www.kicksecure.com/download/iso/17.4.4.6/Kicksecure-Xfce-17.4.4.6.Intel_AMD64.iso
- Burn to a usb drive using dd, as usual.
- Boot heads and choose "Boot from USB".
- Heads will search for usb partitions and will ask for user choice giving options: /dev/sdb1, /dev/sdb2 and /dev/sdb3.
- Any of the three choices results in an error.
!!! ERROR: ERROR: Failed to mount /dev/sdb1 as read only !!!
/etc/gui_functions: line 23: [: -ne: unary operator expected
!!!! Something failed during USB boot
!!!! Starting recovery shell
Heads goes back to recovery shell. Running dmesg gives:
...
GPT: Primary header thinks Alt. header is not at the end of the disk.
GPT: 2430031 != 240253439
GPT: Alternate GPT header not at the end of the disk.
GPT: 2430031 != 240253439
GPT: Use Gnu Parted to correct GPT errors.
sdb: sdb1 sdb2 sdb3
isofs_fill_super: bread failed, dev=sdb1, iso_blknum=78, block=156
exFAT-fs (sdb1): invalid boot record signature
exFAT-fs (sdb1): failed to read boot sector
exFAT-fs (sdb1): failed to recognize exfat type
exFAT-fs (sdb1): invalid boot record signature
exFAT-fs (sdb1): failed to read boot sector
exFAT-fs (sdb1): failed to recognize exfat type
isofs_fill_super: bread failed, dev=sdb1, iso_blknum=78, block=156
Some investigations
Connecting the usb drive to another computer (say, as /dev/sda),
running sudo fdisk -l /dev/sda gives:
GPT PMBR size mismatch (2430031 != 240253439) will be corrected by write.
The backup GPT table is not on the end of the device.
Disk /dev/sda: 114.56 GiB, 123009761280 bytes, 240253440 sectors
Disk model: SanDisk 3.2Gen1
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: ...
Device Start End Sectors Size Type
/dev/sda1 64 375 312 156K Microsoft basic data
/dev/sda2 376 9911 9536 4.7M EFI System
/dev/sda3 9912 2429967 2420056 1.2G Microsoft basic data
Trying to mount /dev/sda1 and /dev/sda2 gives:
wrong fs type, bad option, bad superblock on /dev/sda1, missing codepage or helper program, or other error.
dmesg(1) may have more information after failed mount system call.
Mounting /dev/sda2 works. After mounting, sudo blkid /dev/sda2 gives:
/dev/sda2: SEC_TYPE="msdos" UUID="6898-60D7" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI boot partition" PARTUUID="...."
and sudo file -s /dev/sda2 gives a FAT12 file system:
/dev/sda2: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "mkfs.fat", sectors/cluster 4, reserved sectors 4, root entries 512, sectors 9536 (volumes <=32 MB), Media descriptor 0xf8, sectors/FAT 8, sectors/track 32, reserved 0x1, serial number 0x689860d7, unlabeled, FAT (12 bit)
Finally, sudo find mount_point gives:
/mnt/usb
/mnt/usb/EFI
/mnt/usb/EFI/boot
/mnt/usb/EFI/boot/bootx64.efi
/mnt/usb/EFI/boot/grubx64.efi
/mnt/usb/boot
/mnt/usb/boot/grub
/mnt/usb/boot/grub/grub.cfg
A. Provide Hardware Details
- I am using a Lenovo x230 with heads-EOL_x230-hotp-maximized-v0.2.0-2790-gaaeb63d.
- I am using HEADS in "Basic mode"
I had the opportunity to try the same USB drive on another Lenovo x230, with factory bios, and Kicksecure booted without issues. So this problem is indeed HEADS specific.
Replicated. This is a hybrid ISO. The disk needs to be mounted (sda here), not a subpartition, to discover rootfs and its boot related files.
On master:
- dump iso in heads directory (or hardlink [sudo ln src dst] to wherever file really is on disk, which is what I do here)
./docker_repro.sh make BOARD=qemu-coreboot-fbwhiptail-tpm2 INSTALL_IMG=Kicksecure-Xfce-17.4.4.6.Intel_AMD64.iso
./docker_repro.sh make BOARD=qemu-coreboot-fbwhiptail-tpm2 INSTALL_IMG=Kicksecure-Xfce-17.4.4.6.Intel_AMD64.iso run
GUI related
Debug trace and console related output
!!!!! Starting recovery shell
bash-5.1# mount /dev/sda /media
[ 225.464174] ISO 9660 Extensions: Microsoft Joliet Level 3
[ 225.472864] ISO 9660 Extensions: Microsoft Joliet Level 3
[ 225.479764] ISO 9660 Extensions: RRIP_1991A
bash-5.1# kexec-select-boot -b /media
[ 234.841211] TRACE: /bin/kexec-select-boot(8): main
[ 234.923157] *** WARNING: Hash of TPM2 primary key handle does not exist ***
[ 236.021107] *** WARNING: Please rebuild the TPM2 primary key handle hash by setting a default OS to boot. ***
[ 237.088015] *** WARNING: Select Options-> Boot Options -> Show OS Boot Menu -> <Pick OS> -> Make default ***
[ 238.139625] DEBUG: Hash of TPM2 primary key handle does not exist under /media/kexec_primhdl_hash.txt
[ 238.163255] TRACE: /etc/functions(821): check_config
[ 238.238987] TRACE: /bin/kexec-select-boot(392): main
[ 238.298883] TPM: Extending PCR[4] to prevent further secret unsealing
[ 238.372420] TRACE: /bin/tpmr(847): main
[ 238.385463] TPM: Extending PCR[4] with generic
[ 238.417129] TRACE: /bin/tpmr(233): tpm2_extend
[ 238.492811] TRACE: /bin/tpmr(244): tpm2_extend
[ 238.608848] DEBUG: TPM: Will extend PCR[4] with hash of string generic
[ 238.898806] sha256: 4 : 0x46ACFDD26CE0503BD959F102B49CF25178A594EBBD2ED72DF111908EE24D6636
[ 238.946483] TRACE: /bin/tpmr(262): tpm2_extend
[ 239.006148] DEBUG: TPM: Extended PCR[4] with hash 3a2e8954befdbd6e7eac2f10d4301a2923cd65a5f38bf80914019b55a03f78c4
[ 239.052525] +++ Scanning for unsigned boot options
[ 239.108739] TRACE: /etc/functions(1197): scan_boot_options
[ 239.254161] DEBUG: kexec-parse-boot /media /media/boot/grub/config.cfg
[ 239.381634] TRACE: /bin/kexec-parse-boot(5): main
[ 239.450975] DEBUG: filedir= /media/boot/grub
[ 239.537101] DEBUG: bootdir= /media
[ 239.573646] DEBUG: bootlen= 6
[ 239.630640] DEBUG: appenddir= /boot/grub
[ 239.730526] DEBUG: kexec-parse-boot /media /media/boot/grub/grub.cfg
[ 239.902029] TRACE: /bin/kexec-parse-boot(5): main
[ 239.976461] DEBUG: filedir= /media/boot/grub
[ 240.039894] DEBUG: bootdir= /media
[ 240.105478] DEBUG: bootlen= 6
[ 240.159181] DEBUG: appenddir= /boot/grub
[ 240.604519] DEBUG: grub_entry : linux trimcmd prior of kernel/append parsing: linux /live/vmlinuz-6.1.0-37-amd64 rd.live.overlay.overlayfs=1 boot=live components splash live-config.hostname=localhost rd.live.image root=live:CDLABEL=kicksecure rd.live.dir=live rd.live.squashimg=filesystem.squashfs mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force kvm-intel.vmentry_l1d_flush=always mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt kvm.mitigate_smt_rsb=1 gather_data_sampling=force reg_file_data_sampling=on indirect_target_selection=force slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 efi_pstore.pstore_disable=1 erst_disable amd_iommu=force_isolation intel_iommu=on iommu=force
[ 240.708733] iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy loglevel=0 quiet rd.emergency=halt rd.shell=0 iso-scan/filename=${iso_path}
[ 241.001462] DEBUG: grub_entry: linux initrd= /live/initrd.img-6.1.0-37-amd64
[ 241.206385] DEBUG: grub_entry : linux trimcmd prior of kernel/append parsing: linux /live/vmlinuz-6.1.0-37-amd64 rd.live.overlay.overlayfs=1 boot=live components splash live-config.hostname=localhost rd.live.image root=live:CDLABEL=kicksecure rd.live.dir=live rd.live.squashimg=filesystem.squashfs mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force kvm-intel.vmentry_l1d_flush=always mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt kvm.mitigate_smt_rsb=1 gather_data_sampling=force reg_file_data_sampling=on indirect_target_selection=force slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 efi_pstore.pstore_disable=1 erst_disable amd_iommu=force_isolation intel_iommu=on iommu=force
[ 241.234057] iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy loglevel=0 quiet rd.emergency=halt rd.shell=0 iso-scan/filename=${iso_path} systemd.unit=sysmaint-boot.target boot-role=sysmaint live-config.noautologin
[ 241.507126] DEBUG: grub_entry: linux initrd= /live/initrd.img-6.1.0-37-amd64
[ 241.808621] DEBUG: grub_entry : linux trimcmd prior of kernel/append parsing: linux /live/vmlinuz-6.1.0-37-amd64 rd.live.overlay.overlayfs=1 boot=live components splash live-config.hostname=localhost rd.live.image root=live:CDLABEL=kicksecure rd.live.dir=live rd.live.squashimg=filesystem.squashfs mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force kvm-intel.vmentry_l1d_flush=always mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt kvm.mitigate_smt_rsb=1 gather_data_sampling=force reg_file_data_sampling=on indirect_target_selection=force slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 efi_pstore.pstore_disable=1 erst_disable amd_iommu=force_isolation intel_iommu=on iommu=force
[ 241.869841] iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy loglevel=0 quiet rd.emergency=halt rd.shell=0 iso-scan/filename=${iso_path} boot-role=unrestricted-admin
[ 242.120302] DEBUG: grub_entry: linux initrd= /live/initrd.img-6.1.0-37-amd64
[ 242.500785] DEBUG: grub_entry : linux trimcmd prior of kernel/append parsing: linux /live/vmlinuz-6.1.0-37-amd64 rd.live.overlay.overlayfs=1 boot=live components splash live-config.hostname=localhost rd.live.image root=live:CDLABEL=kicksecure rd.live.dir=live rd.live.squashimg=filesystem.squashfs mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force kvm-intel.vmentry_l1d_flush=always mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt kvm.mitigate_smt_rsb=1 gather_data_sampling=force reg_file_data_sampling=on indirect_target_selection=force slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 efi_pstore.pstore_disable=1 erst_disable amd_iommu=force_isolation intel_iommu=on iommu=force
[ 242.564424] iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy loglevel=0 quiet rd.emergency=halt rd.shell=0 iso-scan/filename=${iso_path} rd.live.overlay.overlayfs=1 boot=live components splash live-config.hostname=localhost rd.live.image root=live:CDLABEL=kicksecure rd.live.dir=live rd.live.squashimg=filesystem.squashfs mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on ssbd=force-on l1tf=full,force kvm-intel.vmentry_l1d_flush=always mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt kvm.mitigate_smt_rsb=1 gather_data_sampling=force reg_file_data_sampling=on indirect_target_selection=force slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100
[ 242.636598] vdso32=0 efi_pstore.pstore_disable=1 erst_disable amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy loglevel=0 quiet rd.emergency=halt rd.shell=0 iso-scan/filename=${iso_path} rd.live.check
[ 242.900714] DEBUG: grub_entry: linux initrd= /live/initrd.img-6.1.0-37-amd64
[ 243.142462] DEBUG: kexec-parse-boot /media /media/boot/grub/loopback.cfg
[ 243.477278] TRACE: /bin/kexec-parse-boot(5): main
[ 243.570266] DEBUG: filedir= /media/boot/grub
[ 243.641956] DEBUG: bootdir= /media
[ 243.706893] DEBUG: bootlen= 6
[ 243.761394] DEBUG: appenddir= /boot/grub
[ 243.881221] DEBUG: kexec-parse-boot /media /media/boot/grub/memtest.cfg
[ 244.096756] TRACE: /bin/kexec-parse-boot(5): main
[ 244.208158] DEBUG: filedir= /media/boot/grub
[ 244.275122] DEBUG: bootdir= /media
[ 244.342481] DEBUG: bootlen= 6
[ 244.433613] DEBUG: appenddir= /boot/grub
[ 244.632048] DEBUG: grub_entry : linux trimcmd prior of kernel/append parsing: linux16 /live/memtest
[ 244.784309] DEBUG: /media/live/memtest doesn't exist
[ 245.121249] DEBUG: grub_entry : linux trimcmd prior of kernel/append parsing: linux /live/memtest.bin
[ 245.787218] DEBUG: grub_entry : linux trimcmd prior of kernel/append parsing: linux /live/memtest.efi
[ 246.017369] DEBUG: kexec-parse-boot /media /media/boot/grub/theme.cfg
[ 246.207077] TRACE: /bin/kexec-parse-boot(5): main
[ 246.298717] DEBUG: filedir= /media/boot/grub
[ 246.370776] DEBUG: bootdir= /media
[ 246.440174] DEBUG: bootlen= 6
[ 246.508694] DEBUG: appenddir= /boot/grub
[ 246.580334] DEBUG: kexec-parse-boot /media /media/boot/grub/x86_64-efi/grub.cfg
[ 246.775614] TRACE: /bin/kexec-parse-boot(5): main
[ 246.873028] DEBUG: filedir= /media/boot/grub/x86_64-efi
[ 246.934532] DEBUG: bootdir= /media
[ 247.001180] DEBUG: bootlen= 6
[ 247.079726] DEBUG: appenddir= /boot/grub/x86_64-efi
+++ Select your boot option:
1. LIVE Mode [ disposable use]
2. LIVE Mode [ system maintenance, install]
3. LIVE Mode [ system recovery, install]
4. Verify integrity of the boot medium [kernel /live/vmlinuz-6.1.0-37-amd64]
5. Memory Diagnostic Tool (memtest86+) [kernel /live/memtest.bin]
6. Memory Diagnostic Tool (memtest86+) [kernel /live/memtest.efi]
Choose the boot option [1-6, a to abort]:
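The point made in the comment above (mount the whole disk of a hybrid ISO, not a partition) can be checked by looking for the ISO 9660 signature "CD001" at byte offset 32769 of the device. This is an added example, not Heads code; the function names are hypothetical and the sample images are constructed stand-ins for a USB stick.

```shell
#!/bin/sh
# Added example (not Heads code): choose the whole disk or a partition to mount.
# ISO 9660 places its Primary Volume Descriptor at byte 32768 of the volume;
# bytes 32769-32773 of that descriptor read "CD001".

has_iso9660_sig() {
    # $1: block device or image file
    sig=$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null | tr -d '\000')
    [ "$sig" = "CD001" ]
}

# Print the node to mount: the whole disk when it carries the ISO 9660
# signature (hybrid ISO written with dd), otherwise the first partition given.
pick_mount_source() {
    disk=$1
    shift
    if has_iso9660_sig "$disk"; then
        echo "$disk"
    elif [ $# -gt 0 ]; then
        echo "$1"
    else
        return 1
    fi
}

# Constructed sample input: a 40 KiB zero-filled image, optionally stamped
# with the signature.
make_sample() {
    # $1: output path, $2: "iso" to add the signature
    dd if=/dev/zero of="$1" bs=1024 count=40 2>/dev/null
    if [ "$2" = "iso" ]; then
        printf 'CD001' | dd of="$1" bs=1 seek=32769 conv=notrunc 2>/dev/null
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/hybrid.img" iso
    make_sample "$tmp/plain.img" none
    pick_mount_source "$tmp/hybrid.img" "$tmp/hybrid.img-part1"
    pick_mount_source "$tmp/plain.img" "$tmp/plain.img-part1"
    rm -rf "$tmp"
}
demo
```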
Can heads boot Debian?
If heads can boot Debian, it should be able to boot Kicksecure too?
I was under the impression that Kicksecure is a standard compliant ISO. If there is any bug, anything we can fix, please let me know.
Is this a missing feature in heads or bug in Kicksecure's ISO?
@adrelanos thank you for replying.
Yes, HEADS can boot Debian without issues.
I have just tried booting debian-live-13.1.0-amd64-xfce.iso and HEADS correctly shows the (several) boot options (installer, live, etc) and it works.
Remark:
a temporary fix is:
- reproduce the issue until you get to the recovery shell
- in the recovery shell run:
mount /dev/sdb /media
kexec-select-boot -b /media
Then it works (although with an error message, see below).
While Kicksecure starts, reaches the GUI and all seems to work, in the boot process an error is signaled:
simple-framebuffer simpler-framebuffer.0: Unable to register simpl
[FAILED] Failed to mount sysroot.mount - /sysroot