Secure Boot - Key issues preventing boot

Posted: 20 Jul 2024, 07:16
by bretwashere
Hello,

I attempted initialization on my F2-223 NAS by booting to the internal USB stick after removing my RAID1 drives and formatting the NVMe drive. Upon booting, I am getting the following error:
error: Secure Boot forbids loading module from
(hd1)/boot/grub/x86_64-efi/mdraid1x.mod
—————————————————
- booting form INIT system -
—————————————————

Press any key to continue…

After about five seconds, I get the following message:

EFI stub: UEFI Secure Boot is enabled.


The system then locks up, not even responding to Control-Alt-Delete to reset the device.


How can I fix this error? I have backed up these keys, and it doesn’t seem that restoring them is resolving the issue. Thank you.

Re: Secure Boot - Key issues preventing boot

Posted: 20 Jul 2024, 11:01
by TMpzhen
bretwashere wrote: 20 Jul 2024, 07:16
Do you hear three beeps after a minute or two of booting from a USB stick?

Re: Secure Boot - Key issues preventing boot

Posted: 20 Jul 2024, 11:53
by bretwashere
TMpzhen wrote: 20 Jul 2024, 11:01
bretwashere wrote: 20 Jul 2024, 07:16
Do you hear three beeps after a minute or two of booting from a USB stick?
Hello, thank you for the reply.

When I receive those messages, I do not hear three beeps. I have since disabled Secure Boot and restored an old backup of the internal USB stick. When that boots, I get three beeps. What do the 3 beeps mean?

I guess what I’m asking is can someone please extract the secure boot keys from their bios and post them here? I assume I just need to restore the keys for the signed kernel.

Re: Secure Boot - Key issues preventing boot

Posted: 20 Jul 2024, 16:10
by TMpzhen
bretwashere wrote: 20 Jul 2024, 11:53
I don't quite understand what you mean. Do you want to initialize it now?

Re: Secure Boot - Key issues preventing boot

Posted: 20 Jul 2024, 16:32
by Gremlin
Which Operating System are you trying to install?

Re: Secure Boot - Key issues preventing boot

Posted: 21 Jul 2024, 17:54
by bretwashere
Hello,

I was downgrading TOS 6 beta to TOS 5.1. My method was as follows:

I removed my mechanical hard disk from the bay, and only had the NVMe that was installed into the NAS. I reset back to factory settings via the settings menu, and then following a reboot, I wasn’t getting the three beep feedback. I then connected a monitor and saw that the NAS was attempting to boot into INIT mode, however, I was getting the error that secure boot was forbidding kernel modules to load, and then would lock up at the prompt “Press any key to continue”. I went into the BIOS, backed up all the keys, and then placed the NAS into secure boot setup mode. This caused the same issue; failing to boot via GRUB saying the kernel modules mdraid1x, as well as saying “EFI stub: UEFI secure boot is enabled.” The system would lock up here.

I then cleared all keys for secure boot that were stored in the TPM. I got the same error as above, but except for saying that UEFI secure boot was enabled, I got the message “BzImage is not signed”, and then was returned to the GRUB boot menu. Essentially I was in a boot loop.

After hours of messing with it, I got the system booting, however, with secure boot disabled. I had an old backup of the flash drive I made via dd back in April 2024. I’m not sure if the internal flash drive got corrupted, but I was finally able to load into INIT mode and set up TOS 5.

So my lingering question is: How do I properly enroll the bzImage booting so I can re-enable secure boot? Do you happen to have the db, dbt, KEK, etc. files available so I can place them back into the TPM?

Also, perhaps a guide made for when people run into this issue might be helpful. I’m sure the community doesn’t include all Systems Engineers for a living, having expert level knowledge of UEFI, secure boot, and working with Linux kernels/modules.
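
Added example (not part of the original posts and not the vendor's tooling): before restoring or re-enrolling keys, it helps to confirm what the firmware currently holds. This Python code classifies the Secure Boot state and lists the entries in a key database, assuming the inputs are files copied from /sys/firmware/efi/efivars on a running Linux system (4-byte attribute word, then the variable data); the sample bytes and owner GUID are constructed.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "X.509 certificate",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "SHA-256 hash",
}

def efivar_payload(raw: bytes) -> bytes:
    """efivarfs prefixes every variable with a 4-byte attribute word."""
    if len(raw) < 4:
        raise ValueError("truncated efivarfs file")
    return raw[4:]

def boot_state(secure_boot: bytes, setup_mode: bytes) -> str:
    """Classify firmware state from the SecureBoot and SetupMode variables."""
    sb = efivar_payload(secure_boot)[:1] == b"\x01"
    setup = efivar_payload(setup_mode)[:1] == b"\x01"
    if setup:
        return "setup mode: no PK enrolled, nothing is enforced"
    return "user mode, enforcing" if sb else "user mode, Secure Boot off"

def list_signatures(raw: bytes):
    """Walk the EFI_SIGNATURE_LIST entries in a PK/KEK/db/dbx variable."""
    data, pos, out = efivar_payload(raw), 0, []
    while pos < len(data):
        if len(data) - pos < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, pos + 16)
        if list_size < 28 or sig_size < 16 or pos + list_size > len(data):
            raise ValueError("corrupt EFI_SIGNATURE_LIST")
        entry = pos + 28 + hdr_size
        while entry + sig_size <= pos + list_size:
            owner = uuid.UUID(bytes_le=data[entry:entry + 16])
            out.append((SIG_TYPES.get(sig_type, str(sig_type)), str(owner), sig_size - 16))
            entry += sig_size
        pos += list_size
    return out

# Constructed sample: a db holding one all-zero SHA-256 entry (not a real key).
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (struct.pack("<I", 0x27)
             + uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
             + struct.pack("<III", 28 + 48, 0, 48) + OWNER.bytes_le + bytes(32))

if __name__ == "__main__":
    print(boot_state(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"))
    print(list_signatures(SAMPLE_DB))
```

An empty result from `list_signatures` on db, or a "setup mode" result from `boot_state`, means the firmware has no enrolled trust anchors, so a signed kernel cannot be validated against anything.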

Re: Secure Boot - Key issues preventing boot

Posted: 21 Jul 2024, 19:17
by Gremlin
There are not many in this community willing to help, period! :shock: (Outside of @TMsupport)

I know nothing about Secure Boot except I don't (a) have it on my desktops (b) don't use Windows 11. And, if I needed secure boot on the system, I would probably disable it.

That said, I saw this:
Secure Boot is used for stopping malware or custom bootloader to be installed in the PC. It is the feature of the UEFI. With Secure Boot only Microsoft certified Bootloader can be installed in the bios. But it fires back when it comes to installing linux on the PC
My reading says not all Linux base distros will support Secure Boot anyway. I wait to be enlightened concerning TOS. ;)

Re: Secure Boot - Key issues preventing boot

Posted: 28 Jul 2024, 17:01
by bretwashere
Gremlin wrote: 21 Jul 2024, 19:17 There are not many in this community willing to help, period! :shock: (Outside of @TMsupport)

I know nothing about Secure Boot except I don't (a) have it on my desktops (b) don't use Windows 11. And, if I needed secure boot on the system, I would probably disable it.

That said, I saw this:
Secure Boot is used for stopping malware or custom bootloader to be installed in the PC. It is the feature of the UEFI. With Secure Boot only Microsoft certified Bootloader can be installed in the bios. But it fires back when it comes to installing linux on the PC
My reading says not all Linux base distros will support Secure Boot anyway. I wait to be enlightened concerning TOS. ;)
Secure boot can be complicated to work with, I will agree with you there. The F2 series NAS does utilize Secure Boot, as several GRUB modules complain if you disable it via the BIOS. Like I implied in one of my previous posts, I had to do some janky things with the platform keys in order to boot. I cannot remember if I re-signed the bzImage, but all I know is when I restored my flash drive from a backup I made in April 2024, I was able to boot without Secure Boot enabled.

I guess to the moderators of this board: Do you have a stock F2-223-ish machine where you can backup the pk, KEK, db, dbt, etc. keys and upload them to this board so I can re-enable Secure Boot, please?

Re: Secure Boot - Key issues preventing boot

Posted: 28 Jul 2024, 17:28
by Gremlin
It's odd. I just got a new F2-424 (The F2 only refers to the HDD slots - the 424 refers to the generation/model) and I did nothing with secure boot and it was not enabled as far as I can see. I was able to install my 2 hdd with TOS6 installed and it ran fine (mostly, except cooling issues). I have not upgraded to the latest TOS6.420 yet so that might be interesting if it requires secure boot to be enabled (because of the change to the root file system).

{In the event, I doubt TM would expect it to be enabled as they would then have to deal with systems that don't have it, users who don't understand it and those users who would almost certainly mess up the bios. :roll: }

Re: Secure Boot - Key issues preventing boot

Posted: 30 Jul 2024, 20:34
by bretwashere
Gremlin wrote: 28 Jul 2024, 17:28 It's odd. I just got a new F2-424 (The F2 only refers to the HDD slots - the 424 refers to the generation/model) and I did nothing with secure boot and it was not enabled as far as I can see. I was able to install my 2 hdd with TOS6 installed and it ran fine (mostly, except cooling issues). I have not upgraded to the latest TOS6.420 yet so that might be interesting if it requires secure boot to be enabled (because of the change to the root file system).

{In the event, I doubt TM would expect it to be enabled as they would then have to deal with systems that don't have it, users who don't understand it and those users who would almost certainly mess up the bios. :roll: }
Hi,

They have it enabled and its ability to work is due to the fact that the NAS boots to the flash drive all the time first. If you review GRUB configuration, the system can boot in either INIT mode or RAID mode. RAID mode would cause the internal flash drive to boot to TOS, and INIT mode would cause your NAS to go through the initialization setup routines.