I’ve been attempting to install IncusOS on a Lenovo m910q mini PC but have hit a snag after installation.
The TPM is enabled (was surprised these boxes have TPM2 but have confirmed by looking in /sys/class/tpm/tpm0/device/description and successfully installing Windows 11) as is Secure Boot setup mode.
The installer runs and successfully enrolls the custom Secure Boot keys, reboots, and runs the installation through to completion but the first boot of IncusOS fails with the following error (in red text):
A search seems to indicate that these “Access denied” errors can occur if not everything is signed with the Secure Boot keys.
Is the Installer itself signed with the Secure Boot keys? If so then that would point to something not being signed in IncusOS. If not then the problem may just be the UEFI on this old box.
The .efi is exactly the same as was booted for the installation (unless something got corrupted on disk during copy), so the Access denied here is a bit odd.
It could be that this is an indirect access error, as in the system needs to load an additional component to perform EFI boot of that file (like the NVME storage driver) which fails as it’s not currently trusted due to the full Secure Boot reset from using Setup Mode.
Does your BIOS give you configuration options for the individual keys?
There’s no option in the BIOS for individual keys, but I think you’re right about the NVMe storage driver. I created a new installation image, this time targeting a SATA SSD and the system was able to get through first boot and is now up and running.
Check whether there’s a firmware option to pick the NVME driver; some devices have a choice between Vendor driver and AMI driver, with the AMI one not needing additional keys to load.
If that’s not present, then you most likely need the Microsoft 2011 UEFI CA key loaded into DB to allow for the option ROM to load.
Has a copy of those certificates, the 2011 UEFI CA is the first one.
For DB, don’t remove anything, only add our two keys.
That way you’ll have your system able to enroll our updated keys while still retaining any pre-existing DB key. That’s not ideal for security as anything signed by those keys will be allowed to run, but it will cover what you need for the NVME controller.
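A read-only way to check what DB actually contains before and after enrolling keys, as an added example that is not part of the thread or IncusOS's own code: it parses the EFI signature lists in a raw `db` variable and reports whether an X.509 entry carries the Microsoft 2011 UEFI CA subject name. The sample blobs, the `OWNER` GUID and the function names are constructed for illustration, and the name match is a byte-level heuristic rather than certificate validation.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
MS_UEFI_CA_2011 = "Microsoft Corporation UEFI CA 2011"  # certificate subject CN

def parse_signature_lists(data):
    """Yield (type_guid, owner_guid, signature) from concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if body > end or end > len(data) or sig_size <= 16 or (end - body) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
        off = end

def db_has_cert(efivar_blob, common_name=MS_UEFI_CA_2011):
    """True if an X.509 entry in a raw efivarfs 'db' blob carries this subject CN.

    Heuristic: matches the CN as ASCII bytes inside the DER; it does not
    validate the certificate."""
    payload = efivar_blob[4:]  # efivarfs prefixes a 4-byte attributes word
    needle = common_name.encode("ascii")
    return any(t == EFI_CERT_X509 and needle in sig
               for t, _, sig in parse_signature_lists(payload))

def build_list(sig_type, owner, sig):
    """Constructed-sample helper: one list holding one signature, no header."""
    entry = owner.bytes_le + sig
    return sig_type.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry)) + entry

# Constructed samples: placeholder bytes, not real certificates or hashes.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
ATTRS = struct.pack("<I", 0x27)  # NV | BS | RT | time-based authenticated write
DB_CUSTOM_ONLY = ATTRS + build_list(EFI_CERT_X509, OWNER, b"0\x82placeholder CN=Example OS key") \
    + build_list(EFI_CERT_SHA256, OWNER, bytes(32))
DB_WITH_MS_CA = DB_CUSTOM_ONLY + build_list(EFI_CERT_X509, OWNER, b"0\x82placeholder " + MS_UEFI_CA_2011.encode())

if __name__ == "__main__":
    # On a live system: open("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f", "rb").read()
    print(db_has_cert(DB_CUSTOM_ONLY), db_has_cert(DB_WITH_MS_CA))
```

A `False` result on a machine whose DB was rebuilt from Setup Mode is consistent with the option ROM explanation above; it does not by itself prove that the NVMe option ROM is what failed to load.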
I did not see that option. It only lets me switch to setup mode or user mode it seems.
I read that EFITool may be able to help me, but when I tried creating a USB drive with it and entered setup mode I had the IncusOS keys enrolled again without booting into EFITool. I assume I either need to wipe the NVME drive with the IncusOS install prior or I messed something up when creating the EFITool USB.
Note that we do support a TPM-only security mode these days for systems that have too broken of a Secure Boot implementation, so that may be useful in your scenario.
You can select that in the Advanced section of the image downloader.
I saw that but I was unsure of the implications as the warning does sound quite harsh. Not necessarily the part about the support, but is there a list of the restricted functionalities? Maybe that could be linked in the downloader.
I will try the non secure boot variant next I suppose.
Edit: Tried the non secure boot variant and it installs fine (the secure version did too) but when I boot into IncusOS this time, instead of the red error text I just end up with a blank black screen that does not seem to change ever. I tried it with both the CSM setting enabled and disabled. Secure boot is off in either case.
This is getting pretty weird. I have a second ThinkCentre M910Q (I think it should be the same CPU even, i5-7500) and on one IncusOS installed just fine with the non-secure boot version and with the CSM enabled, but on the second one I just boot into a blank screen after installation every time. But when I leave the USB connected after the install and reboot it tells me that IncusOS has already been installed and to remove the install medium.
Edit: I had to restart the machine where the install worked and now it’s just giving me a blinking _ on startup that does not go away. The second machine never even gets to this point.
I agree it does not make a lot of sense. I thought that updating the BIOS would have reset the settings there, but maybe not.
I already went through the other day to check if there are any differences but I couldn’t find any. Resetting the settings on the one with the issues did not help either.
The one with the broken install has the Samsung drive, not the Intel one.
I bought a used Intel SSD of the exact same kind as is in the working ThinkCentre and I can confirm that I am able to boot into IncusOS from that NVMe SSD after install but not from the Samsung one.
I guess it really is just some obscure hardware incompatibility at the end of the day.
Probably unrelated to the original issue from OP tho, if anyone comes across this later.