Install problems... Odroid-H2

I’m trying to install the latest version of IPFire on new hardware. The hardware is a Odroid-H2 SBC. I have tried both the iso and flash install methods and I can’t make any progress. As a sanity check, I installed the latest version of Ubuntu desktop without any problems, just to exercise the hardware to make sure that I didn’t have any problems.

Any help or guidance please…
Thanks

Have you disabled secure boot?

I have tested IPFire on an other J4105 based system and it has worked in uEFI and legacy mode but boot from NVMe or eMMC is only supported in uEFI mode. But IPFire has no Microsoft signed bootloader like ubuntu, so secure-boot must turned off to start the bootloader.

Thanks for your replay. I found no such menu or submenu in the bios, and out of frustration contacted Ameridroid. They informed me that other end users have had the same experience. There is no method to turn off secure boot at this time.

If there is any other method of installing IPFire, please advise me.

Thanks

Hi Justin,
just for curiosity did you try to do the installation by telling the bios boot from one of the SATA interface you have on that Odroid h2?
I don’t have ore know that board but by searching the images I saw it have two SATA and if the bios can boot from that? ( a other image show it have more boot option) maybe it do not give you that problem?

Best regards

Thanks for your reply. My understanding of this problem is not the hardware that I’m trying to install from, but the signature that is missing and or required for secure boot. My conversation with Ameridroid (the U.S. distributor), is the the developers decided not to include a disable secure boot feature to the bios. Thus, there are only a few distro’s that have the signature built into their iso’s. As I stated at the start of my post, I was able to run Ubuntu desktop without any problems. I did this just to verify the hardware. Going forward, I think that anyone who tries to use new hardware and not knowing if there is legacy support built in will have the same issues. UEFI has been around for some time now, but not being able to disable it has been a real dissapointment. I can only hope the the development team of IPFire visits or revisits this issue, because this hardware is great for a firewall appliance.

Thanks again…

Ok , now I understand it totally, so it’s indeed more problem of the bios , still I may check later for you as my ipfire is on a 2 to 3 years old motherboard, I just don’t remember if I have it on lagacy or UEFI, I needed to change something in the bios a month ago so I could use my dubbele port NIC but I don’t remember what it was as the network needed something to be on in the bios to work.

Again thanks to all…

My perspective:

  1. This SBC is great for a firewall appliance that has to run 24/7.

But I think that Hardkernel’s decision to not offer secure boot disable, will disenfranchise a lot of linux distro’s that could make use of this SBC.

  1. A distro that does not have a secure boot signature, limit it’s use to older hardware and makes itself incompatible with new hardware that comes to market.

  2. As a typical end user, I was unaware of the issues that come into play when you encounter a hardware/software build that have dependencies of secure boot. Bottom line… “The Perfect Storm”.

  3. How I got here. My current IPFire is a Intel dual Nic, mini-ITX motherboard, that does not have AES. Thus I had a problem implementing a VPN. I was able to get by for a couple of years by using a RNG on a usb stick. Unfortunately that solution “bricked” after a later software update. I decided to turn to a SBC that was low on power requirements and had AES-NI built in.

Just call me stuck in the middle…

As a consolation, your Odroid H2 could be a useful 24/7 workstation, running Ubuntu, openSUSE etc, that can boot in Secure Boot mode.

It is technically possible to create your own Secure Boot key. see:
http://rodsbooks.com/efi-programming/why.html

I try to avoid purchasing any IT device for which I can’t first download a fairly complete manual - in order to avoid the “gotcha” that you have encounrtered. “Economy” products tend to be particularly light on documentation.

I did specutatively purchase an AMD mini-PC, that I reported in another thread. As a routine openSUSE user, I would have been able to re-purpose it, should Secure Boot not have been able to be disabled. Mini PC Hardware

Arguably any SBC having Intel CPU is not “great for a firewall appliance”. Lightning Wire Labs mini appliance has an AMD APU.

Again thanks to all, and “rodneyp”

I agree with your response, from what I have found out, by going down the secure boot rabbit hole is that a signature is required in the iso build that is issued by Microsoft. I not sure that rolling your own will work, nor do I have the skill set to take on such an endeavor. Since Microsoft is the CA (certificate of authority) in regards to secure boot, from my perspective this a issue for the developer’s to resolve.

A little late but as I promise, I check my ipfire box really fast( as my wive start to complain what happen with the internet ) my Motherboard is set to Lagacy ( or I think more automatic).
Iam sorry you where not able to use the Odriod h2 it really looks a nice hardware.
The only thing for me is that I am a AMD fan and that is for me the only down side :slightly_smiling_face:
any way I hope you can do something else with it or return it.

Best Regards

So far I am not aware that anyone has run into this before.

I suppose even Microsoft has declared Secure Boot as dead. It does not work, they broke it themselves with shim which will boot anything without checking any signatures whatsoever.

I hope that we won’t have to support it. It is a waste of our development time and does not bring any benefit unfortunately. It certainly does not deserve its name.

2 Likes

I think it’s a different problem. A heise article to the Odroid-H2 stated that the board not support Secure Boot and i have tested an other J4105. IPFire works on this board in uEFI and Legacy mode but only if the CSM is enabled. If i disable the CSM IPFire will not boot at all. It looks that the firmware is also not uEFI compatible with disabled CSM on J4105 boards.

Hi,
I am trying to install the latest version of IPFire in this case on Odroid-H2+ with Secure Boot disabled (BIOS 1.11 beta) and it is still not booting.

[ Only shows a black screen with an underscore at the beginning ]

How did you create your boot media?
Is it working on other computers?
Did you disabled UEFI?

Hi Pike,
Thanks for your reply.

I created the boot media using the IPFire install guide.
Yes, It works on other computers.
Odroid-H2+ only have UEFI BIOS but the secure boot is disabled.

Is there any BIOS manual for your Odroid-H2+?

Yranib,

I just had an ongoing conversation with Ameridroid, which is the distributor for Odroid products here in the U.S.

I contacted them in regards to the release of H2+, and they did not have an answer. The only hope of using this SBC is for a new release of the BIOS to resolve this problem…

There seems to be no interest in resolving this, and as I pointed out to them, they are missing a huge opportunity by not having all the distro’s being able to install. My H2 is just setting on a shelf collecting dust, I have only been able to successfully install Windows or Ubuntu this far…

Have a look at the seeedstudio.com Odyssey-X86J4105864.
I have not contacted them to inquire if this SBC has the same issues.

Hi Justin,
Thanks for your reply.

They may not be interested in solving this because it appears that legacy BIOS support will be removed soon on new hardware.

IPFire x86_64 support uEFI (since IPFire 2.21) but not Secure-Boot enabled which need Microsoft signed bootcode.

Hi Arne,
Thanks for your reply.

I have tried other distros like Alpine Linux which supports UEFI but does not have Secure-Boot and it boots correctly.

I see that IPFire uses GRUB 2.02 (2017) for UEFI boot which may be a bit old while Alpine Linux uses GRUB 2.04 (2019).