Sometimes, while installing CentOS Linux on a virtual machine running on a Hyper-V server, users experience the Hyper-V boot error "The Image's Hash and Certificate Are not Allowed (DB)".
Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers fix Hyper-V related errors.
In this context, we shall look into the main causes of this error and how to tackle it.
Why are the image's hash and certificate not allowed?
As stated earlier, this error happens while installing CentOS Linux on a virtual machine running on a Hyper-V server.
The main cause is that Hyper-V by default uses UEFI with Secure Boot enabled for its Generation 2 virtual machines.
Secure Boot prevents booting from an untrusted Linux bootloader in the ISO file, which produces this error. When it occurs, you will see a message such as:
The image's hash and certificate are not allowed (DB).
No UEFI-compatible file system was found.
No operating system was loaded. Press a key to retry the boot sequence ...
Note: Configuration changes may require the virtual machine to be reset.
How to fix the error "image's hash and certificate are not allowed"?
To get the installation started, disable Secure Boot in the virtual machine settings (Settings >> Security >> uncheck the option Enable Secure Boot).
Alternatively, we can leave Secure Boot enabled and switch the template: we prefer the Microsoft UEFI Certificate Authority template to the Microsoft Windows one because, according to Microsoft, this template allows you to run Linux distros in the Secure Boot compatibility mode.
Then we restart the VM and boot it again from the installation ISO image of CentOS or another Linux distribution.
In the same way, we can manage the VM's Secure Boot and template settings using PowerShell. Execute the following command to get the current VM firmware settings:
Get-VMFirmware -VMName "centos7"
To disable Secure Boot mode for the VM, use:
Set-VMFirmware -VMName "centos7" -EnableSecureBoot Off
Finally, to change the bootloader certificate validation template to the one compatible with most Linux distros, execute:
Set-VMFirmware -VMName "centos7" -EnableSecureBoot On -SecureBootTemplate "MicrosoftUEFICertificateAuthority"
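The commands above can be combined into a script that audits every Generation 2 VM on the host and then applies the template fix with Secure Boot left on. This is an added example, not part of the original article; the parameter defaults, the "Finding" column and the powered-off check are assumptions of the example.

```powershell
# Added example, not from the original article. Assumes the Hyper-V PowerShell
# module on the host and an elevated session; "centos7" is the article's VM name.
param(
    [string]$VMName = 'centos7',
    [string]$Template = 'MicrosoftUEFICertificateAuthority'
)

# Secure Boot exists only on Generation 2 VMs, so filter before querying firmware.
$gen2 = Get-VM | Where-Object { $_.Generation -eq 2 }

# Audit: list every Generation 2 VM with its Secure Boot state and template,
# flagging VMs where Secure Boot has been switched off.
$gen2 | Get-VMFirmware |
    Select-Object VMName, SecureBoot, SecureBootTemplate,
        @{ Name = 'Finding'; Expression = {
            if ($_.SecureBoot -eq 'Off') { 'Secure Boot disabled' } else { 'OK' } } } |
    Format-Table -AutoSize

$vm = $gen2 | Where-Object { $_.Name -eq $VMName }
if (-not $vm) { throw "No Generation 2 VM named '$VMName' on this host." }

# Assumption: firmware settings are changed with the VM powered off.
if ($vm.State -ne 'Off') {
    throw "VM '$VMName' is $($vm.State); shut it down before changing firmware settings."
}

$fw = Get-VMFirmware -VMName $VMName
if ($fw.SecureBoot -eq 'On' -and $fw.SecureBootTemplate -eq $Template) {
    Write-Output "'$VMName' already uses Secure Boot with template $Template."
} else {
    Set-VMFirmware -VMName $VMName -EnableSecureBoot On -SecureBootTemplate $Template
    # Read the setting back instead of trusting the call.
    $fw = Get-VMFirmware -VMName $VMName
    if ($fw.SecureBoot -ne 'On' -or $fw.SecureBootTemplate -ne $Template) {
        throw "Firmware settings for '$VMName' did not apply as expected."
    }
    Write-Output "'$VMName': Secure Boot On, template $($fw.SecureBootTemplate)."
}
```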