I already have fedora installed on this disk. Yes, I understand the risks of dualboot.
sda1 - /boot/efi 2gb for two systems
sda2 /boot fedora
sda3 / fedora
sda4 - /boot kicksecure 2gb
sda5 - /kicksecure ext4 with luks
kicksecure system does not start “loading initial ramdisk”.
fedora starts up fine
Does “Loading initial ramdisk” stay on screen forever, or is it just the last message you see and then the screen turns black with a blinking cursor in the upper-left corner? (The latter would indicate that the initramfs likely can’t find the root partition, whereas the former would probably indicate either a bootloader or graphics bug.)
This is the last message I see after that the screen goes black and I can only turn off the computer via the power button.
How can I install the system next to fedora on one disk, (grub kicksecure let it be the main one)?
Boot issues are exceptionally complicated to debug. References:
Hence, multi-boot is unsupported and no big efforts are made towards multi-boot user support. Unsupported.
Might be too difficult.
See also:
I don’t understand what the problem is.
I formatted the whole disk and reinstalled only kicksecure with automatic partitioning - the problem remains the same. secureboot is disabled.
BIOS updated
The third time I downloaded the Kicksecure-LXQt-18.1.4.2.Intel_AMD64.iso again, installed it on usb 3.0 via GNOME Disks, selected install on disk - erase and re-install automatically , after reboot I select the first item in grub - black screen again after Loading initial ramdisk
OK, so this is now a single-boot scenario I believe, correct? That rules out multi-boot being the problem. You’re also seeing the kernel and initramfs load, so this isn’t a case of a fallback bootloader issue probably.
This comment was sent in reply to a completely different issue, but I think the same steps will be useful for debugging here:
Can you try that on the installed system (i.e. rather than booting from a USB drive, try to boot the installed system with modified configuration as described in that post), then report the results?
Yes, booting only one system on the disk.
Yes, I did the steps described there and the system booted successfully!
What do I need to do now to keep the system always running without compromising security? Which one of the settings listed in grub is most likely to break the boot?
Hard to tell due to hardware variance. Best solution is probably to do a binary search to find the offending parameter quickest. That’s more efficient than removing one parameter at a time until you find the right one.
efi=disable_early_pci_dma
This setting was breaking the system startup.
Now you need to remove this setting from /etc/default/grub.d/ ?
I also get this error
RDSEED32 is broken. Disabling the corresponding CPUID bit
Failed to start systemd-modules-load.service
and how to add a second system installed on disk to grub menu?
efi=disable_early_pci_dma
Note that disabling the busmaster bit on all PCI bridges during very early boot (efi=disable_early_pci_dma) can cause complete boot failure on certain systems with inadequate resources. Therefore, as always, ensure you have a fallback option to boot into the system whenever modifying any kernel parameters.
Apparently there is known mentions that it cause issues with GPUs getting stuck at a black screen
More aforementioned issues here:
mjg59 | Avoiding gaps in IOMMU protection at boot
Enabling the karg “efi=disable_early_pci_dma” prevents my Lenovo Thinkpad T495 from booting Fedora
Are the other DMA protections enough without this?
Correct. For guidance on this, see:
Known hardware issue with some AMD systems, affects more than just Kicksecure. A BIOS update may fix it.
You probably have Secure Boot enabled, which will prevent tirdad from loading. Either disable Secure Boot, or generate an enroll a Machine Owner Key (MOK). See:
Note that these instructions are a bit out of date, we now have a tool that can do MOK enrollment for you with a single button press. I’ll update that page to reflect the new process. Edit: The page has been updated.
They should already be there, as Kicksecure enables GRUB’s os-prober feature by default. Check /etc/default/grub and ensure GRUB_DISABLE_OS_PROBER=false is set. Boot entries for alternate operating systems will appear at the bottom of the list, below all of the (many) entries for Kicksecure, so they may simply be off-screen. Try pressing the down arrow key until the list scrolls to the point where you can see the other boot entries.
Quoting from the upstream kernel commit message when the feature was introduced:
System firmware may configure the IOMMU to prevent malicious PCI devices from being able to attack the OS via DMA. However, since firmware can’t guarantee that the OS is IOMMU-aware, it will tear down IOMMU configuration when ExitBootServices() is called. This leaves a window between where a hostile device could still cause damage before Linux configures the IOMMU again.
So removing this parameter does introduce some additional risk for a very specific kind of attack. Whether this is a problem depends on whether malicious PCI devices are part of your threat model or not.
I have the latest BIOS version for January 2026 installed
Yes, I have that setting set by default.
I checked the whole list in the grub menu and my fedora system is not listed there.
Now I have to switch through the F12 menu
What is the correct way to disable this setting?
sudoedit /etc/default/grub.d/50_user.cfg
GRUB_CMDLINE_LINUX=“$(echo “$GRUB_CMDLINE_LINUX” | str_replace “efi=disable_early_pci_dma” “”)”
There’s some confusion here - what setting do you want to disable?
To disable os-prober (note that this will remove any chance of your Fedora install showing up in the boot menu), edit /etc/default/grub and set GRUB_DISABLE_OS_PROBER to true. You probably don’t want to do that though.
To disable efi=disable_early_pci_dma, follow the instructions at:
(Read the directions slowly and carefully all the way through, then follow them as written. There is no short version.)
I have set GRUB_DISABLE_OS_PROBER-false
But grub kicksecure does not show fedora in the list.
GRUB_CMDLINE_LINUX=“$(echo “$GRUB_CMDLINE_LINUX” | str_replace “efi=disable_early_pci_dma” “””)“”
This helped disable the setting and fixed the system startup.
RDSEED32 is broken. Disabling the corresponding CPUID bit
Should I ignore this error? bios updated
Not sure what to do then. Might be a limitation of Fedora or your particular Fedora installation.
Great!
If the system is otherwise functional, yes.