Booting with UEFI SecureBoot fails

Ubuntu doesn't have a true secure boot option (it switches to insecure mode right away when secure boot is properly set up with it), but you can use the secure boot shim anyway if you need to turn on secure boot in BIOS/UEFI (like if you dual boot with an OS like Windows 10 that requires it).

Try this:

  1. Switch back to legacy boot in the UEFI/BIOS menu.
  2. Boot Ubuntu.
  3. In a terminal, run:

    sudo apt update; sudo apt install shim-signed
    
  4. Switch back to secure boot in the UEFI/BIOS setup. You may need to pick a bootloader to use for the Ubuntu boot menu option. If so, it's EFI/ubuntu/shimx64.efi.

  5. Attempt to boot Ubuntu.
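An added pre-flight check for the steps above, written for this page and not taken from the original answer: it confirms that shim-signed put shimx64.efi and grubx64.efi on the ESP and that a firmware boot entry actually loads shimx64.efi before you re-enable Secure Boot. It assumes the ESP is mounted at /boot/efi and uses constructed stand-ins for the efibootmgr and mokutil output so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original answer): pre-flight checks to run from the
# still-booting legacy/insecure Ubuntu before flipping Secure Boot on in the firmware.
# Assumptions: the ESP is mounted at /boot/efi; `efibootmgr -v` and `mokutil --sb-state`
# are available on the live system. All inputs used below are constructed samples.

# esp_has_shim DIR: true if DIR/EFI/ubuntu holds both shimx64.efi (what the firmware
# must be pointed at) and grubx64.efi (what shim chains to). Both come from shim-signed.
esp_has_shim() {
  [ -f "$1/EFI/ubuntu/shimx64.efi" ] && [ -f "$1/EFI/ubuntu/grubx64.efi" ]
}

# entry_uses_shim TEXT: true if any entry in `efibootmgr -v` output loads shimx64.efi.
# Firmware may uppercase the path, hence -i; `\\` matches one literal backslash.
entry_uses_shim() {
  printf '%s\n' "$1" | grep -qi 'File(\\EFI\\ubuntu\\shimx64\.efi)'
}

# sb_state TEXT: map `mokutil --sb-state` output to enabled/disabled/unknown.
sb_state() {
  case "$1" in
    *"SecureBoot enabled"*)  echo enabled ;;
    *"SecureBoot disabled"*) echo disabled ;;
    *)                       echo unknown ;;
  esac
}

# preflight DIR TEXT: 0 only when the files are on the ESP and a boot entry uses shim;
# otherwise name what is missing and return 1.
preflight() {
  _pf_rc=0
  esp_has_shim "$1" || { echo "missing shimx64.efi/grubx64.efi under $1/EFI/ubuntu (install shim-signed)"; _pf_rc=1; }
  entry_uses_shim "$2" || { echo "no boot entry loads shimx64.efi (select it in UEFI setup or add one with efibootmgr)"; _pf_rc=1; }
  return $_pf_rc
}

# Constructed stand-ins for a live system (a temporary ESP and a fake efibootmgr dump).
demo_esp=$(mktemp -d)
mkdir -p "$demo_esp/EFI/ubuntu"
: > "$demo_esp/EFI/ubuntu/shimx64.efi"
: > "$demo_esp/EFI/ubuntu/grubx64.efi"
demo_bootmgr='BootOrder: 0001,0000
Boot0000* Windows Boot Manager HD(1,GPT,PLACEHOLDER-PARTUUID)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0001* ubuntu HD(1,GPT,PLACEHOLDER-PARTUUID)/File(\EFI\ubuntu\shimx64.efi)'

echo "current firmware state: $(sb_state 'SecureBoot disabled')"   # live: sb_state "$(mokutil --sb-state)"
preflight "$demo_esp" "$demo_bootmgr" && echo "ready: switch Secure Boot on and boot EFI/ubuntu/shimx64.efi"
rm -rf "$demo_esp"
# Live use: preflight /boot/efi "$(efibootmgr -v)"
```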
Author: John G
Updated on September 18, 2022

Comments

  • John G, over 1 year

    I have just installed Ubuntu on an old (3-4 years old) HP laptop.

    At the time of the installation the BIOS was set up for "Legacy Boot Mode" and the "Secure Boot" option was disabled. (Understandably so, since all BIOSes deactivate secure boot when supporting legacy mode, i.e. DOS, AFAIK.) Unfortunately though, I never realized this at the time of installation.

    I followed this great community guide for manual full system encryption which even ensures that the boot partition is encrypted. As part of the scripts made by the author of that guide, grub is installed with the following command:

    grub-install --target=x86_64-efi --uefi-secure-boot --efi-directory=/boot/efi --bootloader=ubuntu --boot-directory=/boot/efi/EFI/ubuntu --recheck /dev/[DRIVE]
    

    I'm not sure what the --uefi-secure-boot flag does but the installation worked perfectly and my system was running.

    I then realised that secure boot was disabled in the BIOS, wanted to change this, and so disabled legacy mode support and enabled secure boot. For some reason my machine doesn't boot now. It shows the error displayed in the screenshot below:

    [screenshot: GRUB error message]

    If I disable secure boot (note: only secure boot; legacy mode support stays disabled), then the boot works perfectly again.

    Note: In the image the device with UUID beginning with "29bb6762" is my boot partition.

    Note 2: The following is how my HDD is partitioned (exactly the same as in the linked Manual Full System Encryption wiki):

    /dev/sda1 - UEFI partition. FAT 32
    /dev/sda2 - LUKS
    /dev/mapper/system-root
    /dev/mapper/system-boot
    /dev/mapper/system-swap
    
    • The root, boot, and swap are sitting on a volume group. (The LUKS partition is formatted as LVM)
    • and /dev/mapper/system-boot has the same device id as the grub error in the screenshot.
    • oldfred, over 5 years
      Have you updated UEFI from HP? Most older HP only booted the "Windows Boot Manager" entry. But newer ones now seem to work. If there is still an issue, you can keep the Windows description but boot shimx64.efi. askubuntu.com/questions/486752/…
    • ubfan1, over 5 years
      See Bug #1453980 for some problems with grub's --uefi-secure-boot in the simpler case of just installing to a USB.
  • John G, over 5 years
    @chai-t-rex Does that really mean that it's switching to secure boot? Sounds like the BIOS loads a signed shim, which in turn loads a signed kernel. From my understanding of secure boot (which is minimal to say the least), that seems like what all secure boots do. Even the Windows ones. Do correct me if I'm wrong though.
  • Chai T. Rex, over 5 years
    @kapad I'm going to check on that. I know I have the signed shim with an unsigned kernel and it loads fine, it just says it's switching to insecure mode. I found some secure kernels and apparently one is installed, so I'll see about figuring out how to enable it.