Secure Boot Error: Invalid signature detected. Check secure boot policy in setup


When secure boot is enabled, the bootloader to use is shimx64.efi, not grubx64.efi. The BootOrder you posted has "0008" first in the order, which is the grub entry. Put "0000" first in the BootOrder, and secure boot should work.
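The reordering described in the answer above, as an added example that is not part of the original thread: it parses `efibootmgr -v` text and proposes a BootOrder with Shim-backed entries first, without writing to NVRAM. The function names `sample_output` and `shim_first_order` are hypothetical, and matching on the file name `shimx64.efi` is an assumption that fits the x86-64 entries shown on this page.

```shell
#!/usr/bin/env bash
# Added example: propose a BootOrder that lists Shim-backed entries first.
# It only prints a suggestion; it never calls efibootmgr itself.

# efibootmgr -v output copied from the question on this page.
sample_output() {
  cat <<'EOF'
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0008,0000,0005,0004
Boot0000* ubuntu    HD(1,GPT,24a5c7af-e4c8-42c8-888a-637a223cb97a,0x800,0x100000)/File(\EFI\UBUNTU\SHIMX64.EFI)
Boot0004* Onboard NIC(IPV4)     PciRoot(0x0)/Pci(0x1c,0x3)/Pci(0x0,0x0)/MAC(74e6e201e3ee,0)/IPv4(0.0.0.0:0<->0.0.0.0:0,0,0)..BO
Boot0005* Onboard NIC(IPV6) PciRoot(0x0)/Pci(0x1c,0x3)/Pci(0x0,0x0)/MAC(74e6e201e3ee,0)/IPv6([::]:<->[::]:,0,0)..BO
Boot0008* ubuntu   HD(1,GPT,24a5c7af-e4c8-42c8-888a-637a223cb97a,0x800,0x100000)/File(\EFI\UBUNTU\GRUBX64.EFI)
EOF
}

# Reads efibootmgr -v text on stdin, prints a comma-separated boot order.
# Shim entries keep their relative order, followed by all other entries.
shim_first_order() {
  awk '
    /^[ \t]*BootOrder:/ {
      sub(/^[ \t]*BootOrder:/, ""); gsub(/[ \t\r]/, "")
      n = split(toupper($0), order, ","); next
    }
    /^[ \t]*Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
      id = $0; sub(/^[ \t]*Boot/, "", id); id = toupper(substr(id, 1, 4))
      # Shim-backed means the File() loader path ends in shimx64.efi
      if (tolower($0) ~ /file\(.*shimx64\.efi\)/) shim[id] = 1
    }
    END {
      if (n == 0) exit 1   # no BootOrder line found
      for (pass = 1; pass <= 2; pass++)
        for (i = 1; i <= n; i++)
          if ((pass == 1) == (order[i] in shim))
            out = out (out == "" ? "" : ",") order[i]
      print out
    }
  '
}

echo "Proposed: sudo efibootmgr -o $(sample_output | shim_first_order)"
```

On a real machine, pipe `sudo efibootmgr -v` into `shim_first_order` and review the printed order before passing it to `efibootmgr -o`.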


Author: nom

Updated on September 18, 2022

Comments

  • nom
    nom over 1 year

    I have installed Ubuntu 16.10 on a machine (Dell Inspiron) with UEFI and Secure Boot enabled, but when I boot I get a message from the firmware saying "Invalid signature detected. Check secure boot policy in setup". Ubuntu and grub are installed in UEFI mode but I still get the error, how do I fix this without turning off secure boot?

    sudo efibootmgr -v:

    BootCurrent: 0000
    Timeout: 0 seconds
    BootOrder: 0008,0000,0005,0004
    Boot0000* ubuntu    HD(1,GPT,24a5c7af-e4c8-42c8-888a-637a223cb97a,0x800,0x100000)/File(\EFI\UBUNTU\SHIMX64.EFI)
    Boot0004* Onboard NIC(IPV4)     PciRoot(0x0)/Pci(0x1c,0x3)/Pci(0x0,0x0)/MAC(74e6e201e3ee,0)/IPv4(0.0.0.0:0<->0.0.0.0:0,0,0)..BO
    Boot0005* Onboard NIC(IPV6) PciRoot(0x0)/Pci(0x1c,0x3)/Pci(0x0,0x0)/MAC(74e6e201e3ee,0)/IPv6([::]:<->[::]:,0,0)..BO
    Boot0008* ubuntu   HD(1,GPT,24a5c7af-e4c8-42c8-888a-637a223cb97a,0x800,0x100000)/File(\EFI\UBUNTU\GRUBX64.EFI)
    
    • oldfred
      oldfred over 7 years
      Can you boot with Secure Boot off? What brand/model system? Some only boot "Windows Boot Manager", so we have to do workarounds. askubuntu.com/questions/486752/… and: askubuntu.com/questions/582073/dual-boot-but-only-windows-boots/…
    • nom
      nom over 7 years
      @oldfred I can boot with secure boot turned on too, but I get that error message every time I do so (Ubuntu starts running normally after that). The machine is a Dell Inspiron.
    • oldfred
      oldfred over 7 years
      Dell usually works, not sure with Secure boot. Do you have signed kernels? Or when you booted flash drive installer did you install with Secure boot on? If you had to install proprietary video, Internet or Sound drivers, then Secure boot must be off. Another thread on Dell: ubuntuforums.org/showthread.php?t=2342359
    • nom
      nom over 7 years
      @oldfred How do I check if my kernel is signed? When I booted the flash drive installer secure boot was on. I selected the option to install proprietary drivers but unselected the check box to disable secure boot.
    • oldfred
      oldfred over 7 years
      Not sure what happens if you do not turn off Secure boot and install proprietary drivers. I think then you get the error message you have as now kernels are not signed, even if originally signed. Ubuntu does not know if proprietary driver is correct since it cannot see into it, so cannot sign it. And it has to be integrated into kernel to be used.
    • Rod Smith
      Rod Smith over 7 years
      If you get that error and then the boot proceeds normally, my suspicion is that your firmware's boot manager is configured to boot something that's not properly signed but that a subsequent entry is properly signed. This might happen if the first entry was to GRUB (grubx64.efi) directly and the second entry was to Shim (shimx64.efi). Examining your boot entries with sudo efibootmgr -v should reveal this. (Edit your question to include the output of that command.) If I'm right, re-ordering the boot entries with efibootmgr -o {boot order} should fix the problem.
    • nom
      nom over 7 years
      @RodSmith I think you are right because the first boot entry is SHIMX64.EFI and the last one is grub. I booted using the last entry and I didn't see the message. Thanks.
    • nom
      nom over 7 years
      @RodSmith Can I just delete the SHIMX64.EFI entry?
    • ubfan1
      ubfan1 over 7 years
      No, the "Bootorder" has 0008 first, which is grubx64.efi, and which fails a secure boot, but next is 0000 which is shimx64.efi, which works. Put 0000 first in order, not 8, and things will work.
    • Droplet
      Droplet over 3 years
      @ubfan1, could you make this an answer please? I initially overlooked this thinking it was unsolved. Plus, the answer can be displayed in search engines. It was exactly the solution that I needed.
  • Adam Smith
    Adam Smith about 3 years
    Worked for me. More discussion: askubuntu.com/questions/342365/…