Secure Boot Error: Invalid signature detected. Check secure boot policy in setup
When secure boot is enabled, the bootloader to use is shimx64.efi, not grubx64.efi. The BootOrder you posted has "0008" first in the order, which is the grub entry. Put "0000" first in the BootOrder, and secure boot should work.
Author: nom
Updated on September 18, 2022
Comments
-
nom over 1 year
I have installed Ubuntu 16.10 on a machine (Dell Inspiron) with UEFI and Secure Boot enabled, but when I boot I get a message from the firmware saying "Invalid signature detected. Check secure boot policy in setup". Ubuntu and grub are installed in UEFI mode but I still get the error, how do I fix this without turning off secure boot?
sudo efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0008,0000,0005,0004
Boot0000* ubuntu HD(1,GPT,24a5c7af-e4c8-42c8-888a-637a223cb97a,0x800,0x100000)/File(\EFI\UBUNTU\SHIMX64.EFI)
Boot0004* Onboard NIC(IPV4) PciRoot(0x0)/Pci(0x1c,0x3)/Pci(0x0,0x0)/MAC(74e6e201e3ee,0)/IPv4(0.0.0.0:0<->0.0.0.0:0,0,0)..BO
Boot0005* Onboard NIC(IPV6) PciRoot(0x0)/Pci(0x1c,0x3)/Pci(0x0,0x0)/MAC(74e6e201e3ee,0)/IPv6([::]:<->[::]:,0,0)..BO
Boot0008* ubuntu HD(1,GPT,24a5c7af-e4c8-42c8-888a-637a223cb97a,0x800,0x100000)/File(\EFI\UBUNTU\GRUBX64.EFI)
-
oldfred over 7 years
Can you boot with Secure Boot off? What brand/model system? Some only boot "Windows Boot Manager", so we have to do workarounds. askubuntu.com/questions/486752/… and: askubuntu.com/questions/582073/dual-boot-but-only-windows-boots/…
-
nom over 7 years
@oldfred I can boot with secure boot turned on too, but I get that error message every time I do so (Ubuntu starts running normally after that). The machine is a Dell Inspiron.
-
oldfred over 7 years
Dell usually works, not sure with Secure boot. Do you have signed kernels? Or when you booted flash drive installer did you install with Secure boot on? If you had to install proprietary video, Internet or Sound drivers, then Secure boot must be off. Another thread on Dell: ubuntuforums.org/showthread.php?t=2342359
-
nom over 7 years
@oldfred How do I check if my kernel is signed? When I booted the flash drive installer secure boot was on. I selected the option to install proprietary drivers but unselected the check box to disable secure boot.
-
oldfred over 7 years
Not sure what happens if you do not turn off Secure boot and install proprietary drivers. I think then you get the error message you have as now kernels are not signed, even if originally signed. Ubuntu does not know if proprietary driver is correct since it cannot see into it, so cannot sign it. And it has to be integrated into kernel to be used.
-
Rod Smith over 7 years
If you get that error and then the boot proceeds normally, my suspicion is that your firmware's boot manager is configured to boot something that's not properly signed but that a subsequent entry is properly signed. This might happen if the first entry was to GRUB (grubx64.efi) directly and the second entry was to Shim (shimx64.efi). Examining your boot entries with sudo efibootmgr -v should reveal this. (Edit your question to include the output of that command.) If I'm right, re-ordering the boot entries with efibootmgr -o {boot order} should fix the problem.
-
nom over 7 years
@RodSmith I think you are right because the first boot entry is SHIMX64.EFI and the last one is grub. I booted using the last entry and I didn't see the message. Thanks.
-
nom over 7 years
@RodSmith Can I just delete the SHIMX64.EFI entry?
-
ubfan1 over 7 years
No, the "Bootorder" has 0008 first, which is grubx64.efi, and which fails a secure boot, but next is 0000 which is shimx64.efi, which works. Put 0000 first in order, not 8, and things will work.
-
Droplet over 3 years
@ubfan1, could you make this an answer please? I initially overlooked this thinking it was unsolved. Plus, the answer can be displayed in search engines. It was exactly the solution that I needed.
-
Adam Smith about 3 years
Worked for me. More discussion: askubuntu.com/questions/342365/…
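
The check the answer describes, as an added example that is not part of the original thread: a POSIX shell script that reads `efibootmgr -v` output, lists which loader each BootOrder entry starts, and prints a BootOrder with the shimx64.efi entry first. The function names are hypothetical; the sample is the output posted in the question, one entry per line.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; input is `efibootmgr -v` text on stdin.

# Output posted in the question, one entry per line.
sample_output() {
    cat <<'EOF'
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0008,0000,0005,0004
Boot0000* ubuntu HD(1,GPT,24a5c7af-e4c8-42c8-888a-637a223cb97a,0x800,0x100000)/File(\EFI\UBUNTU\SHIMX64.EFI)
Boot0004* Onboard NIC(IPV4) PciRoot(0x0)/Pci(0x1c,0x3)/Pci(0x0,0x0)/MAC(74e6e201e3ee,0)/IPv4(0.0.0.0:0<->0.0.0.0:0,0,0)..BO
Boot0005* Onboard NIC(IPV6) PciRoot(0x0)/Pci(0x1c,0x3)/Pci(0x0,0x0)/MAC(74e6e201e3ee,0)/IPv6([::]:<->[::]:,0,0)..BO
Boot0008* ubuntu HD(1,GPT,24a5c7af-e4c8-42c8-888a-637a223cb97a,0x800,0x100000)/File(\EFI\UBUNTU\GRUBX64.EFI)
EOF
}

# Print "<entry id> <loader file>" in BootOrder sequence ("-" = no File() path).
boot_order_loaders() {
    awk '
        $1 == "BootOrder:" { n = split($2, order, ",") }
        $1 ~ /^Boot[0-9A-Fa-f]+\*?$/ {
            id = substr($1, 5, 4); loader[id] = "-"
            if (match($0, /File\([^)]*\)/)) {
                # Keep only the file name, lower-cased, from the File(...) path.
                k = split(tolower(substr($0, RSTART + 5, RLENGTH - 6)), parts, /\\/)
                loader[id] = parts[k]
            }
        }
        END { for (i = 1; i <= n; i++) print order[i], ((order[i] in loader) ? loader[order[i]] : "-") }
    '
}

# Succeed only when the first BootOrder entry starts shimx64.efi.
first_entry_is_shim() {
    boot_order_loaders | awk 'NR == 1 { ok = ($2 == "shimx64.efi") } END { exit(ok ? 0 : 1) }'
}

# Print a BootOrder value with shimx64.efi entries first, the rest in their old order.
shim_first_order() {
    boot_order_loaders | awk '
        $2 == "shimx64.efi" { front = front sep_f $1; sep_f = ","; next }
        { back = back sep_b $1; sep_b = "," }
        END { print front ((front != "" && back != "") ? "," : "") back }
    '
}

sample_output | first_entry_is_shim ||
    echo "first entry is not shim; suggested BootOrder: $(sample_output | shim_first_order)"
```

On a live system, pipe `sudo efibootmgr -v` into `shim_first_order` and pass the printed value to `sudo efibootmgr -o`.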