3

This is basically the same question as one from a few days ago. I wanted to just add a comment to that question but couldn't due to lack of reputation.

Verification failed: (0x1A) Security Violation while installing Ubuntu

Basically, I was running Linux Mint 21.1 and just for the heck of it I deleted the install and installed Ubuntu 22.10. After using it a few days there was a problem with suspend I couldn't solve so I was going to reinstall Mint. When I tried though my Mint live usb that had worked in the past wouldn't work, giving the security violation message. At that point I tried both an Ubuntu and Kubuntu 22.04 iso that had also worked in the past. Both failed.

I went back to Ubuntu 22.10 which worked but again with suspend problems. 22.04.2 was released a few days ago so I gave it a try. It worked, except it has the same suspend problems that from research seem to be tied to the new 5.19 kernel.

I'd like to get back to Mint 21.1, a 22.04 derivative, so my question is this: What caused the ISOs that previously worked to fail? (20.04 fails as well). About the same time that all that was going on I also did the monthly Windows updates. Do Microsoft signing keys get updated in firmware?

I verified the integrity of all of these downloads and verified the gpg signatures of the hash files.

Again, apologies for repeating a question and thanks in advance for the help.
John G.

John G.
  • 41
  • Only Ubuntu and official flavors of Ubuntu are on-topic here, refer https://askubuntu.com/help/on-topic where you'll find other SE sites where your question will be welcome if you don't want to use a Linux Mint forum. (One advantage of Ubuntu is its many support options, you opted for Linux Mint so take advantage of its support options, or SE Unix & Linux found in the on-topic link) – guiverc Feb 26 '23 at 22:36
  • 1
    Ubuntu 22.10 contains a different software stack than 22.04. Ubuntu has two year development cycles; the 22.04 being the completion of the cycle that started at end 2020-April & involved interim releases of 20.10, 21.04 & 21.10 before final LTS at 22.04. Ubuntu 22.10 is the first of the interim releases in the work towards Ubuntu 24.04 LTS. There is more than just a kernel change in 22.10! Either way your focus appears to be your return to Linux Mint, a non-Ubuntu (it's Ubuntu based though but differs in many ways) product that is off-topic here. – guiverc Feb 26 '23 at 22:38
  • 1
    FYI: You mention ISOs that worked in the past; so were they the same ISO (Ubuntu has released three different ISOs for 22.04 thus far for the same architecture, ie. 22.04, 22.04.1, 22.04.2 plus numerous others for flavors, different architectures etc), as that may be your answer to why it worked in the past (you're comparing a different stack that changed) or your hardware/firmware was updated? maybe. If no hardware upgrades; I'd contrast the manifests of the ISO to look for changes - ie. what has upgraded! to narrow down issue.. I keep them (esp. those that work) for that reason. – guiverc Feb 26 '23 at 22:42
  • Not exactly sure what you are asking. I save the LTS ISOs I've used in the past that are still supported. These are the exact ISOs that I used in the past. Ubuntu 22.04.1 and all previous editions that worked on this computer no longer work. Disregard any mention of Mint. I mentioned it for comparison. I understand the concept of LTS point releases. It has nothing to do with changes in the underlying application software. My guess is that it has something to do with the signing keys. Thanks. John G – John G. Feb 26 '23 at 23:40
  • Ubuntu 22.04.2 LTS has a newer SHIM whereas 22.04.1 & prior ISOs used a now deprecated shim... Such changes are documented (the 22.04.2 LTS was delayed a week and the changing of SHIM & required testing was a good portion of why & thus was heavily mentioned very specifically in my opinion). Also note later point release ISOs have updated software, and on rare occasion that DOES MEAN later versions of software (if it's less work to update version than backport security fixes; but each of these cases are documented prior to being released if you want news/blogs etc) – guiverc Feb 26 '23 at 23:50
  • Thank you. We're getting closer. :-) I obviously know nothing about the secure boot process but I would have thought the SHIM would have been signed with the same key from MS that previous versions were signed with. Whatever changed made all previous Ubuntu versions obsolete (on my computer). I've tried reading the material at rodsbooks.com for insight but it's way over my head. – John G. Feb 27 '23 at 00:00
  • The SHIM updates are always worked out in advance with all parties so all updates occur at the same time... ie. Canonical/Ubuntu, Microsoft and other companies decide when they can have updates so they roll out prior to the agreed activation time, so are installed prior to the time where whatever OS that is running & time hits agreed time and thus implements change... Microsoft deprecated the key at the identical time as was agreed; but not before newer media was available.. – guiverc Feb 27 '23 at 00:11
  • So it would seem that I just need to re-download the previous LTS versions. I had considered that but thought I'd just be downloading the same file. I'll give that a try. – John G. Feb 27 '23 at 00:26
  • https://fridge.ubuntu.com/2023/02/24/ubuntu-22-04-2-lts-released/ shows the recent release of Ubuntu 22.04.2, 22.04.1 was from some time ago... and you can use tools such as zsync to update an ISO to the latest by downloading only the differences between them (if bandwidth matters). I'm aware of most of this stuff due to my Ubuntu News hat & thus watching all official publications etc.. as most things are warned of prior to the actual change for those that watch. – guiverc Feb 27 '23 at 00:44
  • This may be of interest (& hopefully useful) to you - https://discourse.lubuntu.me/t/how-to-resolve-security-violation-errors-on-bootup/4049 (I've not read it yet, but I trust the source & thus approved it & will read it when I can).... FYI: I was just pinged by arraybolt3 that live differs to installed systems thus not the same... your issue was hit in QA, but I can't advise with what was learnt not being there... – guiverc Feb 27 '23 at 01:21

1 Answer

3

This is a tricky one to solve, but doable.

What happened here is that Canonical updated their UEFI Secure Boot signing key and your system's Secure Boot Advanced Targeting variable. In plain terms, they made it so that newer boot files they release are bootable, and older ones aren't. If you got the update and then try to boot an OS that is still using the older files, it won't work and you get a Security Violation error.

Normally the solution here is to update your installation so that you have newer boot files. In this instance, though, you're trying to install from an ISO that has the older boot files. So you can't update the boot files. You have two choices here.

  1. Disable Secure Boot and leave it that way.
  2. Disable Secure Boot, boot the 22.04.1 ISO, install, update, and then enable Secure Boot again.

Sadly, both solutions require that you disable Secure Boot at least temporarily. If that's not possible, you will have to install Ubuntu from a sufficiently new ISO. You can install Ubuntu 22.04.2, then install the usual linux-generic kernel and remove the linux-generic-hwe-22.04 kernel. The following instructions describe how.


Warning: Do not follow these instructions on a working system - this is just for reverting to the 5.15 kernel on a new installation of Ubuntu 22.04.2.

To install the older kernel, run sudo apt install linux-generic - this will automatically pull in everything that makes up the older kernel. However, the newer one will still be installed. To remove it, do sudo apt remove linux-generic-hwe-22.04 && sudo apt autoremove && sudo apt remove linux-image-$(uname -r) linux-headers-$(uname -r) linux-modules-$(uname -r) linux-modules-extra-$(uname -r). Note that this assumes that you are currently booted into the HWE kernel. Also, this will uninstall the kernel that you are actively booted into, so make good and sure you installed the other one first!!! The system will display a dire warning when you try to do this - if you installed the older linux-generic kernel already, you can safely go ahead and tell it to remove the kernel anyway.

Once you're done with that, run ls /boot to make sure that you still actually have a kernel left - if you don't, you forgot to run sudo apt install linux-generic, in which case you should do that lest your system fail to boot. Once you have a properly installed kernel and the HWE kernel is gone, reboot, then run uname -r to make sure that you're booted into a 5.15 kernel. If so, you're done, and you should continue to get 5.15 kernel updates normally.

ArrayBolt3
  • 3,129
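
The Secure Boot Advanced Targeting check mentioned in the answer above comes down to a generation comparison: a boot binary is refused when any component it declares has a lower generation than the minimum recorded in firmware. The sketch below is an added example, not part of the original answer and not shim's own code; `sbat_check` is a hypothetical helper, and the `OLD_SBAT`, `NEW_SBAT` and `SBAT_LEVEL` values, including the `shim.example` vendor row, are constructed samples.

```shell
#!/bin/sh
# Added illustration of the SBAT generation check; all data below is constructed.
# .sbat metadata rows: component,generation,vendor,package,version,url
OLD_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.example,1,Example Distro,shim,15.4-0example1,https://example.invalid/'
NEW_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.example,1,Example Distro,shim,15.7-0example1,https://example.invalid/'
# Revocation level as stored in firmware: component,minimum generation.
# The first row also carries a date stamp in its third field.
SBAT_LEVEL='sbat,1,2022111500
shim,2
grub,3'

# sbat_check METADATA LEVEL
# Prints each component whose generation is below the required minimum.
# Returns 0 if the binary would be accepted, 1 if it would be refused.
sbat_check() {
    printf '%s\n' "$2" | SBAT_META="$1" awk -F, '
        BEGIN {   # index the components declared by the binary
            n = split(ENVIRON["SBAT_META"], rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], f, ",")
                if (f[1] != "") have[f[1]] = f[2] + 0
            }
        }
        # A component absent from the binary is not affected by its revocation row.
        ($1 in have) && have[$1] < $2 + 0 {
            printf "%s: generation %d < required %d\n", $1, have[$1], $2
            refused = 1
        }
        END { exit refused + 0 }
    '
}

# Older media fails once the firmware level has been raised; newer media passes.
sbat_check "$OLD_SBAT" "$SBAT_LEVEL" || echo "old media: refused"
sbat_check "$NEW_SBAT" "$SBAT_LEVEL" && echo "new media: accepted"
```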