1

I have just installed Ubuntu on an old (3-4 years old) HP laptop.

At the time of the installation the BIOS was setup for "Legacy Boot Mode" and the "Secure Boot" option was disabled. (Understandably so, since all BIOSes deactivate secure boot when supporting legacy mode i.e. dos AFAIK). Unfortunately though, I never realized this at the time of installation.

I followed this great community guide for manual full system encryption which even ensures that the boot partition is encrypted. As part of the scripts made by the author of that guide, grub is installed with the following command:

grub-install --target=x86_64-efi --uefi-secure-boot --efi-directory=/boot/efi --bootloader=ubuntu --boot-directory=/boot/efi/EFI/ubuntu --recheck /dev/[DRIVE]

I'm not sure what the --uefi-secure-boot flag does but the installation worked perfectly and my system was running.

I then realised that the secure boot was disabled in the BIOS, wanted to change this, and disabled legacy mode support and enabled secure boot. For some reason my machine doesn't boot now. It shows the error as displayed as in the screenshot below: enter image description here

If I disable secure boot (Note: only secure boot, but still leave legacy mode support disabled as well), then the boot works perfectly again.

Note: In the image the device with UUID beginning with "29bb6762" is my boot partition.

Note2: Following is the how my HDD is partitioned. (exactly the same as in the linked Manual Full System Encryption wiki

/dev/sda1 - UEFI partition. FAT 32
/dev/sda2 - LUKS
/dev/mapper/system-root
/dev/mapper/system-boot
/dev/mapper/system-swap
  • The root, boot, and swap are sitting on a volume group. (The LUKS partition is formatted as LVM)
  • and /dev/mapper/system-boot has the same device id as the grub error in the screenshot.
kapad
  • 1,062
  • Have you updated UEFI from HP? Most older HP only booted "Windows Boot Manager" entry. But newer ones now seem to work. If still issue you can have Windows description but boot shimx64.efi. https://askubuntu.com/questions/486752/dual-boot-win-8-ubuntu-loads-only-win/486789#486789 – oldfred Sep 28 '18 at 15:37
  • See Bug #1453980 for some problems with grub's --uefi-secure-boot in the simpler case of just installing to a USB. – ubfan1 Sep 28 '18 at 15:44

1 Answers1

1

Ubuntu doesn't have a true secure boot option (it switches to insecure mode right away when secure boot is properly set up with it), but you can use the secure boot shim anyway if you need to turn on secure boot in BIOS/UEFI (like if you dual boot with an OS like Windows 10 that requires it).

Try this:

  1. Switch back to legacy boot in the UEFI/BIOS menu.
  2. Boot Ubuntu.

  3. In a terminal, run:

    sudo apt update; sudo apt install shim-signed

  4. Switch back to secure boot in the UEFI/BIOS setup. You may need to pick a bootloader to use for the Ubuntu boot menu option. If so, it's EFI/ubuntu/shimx64.efi.

  5. Attempt to boot Ubuntu.
Chai T. Rex
  • 5,193
  • @chai-t-rex Does that mean really mean that it's switching to secure boot? Sounds like the BIOS loads a signed shim, which in turn loads a signed kernel. From my understanding of secure boot (which is minimal to say the least), that seems like what all secure boots do. Even the windows ones. Do correct me if I'm wrong though. – kapad Sep 30 '18 at 17:35
  • @kapad I'm going to check on that. I know I have the signed shim with an unsigned kernel and it loads fine, it just says it's switching to insecure mode. I found some secure kernels and apparently one is installed, so I'll see about figuring out how to enable it. – Chai T. Rex Sep 30 '18 at 20:20