20

I'm trying to install Ubuntu 22.04.1 via a USB drive, but when I boot from the USB drive with Secure Boot enabled, I get the error Verification failed:(0x1A) Security Violation.

screenshot

I need the secure boot to be enabled. Back then, I had no problems doing so. I recently used the command mokutil --reset to clear the machine owner keys because there were a lot of them and I wanted to make things cleaner.

I also tried to add mmx64.efi and grubx64.efi to the trusted files in BIOS, but I got another error (i.e., shim_lock protocol not found). I was not doing anything special related to secure boot to boot my USB drive before (even when I installed my first Linux distro). Why can't I do that now?

Pablo Bianchi
  • 15,657
  • It depends on if UEFI has Canonical keys. – Pilot6 Feb 24 '23 at 12:27
  • 1
    Try Ubuntu 22.04.2 or Ubuntu 22.10 as they used SHIM 15.9 rather than the recently deprecated version found in 22.04.1 and prior ISOs. This will only impact systems where Secure uEFI boot is enabled, which you appear to want. – guiverc Feb 26 '23 at 22:46
  • 1
    Ran into this issue by simply trying out a newer live disk than my current installation. – BaTycoon Nov 02 '23 at 15:25

4 Answers

26

If you are using Ventoy, the solution is in the official documentation (also mentioned on this issue).

Press OK, Press any key to perform MOK management, Enroll key from disk, VTOYEFI, ENROLL_THIS_KEY_IN_MOKMANAGER.cer, Continue, Yes, Reboot.

screenshot

Pablo Bianchi
  • 15,657
10

This is an excerpt from this answer that I just wrote.

What happened here is that Canonical updated their UEFI Secure Boot signing key and your system's Secure Boot Advanced Targeting variable. In plain terms, they made it so that newer boot files they release are bootable, and older ones aren't. If you got the update and then try to boot an OS that is still using the older files, it won't work and you get a Security Violation error.

Normally the solution here is to update your installation so that you have newer boot files. In this instance, though, you're trying to install from an ISO that has the older boot files. So you can't update the boot files. You have two choices here.

  • Disable Secure Boot and leave it that way.
  • Disable Secure Boot, boot the 22.04.1 ISO, install, update, and then enable Secure Boot again.

Sadly, both solutions require that you disable Secure Boot at least temporarily.

ArrayBolt3
  • 3,129
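To make the mechanism in the answer above concrete, here is an added example (not code from the answer or from shim) that mimics the SBAT generation check shim performs: a binary's `.sbat` component generations are compared against the firmware's revocation policy, and an older image fails once the policy is raised. All `.sbat` entries, policy contents and version strings below are constructed for illustration, not the real values of any Ubuntu ISO or of the SbatLevel variable.

```python
# Added example: an SBAT (Secure Boot Advanced Targeting) generation check,
# modelled on how shim compares a binary's .sbat section with the firmware's
# revocation policy. All sample data is constructed for illustration only.
import csv
from io import StringIO

# A .sbat section is CSV: component_name,component_generation,vendor,package,version,url
OLD_IMAGE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,15.4,https://github.com/rhboot/shim
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
"""

NEW_IMAGE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,15.7,https://github.com/rhboot/shim
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
"""

# A revocation policy is CSV of component_name,minimum_generation; the first
# line carries the policy's own version and a date stamp (constructed values).
OLD_POLICY = "sbat,1,2021030218\n"
NEW_POLICY = "sbat,1,2022052400\nshim,2\ngrub,2\n"


def parse_csv(text):
    """Parse CSV text into a list of non-empty rows."""
    return [row for row in csv.reader(StringIO(text)) if row]


def sbat_check(binary_sbat, policy):
    """Return (ok, reason). Reject when a policy entry names a component that
    the binary carries at a generation below the policy's minimum."""
    generations = {row[0]: int(row[1]) for row in parse_csv(binary_sbat)}
    for row in parse_csv(policy):
        name, minimum = row[0], int(row[1])
        if name in generations and generations[name] < minimum:
            return False, f"{name} generation {generations[name]} < required {minimum}"
    return True, "all components meet the policy"


if __name__ == "__main__":
    for label, sbat in (("old image", OLD_IMAGE_SBAT), ("updated image", NEW_IMAGE_SBAT)):
        for plabel, policy in (("old policy", OLD_POLICY), ("new policy", NEW_POLICY)):
            ok, why = sbat_check(sbat, policy)
            print(f"{label} vs {plabel}: {'boots' if ok else 'Security Violation'} ({why})")
```

The old image boots under the old policy but is refused under the new one, which is why only a newer ISO, or an install updated with Secure Boot temporarily off, gets past the check.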
1

It's possible that the Ubuntu image you downloaded and wrote to the USB drive is not signed with a key that is trusted by the Secure Boot feature of your computer's BIOS. This could be because the image is unsigned, or because the key used to sign the image is not in the list of trusted keys in your computer's BIOS.

You must use a bootloader that is signed with a key that is trusted by the BIOS. This will allow the system to verify the digital signature of the bootloader and load it without triggering the security violation error.

Marco
  • 179
  • 1
    You're correct, but official Ubuntu images (obtained from the official download site, https://ubuntu.com/download) should be correctly signed. If not, then it's possible they've been tampered with (if obtained through a third-party site) or damaged in transit. Downloading again from the official download site or verifying the downloaded image's checksum should help work around this problem (or at least verify that the image is or is not damaged). – Rod Smith Feb 25 '23 at 21:06
1

Downloading and booting from the 22.04.2 version solved the problem for me.