0

I have a Dell laptop with factory installed Ubuntu 14.04. This OS would boot fine with Secure Boot turned on. I have now installed 16.04 alongside 14.04, and I can dual boot. I downloaded the 16.04 ISO from the Ubuntu site, but so far as I know it is not signed by Ubuntu. What do I need to do to make the 16.04 boot with Secure Boot turned on?

pgmer6809

  • 1
    Did you test it? I have installed 16.04 and I see /boot/vmlinuz-4.4.0-21-generic.efi.signed which... looks pretty signed to me. – Zanna Apr 28 '16 at 07:32

2 Answers

2

I just tried, and was able to boot the Ubuntu desktop 16.04 AMD64 image, written to a USB flash drive, with Secure Boot active on an HP EliteDesk computer. Thus, I can say with some certainty that this image is properly signed for Secure Boot. Several possible causes of your problem spring to mind, some of which you could correct but others you could not:

  • Image CPU type -- Check that you're using the correct image file, and in particular, that it's for the correct CPU type, which should be AMD64 for the vast majority of computers. (AFAIK, i386 images never supported Secure Boot "out of the box.")
  • Image damage -- Use the md5sum utility to verify the integrity of your download. (See here for more on how to do this.)
  • Improper image preparation -- Some tools, such as YUMI/Pen Drive Linux, create USB flash drives that can be booted in BIOS/CSM/legacy mode but not in EFI/UEFI mode. If you used such a tool, your disk might not be bootable in EFI mode. This isn't a Secure Boot issue per se, but you might be mistaking it for one. Try using Rufus, UNetbootin, or dd instead. In fact, even if you used one of these tools, switching to another one might be necessary, since there can be system-to-system quirks and incompatibilities.
  • Computer boot manager issues -- You might be unable to access your computer's built-in boot manager, or you might be selecting the wrong option in the boot manager. For instance, many EFIs present two options for removable media, one of which boots in BIOS/CSM/legacy mode and the other of which boots in EFI/UEFI mode. If you select the former, the disk might not boot if Secure Boot is active; you must select the option that includes the string "UEFI."
  • Non-Secure-Boot regression -- You could be seeing a problem that's unrelated to Secure Boot, such as a new kernel bug. Filing a bug report would be in order in this case, but you'll need to track down the problem with more precision first.
  • New Shim or GRUB bug -- Finally, you might have encountered a new bug with the Shim or GRUB package. If you're convinced this is what happened, you should file a bug report. You might be able to work around it temporarily by swapping out the EFI/BOOT/bootx64.efi file from the 16.04 image with the same file from the 14.04 image; however, before you do this, you should back up your working /boot/efi/ directory tree from your 14.04 installation, since the installation is likely to replace your working shimx64.efi binary with a non-working one. (bootx64.efi and shimx64.efi are the same file; they're just named differently on the installation image vs. an installation to disk.)

It would also be helpful if you describe in more detail what you're doing and what's not working. You claim that the image is not signed, and I'm working under the assumption that this is because you've tried to boot it and can't get it to boot, but even with that assumption, there are details that could be important, such as any error messages you might be seeing. If there's any evidence that GRUB has launched, then that would tend to support a post-GRUB problem. Thus, describing exactly what's happening is important to better diagnose the problem. (If necessary, take a video, post it to YouTube, and post a link to it here.)

Rod Smith
  • Hi Rod, In fact I gave up too soon. When I switch to secure boot mode, and boot, I get a red box on the screen that says, "Invalid Signature Detected" with an OK box there. If I do a CR I get to the grub menu, which looks the same as when I do not secure boot. The grub menu will in fact let me boot 16.04, as well as 14.04. Doing a Restart from the desktop is essentially the same. So other than the extra manual intervention step, there is no issue. – Pgmer6809 Apr 30 '16 at 15:47
  • There is a 'signed' vmlinuz vers 4.4 in the /boot directory, but none in the /boot/efi partition. So I don't know why secure boot is complaining. – Pgmer6809 Apr 30 '16 at 15:55
  • PS. I don't know if this matters, but when I did the install of 16.04, I had secure boot turned off, so that I could boot from the ISO usb Stick. – Pgmer6809 Apr 30 '16 at 15:55
  • First, type sudo efibootmgr -v and verify that the first entry to be booted (as specified on the BootOrder line) references shimx64.efi rather than grubx64.efi. If the system boots via Shim, you should not see a scary warning like what you describe. If you're seeing such a warning when booting via Shim, chances are that indicates a firmware bug. In this case, I recommend you check with the manufacturer to upgrade the firmware. (They probably call it a "BIOS update," although it's really an EFI, not a BIOS.) – Rod Smith Apr 30 '16 at 20:00
  • Hi Rod, I am trying to send you the output of gdisk, /boot/efibootmgr, and ls /boot/efi but this forum keeps telling me my comment is too long. – Pgmer6809 Apr 30 '16 at 22:54
  • here is the output of efibootmgr=====sudo efibootmgr -v

        BootCurrent: 0001
        Timeout: 0 seconds
        BootOrder: 0002,0001
        Boot0001* ubuntu HD(1,GPT,c0f1f78e-84a4-4939-a314-ad0604093a86,0x800,0xfa000)/File(\EFI\UBUNTU\SHIMX64.EFI)
        Boot0002* Grub2 HD(1,GPT,c0f1f78e-84a4-4939-a314-ad0604093a86,0x800,0xfa000)/File(\EFI\UBUNTU\GRUBX64.EFI)

    – Pgmer6809 Apr 30 '16 at 22:55
  • here is the output of /boot/efi/ubuntu====sudo efibootmgr -v

        BootCurrent: 0001
        Timeout: 0 seconds
        BootOrder: 0002,0001
        Boot0001* ubuntu HD(1,GPT,c0f1f78e-84a4-4939-a314-ad0604093a86,0x800,0xfa000)/File(\EFI\UBUNTU\SHIMX64.EFI)
        Boot0002* Grub2 HD(1,GPT,c0f1f78e-84a4-4939-a314-ad0604093a86,0x800,0xfa000)/File(\EFI\UBUNTU\GRUBX64.EFI)
        ....

    – Pgmer6809 Apr 30 '16 at 22:56
  • and here is the abbreviated output of gdisk====sudo gdisk /dev/sda====

        Number  Start (sector)  End (sector)  Size       Code  Name
        1       2048            1026047       500.0 MiB  EF00  EFI system partition
        2       1026048         1107967       40.0 MiB   FFFF  Basic data partition
        3       1107968         7399423       3.0 GiB    0700  Basic data partition
        4       7399424         105601762     46.8 GiB   8300
        5       636571648       703281151     31.8 GiB   8200
        6       105603072       636571647     253.2 GiB  8300

    – Pgmer6809 Apr 30 '16 at 23:01
  • DO NOT put program output in comments; it's often too long and the forum software mangles the formatting into near-uselessness. Instead, edit your question and add such output there, preceding each line with four spaces. That will preserve the formatting and keep it legible. That said, it looks like your system is trying to boot GRUB without Shim first and falling back to using Shim. That could explain your failure before getting to GRUB. You could adjust the boot order with sudo efibootmgr -o 1,2. – Rod Smith May 01 '16 at 16:09
1

Rod's suggestion to use shimx64 instead of grubx64 is the answer. Using the efibootmgr or similar, I set the shim to be the bootloader, and now I have no more issues with secure boot, no matter which OS I install or boot from. pgmer6809
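
The check described in the comments above (the first entry on the BootOrder line should load shimx64.efi rather than grubx64.efi), written as a script. This is an added example, not part of the original thread; the function names are illustrative, and the sample input is the efibootmgr output posted in the comments.

```shell
#!/bin/sh
# Added example: find which loader the firmware tries first, from `efibootmgr -v` output.

# Sample input: the output posted in the comment thread above.
sample_output() {
cat <<'EOF'
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0002,0001
Boot0001* ubuntu HD(1,GPT,c0f1f78e-84a4-4939-a314-ad0604093a86,0x800,0xfa000)/File(\EFI\UBUNTU\SHIMX64.EFI)
Boot0002* Grub2 HD(1,GPT,c0f1f78e-84a4-4939-a314-ad0604093a86,0x800,0xfa000)/File(\EFI\UBUNTU\GRUBX64.EFI)
EOF
}

# Read `efibootmgr -v` output on stdin and print the File(...) path of the
# first entry named on the BootOrder line. Exits non-zero if it cannot be found.
first_boot_loader() {
  awk '
    /^BootOrder:/ { split($2, order, ","); first = toupper(order[1]) }
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
      # Entry number is the four hex digits after "Boot"; path sits inside File(...)
      if (match($0, /File\([^)]*\)/))
        loader[toupper(substr($0, 5, 4))] = substr($0, RSTART + 5, RLENGTH - 6)
    }
    END { if (first in loader) print loader[first]; else exit 1 }
  '
}

# Return 0 if the first boot entry loads Shim, 1 if it loads something else,
# 2 if the output could not be parsed. The ESP is FAT, so compare case-insensitively.
shim_is_first() {
  path=$(first_boot_loader) || return 2
  case "$(printf '%s' "$path" | tr '[:lower:]' '[:upper:]')" in
    *'\SHIMX64.EFI') return 0 ;;
    *) printf 'first boot entry loads %s, not shimx64.efi\n' "$path" >&2
       return 1 ;;
  esac
}

# Demo on the sample; on a live system use: sudo efibootmgr -v | shim_is_first
printf 'first loader in sample: %s\n' "$(sample_output | first_boot_loader)"
```

On the sample, the first loader is GRUBX64.EFI, which matches the diagnosis in the thread; with the boot order changed to 0001,0002 the check passes.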