0

I installed Ubuntu 16.04 along with an existing installation of Windows 10 on my laptop (see Installing Ubuntu 16.04.2 alongside Windows 10 on an Acer Travelmate B117).

That was working fine until Ubuntu reminded me of some system updates which I installed. After this, I cannot boot the laptop in Secure Boot mode anymore. When trying to boot, I get a message "Security Boot Failed". There are no more options except switching the laptop off.

When disabling the Secure Boot mode, I see the boot manager again and I still can start Ubuntu, but not Windows.

How can I restore the settings prior to the last system update? Or how can I configure Ubuntu to start in Secure Boot mode again?

The output of the efibootmgr looks like this:

$ sudo efibootmgr -v
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,2001,0004,2002,2003
Boot0000* ubuntu    HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* Unknown Device:   HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\shimx64.efi)RC
Boot0002* Grub  PciRoot(0x0)/Pci(0x13,0x0)/Sata(0,0,0)/HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\grubx64.efi)A01 ..
Boot0003* Ubuntu    PciRoot(0x0)/Pci(0x14,0x0)/USB(7,0)/HD(1,MBR,0x4294967243,0x800,0x737f000)/File(\EFI\BOOT\BOOTx64.EFI)A01 ..
Boot0004* Windows Boot Manager  HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...6................
Boot0005* Unknown Device:   FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(c57ad6b7-0515-40a8-9d21-551652854e37)RC...0
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC

The BitLocker message that is shown when trying to start Windows in Non-Secure Mode is in German and says something like:

BitLocker Recovery 
Please enter BitLocker Recovery Key: ....
Reason: Secure Boot was disabled, please enable Secure Boot or disable BitLocker

This is the screen I see when switching on my laptop in Secure Mode: Security Boot Failed

This is the efibootmgr output after the efibootmgr -o command suggested by Rod Smith:

$ sudo efibootmgr -v
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,2001,0004,2002,2003
Boot0000* ubuntu    HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* Unknown Device:   HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\shimx64.efi)RC
Boot0002* Grub  PciRoot(0x0)/Pci(0x13,0x0)/Sata(0,0,0)/HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\grubx64.efi)A01 ..
Boot0003* Ubuntu    PciRoot(0x0)/Pci(0x14,0x0)/USB(7,0)/HD(1,MBR,0x4294967243,0x800,0x737f000)/File(\EFI\BOOT\BOOTx64.EFI)A01 ..
Boot0004* Windows Boot Manager  HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...6................
Boot0005* Unknown Device:   FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(c57ad6b7-0515-40a8-9d21-551652854e37)RC...0
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC
  • This sounds like an incompatibility between your firmware and either Shim or GRUB; however, it's also possible that you're looking at a misconfiguration. Could you show the output of sudo efibootmgr -v on your system? (Edit your question to add that output.) Also, why can't you start Windows? That is, is the option missing from GRUB, do you no longer see a GRUB menu, or does the Windows option in GRUB no longer work? If the last of those, what symptoms are you seeing? It's conceivable (but unlikely) that the Windows problem is Windows-specific, not Ubuntu- or GRUB-specific. – Rod Smith Apr 24 '17 at 15:17
  • I added the output of the efibootmgr to my question. Also, when booting in user Secure Boot mode, I only see the “Security Boot Failed” message, but no boot manager. When booting with Secure Boot disabled, I can choose Windows in the boot manager, but end up with an error message from BitLocker. – MrSparkle Apr 24 '17 at 21:44
  • Also, as I mentioned, it worked fine before installing the latest Ubuntu system updates. So, if there is some incompatibility, it wasn't incompatible before. – MrSparkle Apr 25 '17 at 19:46

1 Answer

2

You should be able to get the system to boot with Secure Boot active by using the following command in Ubuntu:

sudo efibootmgr -o 0000,0002,2001,0004,2002,2003

This command changes the BootOrder variable (shown in the efibootmgr output you posted), adding Boot0000 (the ubuntu entry, which launches shimx64.efi) to the start of the boot order list. Right now, that entry is not in the boot order list; but Boot0002, which launches grubx64.efi directly, is at the start of the list. This is the source of your Secure Boot problem; Shim is a central part of Ubuntu's Secure Boot support, so bypassing Shim makes it impossible to boot with Secure Boot active. (See this page of mine for more information on Secure Boot.)

As to booting Windows, I'm afraid I can't offer much help. You wrote in your comment:

I can choose Windows in the boot manager, but end up with an error message from BitLocker.

Unfortunately, that's still pretty vague; it's always important to post the exact and complete error message when asking for help. Furthermore, I don't know a lot about BitLocker, so I'd be unlikely to help even if I knew what that message was. It sounds like this is a Windows-specific problem, though -- maybe your (presumably encrypted) Windows partition has been damaged in some way; or maybe BitLocker is relying on software or settings on the EFI System Partition (ESP) that Ubuntu has altered. In any event, I recommend you post the complete error message to a Windows forum for help on this issue. (Take a digital photo and post it, if the message is long enough to merit this approach.)

Rod Smith
  • I added the error message of BitLocker to my question. It pretty much says that I need to enable Secure Boot. The command changed the ordering of the boot menu options, but didn't change the problem that I cannot start the computer with Secure Boot mode enabled anymore. In Secure Boot mode I only see the above error message, but no boot manager or anything else. – MrSparkle Apr 25 '17 at 19:46
  • The point is that something happened while installing the latest Ubuntu system updates. Before, I could start the BootManager, Ubuntu, and Windows in Secure Boot mode, and now it doesn't work anymore. – MrSparkle Apr 25 '17 at 19:52
  • So boot Ubuntu with Secure Boot disabled, use the efibootmgr command I've specified, re-enable Secure Boot, and see what happens. – Rod Smith Apr 25 '17 at 20:09
  • You should still be able to use the EFI boot menu (some function key at power-up) to select the "ubuntu" entry, which runs shim, and should boot in secure mode. You must have been using the EFI menu to boot Windows anyway, since grub still cannot boot Windows in secure mode as far as I know. – ubfan1 Apr 25 '17 at 20:28
  • AFAIK, GRUB can boot Windows with Secure Boot active on most computers, although there is a known bug that prevents this from working on some computers. – Rod Smith Apr 25 '17 at 20:30
  • Again: It all worked perfectly before installing the latest system updates. I could boot in Secure Mode and choose Windows or Ubuntu from the Boot Manager. After the updates, the Boot Manager does not show up, only the error message is displayed. When disabling Secure Mode the Boot Manager is displayed but I can only start Ubuntu. Changing the ordering of the Boot Manager's menu didn't change anything. Whatever happened during the update, I need to reset the previous settings. – MrSparkle Apr 26 '17 at 13:34
  • Are you saying that you've tried the efibootmgr -o ... command I specified and it did not help? If so, please show the output of sudo efibootmgr -v again after issuing the efibootmgr -o ... command and rebooting. If you haven't tried the efibootmgr -o ... command, then please do so. Note that "boot manager" is ambiguous; it could refer either to the computer's built-in boot manager or to GRUB's menu. Thus, it's unclear what you mean when you refer to "the Boot Manager." – Rod Smith Apr 26 '17 at 13:41
  • I added the output of efibootmgr -v after changing the boot order to my question. As I said, that didn't change the issue. Oh, and when I said Boot Manager, I always meant GRUB's menu. Thanks for pointing that out. – MrSparkle Apr 26 '17 at 22:11
  • It looks like your firmware is refusing to accept changes to the BootOrder variable. Sometimes EFIs are flat-out broken this way, but that's likely not the case for you, since it did work at one time. It's more likely that the EFI variable store has gotten corrupted. You can use the firmware setup utility to set everything back to the defaults, which usually fixes such problems. This is likely to wipe out all the boot entries, though. You can re-create one manually or run Boot Repair to completely re-install GRUB. – Rod Smith Apr 28 '17 at 17:36
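
Added example, not part of the original answer or comments: a Python check over `efibootmgr -v` output that reports whether the first BootOrder entry launches Shim and whether a requested boot order was actually kept by the firmware. The sample text is trimmed from the output quoted in the question; the function names `parse` and `audit` are hypothetical.

```python
import re

# Constructed sample: trimmed from the `efibootmgr -v` output quoted in the question.
SAMPLE = r"""BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,2001,0004,2002,2003
Boot0000* ubuntu    HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\shimx64.efi)
Boot0002* Grub  PciRoot(0x0)/Pci(0x13,0x0)/Sata(0,0,0)/HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\grubx64.efi)A01 ..
Boot0004* Windows Boot Manager  HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS
Boot2001* EFI USB Device    RC
"""

ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})\*?\s+(.*)$")  # BootNNNN[*] label + device path
LOADER = re.compile(r"File\(([^)]*)\)")                  # loader path inside File(...)

def parse(text):
    """Return (boot_order, entries); entries maps entry id -> loader path or None."""
    order, entries = [], {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            ids = line.split(":", 1)[1].split(",")
            order = [i.strip().upper() for i in ids if i.strip()]
            continue
        m = ENTRY.match(line)
        if m:
            f = LOADER.search(m.group(2))
            entries[m.group(1).upper()] = f.group(1) if f else None
    return order, entries

def audit(text, requested_order=None):
    """List findings relevant to booting Ubuntu with Secure Boot active."""
    order, entries = parse(text)
    findings = []
    # The firmware may silently discard a BootOrder write; compare with what was asked for.
    if requested_order is not None and order != requested_order:
        findings.append("BootOrder is %s, not the requested %s: firmware did not keep the change"
                        % (",".join(order), ",".join(requested_order)))
    first = entries.get(order[0]) if order else None
    name = (first or "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name.startswith("grub"):
        findings.append("Boot%s is first and launches %s directly, bypassing Shim" % (order[0], first))
    elif not name.startswith("shim"):
        findings.append("first BootOrder entry does not launch Shim")
    if not any((p or "").lower().endswith("shimx64.efi") for p in entries.values()):
        findings.append("no entry launches shimx64.efi")
    return findings
```

On a live system, pass the text of `sudo efibootmgr -v` to `audit()` together with the order given to `efibootmgr -o`; an empty list means Shim is first and the order was kept.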