Ubuntu: How to understand Ubuntu UEFI Secure Boot install?


Now that Secure Boot is supported, what special instructions does one have to follow to install Ubuntu on a UEFI Secure Boot enabled PC shipped with Windows 8?

As I understand, Ubuntu >= 12.04.2 ships with signed GRUB2. I searched but cannot get past the "supported" statement. I am looking for specific instructions on registering Ubuntu keys to let the firmware boot Ubuntu.


Thanks. SecureBoot in Ubuntu 12.10 gives me the answer. The Ubuntu first-stage EFI bootloader is signed by Microsoft. The last time I read, Ubuntu had plans to publish their own key which had to be registered in the firmware's database before installing. Maybe I did not track the story long enough to realize that it is not the case anymore.


Probably start here: help.ubuntu.com/community/UEFI

UEFI (~EFI) is a firmware interface that is widespread on recent computers, especially those more recent than 2010. It is intended to replace the traditional BIOS firmware interface that is prevalent on earlier machines. This page provides information about installing and booting Ubuntu using EFI, as well as about switching between EFI mode and legacy BIOS mode using Ubuntu.


Ubuntu 12.10 is intended to be able to be used with Secure Boot.

Softpedia (Sep-2012) >> Canonical Unveils Plans for Ubuntu 12.10 Secure Boot

Canonical, through Jon Melamut, announced on September 20th that they will plan to implement support for Secure Boot in the upcoming Ubuntu 12.10 (Quantal Quetzal) operating system.

Therefore, after a discussion with Free Software Foundation, Canonical decided to drop the EFILinux bootloader implementation in favor of the GRUB2 bootloader one, signed with their own keys. ..

Muktware (Oct-2012) >> SecureBoot In Ubuntu 12.10

Ubuntu 12.10 is the first distro that supports the Secure Boot architecture by default. Canonical developers have spent a huge amount of time making sure that Ubuntu runs fine and without problems in all hardware. Steve Langasek, an Ubuntu developer has put forward a nice account in his blog, regarding how they are making Secure Boot supported.

closes with ..

Langasek says that they will backport the secure boot mechanism to Ubuntu 12.04 release as well, so that the LTS version can be installed in Secure Boot devices. So the next major service pack of Ubuntu Precise (12.04.2) will include support for SecureBoot.


There is a problem on some machines, particularly laptops - they don't appear to have the "Microsoft Windows UEFI Driver Publisher" public key installed in their BIOS to allow the signed Ubuntu boot loader (and other UEFI software such as ours) to run with the Secure Boot option enabled. This is NOT the same key which Microsoft use to sign their own UEFI Windows Boot Manager, and it appears that some BIOS implementations only have this Microsoft exclusive public key.

The solution is either:

  1. For Microsoft to sign third party UEFI binaries with the SAME key as they use for their own bootloader.

  2. For BIOS vendors/computer hardware motherboard manufacturers to be sure they include the data to allow "Microsoft Windows UEFI Driver Publisher" signed binaries to work correctly.

On a Windows 8 machine, enter Mountvol Z: /S in an admin elevated command prompt box. Then in the command prompt do:

copy Z:\EFI\Microsoft\*.efi C:\test

Where Z is an unused drive letter.

You can then check in (already created) C:\test folder the digital signatures on the Microsoft .efi files and see that the name of the key is different to the key they used to sign the Ubuntu boot loader.

The Ubuntu boot files can be found in X:\EFI\Boot where X is the CD drive letter.

This needs sorting out, and sorting quickly.

Our research indicates that of laptops tested so far, only ASUS laptops have the correct keys installed in their BIOS, but we haven't yet managed to check everyone. I am not mentioning here the names of machines which won't work, but one is a similar name to the one which does!
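The signature check described in the answer above can also be scripted. The following is an added example, not part of the original post: it reads the Authenticode certificate table of a PE/EFI image and lists the certificate common names found in it, so two boot loaders can be compared. It does not verify the signature, the common-name scan is a byte-level heuristic rather than a full PKCS#7 parse, and the function names, the `fake_image` sample builder and the "Example ..." names are constructed for illustration.

```python
import struct

CN_OID = bytes.fromhex("0603550403")   # DER for OID 2.5.4.3 (commonName)

def cert_table(pe: bytes) -> bytes:
    """Raw attribute certificate table of a PE/EFI image (b'' if unsigned)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24                    # skip PE signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]   # PE32 / PE32+
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= 4:
        return b""                       # no certificate-table directory entry
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # file offset, not RVA
    return pe[off:off + size]

def pkcs7_blobs(pe: bytes):
    """Yield the PKCS#7 payload of each WIN_CERTIFICATE entry."""
    table, pos = cert_table(pe), 0
    while pos + 8 <= len(table):
        length, _rev, ctype = struct.unpack_from("<IHH", table, pos)
        if ctype == 0x0002:              # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            yield table[pos + 8:pos + length]
        # Entries are 8-byte aligned; max() guarantees progress on a bad length.
        pos += max(8, (length + 7) & ~7)

def signer_names(pe: bytes) -> list:
    """Heuristic: every commonName in the signature blobs (subjects and issuers)."""
    names = []
    for blob in pkcs7_blobs(pe):
        i = blob.find(CN_OID)
        while i != -1 and i + 7 <= len(blob):
            tag, n = blob[i + 5], blob[i + 6]
            text = blob[i + 7:i + 7 + n].decode("utf-8", "replace")
            if tag in (0x0C, 0x13) and n < 0x80 and text not in names:
                names.append(text)       # UTF8String or PrintableString, short length
            i = blob.find(CN_OID, i + 1)
    return names

def fake_image(*cns: str) -> bytes:
    """Constructed sample: PE32+ headers plus a table holding only CN attributes."""
    blob = b"".join(CN_OID + bytes([0x0C, len(c)]) + c.encode() for c in cns)
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    hdr = bytearray(0x58 + 112 + 16 * 8)          # DOS stub + COFF + optional header
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew
    struct.pack_into("<H", hdr, 0x58, 0x20B)      # PE32+ magic
    struct.pack_into("<I32xII", hdr, 0x58 + 108, 16, len(hdr), len(entry))
    return bytes(hdr) + entry
```

To use it on real files, pass the bytes of each .efi file copied into C:\test and of the boot files on the Ubuntu CD, then compare the returned lists.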


  1. First install Ubuntu-Secure-Remix-64bit (or Ubuntu12.10 64bit) and use Boot-Repair's Recommended Repair as described in the first paragraph of https://help.ubuntu.com/community/UEFI

  2. If that fails, disable SecureBoot in your firmware as described here: https://help.ubuntu.com/community/UEFI#SecureBoot , and run Boot-Repair again.


Have posted a similar question six months ago and due to being unable to load kernel led to installing a non-linux alternative OS to prove that my firmware and hardware were at least working as expected. The intention was to have this new hardware be my first that had never seen Windows so maybe next time...

Since starting on the quest to make use of the EFI capabilities of my newest hardware have been spending some time on these very useful pages which includes a good synopsis of how to perform an Ubuntu install on a Secure Boot enabled machine and highlight there are other options other than relying on Grub2 and signed keys from Microsoft. Which the link in your update to question indicates as the be all and end all. Just thought would share this is not the case. As the last link in this paragraph shows using rEFInd and your own keys it is possible to manage a linux install with Secure Boot enabled. Which is one of the many options mentioned if not described in detail. Hope you enjoy the reading as much as I!

The alternative is to turn Secure Boot off. I would personally at least try the method described shortly and sweetly by LovinBuntu.

Another useful source of helpful information regarding all things U/EFI is the wiki article here. Which helps describe and specify Windows 8 demands UEFI >= 2.3.1 (latest is now 2.4) and Secure Boot is available from >= 2.2 UEFI specification.
(the wiki page linked shares a link for a similar page EUFI page which scares me no end! Science fiction is not fiction!:p)

Some more links for further reading:
