Ubuntu: Ubuntu 16.10 Unable to Boot under Secureboot After OS Update



Question:

My laptop model is HP ENVY 4-1220tx Ultrabook. I installed Ubuntu 16.10 with SecureBoot enabled.

Yesterday I installed an OS Update from Ubuntu Software. Today, when I tried to boot my computer into Ubuntu under SecureBoot, it fails to authenticate the EFI file and therefore cannot boot.

Now I can only boot by turning off SecureBoot.

I have checked the file /var/log/apt/history.log and found related records:

Start-Date: 2016-11-04  22:28:23
Commandline: aptdaemon role='role-upgrade-system' sender=':1.3522'
Upgrade: grub-common:amd64 (2.02~beta2-36ubuntu11, 2.02~beta2-36ubuntu11.1), grub2-common:amd64 (2.02~beta2-36ubuntu11, 2.02~beta2-36ubuntu11.1), grub-efi-amd64-bin:amd64 (2.02~beta2-36ubuntu11, 2.02~beta2-36ubuntu11.1), grub-efi-amd64:amd64 (2.02~beta2-36ubuntu11, 2.02~beta2-36ubuntu11.1), grub-efi-amd64-signed:amd64 (1.74+2.02~beta2-36ubuntu11, 1.74.1+2.02~beta2-36ubuntu11.1), shim:amd64 (0.9+1465500757.14a5905.is.0.8-0ubuntu3, 0.9+1474479173.6c180c6-0ubuntu1)
Remove: shim-signed:amd64 (1.21.3+0.9+1465500757.14a5905.is.0.8-0ubuntu3)
End-Date: 2016-11-04  22:30:18

I have also tried reinstalling the package shim-signed but encountered the following error:

$ sudo apt install shim shim-signed
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  grub-common grub-efi-amd64-bin grub2-common os-prober
Suggested packages:
  multiboot-doc grub-emu xorriso desktop-base
The following NEW packages will be installed:
  grub-common grub-efi-amd64-bin grub2-common os-prober shim shim-signed
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,704 kB of archives.
After this operation, 20.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 grub-common amd64 2.02~beta2-36ubuntu11 [1,751 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 grub2-common amd64 2.02~beta2-36ubuntu11 [526 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 os-prober amd64 1.70ubuntu3 [18.8 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 shim amd64 0.9+1465500757.14a5905.is.0.8-0ubuntu3 [442 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 grub-efi-amd64-bin amd64 2.02~beta2-36ubuntu11 [652 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 shim-signed amd64 1.21.3+0.9+1465500757.14a5905.is.0.8-0ubuntu3 [315 kB]
Fetched 3,704 kB in 1s (2,134 kB/s)
Preconfiguring packages ...
Selecting previously unselected package grub-common.
(Reading database ... 299379 files and directories currently installed.)
Preparing to unpack .../0-grub-common_2.02~beta2-36ubuntu11_amd64.deb ...
Unpacking grub-common (2.02~beta2-36ubuntu11) ...
Selecting previously unselected package grub2-common.
Preparing to unpack .../1-grub2-common_2.02~beta2-36ubuntu11_amd64.deb ...
Unpacking grub2-common (2.02~beta2-36ubuntu11) ...
Selecting previously unselected package os-prober.
Preparing to unpack .../2-os-prober_1.70ubuntu3_amd64.deb ...
Unpacking os-prober (1.70ubuntu3) ...
Selecting previously unselected package shim.
Preparing to unpack .../3-shim_0.9+1465500757.14a5905.is.0.8-0ubuntu3_amd64.deb ...
Unpacking shim (0.9+1465500757.14a5905.is.0.8-0ubuntu3) ...
Selecting previously unselected package grub-efi-amd64-bin.
Preparing to unpack .../4-grub-efi-amd64-bin_2.02~beta2-36ubuntu11_amd64.deb ...
Unpacking grub-efi-amd64-bin (2.02~beta2-36ubuntu11) ...
Selecting previously unselected package shim-signed.
Preparing to unpack .../5-shim-signed_1.21.3+0.9+1465500757.14a5905.is.0.8-0ubuntu3_amd64.deb ...
Unpacking shim-signed (1.21.3+0.9+1465500757.14a5905.is.0.8-0ubuntu3) ...
Processing triggers for ureadahead (0.100.0-19) ...
ureadahead will be reprofiled on next reboot
Processing triggers for install-info (6.1.0.dfsg.1-8) ...
Setting up shim (0.9+1465500757.14a5905.is.0.8-0ubuntu3) ...
Setting up os-prober (1.70ubuntu3) ...
Setting up grub-common (2.02~beta2-36ubuntu11) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Processing triggers for systemd (231-9ubuntu1) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up grub-efi-amd64-bin (2.02~beta2-36ubuntu11) ...
Setting up grub2-common (2.02~beta2-36ubuntu11) ...
Setting up shim-signed (1.21.3+0.9+1465500757.14a5905.is.0.8-0ubuntu3) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
No DKMS packages installed: not changing Secure Boot validation state.

How can I resolve this problem?

How should I deal with the DKMS part?


Solution 1:

Which file is it failing to authenticate? shimx64.efi? grubx64.efi? Something else? If the former, I recommend you track down and install an earlier Shim binary. (Dozens of them exist.) Note, however, that only an Ubuntu Shim will launch Ubuntu's GRUB, at least unless you add Ubuntu's key to your MOK list. (See here for a bunch of keys, including Canonical's.) If GRUB is failing to launch, you could try an earlier GRUB; or it could be the bug is in Shim.

Note that some EFIs can be finicky about keys. I've seen some that refuse to launch some signed binaries when Secure Boot is enabled, even though other binaries signed with the same keys launch just fine. This may be the root cause of your problem, and is the reason I'm suggesting you drop back to known-working binaries.

If the problem is with GRUB, you could try using my rEFInd rather than GRUB, but that adds complexity when Secure Boot is involved -- see the Secure Boot page of rEFInd's documentation. (In brief, you'll have to add at least one key to your MOK list. If the problem is the "finicky EFI" issue I mentioned earlier, you may find some rEFInd binaries will work whereas others don't. The version provided in the Debian package I distribute (in rEFInd's SourceForge files section) is the one that's least likely to cause problems.)

If you want to go the hard route, and take total control of your computer's Secure Boot subsystem, see this page of mine. That page describes how to replace all of your computer's Secure Boot keys with your own keys, enabling you to boot without using Shim; however, depending on what keys you install and what programs you use, you may need to sign some or all of your EFI binaries yourself. This is a lot of work, and is probably not worth it just to bypass the problem you're having, but it might be worth considering if you want to take full control of Secure Boot on your system.

All that said, I've seen so many Secure Boot problems that I'm increasingly of the opinion that it's better to just disable it, at least on Linux-only systems. (With Windows installed, the odds of a malware infection go way up, since malware authors tend to target popular OSes, which for desktop and laptop computers means Windows.) Disabling Secure Boot does admittedly leave your system vulnerable to certain types of attack, but the number of Secure Boot hassles is great enough that the cost in your time to use Secure Boot is probably greater than the likely cost in time of a problem that Secure Boot would bypass -- that is, although malware could consume a lot of your time, when you multiply that by the probability of malware causing problems should you leave Secure Boot off, my suspicion is that the result would be far less than the time you'll spend solving Secure Boot problems. That's just a guess, though. If you do disable Secure Boot, keeping proper backups becomes more important, since much of the time associated with an infection could involve recovery of lost files.
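
Added example (not part of the original question or answer): a Python sketch that scans apt's history.log text for transactions that touched the boot-chain packages named in the question, and lists signed packages a transaction removed, as happened to shim-signed here. The package set and the abridged sample entry come from the question's log; the function names are hypothetical.

```python
import re

# Boot-chain packages named in the question's apt log.
BOOT_CHAIN = {"shim", "shim-signed", "grub-efi-amd64-signed"}
ACTIONS = ("Install", "Upgrade", "Downgrade", "Remove", "Purge")

# Constructed sample: the history.log entry from the question, abridged.
SAMPLE_LOG = """\
Start-Date: 2016-11-04  22:28:23
Commandline: aptdaemon role='role-upgrade-system' sender=':1.3522'
Upgrade: grub-common:amd64 (2.02~beta2-36ubuntu11, 2.02~beta2-36ubuntu11.1), grub-efi-amd64-signed:amd64 (1.74+2.02~beta2-36ubuntu11, 1.74.1+2.02~beta2-36ubuntu11.1), shim:amd64 (0.9+1465500757.14a5905.is.0.8-0ubuntu3, 0.9+1474479173.6c180c6-0ubuntu1)
Remove: shim-signed:amd64 (1.21.3+0.9+1465500757.14a5905.is.0.8-0ubuntu3)
End-Date: 2016-11-04  22:30:18
"""

# Matches "name:arch (old, new)" or "name:arch (version)".
PKG_RE = re.compile(r"([^\s:,()]+)(?::[\w-]+)? \(([^)]*)\)")


def boot_chain_changes(log_text):
    """Return (start_date, action, package, versions) for boot-chain packages."""
    changes = []
    # Transactions in history.log are separated by blank lines.
    for block in re.split(r"\n\s*\n", log_text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key] = value.strip()
        for action in ACTIONS:
            for name, versions in PKG_RE.findall(fields.get(action, "")):
                if name in BOOT_CHAIN:
                    changes.append((fields.get("Start-Date", "?"), action,
                                    name, tuple(versions.split(", "))))
    return changes


def removed_signed(changes):
    """Signed boot-chain packages that some transaction removed or purged."""
    return sorted({pkg for _, action, pkg, _ in changes
                   if action in ("Remove", "Purge") and pkg.endswith("-signed")})


if __name__ == "__main__":
    found = boot_chain_changes(SAMPLE_LOG)
    for date, action, pkg, versions in found:
        print(f"{date}  {action:9} {pkg}  {' -> '.join(versions)}")
    print("signed packages removed:", removed_signed(found))
```

On a real system, pass the contents of /var/log/apt/history.log instead of SAMPLE_LOG.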

