Ubuntu – Clean install of 15.10 on bare disk results in unbootable machine due to secure boot / UEFI

uefi

I installed 15.10 on a brand new (empty) disk installed in a Lenovo T450s, using a USB.
When I rebooted, however, the laptop refused to boot off the disk.

Going into the BIOS (?) and turning off Secure Boot didn't help by itself. Additionally changing the UEFI boot settings to allow for Legacy boot gave me a working 15.10.

I thought 15.10 was supposed to be UEFI enabled/friendly/etc.

My main question is: What should I have done to have it boot in secure boot mode?
But before that I'd like to know briefly whether I should care.

EDIT: After reading Rod Smith's response:

This got complicated, in that many things went wrong with high unreliability.

I booted the USB and always found the /sys/firmware/efi folder, so I'm not sure how it let me install with CSM the first time.

However, when I set up my own partitions, including a 650MB one at the beginning for EFI, it would fail to install. I got the following error window in the Ubuntu installer:

This machine's firmware has started the installer in UEFI mode but it
looks like there may be existing operating systems already installed using
"BIOS compatibility mode". If you continue to install Debian in UEFI mode,
it might be difficult to reboot the machine into any BIOS-mode operating
systems later.

If you wish to install in UEFI mode and don't care about keeping the
ability to boot one of the existing systems, you have the option to force
that here. If you wish to keep the option to boot an existing operating
system, you should choose NOT to force UEFI installation here.

Neither of the Proceed / Go back buttons did anything. Nor did the close window "x" icon, and the main install window had no non-grey buttons. So the installation hung there.

Rebooting and trying again, the USB live installer failed with a kernel panic. I tried many times, and reliably I could only boot off a USB drive once before it would no longer work. I had to recreate the USB drive each time I wanted to boot from it.

In the end my solution was to use the installer's default partitions (still without a separate /home folder, after all these years) whereupon I had a bootable installation.

I then went back and started over (remaking the USB) and added some partitions, and the new installation still booted fine.

Best Answer

Eduardo Cola's comment is correct. To elaborate....

Your problem almost certainly had nothing to do with Secure Boot. (As a side note, Secure Boot is just one optional feature of EFI firmware.) Secure Boot problems almost always manifest as an inability to boot into anything Linux-related, including the GRUB boot loader itself. Typically, if there's a Secure Boot problem, the computer will skip booting GRUB, sometimes displaying an error message about a Secure Boot violation. Occasionally you'll get to GRUB but won't be able to boot a kernel.

What happened to you is that you installed using the Compatibility Support Module (CSM), aka "legacy boot support" or a similar phrase. The CSM permits booting BIOS-mode boot loaders. That feature must have been enabled in your firmware -- but it's possible that the settings were confusing. For instance, your system might enable BIOS-mode booting from external media even if it's set to favor EFI-mode booting from hard disks. If you then selected your USB flash drive or CD-R via a menu description that did not include the string "UEFI," it would have booted in BIOS/CSM/legacy mode. This normally works OK because the computer will then boot the hard disk in the same way; but it sounds like your firmware may be designed with an option to permit BIOS-mode booting from a USB drive but not from a hard disk. It's possible that there's a firmware option to control this behavior, but I can't be more precise because there are no standards for firmware user interfaces, and every manufacturer seems to like to go their own way on such things. For more on the CSM and how it can cause problems, see my page on the subject.

The easy path for you is to continue booting in BIOS/CSM/legacy mode. There are few downsides to this, although you should be aware of the boot mode for certain types of future activities, like if you want to install a second OS or update Ubuntu via a boot from an external medium.

If you want to convert to EFI/UEFI-mode booting, I recommend you begin by studying your firmware's boot options. Read its manual and try to decipher what any options related to boot mode may mean. Unfortunately, this can be quite difficult, because the meaning of these options is usually poorly described. Set the computer to at least support EFI-mode booting, and plan to set it to prohibit BIOS-mode booting once you get the system converted, to avoid future problems like this. You can then convert the system to boot in EFI mode. There are two approaches to this:

  • Re-install Ubuntu -- You can wipe the disk clean and start fresh. (sudo sgdisk -Z /dev/sda will erase the partition table on /dev/sda in a fraction of a second, which is good enough.) You must be sure to boot the Ubuntu installer in EFI mode. Drop to a shell and check for a directory called /sys/firmware/efi after you've booted the installer but before you begin the installation process. If that directory is present, you've booted in EFI mode; if it's absent, you've booted in BIOS mode. If you find you've booted in BIOS mode, reboot and select some other boot option until you succeed.
  • Convert the existing installation -- You can install any of several EFI boot loaders for Linux to boot in EFI mode. (See my page on EFI boot loaders for a rundown of what's available.) That's easier said than done, though. Most EFI-mode installations use the GUID Partition Table (GPT), but your disk probably uses the older Master Boot Record (MBR) system. In theory, you can boot from an MBR disk in EFI mode, but this practice is very rare, so I don't recommend it. Instead, you should convert from MBR to GPT with gdisk, as described in the gdisk documentation. You'll probably also have to create an EFI System Partition (ESP) on the disk. (I recommend you make it 550MiB or a bit larger.) This will probably necessitate shrinking at least one partition, which you can do with GParted. You can then install a boot loader to the ESP. Boot Repair can do this relatively painlessly; or you can boot with a CD-R or USB flash drive of my rEFInd boot manager and then install it by installing its Debian package or PPA.

If this is a really fresh installation, re-installing will almost certainly be easier. (I'd find converting easier, but that's only because I know my way around these procedures very well.)

If you want to use Secure Boot, you may; most of the preceding steps will work with Secure Boot either enabled or disabled. One exception is rEFInd: The USB flash drive and CD-R images I distribute won't work with Secure Boot enabled, so you'll need to boot with it disabled. You can still use Secure Boot with rEFInd, but you'll need to jump through some extra hoops and enable it after you've installed rEFInd. (Alternatively, you can re-install or convert your existing system and get GRUB working, then install rEFInd. If you install rEFInd from a working Secure Boot setup, the installer will detect and use the Shim program installed with GRUB.)
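
The checks the answer describes (boot mode via /sys/firmware/efi, MBR versus GPT on the target disk), plus a read of the Secure Boot state, as an added shell example that is not part of the original post or of any project it mentions. The function names are hypothetical and 512-byte logical sectors are assumed.

```shell
#!/bin/sh
# Added example: pre-install checks for the boot-mode mismatch discussed above.
# Functions take a path argument so they can be pointed at a test tree or a
# disk image instead of the live system (function names are hypothetical).

# "efi" if the kernel exposes EFI runtime data, otherwise "bios" (CSM/legacy).
boot_mode() {
    if [ -d "${1:-}/sys/firmware/efi" ]; then echo efi; else echo bios; fi
}

# Secure Boot state from the SecureBoot EFI variable as exposed by efivarfs:
# 4 attribute bytes followed by 1 data byte (1 = enabled, 0 = disabled).
secure_boot_state() {
    var="${1:-}/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    [ -r "$var" ] || { echo unknown; return; }
    case "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Partition table type of a disk or image, assuming 512-byte logical sectors.
# GPT is tested first because a GPT disk also carries a protective MBR.
partition_table() {
    # "EFI PART" header signature at LBA 1, compared as hex.
    if [ "$(od -An -tx1 -j512 -N8 "$1" 2>/dev/null | tr -d ' \n')" = "4546492050415254" ]; then
        echo gpt
    # MBR boot signature 55 aa at offset 510.
    elif [ "$(od -An -tx1 -j510 -N2 "$1" 2>/dev/null | tr -d ' \n')" = "55aa" ]; then
        echo mbr
    else
        echo none
    fi
}

# Flag the combinations the answer warns about.
preinstall_verdict() {   # $1 = boot mode, $2 = partition table
    case "$1:$2" in
        efi:gpt|efi:none) echo "ok: EFI-mode install" ;;
        efi:mbr)          echo "warn: EFI boot but MBR disk (wipe or convert to GPT)" ;;
        bios:*)           echo "warn: installer booted in BIOS/CSM mode" ;;
    esac
}

# Usage from the installer's shell (reading the disk needs root):
#   preinstall_verdict "$(boot_mode)" "$(partition_table /dev/sda)"
```

An "efi" boot mode paired with an "mbr" disk is the situation the installer's "BIOS compatibility mode" warning in the question points to.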
