Ubuntu – How to enable Secure Boot without issue

Tags: bios, boot, secure-boot, security, uefi

I read here that it is essential to have Secure Boot enabled:

[screenshot]

However, I find that when I enable Secure Boot, it changes it so that systems can boot with UEFI boot, but not Legacy; it also disables the CSM. However, when I then try to boot my system, I get 3 different start things that I can boot from:

- ATAPI CD1: PLDS DVD-RW DS8A8SH
- ATA HDD0: TOSHIBA MK5065GSX
- PCI LAN
    - LAN(3C970E7102F6) - IPv4
    - LAN(3C970E7102F6) - IPv6

But no matter which of them I choose, I just get back to that screen and cannot boot. The only way out is to go to the other tab, select Setup, go back into the BIOS, disable Secure Boot, and then set both Legacy and UEFI as supported in the Setup options (just disabling Secure Boot does not work).

So I am assuming that my current and only OS, Ubuntu GNOME 15.04 (64-bit), does not support UEFI boot, and only Legacy. So is there anything that I can do about this so that I can enable Secure Boot? And why does it only support Legacy anyway? And just as a quick note, this didn't work when I had Windows 7 (a long long time ago in a galaxy far far away…) either.

Best Answer

Boot loaders are written for the computer's firmware. This is analogous to software, which is written for a particular OS. Thus, you don't "convert... the bootloader to UEFI"; that would be like "converting the mail client to Windows" or "converting the photo editor to Linux." Instead, you install a new program for the desired environment. In some cases, the new program may have the same name as the old one (as in Thunderbird or GIMP, which are available for both Windows and Linux; or GRUB 2, which is available for both BIOS and EFI). In other cases, there are OS- or firmware-specific programs, such as efibootmgr (a Linux-specific tool) or rEFInd (an EFI-specific boot manager).

If your computer is currently booting in BIOS/CSM/legacy mode, then to boot in EFI mode, you must do several things:

  • Convert the disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT). This step may not be strictly required, but some EFIs can be fussy, and using MBR may require installing your boot loader to the fallback filename (EFI/BOOT/bootx64.efi), which most tools won't do by default. Thus, an MBR-to-GPT conversion is desirable. This can be done fairly painlessly with my gdisk program (which is installed in Ubuntu by default), as described here.
  • Create an EFI System Partition (ESP). This is a partition where EFI boot loaders reside. It has no exact equivalent in BIOS. You'll probably have to use GParted to resize at least one partition to make room for the ESP. I recommend making it 550MiB in size. Although an ESP is usually the first or second partition on a disk, the realities of partition resizing mean that it may work better to make it the last partition on the disk if you're converting from BIOS/MBR to EFI/GPT.
  • Install an EFI boot loader. GRUB 2 is the traditional boot loader, and it can be installed fairly automatically by booting an Ubuntu live CD in EFI mode and running Boot Repair. Boot Repair should also set things up to work with Secure Boot. Most other boot loaders will require jumping through some extra hoops to work with Secure Boot, although sometimes this isn't too bad -- if it detects Shim (the most common Linux tool for supporting Secure Boot), my own rEFInd will set itself up to use Secure Boot.
  • Reboot and hope it all works. Any number of things can go wrong with all this. If you have problems, your best bet is to search here and elsewhere for a solution, and if you don't find one, post a new question here or on some other forum.

Note that in a Linux installation, the only truly critical software difference between a BIOS-mode and an EFI-mode installation is the boot loader. Thus, switching from BIOS-mode to EFI-mode booting doesn't require additional software changes. (In practice, installing an EFI-mode GRUB is likely to pull in some other related packages, like efibootmgr. These are indeed helpful, but not critical for booting.) There are no changes to the kernel, C libraries, shells, GUI, or other core tools required under EFI compared to BIOS. As I've written above, partitioning will need to be adjusted, but that doesn't require any software changes. Secure Boot requires Shim, PreLoader, or special custom setups; and depending on the boot loader, a signed kernel may be required.

As you might gather from this, Ubuntu should work fine with Secure Boot. (There are occasional exceptions because of finicky EFIs, though. Also, using Secure Boot makes it easier to misconfigure something so that it breaks.) When doing a fresh install with Secure Boot active, it should all be pretty transparent. When you do a conversion from an existing BIOS-mode installation, you're more likely to run into problems, since conversion tools don't really exist (unless you count Boot Repair, which does only part of the job). Thus, you'll end up doing more manually, which means there's more room to miss a step or make a mistake.

For more information on Linux and Secure Boot, read my main Web page on the subject, which covers basic principles and typical configurations. If you want to go really hard-core with a custom Secure Boot configuration, read my page on taking complete control of Secure Boot. This describes how to configure the system to boot with Secure Boot active but without Shim or PreLoader, and in a way that enables you to lock Microsoft tools out, if you so desire.
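Before flipping Secure Boot on in firmware setup after the conversion described in the answer above, a practitioner would want to confirm that the kernel is actually booting in EFI mode, that the ESP is large enough, and that the signed Shim plus GRUB chain is in place. The following shell script is an added example, not part of the original answer or of any tool it mentions; it assumes the EFI/ubuntu/ layout that Ubuntu's signed Shim and GRUB packages produce, the EFI global variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c for the SecureBoot variable, and a root prefix argument so a constructed fake /sys tree can be checked offline.

```shell
#!/bin/sh
# Added example (not from the original answer): pre-flight checks for an Ubuntu
# system being moved from BIOS/CSM booting to EFI booting with Secure Boot.
# Every function takes a root prefix so a constructed fake /sys tree can be used
# offline; pass an empty prefix to inspect the live machine.

# boot_mode PREFIX: "efi" if the running kernel was started by UEFI firmware
# (the kernel then exposes /sys/firmware/efi), otherwise "bios".
boot_mode() {
  if [ -d "$1/sys/firmware/efi" ]; then echo efi; else echo bios; fi
}

# secure_boot_state PREFIX: reads the SecureBoot variable from efivarfs.
# efivarfs files carry 4 bytes of variable attributes followed by the data,
# so the 1-byte SecureBoot value sits at offset 4 (1 = enabled, 0 = disabled).
secure_boot_state() {
  var="$1/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
  [ -r "$var" ] || { echo unknown; return 1; }
  case "$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown; return 1 ;;
  esac
}

# esp_size_ok PREFIX DEV: true if partition DEV (e.g. sda1) is at least the
# 550 MiB the answer recommends. sysfs reports size in 512-byte sectors
# regardless of the disk's logical sector size.
esp_size_ok() {
  sectors=$(cat "$1/sys/class/block/$2/size" 2>/dev/null) || return 1
  [ $(( ${sectors:-0} * 512 )) -ge $(( 550 * 1024 * 1024 )) ]
}

# esp_check MOUNTPOINT: verifies the Secure Boot chain that Ubuntu's shim-signed
# and grub-efi-amd64-signed packages place on the ESP (assumed layout EFI/ubuntu/).
# Shim, signed by Microsoft's UEFI CA, is what the firmware accepts; Shim then
# verifies GRUB. Without both files Secure Boot firmware has nothing to start.
# Also reports whether the fallback loader EFI/BOOT/BOOTX64.EFI exists, which
# matters for firmware that ignores its own NVRAM boot entries.
esp_check() {
  missing=0
  for f in EFI/ubuntu/shimx64.efi EFI/ubuntu/grubx64.efi; do
    if [ -f "$1/$f" ]; then echo "found   $f"; else echo "MISSING $f"; missing=1; fi
  done
  if [ -f "$1/EFI/BOOT/BOOTX64.EFI" ] || [ -f "$1/EFI/BOOT/bootx64.efi" ]; then
    echo "found   EFI/BOOT/BOOTX64.EFI (fallback loader)"
  else
    echo "note    no fallback loader at EFI/BOOT/BOOTX64.EFI"
  fi
  return $missing
}

# preflight PREFIX ESP_MOUNT ESP_DEV: run every check; non-zero means the system
# is not ready to have Secure Boot switched on in firmware setup.
preflight() {
  ok=0
  mode=$(boot_mode "$1")
  echo "boot mode:   $mode"
  [ "$mode" = efi ] || { echo "booted via BIOS/CSM: install an EFI boot loader first"; ok=1; }
  echo "secure boot: $(secure_boot_state "$1" || true)"
  if esp_size_ok "$1" "$3"; then echo "ESP size:    ok"; else echo "ESP size:    below 550 MiB or $3 not found"; ok=1; fi
  esp_check "$2" || ok=1
  return $ok
}

# Invoked as "sh preflight.sh check [ESP_MOUNT] [ESP_DEV]" it inspects the live
# system; when sourced, it only defines the functions.
if [ "${1:-}" = check ]; then
  preflight "" "${2:-/boot/efi}" "${3:-sda1}"
fi
```

If boot_mode reports bios, the firmware has no EFI loader to hand off to once the CSM is disabled, which is the boot-menu loop the question describes; install Shim and GRUB in EFI mode (Boot Repair from an EFI-booted live CD, as the answer suggests) and rerun the checks before enabling Secure Boot.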
