The simple solution is to disable Secure Boot, as described on this page of mine. To be sure, it's better to run with Secure Boot enabled, but if the feature isn't working as designed, it's a liability.
For more thorough diagnostics, I recommend you start by examining your EFI boot entries by typing sudo efibootmgr -v
, as in:
$ sudo efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0003,0007,0001
Boot0000* rEFInd Boot Manager HD(2,1f4800,82000,5f6b4992-fcfe-4a2c-9e67-98b0a30dfe7d)File(\EFI\refind\refind_x64.efi)
Boot0001* Lenovo Recovery System HD(3,276800,1f4000,de3b7563-97f5-48c6-ab7f-2f5d6d57c644)File(\EFI\Microsoft\Boot\LrsBootMgr.efi)RC
Boot0003* ubuntu HD(2,1f4800,82000,5f6b4992-fcfe-4a2c-9e67-98b0a30dfe7d)File(\EFI\ubuntu\shimx64.efi)RC
Boot0007* Windows Boot Manager HD(2,1f4800,82000,5f6b4992-fcfe-4a2c-9e67-98b0a30dfe7d)File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
Check the BootOrder
line and examine each of the entires specified in order. For instance, in this example, 0000
is first, and Boot0000
launches rEFInd. What you should examine in more detail is the file that's launched, such as \EFI\refind\refind_x64.efi
for this example's Boot0000
. In the case of a standard Ubuntu Secure Boot launch, the file should be shimx64.efi
, which of course is not the case for this example's Boot0000
-- but it is true for this example's next boot entry, Boot0003
.
This example would probably produce a Secure Boot warning such as you describe on most computers, but after that warning, GRUB and Ubuntu might launch, since when Boot0000
failed, the system would move on to Boot0003
, which should succeed. It's possible that something like this is happening to you -- but it's probably launching grubx64.efi
first, and then either failing to move on or shimx64.efi
might not have an entry. If this is the case for you, you could tweak the boot order with the -o
option to efibootmgr
or create a new entry entirely. The details depend on what you see from efibootmgr -v
and what's actually installed on your hard disk, though.
If your efibootmgr -v
output shows that the computer should be launching shimx64.efi
first, then I recommend you compare that file to the EFI/BOOT/bootx64.efi
file on the Ubuntu installation media that do boot. Check their file sizes with ls -l
and check if they're identical with diff
; for instance:
diff /mnt/cd-media/EFI/BOOT/bootx64.efi /mnt/esp/EFI/ubuntu/shimx64.efi
(The mount points are likely to be different, of course.) These files should be identical, which diff
indicates by providing no output. If they aren't, you could try overwriting the shimx64.efi
on the hard disk with bootx64.efi
from the installation medium. If the two files are not identical because of a package upgrade, that would be cause for filing a bug report. They might not be identical for some other reason, though, like disk corruption or a (very rare) error when copying files.
If the files are identical but the external medium boots and the hard disk doesn't, then that probably means you've got a buggy EFI. You might look for an update on your manufacturer's Web site. (They probably call it a "BIOS update," although it's really not a BIOS.) If that doesn't help, you might try filing a bug report with the manufacturer.
Best Answer
Setting up PreLoader
/boot/efi/
and at least contains a folder namedEFI
. From the platform perspective (your computer) this folder is\EFI\
during the boot stage. (/media/my_efi_system_partition/EFI
=\EFI\
)\EFI\BOOT\loader.efi
. Some loaders like gummiboot need to be configured properly.\EFI\BOOT\bootx64.efi
andHashTool.efi
to the same directory.You can find more detailed explanations over at Rod Smith's site.
Using HashTool
If you followed the instructions carefully and have Secure Boot enabled, you should be greeted by the following screens upon next boot, which guide you through enrolling the hash of the unsigned loader that would otherwise break the chain of trust.