A while ago, I had to disable Secure Boot in UEFI in order to install a third-party driver.
Now that this third-party driver isn't required anymore (due to kernel updates), I have uninstalled it.
Having removed that unsigned driver, I thought it might be a good idea now to enable Secure Boot again. Is it? Or could malware have caused damage in the meantime, e.g. adding new Secure Boot keys, so that Secure Boot is not "secure" anymore after it has been disabled once?
Best Answer
Yes, you can safely re-enable Secure Boot. It is very unlikely that something has been damaged.
Afterwards change the default boot loader from grubx64.efi to shimx64.efi in BIOS | UEFI.
Otherwise Ubuntu tries to boot with the unsigned boot loader - which of course does not work.
Alternatively you can do it before changing the Secure Boot settings with the built-in efibootmgr.
To list the currently active boot loader files, execute this command:
sudo efibootmgr -v
Change the boot order by running (X,Y = entry number):
sudo efibootmgr -o XXXX,YYYY
In case shimx64.efi is not listed, you can add it by executing (X = disk | Y = EFI partition):
sudo efibootmgr -c -w -d /dev/sdXY -p 1 -L "ubuntu" -l '\EFI\ubuntu\shimx64.efi'
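
To confirm the boot-order change from the answer above before switching Secure Boot back on, the following check (an added example, not part of the original answer) parses efibootmgr -v output and reports whether the first BootOrder entry loads shimx64.efi. The function names and the sample output are constructed for illustration, and the parser assumes entries are printed with a File(...) device path as in the sample.

```shell
#!/bin/sh
# Added example: which loader file does the first BootOrder entry start?

# Constructed sample of `efibootmgr -v` output (not from a real machine).
SAMPLE_OUTPUT='BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0000,0002
Boot0000* ubuntu HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* ubuntu-grub HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\ubuntu\grubx64.efi)
Boot0002* UEFI USB PciRoot(0x0)/Pci(0x14,0x0)/USB(1,0)'

# Read `efibootmgr -v` text on stdin; print the File(...) path of the entry
# listed first in BootOrder. Exit status 1 if that entry cannot be found.
first_boot_loader() {
    awk '
        /^BootOrder:/ { split($2, order, ","); first = toupper(order[1]) }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            path = ""
            if (match($0, /File\([^)]*\)/))
                path = substr($0, RSTART + 5, RLENGTH - 6)
            loader[toupper(substr($0, 5, 4))] = path
        }
        END {
            if (first == "" || !(first in loader)) exit 1
            print loader[first]
        }'
}

# True when the path ends in shimx64.efi (FAT is case-insensitive).
is_shim() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *'\shimx64.efi') return 0 ;;
        *) return 1 ;;
    esac
}

# Verdict on stdin: 0 = shim is first, 1 = something else, 2 = unknown.
check_default_loader() {
    loader=$(first_boot_loader) || { echo "UNKNOWN: first BootOrder entry not found"; return 2; }
    if is_shim "$loader"; then
        printf 'OK: first boot entry loads %s\n' "$loader"
    else
        printf 'WARN: first boot entry loads %s, not shimx64.efi\n' "${loader:-no file}"
        return 1
    fi
}

# Demo on the constructed sample; on a real system pipe in: sudo efibootmgr -v
printf '%s\n' "$SAMPLE_OUTPUT" | check_default_loader || true
```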