grub2 - Ubuntu 16.10 Unable to Boot under Secureboot After OS Update - Ask Ubuntu


my laptop model hp envy 4-1220tx ultrabook. installed ubuntu 16.10 secureboot enabled.

yesterday installed os update ubuntu software. today, when tried boot computer ubuntu under secureboot, fails authenticate efi file , therefore cannot boot.

now can boot turning off secureboot.

i have checked file /var/log/apt/history.log , found related records:

start-date: 2016-11-04  22:28:23 commandline: aptdaemon role='role-upgrade-system' sender=':1.3522' upgrade: grub-common:amd64 (2.02~beta2-36ubuntu11, 2.02~beta2-36ubuntu11.1), grub2-common:amd64 (2.02~beta2-36ubuntu11, 2.02~beta2-36ubuntu11.1), grub-efi-amd64-bin:amd64 (2.02~beta2-36ubuntu11, 2.02~beta2-36ubuntu11.1), grub-efi-amd64:amd64 (2.02~beta2-36ubuntu11, 2.02~beta2-36ubuntu11.1), grub-efi-amd64-signed:amd64 (1.74+2.02~beta2-36ubuntu11, 1.74.1+2.02~beta2-36ubuntu11.1), shim:amd64 (0.9+1465500757.14a5905.is.0.8-0ubuntu3, 0.9+1474479173.6c180c6-0ubuntu1) remove: shim-signed:amd64 (1.21.3+0.9+1465500757.14a5905.is.0.8-0ubuntu3) end-date: 2016-11-04  22:30:18

i have tried reinstalling package shim-signed encountered following error:

$ sudo apt install shim shim-signed reading package lists... done building dependency tree        reading state information... done following additional packages installed:   grub-common grub-efi-amd64-bin grub2-common os-prober suggested packages:   multiboot-doc grub-emu xorriso desktop-base following new packages installed:   grub-common grub-efi-amd64-bin grub2-common os-prober shim shim-signed 0 upgraded, 6 newly installed, 0 remove , 0 not upgraded. need 3,704 kb of archives. after operation, 20.3 mb of additional disk space used. want continue? [y/n] y get:1 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 grub-common amd64 2.02~beta2-36ubuntu11 [1,751 kb] get:2 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 grub2-common amd64 2.02~beta2-36ubuntu11 [526 kb] get:3 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 os-prober amd64 1.70ubuntu3 [18.8 kb] get:4 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 shim amd64 0.9+1465500757.14a5905.is.0.8-0ubuntu3 [442 kb] get:5 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 grub-efi-amd64-bin amd64 2.02~beta2-36ubuntu11 [652 kb] get:6 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 shim-signed amd64 1.21.3+0.9+1465500757.14a5905.is.0.8-0ubuntu3 [315 kb] fetched 3,704 kb in 1s (2,134 kb/s)   preconfiguring packages ... selecting unselected package grub-common. (reading database ... 299379 files , directories installed.) preparing unpack .../0-grub-common_2.02~beta2-36ubuntu11_amd64.deb ... unpacking grub-common (2.02~beta2-36ubuntu11) ... selecting unselected package grub2-common. preparing unpack .../1-grub2-common_2.02~beta2-36ubuntu11_amd64.deb ... unpacking grub2-common (2.02~beta2-36ubuntu11) ... selecting unselected package os-prober. preparing unpack .../2-os-prober_1.70ubuntu3_amd64.deb ... unpacking os-prober (1.70ubuntu3) ... selecting unselected package shim. preparing unpack .../3-shim_0.9+1465500757.14a5905.is.0.8-0ubuntu3_amd64.deb ... unpacking shim (0.9+1465500757.14a5905.is.0.8-0ubuntu3) ... selecting unselected package grub-efi-amd64-bin. preparing unpack .../4-grub-efi-amd64-bin_2.02~beta2-36ubuntu11_amd64.deb ... unpacking grub-efi-amd64-bin (2.02~beta2-36ubuntu11) ... selecting unselected package shim-signed. preparing unpack .../5-shim-signed_1.21.3+0.9+1465500757.14a5905.is.0.8-0ubuntu3_amd64.deb ... unpacking shim-signed (1.21.3+0.9+1465500757.14a5905.is.0.8-0ubuntu3) ... processing triggers ureadahead (0.100.0-19) ... ureadahead reprofiled on next reboot processing triggers install-info (6.1.0.dfsg.1-8) ... setting shim (0.9+1465500757.14a5905.is.0.8-0ubuntu3) ... setting os-prober (1.70ubuntu3) ... setting grub-common (2.02~beta2-36ubuntu11) ... update-rc.d: warning: start , stop actions no longer supported; falling defaults processing triggers systemd (231-9ubuntu1) ... processing triggers man-db (2.7.5-1) ... setting grub-efi-amd64-bin (2.02~beta2-36ubuntu11) ... setting grub2-common (2.02~beta2-36ubuntu11) ... setting shim-signed (1.21.3+0.9+1465500757.14a5905.is.0.8-0ubuntu3) ... installing x86_64-efi platform. installation finished. no error reported. no dkms packages installed: not changing secure boot validation state.

how can resolve problem?

how should deal dkms part?

which file failing authenticate? shimx64.efi? grubx64.efi? else? if former, recommend track down , install earlier shim binary. (dozens of them exist.) note, however, ubuntu shim launch ubuntu's grub, @ least unless add ubuntu's key mok list. (see here bunch of keys, including canonical's.) if grub failing launch, try earlier grub; or bug in shim.

note efis can finicky keys. i've seen refuse launch signed binaries when secure boot enabled, though other binaries signed same keys launch fine. may root cause of problem, , reason i'm suggesting drop known-working binaries.

if problem grub, try using refind rather grub, adds complexity when secure boot involved -- see secure boot page of refind's documentation. (in brief, you'll have add @ least 1 key mok list. if problem "finicky efi" issue mentioned earlier, may find refind binaries work whereas others don't. version provided in debian package distribute (in refind's sourceforge files section) 1 that's least cause problems.

if want go hard route, , take total control of computer's secure boot subsystem, see this page of mine. page describes how replace of computer's secure boot keys own keys, enabling boot without using shim; however, depending on keys install , programs use, may need sign or of efi binaries yourself. lot of work, , not worth bypass problem you're having, might worth considering if want take full control of secure boot on system.

all said, i've seen many secure boot problems i'm increasingly of opinion it's better disable it, @ least on linux-only systems. (with windows installed, odds of malware infection goes way up, since malware authors tend target popular oses, desktop , laptop computers means windows.) disabling secure boot admittedly leave system vulnerable types of attack, number of secure boot hassles great enough cost in time use secure boot greater cost in time of problem secure boot bypass -- is, although malware consume lot of time, when multiply probability of malware causing problems should leave secure boot off, suspicion result far less time you'll spend solving secure boot problems. that's guess, though. if disable secure boot, keeping proper backups becomes more important, since of time associated infection involve recovery of lost files.


Comments

Post a Comment

Popular posts from this blog

download - Firefox cannot save files (most of the time), how to solve? - Super User

this not full duplicate of this question or this question , though base question same. however, questions have no answers. for on half year have problems downloading files firefox. when click on download link, download dialog opened asking me do, save or open it. immediately, there error/warning pop-up (twice, can see 1 @ first) ok button. looks this message : "c:\users\%user%\appdata\local\temp\wbbdv9k8.zip.part not saved because source file not read. try again later or contact server administrator." replace '%user%' name of user trying download. after closing pop-up, download dialog disappears , have minimize firefox , open again, see other pop-up. downloading exact same file internet explorer work, not desired. i tried solutions here . tried solutions here . tried disabling extensions. tried fixing permissions on temp folder. tried making files , folder in profile directory non-readonly. tried running firefox administrator. tried
Read more

windows - "-2146893807 NTE_NOT_FOUND" when repair certificate store - Super User

i try repair certificate store in windows 10 doing c:\windows\system32>certutil -store -user ‎330000019dba8d5dddb98062a900000000019d "personal" certutil: -store command failed: 0x80090011 (-2146893807 nte_not_found) certutil: object not found. i have double check mmc, certificate details serial number of certificate. still fail repair certificate store. can please help? i getting same error when trying export pfx. turns out had export c:\cert.pfx instead of cert.pfx (it trying export file cert store ( cert:\localmachine\my ).
Read more

sql server - "Configuration file does not exist", Event ID 274 - Super User

sql server 2014 standard in server 2012 r2 i installed sql server 2014 in drive d: i following error: microsoft ssis service: registry setting specifying configuration file not exist. attempting load default config file. simply add c:\program files\microsoft sql server\1?0\dts\binn\msdtssrvr.ini.xml to default reg_sz value in: hkey_local_machine\software\microsoft\microsoft sql server\1?0\ssis\serviceconfigfile where ? replaced matching sql server version
Read more