Secure Boot doesn't work with ASUS S56CB

Bug #1201257 reported by Şâkir Aşçı
This bug affects 6 people

Affects: shim (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Here is the information and the exact steps I followed:

- My laptop is ASUS S56CB with Windows 8 pre-installed.
- Prepared partitions using Windows' own disk management utility.
- I prepared an Ubuntu 13.04 (64 bit) ISO to boot with a USB.
- Disabled Fast Boot. When I tried to install Ubuntu in UEFI mode, Secure Boot didn't allow it, then I also disabled Secure Boot.
- Everything went fine and installation started. I continued in the normal way till the partition point.
- I created an EFI partition, "swap", "root" and "home" partitions and set the bootloader to be installed on the EFI partition. I don't want to use Ubuntu's GRUB loader, so I didn't install GRUB on /dev/sda, but on /dev/sda5 as the Ubuntu EFI partition was there.
- Installation finished, and I opened Windows 8. Using EasyBCD, I created a new boot entry and rebooted to see if it would load Ubuntu.
- When I choose Ubuntu entry, I get this error:

File :\NST\AutoNeoGrub0.mbr
Status: 0xc000007b

If I try starting Ubuntu from UEFI (by pressing Esc while the computer boots), I'm able to boot into Ubuntu. However, as I stated it doesn't work in Windows 8's boot menu.

The problem related to Windows 8's boot menu not starting is another issue, but the real problem is that Ubuntu cannot be installed in this computer without disabling Secure Boot.

Regards,
Şâkir Aşçı

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: shim (not installed)
ProcVersionSignature: Ubuntu 3.8.0-19.29-generic 3.8.8
Uname: Linux 3.8.0-19-generic x86_64
ApportVersion: 2.9.2-0ubuntu8
Architecture: amd64
Date: Mon Jul 15 06:37:37 2013
InstallationDate: Installed on 2013-07-15 (0 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=tr_TR.UTF-8
 SHELL=/bin/bash
SourcePackage: shim
UpgradeStatus: No upgrade log present (probably fresh install)

Şâkir Aşçı (sakirasci) wrote :
tags: added: secure-boot uefi
Steve Langasek (vorlon) wrote :

What is the error when trying to boot the Ubuntu 13.04 disk with SecureBoot enabled?

Please attach the following files from your system (when booted to Ubuntu):
/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c

Changed in shim (Ubuntu):
status: New → Incomplete
Şâkir Aşçı (sakirasci) wrote :

Sorry, I couldn't attach the files in a single post. When I try to boot with SecureBoot, the error is "Secure Boot Violation: Invalid signature detected. Check Secure Boot Policy in Setup" and this is a screenshot of the error: http://i.imgur.com/e10je91.jpg

If I disable SecureBoot, then I'm able to boot into Ubuntu, but only from UEFI boot menu. I mean it's possible via this menu: http://i.imgur.com/g8oaNYa.jpg

After I choose Ubuntu from UEFI device selection menu, I'm able to boot into Ubuntu (with SecureBoot disabled).

As I didn't want to lose Windows' bootloader, I installed Ubuntu's GRUB to "/boot" partition and when I opened Windows 8, I added Ubuntu entry to bootloader of Windows via EasyBCD. So, now I have this in my start screen of Windows 8: http://i.imgur.com/nmRNTCD.jpg

But when I select Ubuntu, it gives the following error: http://i.imgur.com/IQIl0aN.jpg

PS: I know there are two different problems, and the priority here is to fix Ubuntu's SecureBoot problem (that's my wish also) but I also wanted to say the other problem with Ubuntu in Windows' bootloader.

Steve Langasek (vorlon) wrote :

Thanks, this is very interesting; it shows that not only does your firmware include the expected Microsoft key, your firmware *also* includes the Canonical Secure Boot key. This makes it doubly surprising that the stock Ubuntu image doesn't boot under Secure Boot. Did you add any of these keys yourself, or did these come by default in your firmware?

How did you prepare the Ubuntu USB disk? The preferred way to do this is with a direct dd of the ISO onto the USB disk; the ISO is a hybrid image which is bootable out of the box as a USB disk, whereas many USB "image creator" programs try to modify the image in unpredictable ways when writing.

> PS: I know there are two different problems, and the priority here is to fix Ubuntu's
> SecureBoot problem (that's my wish also) but I also wanted to say the other
> problem with Ubuntu in Windows' bootloader.

Yes. I've focused on the Secure Boot problem, because I understood that to be your priority. The other problem with booting under the Windows bootloader is probably not one that we will commit to fixing.
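
Added example (not part of the original thread): a Python parser for the db and KEK files requested above, listing which keys the firmware has enrolled. It reads the efivarfs layout (4 attribute bytes followed by EFI_SIGNATURE_LIST structures); the sample variable, its owner GUIDs and certificate bytes are constructed placeholders, not the reporter's data.

```python
import hashlib
import struct
import sys
import uuid

# Signature type GUIDs from the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509: "X509", SHA256: "SHA256"}


def parse_efivar_siglists(raw):
    """Parse an efivarfs db/KEK file: 4 attribute bytes, then EFI_SIGNATURE_LISTs."""
    if len(raw) < 4:
        raise ValueError("too short for an efivarfs file")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    entries, off = [], 4
    while off < len(raw):
        if len(raw) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=raw[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", raw, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if body > end or end > len(raw) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (end - body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for pos in range(body, end, sig_size):
            data = raw[pos + 16:pos + sig_size]  # entry = 16-byte owner GUID + data
            entries.append({
                "type": SIG_TYPES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=raw[pos:pos + 16])),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        off = end
    return attrs, entries


def build_siglist(sig_type, owner, blob):
    """Build a one-entry EFI_SIGNATURE_LIST (constructed sample data only)."""
    body = owner.bytes_le + blob
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body


# Constructed sample: two X509 lists with placeholder owners and fake certificate bytes.
OWNER_A = uuid.UUID("11111111-2222-3333-4444-555555555555")
OWNER_B = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
CERT_A, CERT_B = b"\x30\x82" + b"A" * 30, b"\x30\x82" + b"B" * 40
SAMPLE_DB = (struct.pack("<I", 0x27) + build_siglist(X509, OWNER_A, CERT_A)
             + build_siglist(X509, OWNER_B, CERT_B))

if __name__ == "__main__":
    # Pass a real efivarfs file as argv[1]; otherwise the constructed sample is parsed.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DB
    attrs, entries = parse_efivar_siglists(raw)
    print(f"attributes=0x{attrs:x}, {len(entries)} signature(s)")
    for e in entries:
        print(f"  {e['type']:7} owner={e['owner']} size={e['size']} sha256={e['sha256'][:16]}")
```

Each X509 entry's data is a DER certificate, so the printed SHA-256 can be compared against the fingerprint of a known vendor certificate.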

Şâkir Aşçı (sakirasci) wrote :

> Did you add any of these keys yourself, or did these come by default in your firmware?

No, I didn't add anything before/after installation (and also I don't have that much knowledge either). As far as I follow, I was aware that Microsoft gave authorization to Ubuntu under UEFI starting from Ubuntu 12.04.2, and I had read (I think on OMG! Ubuntu!) that before Microsoft, Canonical had its own other plans on UEFI, so I thought maybe I don't have the required Microsoft keys, but as you explain that's not the case then.

> How did you prepare the Ubuntu USB disk?

I've just bought this ASUS computer, so it's very new and I've been reading a lot about UEFI before the installation. So, I had Ubuntu 13.04 installed in my old laptop and I prepared the USB with Ubuntu's pre-installed USB installer software (usb-creator-gtk). I was thinking of using YUMI or Unetbootin in order to write image under Windows, but I thought that may cause changes in the ISO file and so didn't use them.

Before starting creating USB, I re-downloaded the 13.04 image in order to make sure that I have the most updated one, and controlled md5sum after the download. Additionally, I also burnt the image to a DVD and tried in that way too. I had the same result, so I'm sure that there couldn't be anything wrong regarding the installation media.

So, what to do now? :/

Şâkir Aşçı (sakirasci) wrote :

I forgot to add: The only thing I did was to update my BIOS firmware from 204 to 205 downloading from ASUS: http://www.asus.com/Notebooks_Ultrabooks/S56CB#support_Download_36

I don't think it'd change anything, but just wanted to include in case it helps in some way.

Steve Langasek (vorlon) wrote : Re: [Bug 1201257] Re: Ubuntu doesn't boot from Windows 8 boot menu

On Mon, Jul 15, 2013 at 11:59:02PM -0000, Şâkir Aşçı wrote:
> > How did you prepare the Ubuntu USB disk?

> I've just bought this ASUS computer, so it's very new and I've been
> reading a lot about UEFI before the installation. So, I had Ubuntu 13.04
> installed in my old laptop and I prepared the USB with Ubuntu's pre-
> installed USB installer software (usb-creator-gtk). I was thinking of
> using YUMI or Unetbootin in order to write image under Windows, but I
> thought that may cause changes in the ISO file and so didn't use them.

> Before starting creating USB, I re-downloaded the 13.04 image in order
> to make sure that I have the most updated one, and controlled md5sum
> after the download. Additionally, I also burnt the image to a DVD and
> tried in that way too. I had the same result, so I'm sure that there
> couldn't be anything wrong regarding the installation media.

> So, what to do now? :/

To rule out this being a problem with usb-creator, please rewrite the USB
stick directly using dd. Please note that you must be *very careful* when
using this method: because you are writing to the device directly, if you
get the wrong device name, you can overwrite your system's main disk.

On your existing Ubuntu installation, *before* plugging in your USB stick,
run from the commandline:

 $ ls -l /dev/sdb

this should say:

  ls: cannot access /dev/sdb: No such file or directory

If so, then 'sdb' is the correct device. If not, repeat for sdc, sdd, etc.

Plug the USB stick into the computer, and repeat the last command. If you
have the right device name, it should now show you the device, not an error
message.

Once you have the correct device, run:

 $ sudo dd if=/path/to/ubuntu.iso bs=$((1024*1024)) of =/dev/sdN

where /dev/sdN is the device corresponding to the USB stick.

When that command completes, you will have a USB stick with the unmodified
Ubuntu image. If that still fails, then there's definitely some problem
with shim (though I don't know what). If it succeeds, then it's a bug in
usb-creator.

Şâkir Aşçı (sakirasci) wrote : Re: Ubuntu doesn't boot from Windows 8 boot menu

Thanks for the warning. I was aware that I have two disks (One HDD, and one 24 GB SSD) but most probably I'd forget that and format the 24 GB SSD (/dev/sdb).

So, my USB stick was /dev/sdc and I used dd command (btw, you made a mistake while giving the command, there shouldn't be a space in "of =/dev/sdN").

However, NOTHING CHANGED :( Same result. So there's nothing wrong with usb-creator, and what now? Do you think trying 13.10 would change the situation?

I want to clear something, when I try to boot Ubuntu installation via USB/DVD in SecureBoot, computer doesn't give any error output, it is able to show me the UEFI boot menu (Install Ubuntu, Try Ubuntu, Check Disk for Errors, etc.) but when I select any of them, it just waits in black screen without any error message.

So, I installed Ubuntu SecureBoot disabled, and then after enabling SecureBoot and trying to boot Ubuntu I received "Secure Boot Violation: Invalid signature detected. Check Secure Boot Policy in Setup".

So, while trying to install, computer doesn't give any error outputs, but it just doesn't continue.

Şâkir Aşçı (sakirasci) wrote :

Also, sometimes during boot the fan starts working very loudly and the only way to stop it is to turn off the computer. It happens only when I'm using Ubuntu, and I'm about to give up using Ubuntu. I had been using it happily with my old computer but with this one it seems as if they tried a lot for disabling users to use another OS! Computer works very silently (nearly inaudible) when I'm in Windows 8 but when I open Ubuntu, it works with some audible noise. Now I see that while booting Ubuntu, I receive an error before Ubuntu logo appears:

[ 17.827875] nouveau E [ DRM] Pointer to TMDS table invalid

I have Nvidia graphics card, so this "nouveau" is related to that as far as I know but, in case it helps...

summary: - Ubuntu doesn't boot from Windows 8 boot menu
+ Secure Boot doesn't work with ASUS S56CB
Steve Langasek (vorlon) wrote : Re: [Bug 1201257] Re: Ubuntu doesn't boot from Windows 8 boot menu

On Thu, Jul 18, 2013 at 03:16:29PM -0000, Şâkir Aşçı wrote:
> I want to clear something, when I try to boot Ubuntu installation via
> USB/DVD in SecureBoot, computer doesn't give any error output, it is
> able to show me the UEFI boot menu (Install Ubuntu, Try Ubuntu, Check
> Disk for Errors, etc.) but when I select any of them, it just waits in
> black screen without any error message.

Oh! that's something different, then. We may be looking at a bug anywhere
between shim, grub, the kernel, or the installer.

> So, I installed Ubuntu SecureBoot disabled, and then after enabling
> SecureBoot and trying to boot Ubuntu I received "Secure Boot Violation:
> Invalid signature detected. Check Secure Boot Policy in Setup".

Right, that's because currently when you install on a system without Secure
Boot enabled, the signed bootloader is not installed. This is related to
bug #1184297, which we're working on resolving.

In the meantime, after installation you can do the following:

 sudo apt-get install grub-efi-amd64-signed shim-signed
 sudo grub-install --uefi-secure-boot

After running those two commands, you can reboot, re-enable SecureBoot in
the firmware, and try to boot the *installed* Ubuntu under SecureBoot. It
shouldn't give you a security error - though it might still fail with the
same issue you saw when trying to install.

Please let me know whether this lets you successfully boot the system; that
will help us narrow down the real cause of this install-time bug.

Şâkir Aşçı (sakirasci) wrote :

> In the meantime, after installation you can do the following:
>
> sudo apt-get install grub-efi-amd64-signed shim-signed
> sudo grub-install --uefi-secure-boot

I want to continue with these commands but won't they install Ubuntu bootloader (GRUB) as default and overwrite Windows 8's UEFI/MBR (or whatever it's called)?

When I purchased computer it came without any installation media, so if I lose entry to Windows, I'll not be able to fix it (I'm not sure whether there's a way without a Windows DVD and the fact that they don't give one is really awful). I am afraid of not being able to start Ubuntu, and in addition not being able to reach Windows 8. So, that was the reason for not installing Ubuntu's GRUB on /dev/sda. Can you suggest me another way which doesn't erase Windows' bootloader?

And also, thank you for all the help!

Şâkir Aşçı (sakirasci) wrote :

Update: I just tried Ubuntu 13.10 Daily with USB (writing again using dd command), and there is no change in the result. If I enable Secure Boot, it hangs in black screen after choosing Try Ubuntu, Install Ubuntu, Check Disk for Errors.

Steve Langasek (vorlon) wrote : Re: [Bug 1201257] Re: Secure Boot doesn't work with ASUS S56CB

On Fri, Jul 19, 2013 at 12:36:58AM -0000, Şâkir Aşçı wrote:
> > In the meantime, after installation you can do the following:

> > sudo apt-get install grub-efi-amd64-signed shim-signed
> > sudo grub-install --uefi-secure-boot

> I want to continue with these commands but won't they install Ubuntu
> bootloader (GRUB) as default and overwrite Windows 8's UEFI/MBR (or
> whatever it's called)?

No, it won't. It will only update the files on the partition mounted at
/boot/efi, and update the "Ubuntu" boot entry in the firmware. It will not
overwrite any of the Windows files, and it will not change the default boot
entry in the firmware.

Şâkir Aşçı (sakirasci) wrote :

Eureka! After applying commands and turning on Secure Boot, Ubuntu booted successfully. So, is the problem in the installer?

(And as another note regarding 13.10:

As I said the same problem exists with Saucy when I try to boot with Secure Boot enabled, but there is more: after disabling Secure Boot, again I couldn't boot to Ubuntu! If I boot with Secure Boot, it hangs just after selecting "Try Ubuntu" but with Secure Boot disabled, after selecting "Try Ubuntu" I saw the Ubuntu screen with 5 dots and then it hanged in black screen. As it's in the beta stage, maybe it's too early to judge, but seems like there are other problems with 13.10 too.)

Nayef A (nayef-alfawaz) wrote :

My laptop is ASUS S550C with Windows 8 pre-installed.
- Prepared partitions using Windows' own disk management utility. deleting D and shrinking C.
- I prepared a Ubuntu 13.04 (64 bit) ISO to boot with a USB.
- I disabled Fast Boot and disabled FastStartup.
- I used multiple media USB and DVD trying 13.4 and 12.10
every time when I reach the try Ubuntu install menu every choice leads to black screen.
just like the other bug reporter
"when I try to boot Ubuntu installation via USB/DVD in SecureBoot, computer doesn't give any error output, it is able to show me the UEFI boot menu (Install Ubuntu, Try Ubuntu, Check Disk for Errors, etc.) but when I select any of them, it just waits in black screen without any error message."
I only figured out it was a secure boot issue when I followed some advice to try Grub commands.
At that point I got a secure boot doesn't allow loading module error.
so I disabled SecureBoot.
Ubuntu installs fine. Restarts fine.
Grub window item leads to error message about device map not found and efi path incorrect
if I turn on SecureBoot. Windows loads immediately and Ubuntu is ignored.
So I checked and confirmed efi grub was installed.
I followed your advice and did
> sudo apt-get install grub-efi-amd64-signed shim-signed
> sudo grub-install --uefi-secure-boot
Now if I disable SecureBoot Ubuntu works and I still get the windows error from grub
If I enable SecureBoot I actually get a grub selection menu. Which is progress I suppose.
But now if I choose any Ubuntu item I get a purple screen vs. a black one I was getting from the installation media.
And Windows 8 still won't run from Grub same device map efi path error? help.

Nayef A (nayef-alfawaz) wrote :

I have run boot repair recommended repair option
now I cannot run either Ubuntu or Windows 8 even from bios menus as long as secure-boot is enabled.
With secure-boot off though. Grub can load both Ubuntu and Windows 8.
So mixed bag I suppose.
I will try to update my bios.
but other than that I'm done. Unless I can find help.
here are my configuration printouts by boot repair before and after repair.
before: http://paste.ubuntu.com/6051387/
after: http://paste.ubuntu.com/6054993/

there are a lot more items in the boot menu. It can't be right. But I'll live with it

Steve Langasek (vorlon) wrote :

> So, is the problem in the installer?

Yes, it's a problem in the 13.04 installer that installing with Secure Boot disabled will not install the packages needed to keep Ubuntu booting if Secure Boot is turned on. This bug has been fixed for 13.10 (and 12.04.3).

> As I said the same problem exists with Saucy when I try to boot with Secure Boot
> enabled, but there is more: after disabling Secure Boot, again I couldn't boot to
> Ubuntu! If I boot with Secure Boot, it hangs just after selecting "Try Ubuntu" but
> with Secure Boot disabled, after selecting "Try Ubuntu" I saw the Ubuntu screen
> with 5 dots and then it hanged in black screen. As it's in the beta stage, maybe it's
> too early to judge, but seems like there are other problems with 13.10 too.)

If you see the "Try Ubuntu" option, then you've successfully loaded both shim and grub; and if you get the five dots, you've made it to the kernel and initramfs. So that's a separate issue from the original SecureBoot question. If you can reproduce it with the current 13.10 images please file a separate bug report for it. Best to file the bug report against the 'ubiquity' package initially.

Rereading the original problem in light of current information, the problem all comes down to the issue I mention above, that before 13.10 the installer would not install shim if the system was not booted under Secure Boot. If you had installed with Secure Boot enabled, shim would have been set up as bootx64.efi; and because shim is signed by the Microsoft key, it would be bootable both from the Microsoft bootloader and from UEFI. However, since shim was *not* installed, you were trying to boot grub directly from the Microsoft bootloader. The Microsoft bootloader is known to enforce Microsoft key signatures, even if Secure Boot is disabled in firmware and *even if other keys are registered in the firmware*. So this will never work without shim. It is also not how the Ubuntu installer sets up the bootloader: the Ubuntu installer will correctly register its own boot entry with the firmware using efibootmgr. You would not have hit this problem if you had not second-guessed the installer. Anyway, with the latest version of the installer we avoid this problem.

It sounds like there may still be some problems booting Ubuntu on your system, particularly booting the installer. But those problems are unrelated to the Secure Boot support itself, and should be tracked in a separate bug. So I'm going to mark this bug as resolved.
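
Added example (not part of the original thread): the "Invalid signature detected" error discussed above appeared because the signed bootloader was not installed, and a Python check like this one shows whether an EFI binary carries an embedded Authenticode signature at all. It reports presence only (the firmware still decides whether the signer is trusted by db); the sample PE headers are constructed, and the file paths are supplied by the user.

```python
import struct
import sys


def embedded_signatures(pe):
    """Return [(revision, cert_type, length)] from a PE certificate table; [] if unsigned."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24            # optional header follows "PE\0\0" + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:           # PE32
        dirs = opt + 96
    elif magic == 0x20B:         # PE32+ (x86_64 EFI binaries)
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)
    if ndirs <= 4:
        return []
    # Data directory 4 is the certificate table: (file offset, size).
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if cert_size == 0:
        return []
    if cert_off + cert_size > len(pe):
        raise ValueError("certificate table points past end of file")
    found, pos = [], cert_off
    while pos + 8 <= cert_off + cert_size:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        found.append((revision, cert_type, length))
        pos += (length + 7) & ~7  # entries are 8-byte aligned
    return found


def sample_pe(signature_blob=b""):
    """Constructed minimal PE32+ headers for the demonstration (not a bootable image)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    cert = b""
    if signature_blob:
        # WIN_CERTIFICATE: length, revision 2.0, type 0x0002 (PKCS#7 SignedData)
        cert = struct.pack("<IHH", 8 + len(signature_blob), 0x0200, 0x0002) + signature_blob
        cert += b"\0" * (-len(cert) % 8)
    dirs = [(0, 0)] * 16
    dirs[4] = (328 if cert else 0, len(cert))   # headers total 64 + 4 + 20 + 240 bytes
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt + cert


if __name__ == "__main__":
    # Pass paths of EFI binaries to check; with no arguments the samples are used.
    images = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "sample-unsigned": sample_pe(),
        "sample-signed": sample_pe(b"\x30\x82" + b"S" * 20),
    }
    for name, data in images.items():
        sigs = embedded_signatures(data)
        print(f"{name}: {'signed, ' + str(len(sigs)) + ' entry(ies)' if sigs else 'NOT signed'}")
```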

Steve Langasek (vorlon) wrote :

Nayef A,

> At that point I got a secure boot doesn't allow loading module error.

That is also unrelated to this bug report. Please file a separate bug against the grub2 package, with specific information about what commands you were running that produced this error.

Steve Langasek (vorlon)
Changed in shim (Ubuntu):
status: Incomplete → Fix Released