[Acer V5-171] Installer is blocked by UEFI Secure Boot

Bug #1123403 reported by Andrew
22
This bug affects 4 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Low
Unassigned
Saucy
High
Unassigned

Bug Description

The release notes for Ubuntu 12.10 claim [1] that UEFI Secure Boot is supported and suggest that I should expect an "it just works" experience on new hardware. However, when I try to boot an Ubuntu 12.10 64-bit bootable USB stick [2] on a brand-new Acer Aspire V5-171, the following message appears:
    2. USB HDD: Memorex TD Classic 003C has been blocked by the current security policy.
    [Ok]

[1]: https://wiki.ubuntu.com/QuantalQuetzal/ReleaseNotes/UbuntuDesktop#QuantalQuetzal.2BAC8-ReleaseNotes.2BAC8-CommonInfrastructure.Secure_Boot
[2]: http://www.ubuntu.com/download/help/create-a-usb-stick-on-windows

WORKAROUND: Enable legacy BIOS boot mode.

---
ApportVersion: 2.10.2-0ubuntu2
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: ubuntu 2977 F.... pulseaudio
CasperVersion: 1.335
DistroRelease: Ubuntu 13.10
LiveMediaBuild: Ubuntu 13.10 "Saucy Salamander" - Alpha amd64 (20130627)
MachineType: Acer V5-171
MarkForUpload: True
Package: linux (not installed)
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/casper/vmlinuz.efi file=/cdrom/preseed/username.seed boot=casper quiet splash --
ProcVersionSignature: Ubuntu 3.9.0-7.15-generic 3.9.7
RelatedPackageVersions:
 linux-restricted-modules-3.9.0-7-generic N/A
 linux-backports-modules-3.9.0-7-generic N/A
 linux-firmware 1.109
Tags: saucy
Uname: Linux 3.9.0-7-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
dmi.bios.date: 12/12/2012
dmi.bios.vendor: Acer
dmi.bios.version: V2.09
dmi.board.asset.tag: Type2 - Board Asset Tag
dmi.board.name: Mimic
dmi.board.vendor: Acer
dmi.board.version: Type2 - Board Version
dmi.chassis.type: 10
dmi.chassis.vendor: Acer
dmi.chassis.version: V2.09
dmi.modalias: dmi:bvnAcer:bvrV2.09:bd12/12/2012:svnAcer:pnV5-171:pvrV2.09:rvnAcer:rnMimic:rvrType2-BoardVersion:cvnAcer:ct10:cvrV2.09:
dmi.product.name: V5-171
dmi.product.version: V2.09
dmi.sys.vendor: Acer

Revision history for this message
Andrew (andrewkvalheim) wrote :
Revision history for this message
Andrew (andrewkvalheim) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1123403/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Revision history for this message
Andrew (andrewkvalheim) wrote :

"If you encounter the bug when booting the Live CD (or alternative installer), file the bug against the kernel."

affects: ubuntu → linux (Ubuntu)
Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1123403

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Andrew (andrewkvalheim) wrote : Re: Installer is blocked by UEFI Secure Boot

Due to the nature of the issue I have encountered, I am unable to run this command.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v3.8 kernel[0] (Not a kernel in the daily directory) and install both the linux-image and linux-image-extra .deb packages.

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

If you are unable to test the mainline kernel, for example it will not boot, please add the tag: 'kernel-unable-to-test-upstream'.
Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.8-rc7-raring/

Changed in linux (Ubuntu):
importance: Undecided → High
tags: added: kernel-da-key quantal
Revision history for this message
Andrew (andrewkvalheim) wrote :

I'm not quite sure how to test that. Should I modify the Ubuntu 12.10 installation media to use the v3.8 kernel? If so, do I need to do anything special to generate /casper/vmlinuz.efi.signed?

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

Would it be possible for you to test the latest 13.04 raring daily build[0]? It would be good to know if this issue is resolved in the latest release.

[0] http://cdimage.ubuntu.com/daily-live/current/

Revision history for this message
Aurélien COUDERC (coucouf) wrote :

Hi, I have the same problem with my Asus R500V (K55VD).

The 20130305 daily live for raring doesn’t boot either.

There was no need to swich to legacy bios for me, just switching secure boot on and off makes the live fail or boot.

Revision history for this message
Aurélien COUDERC (coucouf) wrote :

After doing the installation with secure boot disabled, if I try to enable it again, I get a red message box from the firmare saying :

Secure Boot Violation

Invalid signature detected. Check Secure Boot Policy in Setup

Revision history for this message
Aurélien COUDERC (coucouf) wrote :

For the sake of completeness I've tested the last upstream kernel (currently 3.8.2-raring), but it doesn't change anything.
The secure boot blocks with the "Invalid signature detected" message while loading grub AFAICT, so before loading any particular kernel.

With secure boot disabled both the current 12.10 kernel and 3.8.2-raring boot correctly.

The grub version installed by the 12.10 live installer is the EFI version as expected:
user@machine:~$ dpkg --get-selections | grep grub
grub-common install
grub-efi install
grub-efi-amd64 install
grub-efi-amd64-bin install
grub2-common install

tags: added: kernel-key
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

@Aurelien

Can you post your hardware details? Are you also using an Acer Aspire V5-171 like the original bug reporter?

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

It is possible this is a firmware bug. Do you have a way to see if you can install Windows on this machine, with UEFI enabled?

Changed in linux (Ubuntu):
status: Confirmed → Incomplete
tags: removed: kernel-key
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Andrew (andrewkvalheim) wrote : AlsaInfo.txt

apport information

tags: added: apport-collected saucy
description: updated
Revision history for this message
Andrew (andrewkvalheim) wrote : BootDmesg.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : CRDA.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : CurrentDmesg.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : IwConfig.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : Lspci.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : Lsusb.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : ProcCpuinfo.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : ProcEnviron.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : ProcInterrupts.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : ProcModules.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : PulseList.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : RfKill.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : UdevDb.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : UdevLog.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : WifiSyslog.txt

apport information

Revision history for this message
Andrew (andrewkvalheim) wrote : Re: Installer is blocked by UEFI Secure Boot

I've just confirmed that this problem still happens in the saucy daily build, and that disabling secure boot [1] is a viable workaround. I don't have any Windows installation media to test.

  [1]: http://community.acer.com/t5/Notebooks-Netbooks/How-do-I-disable-secure-boot-on-an-Aspire-V5-171/td-p/44003

Changed in linux (Ubuntu):
status: Expired → Incomplete
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
tags: added: kernel-key
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

There have been some recent secure boot changes. Can you test today's image and post back if this bug is fixed or not?

tags: removed: kernel-key
Revision history for this message
Mickael Istria (mistria) wrote :

I just tested a recent nightly build from http://cdimage.ubuntu.com/daily-live/current/ on a Asus EeePC 1015e with Windows 8 pre-installed.
I had to disable Secure Boot from UEFI (as shows here http://img2.uplood.fr/free/shic_188.jpg ) and it worked.

Revision history for this message
Nick B. (futurepilot) wrote :

I have an Asus 1015e but my UEFI settings look slightly different than that and I still can't get it to boot a live USB stick using the 9-2 daily image. It still hangs at a blank screen even with secure boot disabled as described in #1200986

Revision history for this message
Mickael Istria (mistria) wrote :

FYI, I used image from Aug 27th.
Are you sure SecureBoot is disabled?

Revision history for this message
Joseph Salisbury (jsalisbury) wrote : Please test latest development kernel (3.11.0-7.14)

Given the number of bugs that the Kernel Team receives during any development cycle it is impossible for us to review them all. Therefore, we occasionally resort to using automated bots to request further testing. This is such a request.

We are approaching release and would like to confirm if this bug is still present. Please test again with the latest development kernel and indicate in the bug if this issue still exists or not.

You can update to the latest development kernel by simply running the following commands in a terminal window:

    sudo apt-get update
    sudo apt-get dist-upgrade

If the bug still exists, change the bug status from Incomplete to Confirmed. If the bug no longer exists, change the bug status from Incomplete to Fix Released.

Thank you for your help, we really do appreciate it.

Changed in linux (Ubuntu):
status: Confirmed → Incomplete
tags: added: kernel-request-3.11.0-7.14
Revision history for this message
Andrew (andrewkvalheim) wrote : Re: Installer is blocked by UEFI Secure Boot

I've confirmed that the 64-bit saucy daily build from 2013-09-20 fails to boot with this message:

    1. USB HDD: SanDisk has been blocked by the current security policy.
    [Ok]

Retrying with secure boot disabled allows it to boot without error.

Changed in linux (Ubuntu Saucy):
status: Incomplete → Confirmed
Revision history for this message
Christopher M. Peñalver (penalvch) wrote :

Andrew, as per http://us.acer.com/ac/en/US/content/drivers an update is available for your BIOS (2.17). If you update to this following https://help.ubuntu.com/community/BiosUpdate , does it change anything? If it doesn't, could you please both specify what happened, and provide the output of the following terminal command:
sudo dmidecode -s bios-version && sudo dmidecode -s bios-release-date

Please note your current BIOS is already in the Bug Description, so posting this on the old BIOS would not be helpful.

For more on BIOS updates and linux, please see https://help.ubuntu.com/community/ReportingBugs#Bug_reporting_etiquette .

Thank you for your understanding.

description: updated
tags: added: bios-outdated-2.17 bot-stop-nagging
removed: kernel-request-3.11.0-7.14
Changed in linux (Ubuntu):
importance: High → Low
status: Confirmed → Incomplete
summary: - Installer is blocked by UEFI Secure Boot
+ [Acer V5-171] Installer is blocked by UEFI Secure Boot
Revision history for this message
Nils Sabelstrom (nilssab) wrote :

I can confirm successful booting using a Acer v5-171 with bios version 2.21
tested media is 14.04 liveUSB and installed ubuntu 14.04

All with secure boot enabled.

If you update to V2.21, this needs to be done from win8 and the EFI/ubuntu folder was removed for me, so please make sure to back up your boot files and copy them back using a liveCD after upgrading.

Revision history for this message
Nils Sabelstrom (nilssab) wrote :

I just noticed that while secureboot works for ubuntu from grub-efi, grub-efi cannot boot a windows bootloader with secureboot enabled. Which affects people that dual boot AND want to have secureboot enabled.

Is this a bug or a feature?

Revision history for this message
Joseph Salisbury (jsalisbury) wrote : Closing unsupported series nomination.

This bug was nominated against a series that is no longer supported, ie saucy. The bug task representing the saucy nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu Saucy):
status: Confirmed → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers