Invalid Signature detected -- must uncheck secure boot

Bug #1641793 reported by TedM
Affects: shim (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

This occurred after a fresh install of 16.04 on an Acer Desktop. At the start only Windows would boot -- no Grub2 screen appeared. I made a number of attempts following "https://help.ubuntu.com/community/UEFI". Nothing worked, and they suggested trying "http://askubuntu.com/questions/221835/installing-ubuntu-on-a-pre-installed-windows-10-with-uefi".
I executed a suggested command "bcdedit /set {bootmgr} path \EFI\ubuntu\grubx64.efi".
This gave the Grub2 menu but only in unsecure boot mode.
The same document says to send a bug report if an invalid signature is detected. I am doing that. However, in doing so I note that the bug report is sent to "shim". But the instructions said to set the path to "grub64.efi" and not "shimx64.efi", which was also available in the /boot/EFI folder.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: shim 0.8-0ubuntu2
ProcVersionSignature: Ubuntu 4.4.0-47.68-generic 4.4.24
Uname: Linux 4.4.0-47-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Mon Nov 14 20:47:37 2016
Dependencies:

EFIBootMgr:
 BootCurrent: 0001
 Timeout: 2 seconds
 BootOrder: 0001,0000
 Boot0000 ubuntu VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
 Boot0001* Windows Boot Manager HD(1,GPT,a30e4f73-c41a-4d41-8b33-8bc3beb73cc0,0x800,0x32000)/File(\EFI\ubuntu\grubx64.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...}................
InstallationDate: Installed on 2016-11-12 (3 days ago)
InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
SourcePackage: shim
UpgradeStatus: No upgrade log present (probably fresh install)

Mathieu Trudel-Lapierre (cyphermox) wrote :

Indeed, this is wrong. grub is not an image we get signed with the Microsoft keys, and so is not going to be recognized as a valid signature by firmware unless you re-sign it yourself and add the key you used to the firmware.

With things as they are, it doesn't look like you'd be able to successfully boot Windows anyway (since you'd likely be missing extra options normally passed to the Windows Boot Manager). What I see here is that the ubuntu entry exists (so it should be possible to pick what to boot via F12 or some other keyboard shortcut appropriate to your system), but it's been mangled by the firmware. There isn't much we can do if firmware breaks the boot entries, except tricking it into doing the right thing by putting files in a different location.

The correct file to use as a BootEntry binary is shimx64.efi, not grubx64.efi. You may try the same bcdedit command with that file.

Otherwise, please try to fix Windows using the recovery options if you can (repair boot, etc. as per the AskUbuntu question or Windows documentation). From that point, you would be able to reinstall Ubuntu or boot from an Ubuntu CD/USB and reinstall grub, which will create the right boot entry (which is what Boot0000 should be in this bug's description).

Changed in shim (Ubuntu):
status: New → Incomplete
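The check a practitioner would want after reading this exchange, as an added example that is not code from the bug report or from the shim package: a POSIX shell function that parses `efibootmgr -v` output (the same format as the EFIBootMgr section of the report) and classifies each boot entry by the loader it points at, flagging entries that load grubx64.efi directly instead of shimx64.efi, and entries whose device path no longer names a file at all. The sample output is constructed from the report's own entries, with an extra healthy shim entry added as Boot0002; the function and variable names are this example's own.

```shell
# Added example: classify UEFI boot entries from `efibootmgr -v` output by the
# loader they point at. Under Secure Boot only shimx64.efi carries the
# Microsoft-signed chain the firmware trusts, so an entry that loads
# grubx64.efi directly is exactly the misconfiguration this report describes.
# Function and variable names are this example's own, not shim's or Launchpad's.

# Constructed sample modelled on the report's EFIBootMgr section: Boot0000 has
# been mangled into a vendor-specific device path, Boot0001 was repointed at
# grubx64.efi with bcdedit, and Boot0002 is an added example of a healthy
# Ubuntu entry that goes through shim.
SAMPLE_EFIBOOTMGR='BootCurrent: 0001
Timeout: 2 seconds
BootOrder: 0001,0000,0002
Boot0000 ubuntu VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0001* Windows Boot Manager HD(1,GPT,a30e4f73-c41a-4d41-8b33-8bc3beb73cc0,0x800,0x32000)/File(\EFI\ubuntu\grubx64.efi)WINDOWS.........
Boot0002* ubuntu HD(1,GPT,a30e4f73-c41a-4d41-8b33-8bc3beb73cc0,0x800,0x32000)/File(\EFI\ubuntu\shimx64.efi)'

# Print one line per BootNNNN entry: "<id> <active|inactive> <verdict> <path>".
# Verdicts: shim (trusted chain), direct-grub (grub has no Microsoft signature,
# so it fails the firmware check under Secure Boot), other-loader, and
# no-file-path (entry mangled or not a file device path).
# $1: full text of `efibootmgr -v` output.
classify_boot_entries() {
    printf '%s\n' "$1" | awk '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]\*? / {
            id = substr($1, 1, 8)
            active = (substr($1, 9, 1) == "*") ? "active" : "inactive"
            if (match($0, /File\([^)]*\)/)) {
                path = substr($0, RSTART + 5, RLENGTH - 6)   # strip "File(" and ")"
                base = path
                gsub(/\\/, "/", base)                        # normalise separators
                n = split(base, parts, "/")
                loader = tolower(parts[n])
                if (loader == "shimx64.efi")      verdict = "shim"
                else if (loader == "grubx64.efi") verdict = "direct-grub"
                else                              verdict = "other-loader"
                print id, active, verdict, path
            } else {
                print id, active, "no-file-path", "-"
            }
        }'
}

# Succeeds (exit 0) when at least one entry loads grub directly, so a check
# script can gate on it; fails (exit 1) otherwise.
has_direct_grub_entry() {
    classify_boot_entries "$1" | awk '$3 == "direct-grub" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Demonstration on the constructed sample.
classify_boot_entries "$SAMPLE_EFIBOOTMGR"
```

On a live Ubuntu system run it as `classify_boot_entries "$(efibootmgr -v)"`. A `direct-grub` line is the entry to repoint at shimx64.efi (the bcdedit path from Windows that this thread arrives at, or reinstalling grub from Ubuntu media, which recreates the entry through shim as the comment above describes); a `no-file-path` line is an entry the firmware has mangled, which no change to the files on the EFI partition will repair by itself.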
TedM (btmcpher) wrote :

Thanks for your explanation. I am satisfied with the way my system works now. I get the grub menu and can start either Ubuntu or Windows. I do not have the secure boot, but I never had it in previous systems. Is there really any advantage of having secure boot?

When I press F12, the BIOS shows entries for other drives, such as my USB flash drive with Ubuntu. For the hard drive, it only shows one entry labelled "Windows Boot Manager". This is the same as before, when it was always booting Windows, and also now when it starts Grub.

I assume that others will have the same problem with only starting windows, and some of them could work around the problems with the command:
"bcdedit /set {bootmgr} path \EFI\ubuntu\shimx64.efi"
I plan to add an entry to the Forum listing this as a possible solution for the case where a machine will only boot Windows.

As you suggested, I could try the same command with shimx64.efi. However my system is working and I tend to leave a working system alone. If you wish to learn more, I am willing to do further tests. Otherwise, I suggest that this bug could be listed as closed.

Steve Langasek (vorlon) wrote : Re: [Bug 1641793] [NEW] Invalid Signature detected -- must uncheck secure boot

On Tue, Nov 15, 2016 at 02:20:11AM -0000, TedM wrote:

> I executed a suggested command "bcdedit /set {bootmgr} path \EFI\ubuntu\grubx64.efi"

As noted, this is a bad suggestion. I have proposed an edit to the
askubuntu.com answer to fix this.

On Mon, Nov 21, 2016 at 10:01:46PM -0000, TedM wrote:
> Thanks for your explanation. I am satisfied with the way my system
> works now. I get the grub menu and can start either Ubuntu or Windows.
> I do not have the secure boot, but I never had it in previous systems.
> Is there really any advantage of having secure boot?

It protects your firmware from malware attacks launched from under the OS.
I certainly recommend using Secure Boot whenever feasible.

TedM (btmcpher) wrote :

Thanks for your suggestion. I backed up everything first; and executed the command
"bcdedit /set {bootmgr} path \EFI\ubuntu\shimx64.efi"
I set the bios to use secure boot and everything works. I get the grub2 menu and can choose to start either Ubuntu or Windows.

Launchpad Janitor (janitor) wrote :

[Expired for shim (Ubuntu) because there has been no activity for 60 days.]

Changed in shim (Ubuntu):
status: Incomplete → Expired