Secure Boot Violation

User discussion and information resource forum for BootIt Bare Metal and BootIt UEFI
bDerek
Posts: 14
Joined: Sat Sep 27, 2014 7:14 pm

Secure Boot Violation

Post by bDerek »

I have an Asus z170A motherboard which I boot up in secure mode. I have installed Windows 10 and Ubuntu v20.04 operating systems, both installed on a GPT drive with an EFI directory. Either operating system can be selected from the BIOS boot screen and both OSs boot up in secure mode perfectly well.

I have made Image for Linux, Image for UEFI, and BootIT UEFI USB sticks using makedisk.exe. I select "Partition - GPT UEFI System Partition" to format the USB sticks when installing the Image for UEFI and for Linux and for BootIT UEFI and the installs proceed well. I am using BootIT UEFI v1.20 and the included Image for UEFI. The Image for Linux is v3.?? a very recent version.

My problem: when I use any one of these USB sticks and try to secure boot from them from the BIOS, I get a red screen that says "Secure Boot Violation". I've never encountered that on this PC before. I would very much like to install BootIt UEFI. Any advice as I'm at a loss? Thanks.

Derek
Brian K
Posts: 2214
Joined: Fri Aug 12, 2011 1:11 am
Location: NSW, Australia

Re: Secure Boot Violation

Post by Brian K »

bDerek,

I saw the same issue. It's due to the most recent Ubuntu update. I'll be out for a few hours so in the meantime disable Secure Boot in the BIOS, install BIU and setup your Boot Menu.

I'll let you know how I fixed the issue.
Brian K
Posts: 2214
Joined: Fri Aug 12, 2011 1:11 am
Location: NSW, Australia

Re: Secure Boot Violation

Post by Brian K »

Do you have a backup image of the Linux partition prior to the latest updates?
bDerek
Posts: 14
Joined: Sat Sep 27, 2014 7:14 pm

Re: Secure Boot Violation

Post by bDerek »

I do. Would you know what recent Ubuntu update is causing an issue? Ubuntu is my main system and for security reasons I do like to keep that right up to date, so conceivably I could go back and then update except for the one? troubling update package.
Brian K
Posts: 2214
Joined: Fri Aug 12, 2011 1:11 am
Location: NSW, Australia

Re: Secure Boot Violation

Post by Brian K »

Derek,

I've done this half a dozen times and it's consistent. It is due to these 3 updates...

secureboot-db
shim
shim-signed

I use Mint20 but the updates should be the same for Ubuntu. To fix it...

Disable Secure Boot in the UEFI BIOS.
Boot IFL and restore your Ubuntu image from a few weeks ago.
Get into the BIOS again and enable Secure Boot. In addition I had to "Restore Factory Keys". Enabling Secure Boot wasn't enough.

If you don't restore the old Linux image the Secure Boot Violation error will be seen again after you next boot Linux.

I've run the Linux update without the above 3 entries and all is OK.
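
The restore step in the post above depends on knowing when the three packages were upgraded, so that the chosen backup image predates them. The following is an added example, not part of the original thread or of any TeraByte tool: it scans an apt history log for transactions that touched `secureboot-db`, `shim` or `shim-signed`. It assumes the standard Debian/Ubuntu history format (normally `/var/log/apt/history.log`); the function names and the sample log, including its dates and version strings, are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: locate apt transactions that touched the Secure Boot packages
# named in the thread. Function names are hypothetical; sample data is constructed.

SB_PACKAGES="secureboot-db shim shim-signed"

# Constructed sample in apt history.log format (dates and versions are placeholders).
sample_history() {
    cat <<'EOF'
Start-Date: 2000-01-10  09:00:11
Commandline: apt upgrade
Upgrade: libc6:amd64 (OLD-A, NEW-A), tzdata:all (OLD-B, NEW-B)
End-Date: 2000-01-10  09:01:02

Start-Date: 2000-02-03  18:22:40
Commandline: apt upgrade
Upgrade: shim-signed:amd64 (OLD-C, NEW-C), secureboot-db:amd64 (OLD-D, NEW-D), shim:amd64 (OLD-E, NEW-E)
End-Date: 2000-02-03  18:23:30
EOF
}

# Print "<date> <time> <action> <package> (<versions>)" for each matching package.
# Argument: path to a history log, or "-" for stdin.
secureboot_updates() {
    local log="${1:-/var/log/apt/history.log}"
    awk -v pkgs="$SB_PACKAGES" '
        BEGIN { n = split(pkgs, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /^Start-Date:/ { date = $2 " " $3; next }
        /^(Install|Upgrade):/ {
            action = $1; sub(/:$/, "", action)
            line = $0; sub(/^[A-Za-z]+: /, "", line)
            # Entries look like: name:arch (old, new), name:arch (old, new)
            m = split(line, entries, /\), /)
            for (i = 1; i <= m; i++) {
                e = entries[i]; sub(/\)$/, "", e)
                name = e; sub(/:.*/, "", name); sub(/ .*/, "", name)
                if (!(name in want)) continue
                vers = e; sub(/^[^(]*\(/, "", vers)
                print date, action, name, "(" vers ")"
            }
        }
    ' "$log"
}

# Date of the earliest matching transaction; images older than this predate it.
first_secureboot_update() {
    secureboot_updates "$@" | sort | head -n 1 | cut -d' ' -f1
}

sample_history | secureboot_updates -
```

`apt-mark hold secureboot-db shim shim-signed` is the standard apt way to keep these packages out of later upgrades, at the cost of also holding back the Secure Boot revocation-list updates that `secureboot-db` delivers.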
bDerek
Posts: 14
Joined: Sat Sep 27, 2014 7:14 pm

Re: Secure Boot Violation

Post by bDerek »

Thank you for the quick reply. By "Restore Factory Keys" do you mean some option from within the BIOS? For my Asus motherboard I have the option to "Install Default Secure Boot Keys". Is that the same as what you referenced?
Brian K
Posts: 2214
Joined: Fri Aug 12, 2011 1:11 am
Location: NSW, Australia

Re: Secure Boot Violation

Post by Brian K »

bDerek wrote:
> For my Asus motherboard I have the
> option to "Install Default Secure Boot Keys". Is that the same
> as what you referenced?

Derek, I think so. Try it.
bDerek
Posts: 14
Joined: Sat Sep 27, 2014 7:14 pm

Re: Secure Boot Violation

Post by bDerek »

OK I followed your instructions in the 1:02 am post. Got BIU to install. Ubuntu and Windows booted up from menu selections in BIU. Still using current Ubuntu install. Turned off the computer. Turned on again, BIU booted up and could again select operating systems from BIU. All seems to be working.

Now, rebooted and turned on Secure Boot, reloaded keys. Rebooted and when BIU started up it threw the red screen of "Secure Boot Violation". Ouch.

I even tried removing all traces of the Ubuntu files in my EFI to see if Ubuntu was interfering in the install or boot up of BIU. Didn't make any difference, still got red screen when trying to install BIU again. That was to be expected as the secure boot process compares the Microsoft signed keys in the BIOS firmware to the keys in whatever application that is booting up - so if booting from the hard disk it will look for that application in EFI and if from a USB (like during an install) it will look at the keys on that USB.

Maybe this is obvious (it wasn't to me), it would seem to me that the Terabyte products BIU and Image for UEFI are UEFI compliant but they are NOT secure boot compliant - presumably they do not have Microsoft signed keys. They are great products but not if one wishes to use secure boot protections.

Thanks for your help.

Derek
Brian K
Posts: 2214
Joined: Fri Aug 12, 2011 1:11 am
Location: NSW, Australia

Re: Secure Boot Violation

Post by Brian K »

Derek,

I'm unclear whether you restored an Ubuntu image at least a few weeks old, prior to the Secure Boot updates.
Brian K
Posts: 2214
Joined: Fri Aug 12, 2011 1:11 am
Location: NSW, Australia

Re: Secure Boot Violation

Post by Brian K »
