44

I'm trying to install Ubuntu 22.04.1 via a USB drive, but when I try to boot the USB drive with Secure Boot enabled, I get the error Verification failed:(0x1A) Security Violation.

I need Secure Boot to be enabled. Back then, I had no problems doing so. I recently used the command mokutil --reset to clear the machine owner keys because there were a lot of them and I wanted to make things cleaner.

I also tried to add mmx64.efi and grubx64.efi to the trusted files in BIOS, but I got another error (i.e., shim_lock protocol not found). I was not doing anything special related to Secure Boot to boot my USB drive before (even when I installed my first Linux distro). Why can't I do that now?

Pablo Bianchi
  • 17,371

4 Answers

64

If you are using Ventoy, the solution is in the official documentation (also mentioned on this issue).

Press OK, Press any key to perform MOK management, Enroll key from disk, VTOYEFI, ENROLL_THIS_KEY_IN_MOKMANAGER.cer, Continue, Yes, Reboot.

From here

MOK (Machine Owner Key) is about securing the boot process by only allowing approved OS components and drivers to run.

Pablo Bianchi
  • 17,371
12

This is an excerpt from this answer that I just wrote.

What happened here is that Canonical updated their UEFI Secure Boot signing key and your system's Secure Boot Advanced Targeting variable. In plain terms, they made it so that newer boot files they release are bootable, and older ones aren't. If you got the update and then try to boot an OS that is still using the older files, it won't work and you get a Security Violation error.

Normally the solution here is to update your installation so that you have newer boot files. In this instance, though, you're trying to install from an ISO that has the older boot files. So you can't update the boot files. You have two choices here.

  • Disable Secure Boot and leave it that way.
  • Disable Secure Boot, boot the 22.04.1 ISO, install, update, and then enable Secure Boot again.

Sadly, both solutions require that you disable Secure Boot at least temporarily.

ArrayBolt3
  • 7,292
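
An added example, not part of the answer above: a minimal Python sketch of the SBAT generation check that makes older boot files fail once the revocation variable has been raised. The sample SBAT text and revocation levels are constructed for illustration and are not read from any real image or machine; the function names are hypothetical.

```python
import csv
import io

# Constructed sample: .sbat section of an older GRUB image (generation 1).
# On a real file this text can be dumped with:
#   objcopy -O binary --only-section=.sbat grubx64.efi /dev/stdout
OLD_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.ubuntu,1,Ubuntu,grub2,2.06-2ubuntu7,https://www.ubuntu.com/
"""

# Constructed sample: the same image rebuilt with a higher grub generation.
NEW_GRUB_SBAT = OLD_GRUB_SBAT.replace("grub,1,Free", "grub,3,Free")

# Constructed sample: revocation data held in firmware after an update
# (component,minimum_generation). `mokutil --list-sbat-revocations` prints
# the real one.
REVOCATIONS = """\
sbat,1,2022111500
shim,2
grub,3
"""


def parse_sbat(text):
    """Return {component: generation} from SBAT CSV text."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].strip().isdigit():
            continue  # skip blank or malformed lines
        entries[row[0].strip()] = int(row[1])
    return entries


def revoked_components(image_sbat, revocations):
    """List (component, image_generation, required_generation) for every
    component whose generation is below the revocation floor."""
    image = parse_sbat(image_sbat)
    floor = parse_sbat(revocations)
    return sorted(
        (name, gen, floor[name])
        for name, gen in image.items()
        if name in floor and gen < floor[name]
    )


if __name__ == "__main__":
    print("old image:", revoked_components(OLD_GRUB_SBAT, REVOCATIONS))
    print("new image:", revoked_components(NEW_GRUB_SBAT, REVOCATIONS))
```

A non-empty result means the image is refused under Secure Boot even though its signature may still be valid, which matches the behaviour the answer describes for the older ISO.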
3

It's possible that the Ubuntu image you downloaded and wrote to the USB drive is not signed with a key that is trusted by the Secure Boot feature of your computer's BIOS. This could be because the image is unsigned, or because the key used to sign the image is not in the list of trusted keys in your computer's BIOS.

You must use a bootloader that is signed with a key that is trusted by the BIOS. This will allow the system to verify the digital signature of the bootloader, and load it without triggering the security violation error.

Marco
  • 219
1

Downloading and booting from the 22.04.2 version solved the problem for me.