4

This is basically the same question as one from a few days ago. I wanted to just add a comment to that question but couldn't due to lack of reputation.

Verification failed: (0x1A) Security Violation while installing Ubuntu

Basically, I was running Linux Mint 21.1 and just for the heck of it I deleted the install and installed Ubuntu 22.10. After using it a few days, there was a problem with suspend I couldn't solve, so I was going to reinstall Mint. When I tried, though, my Mint live USB that had worked in the past wouldn't work, giving the security violation message. At that point I tried both an Ubuntu and a Kubuntu 22.04 ISO that had also worked in the past. Both failed.

I went back to Ubuntu 22.10 which worked but again with suspend problems. 22.04.2 was released a few days ago so I gave it a try. It worked, except it has the same suspend problems that from research seem to be tied to the new 5.19 kernel.

I'd like to get back to Mint 21.1, a 22.04 derivative, so my question is this: What caused the ISOs that previously worked to fail? (20.04 fails as well). About the same time that all that was going on I also did the monthly Windows updates. Do Microsoft signing keys get updated in firmware?

I verified the integrity of all of these downloads and verified the GPG signatures of the hash files.

Again, apologies for repeating a question and thanks in advance for the help.
John G.

John G.
  • 51

2 Answers

4

This is a tricky one to solve, but doable.

What happened here is that Canonical updated their UEFI Secure Boot signing key and your system's Secure Boot Advanced Targeting variable. In plain terms, they made it so that newer boot files they release are bootable, and older ones aren't. If you got the update and then try to boot an OS that is still using the older files, it won't work and you get a Security Violation error.

Normally the solution here is to update your installation so that you have newer boot files. In this instance, though, you're trying to install from an ISO that has the older boot files. So you can't update the boot files. You have two choices here.

  1. Disable Secure Boot and leave it that way.
  2. Disable Secure Boot, boot the 22.04.1 ISO, install, update, and then enable Secure Boot again.

Sadly, both solutions require that you disable Secure Boot at least temporarily. If that's not possible, you will have to install Ubuntu from a sufficiently new ISO. You can install Ubuntu 22.04.2, then install the usual linux-generic kernel and remove the linux-generic-hwe-22.04 kernel. The following instructions describe how.


Warning: Do not follow these instructions on a working system - this is just for reverting to the 5.15 kernel on a new installation of Ubuntu 22.04.2.

To install the older kernel, run `sudo apt install linux-generic` - this will automatically pull in everything that makes up the older kernel. However, the newer one will still be installed. To remove it, do `sudo apt remove linux-hwe-22.04 && sudo apt autoremove && sudo apt remove linux-image-$(uname -r) linux-headers-$(uname -r) linux-modules-$(uname -r) linux-modules-extra-$(uname -r)`. Note that this assumes that you are currently booted into the HWE kernel. Also, this will uninstall the kernel that you are actively booted into, so make good and sure you installed the other one first!!! The system will display a dire warning when you try to do this - if you installed the older linux-generic kernel already, you can safely go ahead and tell it to remove the kernel anyway.

Once you're done with that, run `ls /boot` to make sure that you still actually have a kernel left - if you don't, you forgot to run `sudo apt install linux-generic`, in which case you should do that lest your system fail to boot. Once you have a properly installed kernel and the HWE kernel is gone, reboot, then run `uname -r` to make sure that you're booted into a 5.15 kernel. If so, you're done, and you should continue to get 5.15 kernel updates normally.

ArrayBolt3
  • 7,292
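The SBAT mechanism mentioned in the answer above can be shown as an added example (not part of the answer and not shim's own code): a simplified model of the generation comparison, in which a boot file is refused when one of its components carries a lower generation number than the minimum stored in the firmware variable. All SBAT strings below are constructed samples, and the function names are hypothetical.

```python
import csv
import io

# Constructed samples: not dumped from any real shim, GRUB build or firmware.
OLD_ISO_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat\n"
    "grub,1,Example Upstream,grub,example-old,https://example.invalid/grub\n"
    "grub.ubuntu,1,Example Distro,grub2,example-old,https://example.invalid/d\n"
)
NEW_ISO_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat\n"
    "grub,3,Example Upstream,grub,example-new,https://example.invalid/grub\n"
    "grub.ubuntu,1,Example Distro,grub2,example-new,https://example.invalid/d\n"
)
# Minimum generations an installed update might leave in the SBAT variable.
FIRMWARE_SBAT_LEVEL = "sbat,1,2000010100\nshim,2\ngrub,3\n"


def parse_generations(text):
    """Map component name -> generation from SBAT CSV (first two fields)."""
    generations = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].strip().isdigit():
            continue  # blank or malformed line
        generations[row[0].strip()] = int(row[1].strip())
    return generations


def revoked_components(image_sbat, sbat_level):
    """Return (component, image_generation, required_minimum) for each
    component of the image that is older than the stored minimum."""
    image = parse_generations(image_sbat)
    minimum = parse_generations(sbat_level)
    return sorted((name, gen, minimum[name]) for name, gen in image.items()
                  if name in minimum and gen < minimum[name])


def is_bootable(image_sbat, sbat_level):
    return not revoked_components(image_sbat, sbat_level)


def read_efivar_text(path):
    """Read an efivarfs file; the first 4 bytes are attribute flags."""
    with open(path, "rb") as handle:
        return handle.read()[4:].decode("ascii", "replace")


if __name__ == "__main__":
    for label, sbat in (("old ISO", OLD_ISO_GRUB_SBAT),
                        ("new ISO", NEW_ISO_GRUB_SBAT)):
        blocked = revoked_components(sbat, FIRMWARE_SBAT_LEVEL)
        print(label, "boots" if not blocked else f"refused: {blocked}")
```

The ISO file itself is unchanged, so checksum and GPG verification still pass; what changed is the minimum stored on the machine.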
0

Sir, when I have an error like yours after installing rEFInd in Ubuntu 22.04:

  1. Click OK and Enter.
  2. Click "Enroll key from disk".
  3. Go to your EFI/refind/refind_local.cer.
  4. Click OK and Enter.
  5. Reboot.