"Security Boot Failed" after Ubuntu updates

Question

I installed Ubuntu 16.04 along with an existing installation of Windows 10 on my laptop (see Installing Ubuntu 16.04.2 alongside Windows 10 on an Acer Travelmate B117).

That was working fine until Ubuntu reminded me of some system updates which I installed. After this, I cannot boot the laptop in Secure Boot mode anymore. When trying to boot, I get a message "Security Boot Failed". There are no more options except switching the laptop off.

When disabling the Secure Boot mode, I see the boot manager again and I still can start Ubuntu, but not Windows.

How can I restore the settings prior to the last system update? Or how can I configure Ubuntu to start in Secure Boot mode again?

The output of the efibootmgr looks like this:

$ sudo efibootmgr -v
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,2001,0004,2002,2003
Boot0000* ubuntu    HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* Unknown Device:   HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\shimx64.efi)RC
Boot0002* Grub  PciRoot(0x0)/Pci(0x13,0x0)/Sata(0,0,0)/HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\grubx64.efi)A01 ..
Boot0003* Ubuntu    PciRoot(0x0)/Pci(0x14,0x0)/USB(7,0)/HD(1,MBR,0x4294967243,0x800,0x737f000)/File(\EFI\BOOT\BOOTx64.EFI)A01 ..
Boot0004* Windows Boot Manager  HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...6................
Boot0005* Unknown Device:   FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(c57ad6b7-0515-40a8-9d21-551652854e37)RC...0
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC

The BitLocker message that is shown when trying to start Windows in Non-Secure Mode is in German and says something like:

BitLocker Recovery 
Please enter BitLocker Recovery Key: ....
Reason: Secure Boot was disabled, please enable Secure Boot or disable BitLocker

This is the screen I see when switching on my laptop in Secure Mode: Security Boot Failed

This is the efibootmgr output after the efibootmgr -o command suggested by Rod Smith:

$ sudo efibootmgr -v
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,2001,0004,2002,2003
Boot0000* ubuntu    HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* Unknown Device:   HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\shimx64.efi)RC
Boot0002* Grub  PciRoot(0x0)/Pci(0x13,0x0)/Sata(0,0,0)/HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\ubuntu\grubx64.efi)A01 ..
Boot0003* Ubuntu    PciRoot(0x0)/Pci(0x14,0x0)/USB(7,0)/HD(1,MBR,0x4294967243,0x800,0x737f000)/File(\EFI\BOOT\BOOTx64.EFI)A01 ..
Boot0004* Windows Boot Manager  HD(1,GPT,33e16123-03a6-4fce-84e8-7d663df31354,0x800,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...6................
Boot0005* Unknown Device:   FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(c57ad6b7-0515-40a8-9d21-551652854e37)RC...0
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC

score 2 · Answer 1 · answered Apr 25 '17 at 13:18

You should be able to get the system to boot with Secure Boot active by using the following command in Ubuntu:

sudo efibootmgr -o 0000,0002,2001,0004,2002,2003

This command changes the BootOrder variable (shown in the efibootmgr output you posted), adding Boot0000 (the ubuntu entry, which launches shimx64.efi) to the start of the boot order list. Right now, that entry is not in the boot order list; but Boot0002, which launches grubx64.efi directly, is at the start of the list. This is the source of your Secure Boot problem; Shim is a central part of Ubuntu's Secure Boot support, so bypassing Shim makes it impossible to boot with Secure Boot active. (See this page of mine for more information on Secure Boot.)

As to booting Windows, I'm afraid I can't offer much help. You wrote in your comment:

I can choose Windows in the boot manager, but end up with an error message from BitLocker.

Unfortunately, that's still pretty vague; it's always important to post the exact and complete error message when asking for help. Furthermore, I don't know a lot about BitLocker, so I'd be unlikely to help even if I knew what that message was. It sounds like this is a Windows-specific problem, though -- maybe your (presumably encrypted) Windows partition has been damaged in some way; or maybe BitLocker is relying on software or settings on the EFI System Partition (ESP) that Ubuntu has altered. In any event, I recommend you post the complete error message to a Windows forum for help on this issue. (Take a digital photo and post it, if the message is long enough to merit this approach.)

"Security Boot Failed" after Ubuntu updates

1 Answers1