Post install Secure Boot Setup Ubuntu 24.04
Jan 10, 2025
7 minute read

Secure Boot Setup Ubuntu 24.04

While Ubuntu’s installer fully supports Secure Boot configuration during installation, your system’s BIOS/UEFI settings can sometimes interfere with or prevent proper setup. This is particularly common with manufacturer-specific BIOS implementations that may have additional security features or non-standard Secure Boot configurations. Some common scenarios you might encounter include:

  • BIOS settings that override the Ubuntu installer’s Secure Boot configuration
  • Pre-existing keys that conflict with Ubuntu’s signing keys
  • Manufacturer-specific security features that need to be configured before enabling Secure Boot
  • Custom boot order settings that may prevent proper verification

This post will walk through the process of properly enabling and configuring Secure Boot on Ubuntu, whether you’re setting it up post-installation or troubleshooting a failed initial configuration.

What is Secure Boot?

Secure Boot is a security feature of modern UEFI firmware that ensures your system boots using only software trusted by the original equipment manufacturer (OEM) or machine owner. It creates a chain of trust from the firmware through the boot loader and ultimately to the operating system. When your computer starts up with Secure Boot enabled, the firmware checks the signature of each piece of boot software, including UEFI drivers (also known as “option ROMs”), EFI applications, and your operating system’s bootloader. If the signatures are valid, the system boots, and the firmware gives control to the operating system.

For Linux distributions like Ubuntu, the process involves an additional component called “shim” - a small bootloader signed by Microsoft’s UEFI CA, which most hardware vendors ship in their firmware trust store (db). Shim embeds Canonical’s own CA certificate and uses it to verify GRUB; GRUB in turn hands the kernel image back to shim for verification, and the kernel verifies modules against the same set of trusted keys (its built-in keys plus any enrolled Machine Owner Keys). This lets Ubuntu maintain control over its own boot chain without needing every vendor to trust Canonical directly. The verification chain is crucial for:

  • Preventing malware from compromising your system before it boots
  • Ensuring kernel modules and drivers are signed and trusted
  • Protecting against rootkits and other boot-level attacks
  • Maintaining system integrity from power-on to operating system load

Ubuntu Secure Boot Setup

Shim Bootloader

The shim bootloader is a small application signed by Microsoft’s UEFI CA key that most hardware vendors trust. When your system boots, the UEFI firmware validates shim using Microsoft’s key. This solves the challenge of getting Linux distributions to work with Secure Boot without requiring every hardware vendor to trust Ubuntu directly. Shim serves two critical functions:

  • It provides a trusted foundation that hardware vendors accept
  • It implements the MOK system that gives you control over your system’s trust chain

Machine Owner Key (MOK)

The MOK system provides flexibility in managing your own Secure Boot keys without compromising security. It allows you to:

  • Register additional keys for custom kernel modules or drivers
  • Replace existing keys if needed
  • Manage a separate keystore from the UEFI firmware’s built-in keys

Key replacement scenarios:

  • Some enterprise environments require replacing Ubuntu’s default MOK with organization-specific keys
  • Custom kernel builds need their own signing keys registered
  • Certain hardware configurations might require specific driver signing keys

The MOK system includes two important utilities:

  • mokutil: command-line tool for managing MOK keys (import, delete, list, and query Secure Boot state)
  • MokManager: UEFI application launched by shim at boot to apply pending key changes

Enabling Post Install

While Ubuntu allows you to enable Secure Boot during installation, you might need to set it up post-installation due to specific hardware configurations or troubleshooting needs. On several machines I have been presented with a message claiming that Secure Boot is not enabled even when I believed it was. I have also opted to disable Secure Boot in the past when I believed there were issues related to it.

If you’re setting up Secure Boot post-installation, follow these steps:

1. Check Current Status

First, verify both Secure Boot and your boot mode:

# Check Secure Boot status
mokutil --sb-state
# > SecureBoot enabled

# Verify you're booting in UEFI mode
[ -d /sys/firmware/efi ] && echo "UEFI" || echo "BIOS"
# > UEFI

If either check fails, examine how your boot order is configured and confirm that your firmware is set to boot in UEFI mode rather than legacy/CSM mode: Secure Boot only applies to UEFI boots, and the `/sys/firmware/efi` directory is absent when the kernel was started by a legacy BIOS boot.
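The two checks above read UEFI variables behind the scenes. The following added example (my own illustration, not code from the original post) reads the `SecureBoot` and `SetupMode` variables straight from efivarfs, which is what `mokutil --sb-state` does, and reports the firmware type. It takes the efivars directory as a parameter, so it also runs against a constructed directory with no firmware present; the directory defaults and the `report` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: read the SecureBoot and
# SetupMode variables directly from efivarfs, which is what mokutil --sb-state
# does under the hood. Each efivarfs file is 4 bytes of attribute flags followed
# by the variable data; for both variables the data is a single byte (1 = on).
# The efivars directory is a parameter so the functions can be exercised on a
# constructed directory as well as on /sys/firmware/efi/efivars.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_data_byte FILE: print the first data byte (offset 4) in decimal.
# Fails (non-zero) when the variable file is absent or unreadable.
efivar_data_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# var_state DIR NAME ON OFF: map the variable's data byte to two labels,
# printing "unknown" when the variable is missing or malformed.
var_state() {
    b=$(efivar_data_byte "$1/$2-$EFI_GLOBAL_GUID") || { echo unknown; return 0; }
    case "$b" in
        1) echo "$3" ;;
        0) echo "$4" ;;
        *) echo unknown ;;
    esac
}

# secure_boot_state [DIR]: enabled / disabled / unknown.
# "unknown" means the variable does not exist: the machine was booted in legacy
# BIOS mode, or efivarfs is not mounted, so mokutil would report nothing useful.
secure_boot_state() {
    var_state "${1:-/sys/firmware/efi/efivars}" SecureBoot enabled disabled
}

# setup_mode_state [DIR]: setup / user / unknown.
# In Setup Mode no Platform Key is enrolled and the firmware cannot enforce
# Secure Boot even if the firmware menu toggle says "enabled".
setup_mode_state() {
    var_state "${1:-/sys/firmware/efi/efivars}" SetupMode setup user
}

# firmware_type [SYSFS_ROOT]: UEFI if the kernel exposed the EFI runtime, else BIOS.
firmware_type() {
    [ -d "${1:-/sys}/firmware/efi" ] && echo UEFI || echo BIOS
}

# Live report on a real machine: sh sb-state.sh report
if [ "${1:-}" = "report" ]; then
    echo "Firmware:   $(firmware_type)"
    echo "SecureBoot: $(secure_boot_state)"
    echo "SetupMode:  $(setup_mode_state)"
fi
```

A machine that reports `SetupMode: setup` will never enforce Secure Boot no matter what the menu says; that usually means the firmware keys were cleared and the factory keys need to be restored from the firmware setup screen before going further.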

2. Install Required Components

Ensure you have the necessary packages for UEFI Secure Boot:

sudo apt update
sudo apt install shim-signed grub-efi-amd64-signed

3. Verify UEFI Boot Entry

Check if Ubuntu’s UEFI boot entry is properly configured:

efibootmgr -v
# > BootCurrent: 0000
# > Timeout: 0 seconds
# > BootOrder: 0000,0001,
# > Boot0000* Ubuntu        HD( ... )/File(\EFI\ubuntu\shimx64.efi)

The output shows the boot entry used for the current boot (BootCurrent), the configured boot order, and the individual boot entries with the loader each one points at. After we restart the machine later, we can compare BootCurrent against the first entry in BootOrder to confirm that we booted through the entry we intended.

You should see an entry for Ubuntu that points to the shim “shimx64.efi” executable. If it’s missing or incorrect we can create it with a command like this:

sudo efibootmgr --create --disk /dev/sda --part 1 --label "Ubuntu" --loader "\EFI\ubuntu\shimx64.efi"

You should update the disk and partition values to match your system’s configuration.

At this point, many systems will work with Secure Boot after a reboot. Try enabling Secure Boot in your UEFI settings and rebooting. Be aware that once Secure Boot is on, the kernel refuses to load any out-of-tree module that is not signed by a trusted key, so proprietary or DKMS-built drivers stop working until you complete the MOK step below.

4. MOK (Machine Owner Key) Setup - When Needed

If you need to load unsigned kernel modules or use third-party drivers, you’ll need to set up MOK. Common scenarios include:

  • NVIDIA proprietary drivers
  • VirtualBox kernel modules
  • Custom compiled drivers
  • DisplayLink USB display drivers

Setting Up MOK

  1. Generate a new MOK key pair (if needed). The private key must be unencrypted (`-nodes`) because `kmodsign` and DKMS sign non-interactively and cannot answer a passphrase prompt, so keep `MOK.priv` readable by root only:
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=Your Name/"
chmod 600 MOK.priv
  2. Register the key with MOK:
sudo mokutil --import MOK.der

You’ll be prompted to create a one-time password. Remember this password - you’ll need it during the next boot.

Let’s use DisplayLink as a practical example of handling third-party drivers with Secure Boot:

  1. First, install the DisplayLink driver through DKMS. The keyring package adds the Synaptics repository, after which the driver is a normal apt package:
sudo apt install dkms
# https://www.synaptics.com/products/displaylink-graphics/downloads/ubuntu
sudo apt install ./Downloads/synaptics-repository-keyring.deb
sudo apt update
sudo apt install displaylink-driver
  2. Sign the module (the `evdi` module is what DKMS builds for DisplayLink); replace `{storage path}` with the directory holding your MOK files:
sudo kmodsign sha512 {storage path}/MOK.priv {storage path}/MOK.der /lib/modules/$(uname -r)/updates/dkms/evdi.ko

Signing is per build: whenever a kernel update or DKMS rebuild produces a fresh `evdi.ko`, it comes back unsigned and must be signed again.
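The generation, enrollment, signing and verification steps above fit together as one script. The following is an added example written for this page, not code from the original post, Ubuntu or DKMS. Its assumptions are not stated anywhere on the page: keys are kept in `$MOK_DIR` (defaulting to `/var/lib/shim-signed/mok`, the directory Ubuntu’s own tooling uses, but any root-only directory works), DKMS modules live under `/lib/modules/$(uname -r)/updates/dkms`, and `kmodsign` and `mokutil` are installed. The `is_signed_module` check works on any file, so it can be exercised on a constructed sample without a kernel.

```shell
#!/bin/bash
# Added example, not code from the original post or from Ubuntu/DKMS: generate a
# module-signing MOK, queue it for enrollment, sign out-of-tree modules and check
# the result. Paths below are assumptions of this example.
set -u
MOK_DIR="${MOK_DIR:-/var/lib/shim-signed/mok}"

# mok_generate DIR CN: create an unencrypted key pair. -nodes matters: kmodsign
# and DKMS sign non-interactively and cannot answer a passphrase prompt. The
# certificate carries the codeSigning EKU plus shim's "module signing only"
# OID 1.3.6.1.4.1.2312.16.1.2, so this MOK cannot be used to approve a bootloader.
mok_generate() {
    dir="$1" cn="${2:-Machine Owner Key}"
    mkdir -p "$dir" && chmod 700 "$dir"
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_mok
prompt             = no
[ req_dn ]
CN = $cn
[ v3_mok ]
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:FALSE
keyUsage             = digitalSignature
extendedKeyUsage     = codeSigning,1.3.6.1.4.1.2312.16.1.2
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/MOK.priv" -outform DER -out "$dir/MOK.der"
    chmod 600 "$dir/MOK.priv"
}

# is_signed_module KO: the kernel recognises a signed module by the 28-byte
# trailer "~Module signature appended~\n" (preceded by the signature block).
# Only an uncompressed .ko carries it; a .ko.zst must be decompressed first.
is_signed_module() {
    [ "$(tail -c 28 "$1" 2>/dev/null)" = "~Module signature appended~" ]
}

# sign_module DIR KO: sign in place. If your kernel ships compressed modules
# (.ko.zst), the signature has to sit inside the compressed stream, so the
# module is decompressed, signed and recompressed.
sign_module() {
    dir="$1" ko="$2"
    case "$ko" in
        *.zst)
            plain="${ko%.zst}"
            zstd -d -q -f "$ko" -o "$plain" &&
            kmodsign sha512 "$dir/MOK.priv" "$dir/MOK.der" "$plain" &&
            zstd -q -f "$plain" -o "$ko" && rm -f "$plain" ;;
        *)
            kmodsign sha512 "$dir/MOK.priv" "$dir/MOK.der" "$ko" ;;
    esac
}

# resign_dkms_modules DIR [KVER]: every kernel update or DKMS rebuild leaves the
# modules unsigned again, so this is the step to re-run afterwards.
resign_dkms_modules() {
    dir="$1" kver="${2:-$(uname -r)}"
    for ko in /lib/modules/"$kver"/updates/dkms/*.ko /lib/modules/"$kver"/updates/dkms/*.ko.zst; do
        [ -e "$ko" ] || continue
        sign_module "$dir" "$ko" && echo "signed $ko"
    done
}

main() {
    [ -f "$MOK_DIR/MOK.der" ] || mok_generate "$MOK_DIR"
    # Enrollment is a one-off: queue the key (mokutil asks for the password that
    # MokManager will demand at next boot) unless it is already enrolled, then
    # list what is pending so you know MokManager should appear on reboot.
    if ! mokutil --test-key "$MOK_DIR/MOK.der" | grep -q "already enrolled"; then
        mokutil --import "$MOK_DIR/MOK.der"
        mokutil --list-new
    fi
    resign_dkms_modules "$MOK_DIR"
    for ko in /lib/modules/"$(uname -r)"/updates/dkms/*.ko /lib/modules/"$(uname -r)"/updates/dkms/*.ko.zst; do
        [ -e "$ko" ] && modinfo -F signer "$ko"
    done
}

# Run as root on a real machine: MOK_SIGN_RUN=1 sudo -E bash mok-sign.sh
if [ "${MOK_SIGN_RUN:-0}" = 1 ]; then
    main
fi
```

`modinfo -F signer` printing your MOK’s CN is the quickest confirmation that a module is signed by the key you enrolled; a module that loads but shows no signer is being allowed for some other reason (for example Secure Boot is not actually enforced), which is worth investigating rather than celebrating.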

Completing the Setup

  1. Reboot your system. Because an enrollment request is pending, shim launches MokManager (a blue text screen) before GRUB; press a key within its countdown, otherwise the request is discarded and you must run the import again
  2. Select “Enroll MOK”
  3. Choose “Continue”
  4. Enter the password you created earlier
  5. Select “Yes” to enroll the key
  6. Allow the system to reboot

Verification

After reboot, verify Secure Boot is enabled:

mokutil --sb-state

Review the boot order:

efibootmgr -v

And check that your modules are properly signed:

modinfo evdi | grep -E '^(signer|sig_key|sig_hashalgo|signature)'


Boot Order Lock on Lenovo Systems

Lenovo systems have a UEFI/BIOS setting called “Boot Order Lock” that can silently interfere with Secure Boot configuration. When enabled, this setting prevents permanent changes to the boot order, even though commands like efibootmgr appear to work successfully.

Here’s what happens:

  1. You run efibootmgr to modify the boot order
  2. The command executes successfully and shows your changes
  3. After reboot, the boot order reverts to its previous state
  4. If the locked boot order points at a different loader (a fallback entry, another OS, or a stale entry left over from a previous install), the firmware boots that instead of Ubuntu’s shim. Secure Boot itself is still enforced by the firmware, but you are no longer booting through the chain you just configured, and the Ubuntu install may not boot at all

Fixing the Issue

  1. Enter UEFI/BIOS setup (usually F1 during boot on Lenovo systems)
  2. Navigate to the Security or Boot section
  3. Find “Boot Order Lock” or similar setting
  4. Disable this setting
  5. Save and exit

Now you can properly set your boot order:

# Check current boot order
efibootmgr -v

# Set correct boot order (entry numbers are four hex digits; adjust to match your output)
sudo efibootmgr -o 0000,0001,0002
# or create a new entry - example:
sudo efibootmgr --create --disk /dev/sda --part 1 --label "Ubuntu" --loader "\EFI\ubuntu\shimx64.efi"

After reboot, verify the changes persisted:

efibootmgr -v
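Eyeballing `efibootmgr -v` after every reboot gets old, and the failure mode here is specifically that the output looks right until the next boot. The following added example (my own, not part of the original post) parses the `efibootmgr -v` output into a pass/fail check: the first entry in BootOrder must load shim, and BootCurrent must equal that entry, otherwise the order either did not persist or the firmware ignored it. The functions take the output as a string so they run on a saved copy or on the constructed sample in the test; the `live` argument is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: check that the boot order
# really does what the post asks for, by parsing `efibootmgr -v` output.
# The functions take the output as a string so they can be run on a saved copy
# (or a constructed sample); on a live system pass "$(efibootmgr -v)".

# boot_field TEXT NAME: value of a "NAME: value" header line (BootCurrent, BootOrder).
boot_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# first_in_order TEXT: the entry number the firmware tries first (e.g. 0000).
first_in_order() {
    boot_field "$1" BootOrder | cut -d, -f1
}

# entry_loader TEXT NUM: the File(...) path of BootNUM, empty if there is no such entry.
# Active entries are printed as "Boot0000*", inactive ones as "Boot0000".
entry_loader() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == ("Boot" n) || $1 == ("Boot" n "*") {
            if (match($0, /File\([^)]*\)/)) print substr($0, RSTART + 5, RLENGTH - 6)
        }'
}

# check_boot_order TEXT: 0 when the first entry loads shim and this boot used it,
# 1 when something other than shim is first (the lock or another OS won),
# 2 when shim is first but the firmware booted a different entry anyway.
check_boot_order() {
    out="$1"
    first=$(first_in_order "$out")
    current=$(boot_field "$out" BootCurrent)
    loader=$(entry_loader "$out" "$first")
    case "$loader" in
        *shimx64.efi|*shimaa64.efi) ;;
        *)  echo "Boot$first is first in BootOrder but loads '${loader:-nothing}', not shim"
            return 1 ;;
    esac
    if [ "$current" != "$first" ]; then
        echo "BootOrder starts with $first but this boot came from Boot$current: the order did not persist"
        return 2
    fi
    echo "ok: Boot$first -> $loader is first and was used for this boot"
}

# Live use on a real machine: sh check-boot-order.sh live
if [ "${1:-}" = "live" ]; then
    check_boot_order "$(efibootmgr -v)"
fi
```

Run it right after changing the order and again after the reboot: a pass before and a return code of 2 after is the signature of a boot-order lock (or a firmware that silently reorders entries), which points you back at the firmware setup rather than at efibootmgr.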

If your boot order keeps reverting even after disabling Boot Order Lock, double-check for similar settings like:

  • “Secure Boot Order Lock”
  • “Security Boot Order Lock”
  • “Secure Boot Configuration Lock”

These names vary across different Lenovo models and UEFI versions.

Conclusion

Setting up Secure Boot on Ubuntu 24.04 can be straightforward if you understand the key touchpoints that need verification:

  • UEFI boot mode is active
  • Manufacturer-specific BIOS settings like Boot Order Lock aren’t interfering
  • The shim bootloader is properly installed and configured
  • Your boot order is correctly set and persistent

For many users, the process might only require enabling Secure Boot in their BIOS settings. Others might need additional steps with MOK signing for third-party drivers, but the process remains manageable when approached systematically.

Coming Up Next: Secure Boot with LUKS Encryption

In our next post, I will explore combining Secure Boot with LUKS full-disk encryption. This powerful combination provides both boot-time security and data protection.

I plan to expand this guide with more specific examples and troubleshooting steps for common Secure Boot issues. If you have a specific scenario you’d like me to cover, please let me know in the comments.