Ubuntu 24.04 secure boot fails: `bad shim signature`
Component
Dasharo firmware
Device
NovaCustom V54 14th Gen
Dasharo version
v0.9.1-rc1
Dasharo Tools Suite version
No response
Test case ID
SBO002.001
Brief summary
Ubuntu fails to secure boot
How reproducible
100% on my machine
How to reproduce
In setup:
- reset secureboot keys to default
- save and reset
- boot to ubuntu
Expected behavior
Ubuntu boots successfully
Actual behavior
GRUB works fine; selecting Ubuntu results in:
```
error: bad shim signature.
error: you need to load kernel first.
Press any key to continue
```
Screenshots
No response
Additional context
No response
Solutions you've tried
I have NOT tried reinstalling Ubuntu, so that may be a good first thing to check.
We manually migrate from 6.8 kernel that Ubuntu ships with to a 6.9 kernel, which I assume results in some signature mismatch. Secure booting the 6.8 kernel (can be selected from advanced options in grub) works seamlessly, so I'd classify this as non-issue?
I don't really understand why to migrate from 6.8 to 6.9. We haven't got any issues with the default kernel that Ubuntu 24.04 supplies.
@wessel-novacustom I believe it was related to integrated graphics issues on 6.8. Maybe Ubuntu fixed it in a later release; we'll check again.
On V560TND v0.9.1-rc3 there is no issue with secure boot on Ubuntu, even with kernel 6.8:
```
ubuntu@ubuntu-V560TND:~$ sudo dmesg | grep -i secure
[ 0.000000] secureboot: Secure boot enabled
[ 0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[ 0.005267] secureboot: Secure boot enabled
[ 0.570959] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
[ 0.570978] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2017): 242ade75ac4a15e50d50c84b0d45ff3eae707a03'
[ 0.570993] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (ESM 2018): 365188c1d374d6b07c3c8f240f8ef722433d6a8b'
[ 0.571008] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2019): c0746fd6c5da3ae827864651ad66ae47fe24b3e8'
[ 0.571024] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v1): a8d54bbb3825cfb94fa13c9f8a594a195c107b8d'
[ 0.571038] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v2): 4cf046892d6fd3c9a5b03f98d845f90851dc6a8c'
[ 0.571054] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v3): 100437bb6de6e469b581e61cd66bce3ef4ed53af'
[ 0.571069] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019): c1d57b8f6b743f23ee41f4f7ee292f06eecadfb9'
[ 0.797549] sdhci: Secure Digital Host Controller Interface driver
[ 2.805307] Bluetooth: hci0: Secure boot is enabled
ubuntu@ubuntu-V560TND:~$ uname -r
6.8.0-41-generic
ubuntu@ubuntu-V560TND:~$
```
Immediately after updating to kernel 6.9, secure boot fails in the same way:
```
error: bad shim signature.
error: you need to load kernel first.
Press any key to continue
```
The issue is the same on V540TND with v0.9.1-rc5. Loading kernel 6.9 fails:
```
error: bad shim signature.
error: you need to load kernel first.
Press any key to continue
```
The default kernel 6.8 boots fine, but it is unusable due to issues with suspension.
Yeah, the 6.9 kernel is unsigned, so secure boot refuses to boot it.
We need to scrap the 6.9 kernel installation step altogether. I'm pretty sure I mentioned it previously, but we need to find a different fix for the suspend issue.
Closing as OS misconfiguration issue. Ubuntu 24.10 comes with 6.11, so no custom kernels are needed anymore.
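
The root cause named in the thread (an unsigned kernel image) can be checked before rebooting. The following is an added example, not part of the original thread and not Dasharo or Ubuntu code: it reads the PE header of an EFI-stub kernel image and reports whether an Attribute Certificate Table (the embedded Authenticode signature) is present. The function names and the sample images are constructed for illustration; a non-zero size only shows that a signature is attached, not that it chains to a key trusted by shim or the firmware.

```python
import struct

CERT_TABLE_INDEX = 4  # data-directory slot of the Attribute Certificate Table

def pe_signature_size(image: bytes) -> int:
    """Size in bytes of the embedded Authenticode signature table; 0 = unsigned."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("no MZ header: not a PE/EFI image")
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("PE signature not found")
        opt_off = pe_off + 4 + 20        # skip PE magic and 20-byte COFF header
        (magic,) = struct.unpack_from("<H", image, opt_off)
        if magic == 0x10B:               # PE32
            count_off, dirs_off = opt_off + 92, opt_off + 96
        elif magic == 0x20B:             # PE32+ (64-bit images)
            count_off, dirs_off = opt_off + 108, opt_off + 112
        else:
            raise ValueError(f"unknown optional-header magic {magic:#x}")
        (count,) = struct.unpack_from("<I", image, count_off)
        if count <= CERT_TABLE_INDEX:
            return 0                     # image has no certificate-table slot
        offset, size = struct.unpack_from("<II", image, dirs_off + 8 * CERT_TABLE_INDEX)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    if size and offset + size > len(image):
        raise ValueError("certificate table extends past end of file")
    return size

def build_sample(cert_size: int) -> bytes:
    """Constructed minimal PE32+ header for this demo; not a bootable kernel."""
    header_len = 0x40 + 4 + 20 + 112 + 128
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)
    dirs = bytearray(128)
    if cert_size:
        struct.pack_into("<II", dirs, 8 * CERT_TABLE_INDEX, header_len, cert_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + bytes(cert_size)

if __name__ == "__main__":
    for name, img in (("unsigned", build_sample(0)), ("signed", build_sample(1448))):
        size = pe_signature_size(img)
        print(f"{name}: certificate table {size} bytes ->",
              "has signature" if size else "UNSIGNED")
```

On a real system the same function can be fed the bytes of a kernel image under `/boot`; `sbverify` from sbsigntool is the tool to use for validating the signature against a specific certificate.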