USB wont pass UEFI

[sailingbikeruk]

I am trying to install Mint as a Dual Boot with windows 11. I have created a CD and it boots successfully on my Dell XPS from a one time boot menu but on my main desktop whenever I boot from the USB it fails the UEFI checks.

I am sent to the MOK manager where I get the following options:

• continue to boot - fails
  Install a key from disk - this lets me choose a .efi file but then fails because ikts not a .cer file - it goes back to the menu.I cant find any keys to import in the image.
  install a key from hash - haven't tried this not sure what hash to use

I did go into the BIOS and tried to configure a custom secure boot in which I imported all values from EFI variables on the USB, this claims to have been completed and certainly when I try a second time it says the vaules already exist, but I still get the same propblem, it boots into MOK manager and won't start Linux live USB.

Whilst in the BIOS I did notice that there are two "certs" in the deny list one from canonical and one from Debian, I don't know if these are old ones that have been revoked or there is something amiss here.

• MB is an MSI B450-A Pro Max (MS-7B86)
  CPU is an AMD Ruzen 7 3700x

If I explore the EFI partition I can only see two folders

• Microsoft
  Boot

The latter appears to have changed when I first attempted the install earlier this week.

Any pointers or advice, Iv not played with UEFI? BTW diosable Secure Boot is NOT an option, I need windows 11 working properly.

[AndyMH]

Win11 will boot and run without secure boot enabled??

[sailingbikeruk]

From what I’ve read, there is a registry hack you can employ, but it is reported to prevent updates being downloaded/installed.

Given my work, I can’t risk not being fully patched. Windows is my day job, Linux is simply for personal development (it may become more, but the trouble I’m having getting it installed is rapidly putting me off!).

I wanted to try and move to Linux as a daily desktop and run windows in a VM, but I might have to continue the other way round. I’ve downloaded another Ubuntu based distro to see if that gives different results.

[AndyMH]

Suspect you will get the same with another 'buntu. Don't use win11, in fact rarely run win (I have win7 & win10 in VMs). A quick google didn't suggest problems with win11 and no secure boot (there was some FUD from MS). But I don't rely on win for my livelihood (now retired) and when I started with linux I dual booted. When I had the confidence, I switched to running win in a VM and, back then, I was using it in a work environment. There are others here more au fait with mint and secure boot, hopefully they will respond.

[Reddog1]

In your situation, install VirtualBox on W11 and then install linux in VirtualBox and run it as a vm guest machine with the W11 as host. I'd recommend Xfce because it runs well with only 1 or 2 procs and 4GB of allotted ram. VB won't be messing with your windows partitoning (the vm partition is 'virtual', not real--though it does take up hd space), and you will avoid any driver issues because the VB drivers are virtual overlays of the windows system drivers. The downside (or maybe the upside for your situation) is that you must boot your W11 system, open VB and then boot your Mint system. You can switch between the two with the click of the mouse. If you have problems installing VirtualBox, and the linux VM, there is a section of this forum that can help you out. My experience with linux virtual machines is that they run just as they would installed on iron, as long as the system processor and memory is sufficient to handle the load. I rarely go on the internet with anything other than a VM, and I'm typing this in a vm, right now.

[sailingbikeruk]

Thanks for the advice on virtualbox, I’ve been doing this for years, the dual boot was supposed to be the next step making full use of the available hardware including the GPU.

[sailingbikeruk]

Suspect you will get the same with another 'buntu. Don't use win11, in fact rarely run win (I have win7 & win10 in VMs). A quick google didn't suggest problems with win11 and no secure boot (there was some FUD from MS). But I don't rely on win for my livelihood (now retired) and when I started with linux I dual booted. When I had the confidence, I switched to running win in a VM and, back then, I was using it in a work environment. There are others here more au fait with mint and secure boot, hopefully they will respond.

Strangely, Ubuntu loads absolutely fine … so does Kali. It’s just Mint that doesn’t… the same usb works fine on my laptop though. Guess I’ll be installing Ubuntu.

[deck_luck]

Which version of Linux Mint are you attempting to boot? Likewise, which Ubuntu version successfully boots?

On a late model HP laptop, I have a working Linux Mint 20.3 and Windows11 in a dual boot configuration using secure boot.

...
Whilst in the BIOS I did notice that there are two "certs" in the deny list one from canonical and one from Debian, I don't know if these are old ones that have been revoked or there is something amiss here.
...

The Canonical and Debian blacklist entries are suspicious.

won't start Linux live USB.

What is the error message (invalid certificate)?

EDIT: After rereading the original post, the Canonical and Debian blacklist topic was revised.

[sailingbikeruk]

Which version of Linux Mint are you attempting to boot? Likewise, which Ubuntu version successfully boots?

Mint = 21.1 downloaded about three weeks ago.
Ubuntu = 22.04 LTS downloaded the day of the original post

What is the error message (invalid certificate)?

Originally, before I made any changes in the BIOS it read thus:

Code: Select all

Loading Linux 5.15.0-56-generic
Error: bad shim signature.
Loading initial ram disk …
Error: you need to load the kernel first.

Press any key to continue

I no longer see that, it takes me straight to MOK Manager and I get this -

Code: Select all

Verification Failed: (0x1A) Security Violation

You then get a menu to continue to boot or import a key or hash, neither appear to work. I didn't capture the final boot error once you’ve passed this menu, I’ll try again today and update the post.

EDIT:
So I tried again and caught the last error it simple says:

Code: Select all

Failed to load image: Security Policy Violation
start_image() returned Security Policy Violation

[sailingbikeruk]

On a late model HP laptop, I have a working Linux Mint 20.3 and Windows11 in a dual boot configuration using secure boot.

I managed to live boot on my work Dell XPS… I can’t install it there because “work” but at least it boots. I’ve also installed it on my 2012 MBP alongside MacOS, it’s just this one desktop machine that’s playing up.

Clearly a local issue, but I don’t know enough about how UEFI, MOK and shims work to resolve it without help.

[sailingbikeruk]

Whilst answering the question from @deck_luck I had an epiphany that I hadn't tried another version of Mint.

This morning I downloaded Mint 20.3 and this has installed without issue, even the NVIDIA GTX10150i is working with the three monitors. It has to be an issue with the 21.1 image, or at least the secure boot for that image.

When I booted 20.3 after installation it asked me to "enroll the key" then asked me for a password that I had set during boot, I don't recall doing this before, but I do wonder if I've registered something for 21.1 in a previous attempt and that's affected the installation process.

Anyway, I am sat here typing this update in Firefox on a fully installed Linux Mint 20.3 install running on my NVMe partition with all three monitors working.

I'll stick to this for now and maybe see if I can troubleshoot UEFI or do an in-place upgrade at some point in the future

[deck_luck]

...
This morning I downloaded Mint 20.3 and this has installed without issue, even the NVIDIA GTX10150i is working with the three monitors. It has to be an issue with the 21.1 image, or at least the secure boot for that image.

When I booted 20.3 after installation it asked me to "enroll the key" then asked me for a password that I had set during boot, I don't recall doing this before, but I do wonder if I've registered something for 21.1 in a previous attempt and that's affected the installation process.
...

It seems to be a very common Linux Mint Forum user error to overlook the very important part concerning the MOK enroll the key step. I have read many threads indicating the user did not know what to do and never enroll the key(s). Without the proper key(s) enrollment, secure boot cannot properly function. I am happy for you getting LM20.3 up and going. Cool beans!

I personally try to hold back a major rev like LM21 and instead use a more mature previous major version with multiple updates LM20.3. Most new major releases are riddle with bugs, and I prefer a more stable version that has already been through the user world reported bugs. For a daily driver, I think this is a more prudent approach.

[Etienne9]

I issue exactly same problem for live USB written with MintStick (try on 2 computers)
LM 21.1 Xfce shows directly "Verification failed: (0x1A) Security Violation"
Ubuntu 22.04.2 std Gnome edition pass without error.
Seems something is not signed or nor correctly signed in the ISO.

[SMG]

I issue exactly same problem for live USB written with MintStick (try on 2 computers)
LM 21.1 Xfce shows directly "Verification failed: (0x1A) Security Violation"
Ubuntu 22.04.2 std Gnome edition pass without error.
Seems something is not signed or nor correctly signed in the ISO.

There is already a topic on this exact message Verification failed: (0x1A) Security Violation while installing Linux Mint 21.1.

Microsoft recently changed the certs so older ISOs do not have the new certs. If you run Ubuntu 22.02.01, it will also fail. The LM21.1 ISO was made in December before Microsoft made their changes.

If you can temporarily disable secure boot and then install LM21.1 and then run all the updates, you can re-enable secure boot and it will work.