How to fix laptop broken by Ubuntu

I wrote this thread because I cannot install Ubuntu (I have a Lenovo laptop that was damaged by Ubuntu when I started a LiveCD with Ubuntu) and I need to fix the UEFI on it.

I have read this instruction:
I can download the deb and unpack it. Can anybody tell me where to copy the files from these debs?

Sorry for writing this post here, but the topic is more related to OpenSuSE, because using Windows 10 or OpenSuSE Tumbleweed is the only option to repair my computer.

As with other kernels, the kernel (vmlinuz-x.y.z) should go under /boot, modules under /lib/modules, and you need to create an initrd by running mkinitrd. You do not really need to add it to the boot menu; you can simply edit any available menu entry and replace the kernel/initrd versions.

Thanks for your help, but that doesn’t solve my problem.

Grub2 complains about a bad signature on the Ubuntu kernel.
I think I should:

  • Disable signature checking (How can I do this?)
  • Sign the Ubuntu kernel with the OpenSuSE key or add the Ubuntu key to my motherboard

The second solution probably isn’t available, because I cannot write a new key to the motherboard (I cannot change anything), and I probably cannot sign the Ubuntu kernel with the OpenSuSE key (that’s an action only the OpenSuSE team can do).

So the right question is probably: how do I disable signature checking in grub2 (using YaST or the command line)?

Disable secure boot in the UEFI/BIOS

Thanks for your advice, but I cannot write configuration to my motherboard. :wink:

Show output of “efibootmgr -v”

Disable signature checking (How can I do this?)

Use “linux” instead of “linuxefi” to load the kernel (and “initrd” instead of “initrdefi”).

Sign the Ubuntu kernel with the OpenSuSE key

You can’t - you (or any of us) do not have the SUSE key. If you could do it, there would be no sense in checking the signature in the first place. If you can run shim (depending on how your EFI boot manager is configured) you may be able to enroll the hash of the kernel, if EFI variables are stored in a different EPROM.

BootCurrent: 0004
Timeout: 0 seconds
BootOrder: 0004,0003,2003,0000,2001,2002
Boot0000* Lenovo Recovery System        HD(7,GPT,5ecfa734-3d1a-4801-9d54-1a28f319f370,0x3a192000,0x1f4000)/File(\EFI\Microsoft\Boot\LrsBootMgr.efi)RC
Boot0001* EFI Network 0 for IPv4 (1C-39-47-36-34-16)    PciRoot(0x0)/Pci(0x1c,0x2)/Pci(0x0,0x0)/MAC(1c3947363416,0)/IPv4(<->,0,0)RC
Boot0002* EFI Network 0 for IPv6 (1C-39-47-36-34-16)    PciRoot(0x0)/Pci(0x1c,0x2)/Pci(0x0,0x0)/MAC(1c3947363416,0)/IPv6(::]:<->::]:,0,0)RC
Boot0003* Windows Boot Manager  HD(1,GPT,df1fe269-13f4-43f3-87d2-0bd7e8a65b7a,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.}....................
Boot0004* opensuse-secureboot   HD(1,GPT,df1fe269-13f4-43f3-87d2-0bd7e8a65b7a,0x800,0x82000)/File(\EFI\opensuse\shim.efi)
Boot2001* EFI USB Device        RC
Boot2003* EFI Network   RC

I’m not a UEFI/EFI and encryption expert, but I think I have only the public keys to check the signature; only the OpenSuSE team has the private keys.

I suggest trying the simplest thing first - try editing the menu entry and replacing “linuxefi” with “linux” and “initrdefi” with “initrd”. Does it boot?

Assuming that you are able to boot openSUSE, then I suggest adding the Ubuntu key (really, the Canonical key) to MokManager.

First you will need to get the Canonical key. The easiest way is to boot the Ubuntu installer on a UEFI box (it does not need to be the same box). Then use “mokutil --export” to export the Canonical key to a file.

Then copy that file into the EFI partition on your computer – copy it to “/boot/efi”. And then use “mokutil --import key (filename)” with openSUSE. It should complete the import when you next boot into openSUSE.

This is a system where changing any BIOS settings is not possible because the EPROM where they are stored is read-only. With high probability the EFI variable store is read-only as well. If storing a variable is possible, you do not even need a certificate - as I mentioned, you can simply enroll the hash of the binary; this will be enough.

Disregard the sentence about my not being a UEFI expert, etc.

I’m trying to run the kernel with the init ram disk by omitting the efi suffix. Nothing happens. The screen only blinks. When I added sleep 10 to the end of the editor window, no important message appeared and grub returned to the editor window.

I have found this page:

And this:

Tomorrow I will read both pages. Or, if you can, tell me how to restart my computer into EFI shell mode. Thanks.

If you are running with Secure Boot enabled it is likely not possible - your EFI boot menu does not offer it, and using an external binary requires this binary to be signed.

Did you try whether you can enroll anything as suggested by Neil to “approve” Ubuntu kernel?

Otherwise I would try posting to the opensuse-kernel mailing list; maybe the developers can build a signed kernel based on the Ubuntu one (or with the same patch).

Hmm … what could work - you should be able to load the Ubuntu shim (which is signed by Microsoft); this shim should embed the Ubuntu certificate, so you should be able to load the Ubuntu-signed grub and kernel after that.

Another option is to try network boot to load the Ubuntu-signed shim and grub. Although I’m not sure whether shim supports network boot (I expect yes, as long as it only uses the simple filesystem protocol).

I don’t know how to enroll/introduce (Do I understand “enroll” correctly as a word with the same meaning as “introduce”? English is not my native language). Can you give me some hint on how to enroll via terminal or GUI tools? I think you guys are suggesting that I introduce a new key into my motherboard’s memory. helps. Enroll means write into .

I discovered I have mokutil installed, but I cannot find a file with a .der extension in my /boot.

Mokutil has the option import-hash, so do I need to hash the kernel file or something else?

Sorry for writing a new post instead of editing the previous one, but there’s no option to edit the previous post.

I do:

cd /boot
mokutil --import-hash ./vmlinuz-4.15.0-041500rc6-generic

No message appears, so I reboot my computer and the signature of Ubuntu’s kernel is still not known.

Maybe use

mokutil --disable-validation

From the man page: „Disable the validation process in shim”. So should disabling it and using a grub version without the signature setting be a good way to repair my laptop?

Sorry for writing too many posts, but I see mokutil --import-hash works partially, but mokutil --disable-validation is showing some errors. Is there any chance to sign the Ubuntu kernel with my own key and add it to the motherboard?

No, it does not compute the hash itself; you need to provide a compatible hash as the option to --import-hash. One possibility to obtain the hash is to use “pesign --hash -i vmlinuz”. Also you need to provide mokutil with a password that is used to confirm the action at boot time. If mokutil is successful, after reboot you should see the MokManager GUI. If you do not see it, something went wrong.

But mokutil works by updating an EFI variable. If your settings are read-only, quite probably the EFI variables are read-only too. In this case enrolling anything is simply not possible, and launching the Ubuntu shim may be the only option (short of building a kernel with an openSUSE signature).
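The hash that mokutil --import-hash expects is the Authenticode digest of the PE image (what "pesign --hash -i vmlinuz" prints), not a plain sha256sum of the file, because the CheckSum field, the Certificate Table directory entry and the embedded certificate table are left out so that signing does not change the digest. The Python below is an added example, not code from this thread or from pesign/mokutil; it implements that Authenticode hashing procedure and checks it on a constructed minimal PE32+ image, so you can compare its output against pesign before enrolling a hash.

```python
import hashlib
import struct

def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode digest of a PE image: everything except the CheckSum
    field, the Certificate Table entry and the certificate table itself."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt = pe_off + 24                                          # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)               # PE32+ vs PE32
    checksum = opt + 64                                        # CheckSum field
    cert_dir = dirs + 4 * 8                                    # data directory 4
    cert_len = struct.unpack_from("<I", pe, cert_dir + 4)[0]
    hdr_size = struct.unpack_from("<I", pe, opt + 60)[0]       # SizeOfHeaders
    h = hashlib.new(algo)
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:cert_dir])
    h.update(pe[cert_dir + 8:hdr_size])
    hashed = hdr_size
    sections = []
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):                 # by PointerToRawData
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if len(pe) > hashed:            # trailing data, minus the certificate table at the end
        h.update(pe[hashed:len(pe) - cert_len])
    return h.hexdigest()

def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image (not a real kernel): one 512-byte
    section followed by an 8-byte placeholder certificate table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 60, 512)                       # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                # CheckSum, not hashed
    struct.pack_into("<II", opt, 112 + 4 * 8, 1024, 8)         # Certificate Table entry
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + bytes(opt) + sect
    return hdr.ljust(512, b"\0") + bytes(range(256)) * 2 + b"\xAA" * 8
```

For a real image, pass the file contents, e.g. authenticode_hash(open("/boot/vmlinuz", "rb").read()), and compare the result with what pesign reports for the same file.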

Is there any chance to sign the Ubuntu kernel with my own key and add it to the motherboard?

See above. Try creating a certificate and enrolling it using mokutil. If it works, signing the kernel should be possible.

Thanks for replying.

Is there no possibility of installing a boot loader signed by MS which could load any other bootloader? I remember the Linux Foundation created its own bootloader.