
I'm trying to install Ubuntu 24.04.2 LTS (downloaded from https://releases.ubuntu.com/24.04.2/ubuntu-24.04.2-desktop-amd64.iso) next to an already installed Windows 11, with Secure Boot enabled. I used Balena Etcher to write the image to a USB disk. Unfortunately the installer on the USB disk cannot boot, as it complains about "Invalid signature detected. Check Secure Boot Policy".

Windows 11 claims Secure Boot is enabled correctly, and the computer (MSI Prestige A16 AI+ A3HMG) has all required keys (from Microsoft) provisioned. I have access to these keys (e.g. using the PowerShell command https://learn.microsoft.com/en-us/powershell/module/secureboot/get-securebootuefi?view=windowsserver2025-ps; they can also be exported to a file in the BIOS).

As far as I understand https://wiki.ubuntu.com/UEFI/SecureBoot, the USB disk should boot a shim signed by Microsoft, which in turn embeds Canonical's keys, so the Ubuntu image can be booted.

In order to investigate this, how can I verify the signature of the bootloader from the USB disk to check whether it is valid against the Secure Boot keys provisioned on my computer? How can I read the signature of the shim on the USB disk and verify it against the provisioned keys?

Adrian
  • 301
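One way to check what is actually in the firmware's db, as an added example that is not part of the original question or answer: the script below parses a raw dump of the db variable (the `Bytes` returned by `Get-SecureBootUEFI -Name db`, or the Linux efivars file with its 4-byte attribute prefix stripped) in EFI_SIGNATURE_LIST format, exports every X.509 entry as DER, and reports whether the Microsoft UEFI CA is present. The file name `check_db.py`, the `db.bin` input and the `SAMPLE_DB` blob are assumptions; the sample is constructed, not real certificate data.

```python
import hashlib
import struct
import sys
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def parse_esl(data: bytes):
    """Walk a concatenation of EFI_SIGNATURE_LISTs (the layout of db/dbx/KEK)
    and return (signature_type, owner_guid, signature_data) tuples."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:          # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    if off != len(data):
        raise ValueError("trailing bytes after the last EFI_SIGNATURE_LIST")
    return entries

def x509_certs(data: bytes):
    """DER certificates in the dump, keyed by their SHA-256 fingerprint."""
    return {hashlib.sha256(sig).hexdigest(): sig
            for t, _, sig in parse_esl(data) if t == EFI_CERT_X509_GUID}

def contains_ca(data: bytes, name: str) -> bool:
    """Heuristic: DER stores the subject CN as a plain string, so a byte search is
    enough to tell whether e.g. 'Microsoft Corporation UEFI CA 2011' is in db."""
    return any(name.encode() in der for der in x509_certs(data).values())

def build_esl(sig_type, owner, sigs):
    """Assemble one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(sigs[0])) + body

# Constructed sample (assumption): one fake "certificate" blob and two hash entries.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_DB = (build_esl(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82 fake Microsoft Corporation UEFI CA 2011 cert"])
             + build_esl(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32, b"\x22" * 32]))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DB
    for fp, der in x509_certs(blob).items():
        open(f"db-{fp[:16]}.der", "wb").write(der)   # convert with openssl x509 -inform der, then sbverify --cert
        print("X509", fp)
    print("Microsoft UEFI CA 2011 present:", contains_ca(blob, "Microsoft Corporation UEFI CA 2011"))
```

Run it as `python3 check_db.py db.bin`; the exported DER files, converted to PEM with `openssl x509 -inform der`, can be passed to `sbverify --cert` from sbsigntools to check the shim's Authenticode signature against exactly what the firmware trusts.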

1 Answer


It appeared that the Microsoft UEFI CA 2011 was not stored in the db database (removed by one optional Windows 11 update), so I restored both the db and dbx databases to factory defaults in the BIOS. In order to enter the BIOS on the MSI Prestige A16 AI+ A3HMG, Del has to be pressed at startup and then Left Alt + Copilot key (aka Right Ctrl) + Right Shift + F2 (without the Fn key) to enter advanced mode. In Security > Secure Boot > Advanced key management it's possible to restore db/dbx to factory defaults (the pk and kek databases are fine). Moreover, I needed to enable "Allow third party Microsoft certificates" in the BIOS, and then it started to boot Ubuntu from USB.

P.S. I highly recommend reading Dual-Boot with Windows 11 and BitLocker on how to set up dual boot with disk encryption and secure boot enabled.

P.S2. Some links that proved to be useful for learning about Secure Boot and debugging signatures of binaries:

Adrian
  • 301