If you install Ubuntu on a computer with secure-boot enabled, then it will probably boot. And maybe that’s all you want.
If so, you probably won’t be concerned about what I am describing here.
However, secure-boot is supposed to verify many of the steps in the boot path. And that’s where I see Ubuntu as broken.
I’m basing this on tests that I have done on Ubuntu-17.04 and Ubuntu-gnome-17.04.
First a brief summary of the problems that I am seeing:
- Ubuntu will boot without checking a signature on the kernel.
- Under some circumstances, Ubuntu will complain about a bad signature, and refuse to boot, even though secure-boot has been disabled.
I have already reviewed Ubuntu-17.04. However, the Ubuntu folk (i.e. Canonical) had already announced that, starting with 18.04, they would switch their mainline version from the Unity desktop to the Gnome desktop. So I decided to also test out the 17.04 version of Ubuntu with Gnome desktop.
I installed Ubuntu-gnome in an already existing encrypted LVM. The machine that I used actually has two hard drives, with an encrypted LVM on each drive. So this was a different LVM from the one that I used for the mainline Ubuntu (with Unity). Currently, both versions of Ubuntu are installed on that machine.
Ubuntu 17.04 was announced a few days ago. I had already decided that I would install it, and do a little testing. So, once I saw the announcement, I started a download.
To download, I followed the links from the announcement to the download page. From there, I selected the torrent download. I was using the “vivaldi” browser, and it gave me several options with the torrent link. I chose the option to open the file. And that started the download with “ktorrent”.
I also downloaded “SHA256SUMS.desktop” and “SHA256SUMS.desktop.gpg”. Next, I checked the gpg signature with
gpg --verify SHA256SUMS.desktop.gpg SHA256SUMS.desktop
which showed that I had a good download of the checksum file. After the torrent download had completed, I checked its validity with
sha256sum -c SHA256SUMS.desktop
That reported that the downloaded iso file was ok. It also reported that some files did not exist. I ignored that. It was just that the checksum file had checksums for other isos that I had not downloaded.
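The two checks above combined into one script, added here as an example (it is not the author's own commands). It also pins the signing key's fingerprint and checks only the ISO that was downloaded, so entries for other images are skipped and an ISO that is missing from the list counts as a failure. The function names, the fingerprint argument and the return codes are assumptions of this example.

```bash
#!/bin/sh
# Added example: verify one downloaded ISO against a signed checksum list.

# Step 1: trust the checksum list only if its detached signature is valid
# AND was made by the expected key. "$3" is the signing key's fingerprint
# (40 hex digits, no spaces), obtained from a source you already trust.
check_signature() {   # check_signature SUMS.gpg SUMS FINGERPRINT
    [ -n "$3" ] || return 2
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        grep 'VALIDSIG' | grep -qF "$3"
}

# Step 2: compare the ISO with its own entry in the list, ignoring the
# entries for images that were never downloaded.
# Returns 0 = match, 1 = mismatch, 2 = ISO not listed at all.
check_iso() {         # check_iso SUMS FILE.iso
    ci_name=$(basename "$2")
    # Entries look like "<hash> *<name>" (binary) or "<hash>  <name>" (text).
    ci_want=$(awk -v n="$ci_name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$1")
    if [ -z "$ci_want" ]; then
        echo "$ci_name: no entry in $1" >&2
        return 2
    fi
    ci_got=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$ci_want" != "$ci_got" ]; then
        echo "$ci_name: FAILED" >&2
        return 1
    fi
    echo "$ci_name: OK"
}

# Usage: sh verify.sh SHA256SUMS.desktop.gpg SHA256SUMS.desktop FPR FILE.iso
if [ "$#" -eq 4 ]; then
    check_signature "$1" "$2" "$3" || { echo "bad signature" >&2; exit 1; }
    check_iso "$2" "$4"
fi
```

With GNU coreutils, `sha256sum -c --ignore-missing` is a shorter way to skip the entries for files that are not present.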
Ubuntu 16.04, in several different varieties, came out last week. So I decided to give the Kubuntu variant a try. I planned to install in an existing LVM. I knew, from previous experience, that this could be tricky. And, to make it more tricky, I wanted “/boot” to be inside that encrypted LVM.
It didn’t quite work out. I am successfully booting it using the grub2-efi from openSUSE. I was unable to get the grub-efi from Kubuntu to work.
I planned to install this to replace an experimental Tumbleweed. I had originally set that up a year ago, to test using openSUSE with “/boot” as part of the encrypted LVM. That test is now well past, and the openSUSE bugs have been fixed. So that disk space was free for Kubuntu.