Verification failed 0x1a security violation when installing Linux

A solution to rEFInd unable to load using shim when Secure Boot is enabled

Ubuntu 21.10 can load on my computer through Secure Boot, and the shim version is 15.4. Then, following the official tutorial, I installed rEFInd v0.13.2 (the latest version when I posted this blog) via PPA in Ubuntu 21.10. However, when I restart the system and load rEFInd, it always fails with the message Verification failed:(0x1A)Security Violation. I’m sure that both refind_local.cer and refind.cer under EFI/refind/keys/ have been enrolled through MokManager (although only refind_local.cer is needed with the PPA installation).

Cause

From this post, I got that rEFInd currently (v0.13.2) lacks the .sbat section. For shim 15.3 and later versions, SBAT is mandatory, resulting in failure to start rEFInd. The post also indicates that the author of rEFInd is currently studying how to solve the related problems. I hope the later versions can fix this issue.

Solution

  1. Obtain MokManager and the shim EFI file signed by Microsoft from Ubuntu Launchpad. To do this, download shim_15+1552672080.a4a1fbe-0ubuntu2_amd64.deb and shim-signed_1.45+15+1552672080.a4a1fbe-0ubuntu2_amd64.deb.
  2. Unpack the downloaded shim_15+1552672080.a4a1fbe-0ubuntu2_amd64.deb and take out the mmx64.efi file. ( data.tar.xz -> . -> usr/lib/shim/mmx64.efi )
  3. Unpack the downloaded shim-signed_1.45+15+1552672080.a4a1fbe-0ubuntu2_amd64.deb and take out the shimx64.efi.dualsigned file. ( data.tar.xz -> . -> usr/lib/shim/shimx64.efi.dualsigned ) Rename it to shimx64.efi.
  4. Download refind-bin-0.13.2.zip. Then create a new folder, and put the two extracted files together with the downloaded zip file into the new folder.
  5. Open a terminal in the aforementioned folder, then execute the following commands:

       unzip refind-bin-0.13.2.zip
       cd refind-bin-0.13.2
       sudo ./refind-install --shim ../shimx64.efi

If you encounter any confirmation during the installation process, just enter y to confirm.

  6. After restarting, if it prompts Verification failed, refer to step 9 of the official tutorial. Select Enroll key from disk, and then select the ESP disk where you installed rEFInd. Finally, choose the file at path EFI/refind/keys/refind.cer to import.
  7. If you use a non-Ubuntu Linux system on your computer, you can continue to import the cer files corresponding to your distributions in EFI/refind/keys as above. Failure to do so may cause your Linux distribution to be unable to boot via rEFInd.

Source

Verification failed: (0x1A) Security Violation while installing Ubuntu

I’m trying to install Ubuntu 22.04.1 via a USB drive, but when I want to boot the USB drive when the secure boot is enabled, I get the error Verification failed:(0x1A) Security Violation. I need the secure boot to be enabled. Back then, I had no problems doing so. I recently used the command mokutil --reset to clear the machine owner keys because there were a lot of them and I wanted to make things cleaner. I also tried to add mmx64.efi and grubx64.efi to the trusted files in BIOS, but I got another error (i.e., shim_lock protocol not found). I was not doing anything special related to secure boot to boot my USB drive before (even when I installed my first Linux distro). Why can’t I do that now?

Try Ubuntu 22.04.2 or Ubuntu 22.10 as they used SHIM 15.9 rather than the recently deprecated version found in 22.04.1 and prior ISOs. This will only impact systems where Secure uEFI boot is enabled, which you appear to want.

This is an excerpt from this answer that I just wrote.

What happened here is that Canonical updated their UEFI Secure Boot signing key and your system’s Secure Boot Advanced Targeting variable. In plain terms, they made it so that newer boot files they release are bootable, and older ones aren’t. If you got the update and then try to boot an OS that is still using the older files, it won’t work and you get a Security Violation error.

Normally the solution here is to update your installation so that you have newer boot files. In this instance, though, you’re trying to install from an ISO that has the older boot files. So you can’t update the boot files. You have two choices here.

  • Disable Secure Boot and leave it that way.
  • Disable Secure Boot, boot the 22.04.1 ISO, install, update, and then enable Secure Boot again.

Sadly, both solutions require that you disable Secure Boot at least temporarily.

Source

Boot fails with ‘Verification failed: (0x1A) Security Violation’

This document (000021080) is provided subject to the disclaimer at the end of this document.

Environment

Situation

Trying to install SLES15 SP4 on systems with an existing OS, with shim version 15.7 or later, and UEFI secure boot enabled in the BIOS, booting fails with an error message ‘Verification failed: (0x1A) Security Violation’ on the console.

Resolution

Use the SLES15 SP4 latest Quarterly Update (QU3) ISO with a newer grub2/mokutil version to install SLES15 SP4 when the issue occurs.
The «SLE-15-SP4-Full-x86_64-QU3-Media1.iso» is available for download in the SUSE Customer Center (Products, Installation Media)

Cause

The behavior is expected.
Shim version 15.7 or later blocks grub versions which have their .sbat section set to 1.
The scenario may occur when a security vulnerability is discovered.

For more information, please refer to UEFI shim bootloader secure boot life-cycle improvements [https://github.com/rhboot/shim/blob/main/SBAT.md]
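
The two SBAT failures described on this page, as an added Python example that is not part of the original articles or of shim's own code: an EFI image with no .sbat section (the rEFInd 0.13.2 case) and a GRUB image whose generation is below the revoked level (the SLES15 SP4 case). The sample images, the revocation list and the helper names (read_sbat, parse_levels, sbat_verdict, make_pe) are constructed for illustration; the comparison follows the rule in SBAT.md that an image fails when its generation for a component is lower than the revoked one.

```python
import struct

def read_sbat(image):
    """Return the .sbat section text of a PE/COFF (EFI) image, or None if absent."""
    pe, = struct.unpack_from("<I", image, 0x3C)              # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, _, _, _, opt_size = struct.unpack_from("<HIIIH", image, pe + 6)
    for off in range(pe + 24 + opt_size, pe + 24 + opt_size + 40 * nsect, 40):
        _vsize, _va, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        if image[off:off + 8].rstrip(b"\0") == b".sbat":
            return image[rptr:rptr + rsize].rstrip(b"\0").decode()
    return None

def parse_levels(text):
    """Map component -> generation; works for image metadata and revocation lists."""
    levels = {}
    for line in text.splitlines():
        f = [x.strip() for x in line.split(",")]
        if len(f) >= 2 and f[1].isdigit():
            levels[f[0]] = int(f[1])
    return levels

def sbat_verdict(image, revocations):
    """Apply the rule the page describes for shim 15.3 and later."""
    sbat = read_sbat(image)
    if sbat is None:
        return "rejected: no .sbat section"
    have, need = parse_levels(sbat), parse_levels(revocations)
    stale = sorted(c for c, g in have.items() if g < need.get(c, 0))
    return "rejected: revoked " + ",".join(stale) if stale else "accepted"

def make_pe(sections):
    """Constructed sample input: a minimal PE image holding the given sections."""
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    table, body, base = b"", b"", 0x40 + len(coff) + 40 * len(sections)
    for name, data in sections.items():
        table += struct.pack("<8sIIII16x", name, len(data), 0, len(data), base + len(body))
        body += data
    return hdr + coff + table + body

# Constructed samples (not taken from any real binary or firmware variable).
HEAD = b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
ENTRY = b"grub,%d,Example Vendor,grub,2.06,https://example.invalid/\n"
NO_SBAT = make_pe({b".text": b"\x90" * 16})
GRUB_GEN1, GRUB_GEN2 = (make_pe({b".text": b"\x90" * 16, b".sbat": HEAD + ENTRY % g}) for g in (1, 2))
REVOCATIONS = "sbat,1,2022052400\ngrub,2\n"
print([sbat_verdict(i, REVOCATIONS) for i in (NO_SBAT, GRUB_GEN1, GRUB_GEN2)])
```

On a real system, read_sbat can be pointed at the bytes of a boot loader on the ESP, and the revocation text can be taken from the output of mokutil --list-sbat-revocations where the installed mokutil supports it.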

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented «AS IS» WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021080
  • Creation Date: 19-May-2023
  • Modified Date: 19-May-2023
    • SUSE Linux Enterprise Server

    For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

    Source

    ERROR: Verification failed:(0x1A)Security Violation & #175

    Comments

    Five PCs in my team use wubi to automatically install xubuntu and get error warnings:

    1.ERROR: Verification failed: (0x1A) Security Violation.

    2,
    Go back to the menu and resume partitioning?
    No EFI System Partition was found. This system will likely not be able to boot successfully, and the installation process may fail.
    Please go back and add an EFI System Partition, or continue at your own risk.

    what is the reason? How to solve these problems?

    Wubi version: Wubi for Ubuntu 19.04 (rev. 336)
    xubuntu version: xubuntu-18.04.2-desktop-amd64.iso

    Five PCs in my team use wubi to automatically install xubuntu and get error warnings:

    1.ERROR: Verification failed: (0x1A) Security Violation.

    What kind of PCs do you use (model, UEFI firmware/BIOS version) ? Is Secure Boot enabled ?

    2,
    Go back to the menu and resume partitioning?
    No EFI System Partition was found. This system will likely not be able to boot successfully, and the installation process may fail.
    Please go back and add an EFI System Partition, or continue at your own risk.

    see release notes(known issues)
    But issue should not affect Xubuntu 18.04.2 from xubuntu-18.04.2-desktop-amd64.iso. Are you sure that you install Xubuntu 18.04.2 with Wubi for Ubuntu 19.04 (rev. 336) ? Automatic download is Xubuntu 19.04 for wubi1904r336.exe .

    Wubi1904r336.exe automatically downloads xubuntu 19.04, and the use result is the same as the fault prompt.

    I just had this issue with Zorin OS onto an HP Stream. I solved my mystery with no help of the internet so I thought I’d post my solution somewhere.

    I turned Secure Boot off. Disable it. It loaded with no issues after that.

    @oodorii Thank you for sharing your solution.

    It is a general solution if a boot loader does not support Secure Boot. If a boot loader supports Secure Boot, you can also try to import the key which was used to sign the boot loader for Secure Boot. For Wubiuefi, see MoKManager

    So that issue should be already solved for Wubiuefi.

    @qixuchang If it is not solved, I need more information. Besides the Secure Boot issue, you also reported an issue which has been known since 18.10. That issue depends on the used ISO only. Currently, there are reports for the Ubuntu ISO of 18.10, 19.04 and 19.10. Maybe, some other ISOs are also affected e.g. Xubuntu ISO for 18.04.2. But there has ever been a workaround. Does the workaround e.g. from here (user confirmation («Continue») is necessary for new questions) solves the issue ?

    @hakuna-m My bios mode is uefi and secure boot state is off. But I am getting this error number 2 mentioned in the main question. What should I do?
    Do I need to create some kind of efi partition or like that? Like in the hdd I am installing ubuntu into, I need to create a small partition for EFI? mentioning that already created a partition of 30 gbs for installing ubuntu which is just a primary partition. And so do I need to create another EFI partition?

    Using Windows 10 and trying to install ubuntu 18.04.3 LTS with your WUBI ubuntu 18.04.2

    And this is one of the known problems. But can’t seem to find the solutions of the known problems in the release notes. Can you please help?

    And this is one of the known problems. But can’t seem to find the solutions of the known problems in the release notes. Can you please help?

    As I wrote above the workaround for the known issue is to skip user confirmations by selecting «Continue».

    Does the workaround e.g. from here (user confirmation («Continue») is necessary for new questions) solves the issue ?

    Source
