Integrity: Problem loading X.509 certificate -65, but on Zorin OS

Every time I boot into Zorin OS, I get this message that pops up every single time, which increases the boot speed of my device and makes me question every single time I update this device whether I will be able to boot into it, or if I have lost everything and have to do a reimage.

According to sudo mokutil --sb-state, my device has SecureBoot enabled. And yes, I get that different guides have stated to simply disable SecureBoot to get this warning to go away, but I shouldn't have to compromise security for the ability for my device to not lose an assurance that it will boot.

Disabling this message isn't necessarily what I want, just in case this is indicative of another problem on my device. All I did was a standard Zorin OS installation from the official download page on this site. I've also been made aware that this was an issue that occurred on Ubuntu users' OSs, though even after searching extensively for a solution to this from those communities, I have yet to find a risk-free solution.

Is there a way to resolve the certificate issue being displayed on boot? I am very worried that a future forced daily update will break something before I can do something about it.

Are you dual booting this device with Windows OS?
Secure Boot is for Windows Only. It is a Microsoft deal and product that is supposed to check software that initiates at boot against a Safe or Block list, compiled and signed by Microsoft.
If you are not dual booting Windows, then Secure Boot is functionally useless and does not apply to your use case.

As to why there can be issues with Ubuntu or other distros:
Microsoft, in the generous spirit of cooperation... Signed off on most Linux Packages in order to ensure that they can init at boot for users who Dual Boot Windows and Linux.
But... they neglected to sign them all...

1 Like

I suggested this to someone before: you can use Boot-Repair.
sudo apt install boot-repair
boot-repair
This will fix your secure boot and other problems. Also, you can use the advanced options for severe boot repair if needed.

My device was originally shipped to me with Windows 11; I am not currently using this device for dual-booting. I don't have to select one of multiple options whenever I boot the device.

And if I am using Linux and not Windows, then is there any downside to having SecureBoot disabled from a security perspective?

There is zero downside to disabling Secure Boot if it is not running Windows.
I recommend disabling it, since it is for Windows only and will only interfere and get in the way on Linux.

1 Like

Thank you for the fast reply. I will disable SecureBoot in my BIOS, and see what I get from boot-repair after I do so.

1 Like

You can open terminal and run:

sudo mokutil --disable-validation

Then reboot and boot into BIOS / EFI settings. Ensure that Secure Boot is disabled.
Then proceed to normal boot and test.
Just in case you can save yourself the added step of boot repair if it is not needed.

1 Like

I have disabled SecureBoot in the BIOS, and I have verified it as disabled using sudo mokutil --sb-state. I can't run boot-repair all the way yet because it claims that my NVRAM is locked.

I found a source here that claims that it is possible to sign the modules myself to solve the problem in a way that doesn't require disabling the message. Is this worth attempting?

https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS

Also, does disabling the validation as you mentioned above run the risk of the boot process not functioning?

It isn't. Since you are not booting Windows, Secure Boot is redundant and only can interfere.

No, but if you prefer certainty about it, upon reboot, stab the F12 key and access a one time boot channel, and ensure that you are booting without Secure boot on the Linux Distro listed.
That Utility may say Ubuntu instead of Zorin OS, due to Zorin OS being based on Ubuntu.

1 Like

I went and rebooted and did the F12 option to verify that Mokutil has SecureBoot disabled there. Now, my device says "Booting in insecure mode" at the top-left, displays nothing but black for 20ish seconds, and then does the same X.509 certificate error messages. Ironically, this actually makes my device boot slower now. Is there a safe way to undo what I did?

You need to reset your bios setting for this.

1 Like

I went and reset my BIOS settings to their factory default. I then changed the default setting of SecureBoot being on, to it being off. The same long pause and the same certificate errors still persist, unfortunately. Would letting the CMOS battery sit for 5 minutes do anything meaningfully different here?

How strange...
You can see: This should be pretty straight-forward...
https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS

1 Like

I think that all I can do here is to either re-enable SecureBoot and the mokutil validation, or to sign the modules myself. Though for signing the modules myself, I am not sure what I am supposed to use as the key in the listed command in that same link.

I have never done it, since I never use the Secure Boot process:

1 Like

Also, check this out.

If you had set up and created the partition, but then installed Zorin on MBR as Legacy, you may face problems.

I found some user complaints,

https://forum.ubuntu-fr.org/viewtopic.php?id=2072115
which comes out to a solution

You certainly have a computer that boots in EFI only on Windows.
and the repairman does only as standard
cp /media/ubuntu/1223f434-1ef8-474c-908b-a3ad0e31589c/boot/efi/efi/ubuntu/grubx64.efi /media/ubuntu/1223f434-1ef8-474c-908b-a3ad0e31589c/boot/efi/EFI/Boot/bootx64.efi
As it also boots in LEGACY, it does not matter

Unless I'm mistaken, you don't have a Windows OS. If you haven't planned to install one, it's serious to have Windows partitions in NTFS that Ubuntu does not perfectly master in case of need for repair. You should reformat them to EXT4 or EXFAT.

So, I should reformat my SSD onto EXFAT so that I can use it best for Linux OSs? And once I do that, do I just do a Zorin installation from a USB as normal?

This is what I get when I run cat /proc/version, if it's relevant:
Linux version 5.15.0-48-generic (buildd@lcy02-amd64-043) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #54~20.04.1-Ubuntu SMP Thu Sep 1 16:17:26 UTC 2022

I will have to call it a night and look into this issue tomorrow. I have another laptop that is older and also has Zorin OS that I can use to test some riskier things before I do so on this current device. Thanks, everyone!

Yes, if it is not already on ext4. If it was running Windows, there is a high chance it is on NTFS formatting.

When I run sudo lsblk -f, the main drive that I use (based on the 777GB available space on my 1TB SSD) is listed as "ext4" for the FSTYPE. It doesn't have a listed mount point, if that matters.

So, is there anything else that I can do to try to undo this? Would reimaging my main OS solve this issue? I don't have the same certificate issue with an older laptop that I also have running Zorin OS.
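
Added example, not part of any post in this thread: a shell function that summarises the kernel's "integrity:" certificate-load messages per source, so you can see which keyring the "Problem loading X.509 certificate -65" entries come from (errno 65 is ENOPKG in the Linux errno table). The function names, the assumed "Loading" / "Loaded" / "Problem" line layout and the sample log are constructed for illustration.

```shell
# Added example: summarise kernel "integrity:" certificate-load results per source.
# Assumed log layout: a "Loading" line naming the source, then "Loaded" or "Problem".
triage_x509() {
    awk '
    function ename(c) {               # errno names from the generic Linux errno table
        if (c == "-65")  return "ENOPKG"
        if (c == "-74")  return "EBADMSG"
        if (c == "-126") return "ENOKEY"
        if (c == "-127") return "EKEYEXPIRED"
        if (c == "-129") return "EKEYREJECTED"
        return "errno" c
    }
    BEGIN { src = "unknown" }
    /integrity: Loading X\.509 certificate: / {
        src = $0
        sub(/.*certificate: /, "", src)    # keep the source name after the prefix
        sub(/ .*/, "", src)                # drop trailing notes such as "(MOKvar table)"
        seen[src] = 1; next
    }
    /integrity: Loaded X\.509 cert / { ok[src]++; seen[src] = 1; next }
    /integrity: Problem loading X\.509 certificate / {
        bad[src]++; seen[src] = 1
        e = ename($NF)                     # last field is the negative errno
        if (index(" " codes[src] " ", " " e " ") == 0)
            codes[src] = (codes[src] == "" ? e : codes[src] " " e)
    }
    END {
        for (s in seen)
            printf "%s loaded=%d failed=%d %s\n", s, ok[s], bad[s],
                   (codes[s] == "" ? "-" : codes[s])
    }' | LC_ALL=C sort
}

# Constructed sample log (not from the poster's machine); certificate names are made up.
sample_log() {
    cat <<'EOF'
[    0.91] integrity: Loading X.509 certificate: UEFI:db
[    0.91] integrity: Loaded X.509 cert 'Constructed Firmware CA: 00aa'
[    0.92] integrity: Loading X.509 certificate: UEFI:db
[    0.92] integrity: Problem loading X.509 certificate -65
[    0.93] integrity: Loading X.509 certificate: UEFI:db
[    0.93] integrity: Problem loading X.509 certificate -65
[    0.95] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    0.95] integrity: Loaded X.509 cert 'Constructed Distro CA: 00cc'
EOF
}

# Demo on the sample; on a real system: sudo dmesg | triage_x509
sample_log | triage_x509
```

A source with `failed=0` loaded all of its certificates; the errno names on a failing source show whether every rejected entry failed for the same reason.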