Migrating Ubuntu-20.04 boot disk from old laptop to new laptop with secure-boot enabled

I have a laptop running 20.04 (no secure boot, titled old). I wanted to move the boot disk to a new laptop (titled new) which has secure boot enabled. I do not want to disable secure boot on new, because I have Windows installed on new with requirements to keep secure boot enabled.

To test whether this was possible for new, I plugged my original install live-media (the xubuntu 18.04 live boot image from 2019 on USB, used to install old), and tried to boot new off it. This succeeded perfectly.

Next I took the boot disk from old, plugged it into new, selected the disk as boot media, and got to the grub console. This is where I got stuck with the following error message:

Loading Linux 5.4.0-70-generic ...
error: bad shim signature.
Loading initial ramdisk ...
error: you need to load the kernel first.

Press any key to continue...

I booted old to compare the kernel on the boot media vs the kernel on disk:

samveen@samveen-X230:~$ sudo sbverify --list /media/temp/casper/vmlinuz 
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
samveen@samveen-X230:/media/temp/casper$ sudo sbverify --list /boot/vmlinuz-5.4.0-70-generic 
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2017)
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority

Both are signed and valid, so I checked on the bootloader chain (shim and grub):

samveen@samveen-X230:~$ sudo sbverify --list /boot/efi/EFI/ubuntu/shimx64.efi 
warning: data remaining[834920 vs 960472]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
samveen@samveen-X230:~$ sudo sbverify --list /boot/efi/EFI/ubuntu/grubx64.efi 
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2022 v1)
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
samveen@samveen-X230:~$ sudo sbverify --list /boot/efi/EFI/ubuntu/mmx64.efi 
warning: data remaining[742792 vs 860824]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2022 v1)
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority

That’s all valid, with the Canonical Ltd. Master CA being able to validate everything.

What am I missing here which is causing the failure to boot?

Asked By: Samveen


After investigating a lot more, I found that the certificate used to sign the kernel I was booting was in the Secure Boot Forbidden Signature Database (dbx) (Canonical Ltd. Secure Boot Signing (2017)).

To fix the issue, I had to update to the latest image-generic kernel which was linux-image-5.4.0-172-generic (signed by latest CA) instead of the outdated linux-image-5.4.0-70-generic that I was using.

A couple of other issues with missing drivers were fixed by replacing the image-generic kernel series with the Hardware Enablement kernel series linux-generic-hwe-20.04. More details at https://wiki.ubuntu.com/Kernel/LTSEnablementStack

DKMS module signing was already implemented, even on old (even though it was unused), with the machine owner key already created when I first installed the OS (Xubuntu 18.04 on old, in 2019). I just needed to enroll my MOK into the shim by following the process documented at https://wiki.ubuntu.com/UEFI/SecureBoot . Edit: I needed this only to load upstream VirtualBox kernel modules built by DKMS; otherwise this step wasn't required.

Side note: I had installed Xubuntu 18.04 on old in 2019, and then went through the dist-upgrade process to 20.04 in early 2021. The secure boot setup as created at install was valid on new in 2024 (5 years after install) even after dist-upgrade to 20.04. That’s quite some planning for future-proofing by Ubuntu. Even though I am unhappy with how 22.04 is structured and am planning on shifting to upstream Debian eventually, 20.04 with hwe kernel series is a good bet for even the recent laptops.

Answered By: Samveen
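A check for the situation the answer describes, added here as an example and not part of the original post: it parses the output of sbverify --list for the signing certificate CN and flags any kernel signed by the certificate the answer found in dbx. The revoked-CN list is an assumption seeded from the answer, and the sample output is the old kernel's sbverify listing copied from the question; sbverify comes from the sbsigntool package and needs root to read /boot/vmlinuz-*.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the text that
# "sbverify --list <image>" prints, pulls out the signing certificate CN(s)
# and flags any CN on a revoked list. The revoked list below is an assumption
# seeded from the answer: the 2017 Canonical signing cert found in dbx.
# (On a live system, "mokutil --dbx" prints the firmware's forbidden database.)
REVOKED_SIGNER_CNS='Canonical Ltd. Secure Boot Signing (2017)'

# Constructed sample: the sbverify output for the old kernel, as shown in the question.
SAMPLE_OLD_KERNEL='signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2017)
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority'

# Print the CN of every "subject:" line of sbverify output read from stdin.
signer_cns() {
    awk -F'/CN=' '/^ *- subject:/ { print $NF }'
}

# Read sbverify output from stdin; print one "REVOKED: <cn>" or "ok: <cn>"
# line per signer. Returns 0 if at least one signer is revoked, 1 otherwise.
check_signers() {
    found=1
    cns=$(signer_cns)
    # iterate over a here-document rather than a pipe so $found survives the loop
    while IFS= read -r cn; do
        [ -n "$cn" ] || continue
        if printf '%s\n' "$REVOKED_SIGNER_CNS" | grep -Fxq -- "$cn"; then
            echo "REVOKED: $cn"
            found=0
        else
            echo "ok: $cn"
        fi
    done <<EOF
$cns
EOF
    return $found
}

# Demo against the constructed sample; with image paths as arguments it runs
# sbverify --list on each (package sbsigntool; root needed for /boot/vmlinuz-*).
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_OLD_KERNEL" | check_signers
else
    for img; do echo "== $img"; sbverify --list "$img" | check_signers; done
fi
```

Run it as root with /boot/vmlinuz-* as arguments before moving a disk to a secure-boot machine; a REVOKED line means that kernel will fail with "bad shim signature" until it is upgraded.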