Don't care about the explanations? Get to the fix.
I happened to use a nice Laptop from ASUS : the ExpertBook B1. It comes with Windows 11 (as usual) pre-installed. My laptops are usually borrowed from companies I work for and are usually (not too) tightly managed by the IT department.
As a Linux user, I like to be able to boot Ubuntu installed on a comfortable external SSD (Samsung T7 with 1TB)
I could access to UEFI which is not passworded (hmm). So I plugged in my SSD and restarted the PC and entered the BIOS setup. I selected the perfectly detected SSD with ubuntu EFI entry. But, no luck, it returned to BIOS immediately.
Booting without Secure Boot activated was possible. But this is not a suitable situation. It makes Windows 11 not booted without Secure Boot and screws up everything especially Bitlocker (luckily I could backup my Bitlocker key). And I prefer to boot both Linux and Windows with Secure Boot activated.
Without any error messages, I decided to check out installed keys in the UEFI. Ubuntu ESP contains the shimx64.efi first stage bootloader which is signed by Microsoft key. Which allows to properly start the first stage which will then take care of signed subsequent binaries (grub and its modules) and eventually the kernel.
Surprisingly, ASUS installs Canonical key along with Microsoft PCA key. But the Microsoft CA key was not there. This key is the one used to sign shim. I have no idea why Windows can boot, but shim couldn't.
Since my removeable Linux SSD is used on other PCs, I didn't want to make specific changes to BIOS or my ESP.
I had to. But in a very convenient way. Ubuntu provides a dual signed shim version, signed by Canonical (key is on the laptop) and signed by Microsoft CA (the missing one).
I just had to use shimx64.efi.dualsigned to overwrite BOOTX64.efi in /EFI/BOOT directory and overwrite the existing shimx64.efi in /EFI/ubuntu
This can be done for live USB drive as well.
Install shim_signed package from Ubuntu:
# apt install shim-signed
it may generates errors but the interesting files are there. Now mount your bootable device ESP partition on say '/mnt'. You should see:
# cd /mnt # ls EFI # cd EFI # ls BOOT ubuntu # cp /usr/lib/shim/shimx64.efi.dualsigned /mnt/EFI/BOOT/BOOTX64.efi # cp /usr/lib/shim/shimx64.efi.dualsigned /mnt/EFI/ubuntu/shimx64.efi
Verify that shim is dual signed:
# sbverify --list /mnt/EFI/ubuntu/shimx64.efi warning: data remaining[836848 vs 962400]: gaps between PE/COFF sections? signature 1 image signature issuers: - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority image signature certificates: - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2022 v1) issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority signature 2 image signature issuers: - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011 image signature certificates: - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011 issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
Now you can boot your Ubuntu device with Secure Boot activated.