Broken UEFI Boot , How to securely proceed?

windows-10 dual-boot grub2 uefi 14.04

I want to address some misconceptions in your question before proceeding to a more direct answer to your main point. Please bear with me....

The default grub/boot partition that the computer checks first at start up points directly at booting Windows now

On an EFI-based computer, boot loaders are stored as ordinary files on the EFI System Partition (ESP). The computer knows which file(s) to launch when it starts because of entries stored in NVRAM, which identify the partition(s) and file(s) to run. There is no such thing as a "default... boot partition" under EFI; that's the way BIOS boots, not EFI.

I used boot repair during initial installation and selected the option to have the other partitions 1st sector point to the grub/boot partition.

Under EFI, "boot sectors" don't exist -- or to be more precise, boot code is not stored in the first sectors of disks or partitions. It's all handled through files and referenced by entries in NVRAM.

When I selected the root partition, I got a notification from the BIOS that it was not secure.

You didn't select a partition; you selected a boot loader file. From your description, my guess is that you selected EFI/ubuntu/grubx64.efi on your ESP. This begins to get to the problem, but I'll get back to that point....

I went into the BIOS

You don't have a BIOS; you have an EFI. I know that many people, and even manufacturers, refer to EFIs as BIOSes, but this just leads to confusion because it encourages people to drag in BIOS assumptions about the boot process, as you've done.

I thought that disabling secure boot and trying to load Ubuntu may be a mistake. Afterall, whats the point of UEFI if its disabled the second something messes with a perfectly fine and functioning signed boot loader?

Don't confuse EFI (or UEFI, which is just EFI 2.x) and Secure Boot. Secure Boot is just one optional feature of UEFI. EFI, in turn is a replacement for BIOS. Many EFIs (and even UEFIs) lack Secure Boot support -- but Secure Boot requires UEFI.

I'm sort of at a loss as to what the correct way to securely proceed is. Is there a way to restore Ubuntu without booting insecurely? Suggestions?

To support Secure Boot, Ubuntu uses a program called Shim. In Ubuntu, it has a filename of shimx64.efi. Shim is hard-coded to launch GRUB (grubx64.efi), which can then call on Shim to authenticate Linux kernels.

Note that earlier I wrote that you probably launched grubx64.efi. This will work fine with Secure Boot disabled; but if you enable Secure Boot, chances are grubx64.efi won't match the default Secure Boot requirements, so it will fail. shimx64.efi, OTOH, is signed by Microsoft (whose keys are present in just about all computers) and so will work. This is the key (pun not desired, but it's best word) to the solution: Reconfigure your system to boot via Shim. You can do this in Ubuntu using the efibootmgr utility. First, view your available options by using sudo efibootmgr -v:

$ sudo efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0007,0003,2003,0001,2001,2002
Boot0000* ubuntu    HD(2,1f4800,82000,5f6b4992-fcfe-4a2c-9e67-98b0a30dfe7d)File(\EFI\ubuntu\shimx64.efi)
Boot0001* Lenovo Recovery System    HD(3,276800,1f4000,de3b7563-97f5-48c6-ab7f-2f5d6d57c644)File(\EFI\Microsoft\Boot\LrsBootMgr.efi)RC
Boot0002* EFI Network 0 for IPv4 (08-9E-01-FF-CA-4D)    ACPI(a0341d0,0)PCI(1c,0)PCI(0,0)MAC(089e01ffca4d,0)IPv4(0.0.0.0:0<->0.0.0.0:0,0, 0RC
Boot0003* ubuntu    HD(2,1f4800,82000,5f6b4992-fcfe-4a2c-9e67-98b0a30dfe7d)File(\EFI\ubuntu\grubx64.efi)RC
Boot0004* EFI Network 0 for IPv6 (08-9E-01-FF-CA-4D)    ACPI(a0341d0,0)PCI(1c,0)PCI(0,0)MAC(089e01ffca4d,0)030d3c000000000000000000000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000RC
Boot0007* Windows Boot Manager  HD(2,1f4800,82000,5f6b4992-fcfe-4a2c-9e67-98b0a30dfe7d)File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................

This is just an example, and yours is likely to be different in significant ways. Note, however, that there are two ubuntu entries, one of which refers to shimx64.efi and the other of which refers to grubx64.efi. Chances are you're booting via the grubx64.efi entry, as shown on the BootCurrent line. The grubx64.efi entry is probably first on the BootOrder line, too. To change this, you must create a new BootOrder by using the -o option to efibootmgr, as in:

sudo efibootmgr -o 0000,0007

You can add other options, too, which the computer will use should the first two fail. Of course, you should specify the numbers associated with your Shim and GRUB entries, not 0000,0007 (unless those happen to be the numbers). Note also that I've specified the Shim entry first with the GRUB entry as a fallback in case that one fails; in theory, specifying only the Shim entry should work fine. It's best to include your current BootCurrent value as a second (or later) option, since you know it works with Secure Boot disabled. That way, if you make a mistake or if your Shim binary is broken, you should still be able to disable Secure Boot and get back to your working system by using the computer's built-in boot manager or by adjusting the boot order in some other way.

Once you've done this, reboot into your firmware and re-enable Secure Boot. It should work fine from that point on.

Related

Intel Wireless 7260 card doesn't connect to WiFi sometimes
How can I play simulteanously two different audio using headphones for one and internal speakers for the other?
GNU Octave Command Window not working
How to remove unwanted performance overlay in CS:GO?
Light Bow Gun Special Ammo Types
Where do I find my Player ID for the Pokémon Trainer Club?
Does infravision do anything useful?
How to level up at Endgame on Final Fantasy VII
What is the console command to join a team in CS 1.6?
How can I deal with daedra?
How can I get the gameplay videos from Xbox One?
Does Rocket League on Switch have control issues?