Broken UEFI Boot, how to securely proceed?
I want to address some misconceptions in your question before proceeding to a more direct answer to your main point. Please bear with me....
The default grub/boot partition that the computer checks first at start up points directly at booting Windows now
On an EFI-based computer, boot loaders are stored as ordinary files on the EFI System Partition (ESP). The computer knows which file(s) to launch when it starts because of entries stored in NVRAM, which identify the partition(s) and file(s) to run. There is no such thing as a "default... boot partition" under EFI; that's the way BIOS boots, not EFI.
I used boot repair during initial installation and selected the option to have the other partitions' 1st sector point to the grub/boot partition.
Under EFI, "boot sectors" don't exist -- or to be more precise, boot code is not stored in the first sectors of disks or partitions. It's all handled through files and referenced by entries in NVRAM.
When I selected the root partition, I got a notification from the BIOS that it was not secure.
You didn't select a partition; you selected a boot loader file. From your description, my guess is that you selected EFI/ubuntu/grubx64.efi on your ESP. This begins to get to the problem, but I'll get back to that point....
I went into the BIOS
You don't have a BIOS; you have an EFI. I know that many people, and even manufacturers, refer to EFIs as BIOSes, but this just leads to confusion because it encourages people to drag in BIOS assumptions about the boot process, as you've done.
I thought that disabling Secure Boot and trying to load Ubuntu may be a mistake. After all, what's the point of UEFI if it's disabled the second something messes with a perfectly fine and functioning signed boot loader?
Don't confuse EFI (or UEFI, which is just EFI 2.x) and Secure Boot. Secure Boot is just one optional feature of UEFI. EFI, in turn, is a replacement for BIOS. Many EFIs (and even UEFIs) lack Secure Boot support -- but Secure Boot requires UEFI.
I'm sort of at a loss as to what the correct way to securely proceed is. Is there a way to restore Ubuntu without booting insecurely? Suggestions?
To support Secure Boot, Ubuntu uses a program called Shim. In Ubuntu, it has a filename of shimx64.efi. Shim is hard-coded to launch GRUB (grubx64.efi), which can then call on Shim to authenticate Linux kernels.
Note that earlier I wrote that you probably launched grubx64.efi. This will work fine with Secure Boot disabled; but if you enable Secure Boot, chances are grubx64.efi won't match the default Secure Boot requirements, so it will fail. shimx64.efi, OTOH, is signed by Microsoft (whose keys are present in just about all computers) and so will work. This is the key (pun not desired, but it's the best word) to the solution: Reconfigure your system to boot via Shim. You can do this in Ubuntu using the efibootmgr utility. First, view your available options by using sudo efibootmgr -v:
$ sudo efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0007,0003,2003,0001,2001,2002
Boot0000* ubuntu HD(2,1f4800,82000,5f6b4992-fcfe-4a2c-9e67-98b0a30dfe7d)File(\EFI\ubuntu\shimx64.efi)
Boot0001* Lenovo Recovery System HD(3,276800,1f4000,de3b7563-97f5-48c6-ab7f-2f5d6d57c644)File(\EFI\Microsoft\Boot\LrsBootMgr.efi)RC
Boot0002* EFI Network 0 for IPv4 (08-9E-01-FF-CA-4D) ACPI(a0341d0,0)PCI(1c,0)PCI(0,0)MAC(089e01ffca4d,0)IPv4(0.0.0.0:0<->0.0.0.0:0,0, 0RC
Boot0003* ubuntu HD(2,1f4800,82000,5f6b4992-fcfe-4a2c-9e67-98b0a30dfe7d)File(\EFI\ubuntu\grubx64.efi)RC
Boot0004* EFI Network 0 for IPv6 (08-9E-01-FF-CA-4D) ACPI(a0341d0,0)PCI(1c,0)PCI(0,0)MAC(089e01ffca4d,0)030d3c000000000000000000000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000RC
Boot0007* Windows Boot Manager HD(2,1f4800,82000,5f6b4992-fcfe-4a2c-9e67-98b0a30dfe7d)File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
This is just an example, and yours is likely to be different in significant ways. Note, however, that there are two ubuntu entries, one of which refers to shimx64.efi and the other of which refers to grubx64.efi. Chances are you're booting via the grubx64.efi entry, as shown on the BootCurrent line. The grubx64.efi entry is probably first on the BootOrder line, too. To change this, you must create a new BootOrder by using the -o option to efibootmgr, as in:
sudo efibootmgr -o 0000,0007
You can add other options, too, which the computer will use should the first two fail. Of course, you should specify the numbers associated with your Shim and GRUB entries, not 0000,0007 (unless those happen to be the numbers). Note also that I've specified the Shim entry first with the GRUB entry as a fallback in case that one fails; in theory, specifying only the Shim entry should work fine. It's best to include your current BootCurrent value as a second (or later) option, since you know it works with Secure Boot disabled. That way, if you make a mistake or if your Shim binary is broken, you should still be able to disable Secure Boot and get back to your working system by using the computer's built-in boot manager or by adjusting the boot order in some other way.
Once you've done this, reboot into your firmware and re-enable Secure Boot. It should work fine from that point on.
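The procedure in the answer above (read efibootmgr -v, find the Shim and GRUB entries, write a new BootOrder with Shim first and the entry you currently boot from kept as a fallback) can be scripted so the entry numbers are not copied by hand. The following is an added example, not code from the answer or from the efibootmgr project. The efibootmgr output embedded in it is constructed: it is modelled on the listing above but altered so that BootCurrent is the grubx64.efi entry (0003), which is the asker's situation, and the device paths are shortened. The only real commands it invokes are efibootmgr -o (guarded by DRY_RUN) and the optional mokutil --sb-state check.

```shell
#!/bin/sh
# Added example, not from the original answer: build a BootOrder that puts the
# Ubuntu Shim entry first and keeps the currently booted entry as a fallback,
# working from `efibootmgr -v` output. Nothing writes to NVRAM unless
# apply_boot_order is called with DRY_RUN unset.

# Constructed sample (modelled on the answer's listing, device paths shortened,
# BootCurrent changed to the grubx64.efi entry). Single quotes keep the
# backslashes in the EFI paths literal.
SAMPLE_EFIBOOTMGR='BootCurrent: 0003
Timeout: 0 seconds
BootOrder: 0003,0007,0000,2003,0001,2001,2002
Boot0000* ubuntu HD(2,1f4800,82000,...)File(\EFI\ubuntu\shimx64.efi)
Boot0001* Lenovo Recovery System HD(3,276800,1f4000,...)File(\EFI\Microsoft\Boot\LrsBootMgr.efi)RC
Boot0002* EFI Network 0 for IPv4 (08-9E-01-FF-CA-4D) ACPI(a0341d0,0)PCI(1c,0)...RC
Boot0003* ubuntu HD(2,1f4800,82000,...)File(\EFI\ubuntu\grubx64.efi)RC
Boot0007* Windows Boot Manager HD(2,1f4800,82000,...)File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS...'

# entry_for_file FILE  (reads efibootmgr -v output on stdin)
# Print the 4-hex-digit Boot#### number of the first entry whose loader path
# contains FILE, e.g. shimx64.efi. Prints nothing when no entry matches.
entry_for_file() {
    grep -i "$1" | sed -n 's/^Boot\([0-9A-Fa-f]\{4\}\).*/\1/p' | head -n 1
}

# boot_current / boot_order  (read efibootmgr -v output on stdin)
boot_current() { sed -n 's/^BootCurrent: *\([0-9A-Fa-f]\{4\}\).*/\1/p'; }
boot_order()   { sed -n 's/^BootOrder: *\([0-9A-Fa-f,]*\).*/\1/p'; }

# build_boot_order OUTPUT
# New order: the Shim entry, then the entry we booted from (if different), then
# every other entry from the existing BootOrder, with duplicates removed. Fails
# if there is no Shim entry at all, since booting with Secure Boot on needs one.
build_boot_order() {
    out=$1
    shim=$(printf '%s\n' "$out" | entry_for_file 'shimx64.efi')
    if [ -z "$shim" ]; then
        echo "no shimx64.efi entry found in efibootmgr output" >&2
        return 1
    fi
    cur=$(printf '%s\n' "$out" | boot_current)
    old=$(printf '%s\n' "$out" | boot_order)
    new=$shim
    for e in $cur $(printf '%s' "$old" | tr ',' ' '); do
        case ",$new," in
            *",$e,"*) ;;                 # already in the new order
            *) new="$new,$e" ;;
        esac
    done
    printf '%s\n' "$new"
}

# secure_boot_state OUTPUT_OF_mokutil
# Normalise `mokutil --sb-state` output to enabled/disabled/unknown so a
# script can confirm the state before and after the firmware change.
secure_boot_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# apply_boot_order ORDER
# Print the exact efibootmgr command and run it unless DRY_RUN is set.
# Needs root and a mounted efivarfs on a real system.
apply_boot_order() {
    echo "sudo efibootmgr -o $1"
    [ -n "${DRY_RUN:-}" ] || sudo efibootmgr -o "$1"
}

# Demo against the constructed sample. On a live system replace the sample with
# "$(sudo efibootmgr -v)" and drop DRY_RUN once the printed order looks right.
DRY_RUN=1
order=$(build_boot_order "$SAMPLE_EFIBOOTMGR") && apply_boot_order "$order"
```

The resulting order for the sample is 0000,0003,0007,2003,0001,2001,2002: Shim first, the grubx64.efi entry you are known to boot from second, then the rest unchanged, which is exactly the fallback arrangement the answer recommends. After running the real command, reboot into the firmware, re-enable Secure Boot, and confirm with mokutil --sb-state that it reports "SecureBoot enabled".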