[Bug 2146958] [NEW] --uefi-secure-boot not respected

Tadaen Sylvermane 2146958 at bugs.launchpad.net
Tue Mar 31 20:04:38 UTC 2026 

Public bug reported:

Doing debootstrap installations I've found when chrooted into the
install running grub-install --efi-directory=/boot/efi --bootloader-
id=Ubuntu --target=x86_64-efi --uefi-secure-boot that the final arg is
not followed. Upon loading the new install it has an "invalid key" (
message may be different on other motherboards ).

I can fix this by disabling secure boot, reloading. then installing grub
again, this time with the --uefi-secure-boot flag first, or at the least
not last. I am reporting this from the development resolute but this is
a problem I've run into over the last couple years. Just figured I was
doing it wrong. Finally tracked down what appears to be the cause.

There are no error messages of any kind.

grub2:
  Installed: (none)
  Candidate: 2.14-2ubuntu2
  Version table:
     2.14-2ubuntu2 500
        500 http://us.archive.ubuntu.com/ubuntu resolute/universe amd64 Packages

# System Details Report
---

## Report details
- **Date generated:**                              2026-03-31 13:02:19

## Hardware Information:
- **Hardware Model:**                              Gigabyte Technology Co., Ltd. B550M K
- **Memory:**                                      32.0 GiB
- **Processor:**                                   AMD Ryzen™ 7 5800XT × 16
- **Graphics:**                                    AMD Radeon™ RX 570 Series
- **Disk Capacity:**                               1.0 TB

## Software Information:
- **Firmware Version:**                            F6h
- **OS Name:**                                     Ubuntu Resolute Raccoon (development branch)
- **OS Build:**                                    (null)
- **OS Type:**                                     64-bit
- **GNOME Version:**                               50
- **Windowing System:**                            Wayland
- **Kernel Version:**                              Linux 7.0.0-10-generic

ProblemType: Bug
DistroRelease: Ubuntu 26.04
Package: grub-efi-amd64-signed 1.215+2.14-2ubuntu1
ProcVersionSignature: Ubuntu 7.0.0-10.10-generic 7.0.0-rc4
Uname: Linux 7.0.0-10-generic x86_64
ApportVersion: 2.33.1-0ubuntu7
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Tue Mar 31 12:58:34 2026
SourcePackage: grub2-signed
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: grub2-signed (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug resolute wayland-session

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-signed in Ubuntu.
https://bugs.launchpad.net/bugs/2146958

Title:
  --uefi-secure-boot not respected

Status in grub2-signed package in Ubuntu:
  New

Bug description:
  Doing debootstrap installations I've found when chrooted into the
  install running grub-install --efi-directory=/boot/efi --bootloader-
  id=Ubuntu --target=x86_64-efi --uefi-secure-boot that the final arg is
  not followed. Upon loading the new install it has an "invalid key" (
  message may be different on other motherboards ).

  I can fix this by disabling secure boot, reloading. then installing
  grub again, this time with the --uefi-secure-boot flag first, or at
  the least not last. I am reporting this from the development resolute
  but this is a problem I've run into over the last couple years. Just
  figured I was doing it wrong. Finally tracked down what appears to be
  the cause.

  There are no error messages of any kind.

  grub2:
    Installed: (none)
    Candidate: 2.14-2ubuntu2
    Version table:
       2.14-2ubuntu2 500
          500 http://us.archive.ubuntu.com/ubuntu resolute/universe amd64 Packages

  # System Details Report
  ---

  ## Report details
  - **Date generated:**                              2026-03-31 13:02:19

  ## Hardware Information:
  - **Hardware Model:**                              Gigabyte Technology Co., Ltd. B550M K
  - **Memory:**                                      32.0 GiB
  - **Processor:**                                   AMD Ryzen™ 7 5800XT × 16
  - **Graphics:**                                    AMD Radeon™ RX 570 Series
  - **Disk Capacity:**                               1.0 TB

  ## Software Information:
  - **Firmware Version:**                            F6h
  - **OS Name:**                                     Ubuntu Resolute Raccoon (development branch)
  - **OS Build:**                                    (null)
  - **OS Type:**                                     64-bit
  - **GNOME Version:**                               50
  - **Windowing System:**                            Wayland
  - **Kernel Version:**                              Linux 7.0.0-10-generic

  ProblemType: Bug
  DistroRelease: Ubuntu 26.04
  Package: grub-efi-amd64-signed 1.215+2.14-2ubuntu1
  ProcVersionSignature: Ubuntu 7.0.0-10.10-generic 7.0.0-rc4
  Uname: Linux 7.0.0-10-generic x86_64
  ApportVersion: 2.33.1-0ubuntu7
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Mar 31 12:58:34 2026
  SourcePackage: grub2-signed
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/2146958/+subscriptions

More information about the foundations-bugs mailing list