Incus VM - Ubuntu

I have noticed in the boot-up sequence for an Incus Ubuntu VM that I am seeing the error “secure boot prohibited by boot policy”. That’s interesting because an Ubuntu Incus VM launched with:

incus launch images:ubuntu/24.04/desktop --vm  Desktop-2404 -c boot.autostart=true -c limits.cpu=2 -c limits.memory=4GiB

is booting EFI and I would not think that secure boot would flag an error.

Yeah, I don’t know what part of the boot process is being blocked by secure boot policy, but clearly the OS does start so the bits that matter are allowed.

I find it odd, particularly because Ubuntu can use secure boot, although I consider it a moot point.

Ubuntu clearly does support secure boot in this case as otherwise your OS wouldn’t have booted at all. It simply looks like something in the early boot path of Ubuntu tried to load an unsigned binary and got rejected by the firmware, but that wasn’t critical to the boot sequence so the rest still continued just fine.

FWIW, the specific console error I’m seeing is:

BdsDxe: loading Boot0006 "Ubuntu" from HD(1,GPT,792F4B77-7244-4F4D-88E9-E2C2805571B3,0x800,0x32000)/\EFI\ubuntu\shimx64.efi
BdsDxe: starting Boot0006 "Ubuntu" from HD(1,GPT,792F4B77-7244-4F4D-88E9-E2C2805571B3,0x800,0x32000)/\EFI\ubuntu\shimx64.efi
error: prohibited by secure boot policy.

It appears to come from the shim-signed package:

root@outer:~# ls -l /boot/efi/EFI/ubuntu/shimx64.efi
-rwxr-xr-x 1 root root 966664 Feb 22 07:45 /boot/efi/EFI/ubuntu/shimx64.efi

root@outer:~# ls -l /usr/lib/shim/shimx64.efi*
-rw-r--r-- 1 root root 957042 Apr  4  2024 /usr/lib/shim/shimx64.efi
-rw-r--r-- 1 root root 968592 Apr  4  2024 /usr/lib/shim/shimx64.efi.dualsigned
lrwxrwxrwx 1 root root     36 Apr  4  2024 /usr/lib/shim/shimx64.efi.signed -> /etc/alternatives/shimx64.efi.signed
-rw-r--r-- 1 root root 966664 Apr  4  2024 /usr/lib/shim/shimx64.efi.signed.latest
-rw-r--r-- 1 root root 955656 Apr  4  2024 /usr/lib/shim/shimx64.efi.signed.previous

root@outer:~# ls -l /etc/alternatives/shimx64.efi.signed
lrwxrwxrwx 1 root root 39 Apr  4  2024 /etc/alternatives/shimx64.efi.signed -> /usr/lib/shim/shimx64.efi.signed.latest

But the VM does go on to boot successfully.

I tried this out of curiosity and no error was forthcoming?

andrew@Yoda:~$ incus launch images:ubuntu/24.04/desktop --vm  Desktop-2404 -c boot.autostart=true -c limits.cpu=2 -c limits.memory=4GiB
Launching Desktop-2404
andrew@Yoda:~$ incus shell Desktop-2404
root@Desktop-2404:~# mokutil --sb
SecureBoot enabled
root@Desktop-2404:~# 

The VM spun up and gave me a desktop and behaved normally.

Incus version 6.9

V/R

Andrew

You’re missing the console output. Try this:

incus init images:ubuntu/24.04/desktop --vm Desktop-2404 -c limits.cpu=2 -c limits.memory=4GiB
incus start Desktop-2404 --console

With incus 6.0.3 I see:

To detach from the console, press: <ctrl>+a q
BdsDxe: loading Boot0001 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1)
BdsDxe: starting Boot0001 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1)
error: prohibited by secure boot policy.
-.mount
etc-machine\x2did.mount
dev-hugepages.mount
... etc

But indeed, it spins up successfully.

If you stop it, and do incus start --console again, the error is slightly different on next boot:

BdsDxe: loading Boot0006 "Ubuntu" from HD(1,GPT,E6AEA711-509B-4F79-B2FE-3ECF0A58893C,0x800,0x32000)/\EFI\ubuntu\shimx64.efi
BdsDxe: starting Boot0006 "Ubuntu" from HD(1,GPT,E6AEA711-509B-4F79-B2FE-3ECF0A58893C,0x800,0x32000)/\EFI\ubuntu\shimx64.efi
error: prohibited by secure boot policy.
-.mount
dev-hugepages.mount
dev-mqueue.mount
... etc

Sadly it’s not possible to see what exactly is “prohibited by secure boot policy”. Whatever it is, it can’t be too important.
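As an added example (not code posted by anyone in this thread), the following Python script parses console transcripts like the two above: it pairs each `error: prohibited by secure boot policy.` line with the `BdsDxe: starting ...` line that preceded it and decodes the `HD(...)` node of the boot entry's UEFI device path (partition number, table format, partition GUID, start and size in logical blocks; a 512-byte block is assumed for the MiB conversion). The sample transcript is assembled from the lines posted above. Two things fall out of it: the message is printed after BdsDxe has already handed control to the entry, so it comes from the loaded bootloader chain (the string is GRUB's shim_lock verifier message) rather than from the firmware's boot manager; and on the second boot the entry being started is `\EFI\ubuntu\shimx64.efi` on a 100 MiB GPT partition that starts at 1 MiB, i.e. the ESP, whereas the first boot used a device-only entry for which the firmware falls back to the default `\EFI\BOOT\BOOTX64.EFI` path.

```python
"""Pair UEFI boot-manager console lines with the Secure Boot error.

Added example; not code from the thread. It parses BdsDxe 'loading'/'starting'
lines plus the 'error: prohibited by secure boot policy.' line that can follow
them, and decodes the HD() node of the boot entry's UEFI device path so the
reader can see which entry and which partition had been started when the
error was printed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# BdsDxe: starting Boot0006 "Ubuntu" from HD(...)/\EFI\ubuntu\shimx64.efi
BDS_RE = re.compile(
    r'^BdsDxe: (?P<action>loading|starting) (?P<option>Boot[0-9A-Fa-f]{4}) '
    r'"(?P<label>[^"]*)" from (?P<path>.+)$'
)
# Text form of a UEFI hard-drive media node:
# HD(PartitionNumber,Format,Signature,StartLBA,SizeLBA)
HD_RE = re.compile(
    r'HD\((?P<num>\d+),(?P<fmt>GPT|MBR),(?P<sig>[^,]+),'
    r'(?P<start>0x[0-9A-Fa-f]+),(?P<size>0x[0-9A-Fa-f]+)\)'
)
SB_ERROR = "error: prohibited by secure boot policy."
BLOCK = 512  # assumed logical block size; UEFI paths carry LBAs, not bytes

# Constructed from the two console transcripts posted in the thread.
SAMPLE_CONSOLE = r"""
BdsDxe: loading Boot0001 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1)
BdsDxe: starting Boot0001 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1)
error: prohibited by secure boot policy.
-.mount
etc-machine\x2did.mount
BdsDxe: loading Boot0006 "Ubuntu" from HD(1,GPT,E6AEA711-509B-4F79-B2FE-3ECF0A58893C,0x800,0x32000)/\EFI\ubuntu\shimx64.efi
BdsDxe: starting Boot0006 "Ubuntu" from HD(1,GPT,E6AEA711-509B-4F79-B2FE-3ECF0A58893C,0x800,0x32000)/\EFI\ubuntu\shimx64.efi
error: prohibited by secure boot policy.
-.mount
dev-hugepages.mount
"""


@dataclass
class BootAttempt:
    option: str
    label: str
    path: str
    partition: Optional[dict]   # decoded HD() node, None if the path has none
    efi_file: Optional[str]     # file node after the media node, if any
    secure_boot_error: bool = False


def decode_hd(path: str) -> Optional[dict]:
    """Decode the HD(...) node of a textual UEFI device path."""
    m = HD_RE.search(path)
    if not m:
        return None
    start, size = int(m.group("start"), 16), int(m.group("size"), 16)
    return {
        "partition": int(m.group("num")),
        "format": m.group("fmt"),
        "signature": m.group("sig"),  # partition GUID for GPT, disk id for MBR
        "start_lba": start,
        "size_lba": size,
        "start_mib": start * BLOCK / 2**20,
        "size_mib": size * BLOCK / 2**20,
    }


def efi_file(path: str) -> Optional[str]:
    """Return the '\\EFI\\...' file node that ends the path, if present."""
    _, sep, tail = path.rpartition("/")
    return tail if sep and tail.startswith("\\") else None


def parse_console(text: str) -> list:
    """One BootAttempt per 'starting' line; flag those followed by the
    Secure Boot error before the next BdsDxe line appears."""
    attempts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = BDS_RE.match(line)
        if m:
            if m.group("action") == "starting":
                path = m.group("path")
                current = BootAttempt(m.group("option"), m.group("label").strip(),
                                      path, decode_hd(path), efi_file(path))
                attempts.append(current)
            continue
        if line == SB_ERROR and current is not None:
            current.secure_boot_error = True
    return attempts


def report(attempts) -> list:
    """One human-readable line per boot attempt."""
    out = []
    for a in attempts:
        # A device-only entry makes firmware load the default \EFI\BOOT\BOOTX64.EFI
        where = a.efi_file or r"device-only entry (default \EFI\BOOT\BOOTX64.EFI)"
        if a.partition:
            p = a.partition
            where += " on %s partition %d (%s, %.0f MiB at %.0f MiB)" % (
                p["format"], p["partition"], p["signature"],
                p["size_mib"], p["start_mib"])
        flag = ("Secure Boot policy error printed after this entry started"
                if a.secure_boot_error else "no policy error")
        out.append(f'{a.option} "{a.label}": {where}; {flag}')
    return out


if __name__ == "__main__":
    for line in report(parse_console(SAMPLE_CONSOLE)):
        print(line)
```

Feed it the output of `incus start <vm> --console` (captured with `script` or a terminal log) to see the same correlation for your own VM.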

Ok, yes I got the same message when I opened the console.

I have messed a little with secure boot in the past when I have had to install custom keys and it is fussy on modules being signed. But I can’t see what’s up. It could be a video driver that’s not actually used. Hard to say with just that message. As you say, it still works. I wouldn’t lose any sweat - secure boot is shown as enabled.

If you google the exact error message then you can find a lot of history/suggestions, but it’s a needle in a haystack for finding the particular solution(s) needed to make this go away. Good luck.