6

I already have installed Windows 11 and want to install Ubuntu Server besides. And I want to keep Secure Boot enabled.

It is possible?

If yes, what would happen with Secure Boot if I later installed another distro, not an official Ubuntu flavor. Would the new distro work? Would the installation affect something in Secure Boot and as a result nothing would boot?

karel
  • 122,695
  • 134
  • 305
  • 337
9acca9
  • 63
  • 1
    Ubuntu is QA tested and works in legacy mode, uEFI and Secure-boot uEFI, as do all [Ubuntu flavors](https://ubuntu.com/desktop/flavours} but NO not all non-Ubuntu systems will work with Secure-Boot enabled as they have to arrange/purchase keys (they can provide their own keys that you can load into your firmware too & approve), though many of course will work. – guiverc Dec 10 '24 at 04:19
  • 1
    FYI: Ubuntu Server has five years of supported life; thus if a key is revoked during those five years; new media is supplied; however Ubuntu's flavors only come with three years, so if a key is revoked in years 4-5 (as has happened before in recent LTS years) new media required for Secure-Boot exists on for Ubuntu Desktop/Server & not the flavors .. eg. https://fridge.ubuntu.com/2023/03/23/ubuntu-20-04-6-lts-released/ where you'll note there is NO REFERENCE to any Ubuntu flavors thus flavors of 20.04 won't boot OR install with Secure-Boot enabled anymore. – guiverc Dec 10 '24 at 04:34

1 Answers1

5

Ubuntu is QA (Quality Assurance) tested and works in

  • legacy (CSM) mode,
  • uEFI and
  • Secure-boot uEFI

as do all Ubuntu flavors.

NO not all non-Ubuntu systems will work with Secure-Boot enabled as they have to arrange/purchase keys (they can provide their own keys that you can enroll/load into your firmware too & approve), though many of course will work.

Ubuntu Server has five years of supported life; thus if a key is revoked during those five years; new media is supplied; however Ubuntu's flavors only come with three years, so if a key is revoked in years 4-5 (as has happened before in recent LTS years) you won't have non-revoked media to install or re-install a flavor. For example keys for 20.04 were revoked causing new media to be created for Ubuntu required for Secure-Boot

The Ubuntu team is pleased to announce the release of Ubuntu 20.04.6 LTS (Long-Term Support) for its Desktop and Server products.

Unlike previous point releases, 20.04.6 is a refresh of the amd64 installer media after recent key revocations, re-enabling their usage on Secure Boot enabled systems.

https://fridge.ubuntu.com/2023/03/23/ubuntu-20-04-6-lts-released/

HOWEVER not even Ubuntu flavors provided new media; as the key revocation occurred after the three years of support had ended. You'll note there is no reference to flavors in the announcement link I quote & provided, thus Ubuntu flavors of 20.04 won't boot [ISOs] OR install with Secure-Boot enabled anymore.

guiverc
  • 33,923
  • Ubuntu 20.04 LTS flavors will still install and work; but not with Secure-boot enabled; as packages & setup required for Secure Boot is only setup if Secure Boot is enabled at install time; and flavors only have revoked keys now (updating keys post-install can be done, but the system MAY NOT still boot due to install being made whilst secure-boot was disabled) – guiverc Dec 10 '24 at 04:43
  • In case it's not obvious; flavors provide media up to the .5 point release of the LTS if they've agreed to be LTS (do note: it's wrong to assume all flavors are LTS as they're not; eg. not all were LTS for 18.04! so read announcements and don't just assume) but its optional in regards involvement for subsequent point releases such as the .6 I use as example; with no involvement expected after the three years of flavor LTS. – guiverc Dec 10 '24 at 05:36