Installing Ubuntu 20.04 on Lenovo X1 Carbon (6th gen) with UEFI Secure Boot

Installing Ubuntu 20.04 on a Lenovo X1 Carbon (6th gen) with UEFI Secure Boot can be a relatively painless process (if you are using one of the default install options).

When the Ubuntu 20.04 install DVD ISO image detects that your computer booted using UEFI (Secure Boot), it will ask you to provide a password that you can use to install the Ubuntu-signed Secure Boot version of the grub bootloader and authorize it to your BIOS.

After the first reboot, the X1 BIOS brings up a window where, instead of booting, you need to move down one menu option and view the new certificate, and then accept/install it. At this point it will ask you to type the password you earlier provided to Ubuntu, and if you are able to do so, it will accept the Ubuntu-installed grub bootloader as valid and boot with it. [If you DON’T do this, but try to just boot immediately, it obviously won’t work, and the easiest thing to do is re-do the entire install process, although I’m sure there is some magic you can type with efi tools to give yourself another chance….]

Full Disk Encryption

Installing an encrypted root/swap partition using LVM on a dual boot (with Windows 10) still requires that you manually set a few things up. See my earlier post with Ubuntu 16.04:

Installing an Encrypted Partition with LVM dual boot on Ubuntu 16.04

Surprisingly, not much has changed from 16.04 to 20.04. The instructions would have worked perfectly if I weren’t using a UEFI Secure Boot computer. But when installing on a Secure Boot system, in addition to the “root”, “swap” and “boot” partitions, you also need to tell the Ubuntu installer the location of your system’s EFI partition (pre-existing from the Windows install), which it will mount under /boot/efi.

You do this by selecting the existing EFI partition (likely to be the first partition on your drive), pressing the “change” button near the + and – buttons, and then indicating from the drop-down menu that it should be used as the EFI partition. (It does not actually mention /boot/efi in that menu, but it will mount it at that mount point when booting.)

The key item that you still need to do is make sure that the updated /etc/crypttab file (including the UUID of the device that needs to be decrypted for booting) is properly added to the initramfs before you reboot.

The Ubuntu install DVD ISO image should already have these installed, but if not, you can run this command

apt install lvm2 cryptsetup-initramfs

before regenerating the initramfs for all of the installed kernels:

update-initramfs -c -k all
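A check for the step above, to run after update-initramfs and before rebooting. This is an added example, not part of the original post: the function names, the sample UUID and the sample listing are constructed, and the cryptroot/crypttab path inside the initramfs is an assumption about where the cryptsetup-initramfs hook puts its copy.

```sh
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed.
# On a real system, from the installed root or the chroot:
#   check_crypttab "$(blkid -s UUID -o value /dev/nvme0n1p6)" < /etc/crypttab
#   lsinitramfs /boot/initrd.img-<kernel-version> | initramfs_has_crypt

# check_crypttab LUKS_UUID  (crypttab text on stdin)
# Prints the mapping name of the active entry whose source field is
# UUID=LUKS_UUID; returns non-zero if no such entry exists.
check_crypttab() {
    awk -v want="UUID=$1" '
        /^[ \t]*(#|$)/ { next }            # ignore comments and blank lines
        $2 == want     { print $1; found = 1 }
        END            { exit !found }
    '
}

# initramfs_has_crypt  (file listing, one path per line, on stdin)
# Succeeds only if the listing has both the embedded crypttab and the
# cryptsetup binary. The cryptroot/crypttab path is an assumption about
# where the cryptsetup-initramfs hook stores its copy.
initramfs_has_crypt() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -Eq '^(\./)?cryptroot/crypttab$' &&
    printf '%s\n' "$listing" | grep -Eq '(^|/)sbin/cryptsetup$'
}

# Constructed sample input.
SAMPLE_UUID="11111111-2222-3333-4444-555555555555"
SAMPLE_CRYPTTAB="# <target> <source> <key file> <options>
nvme0n1p6_crypt UUID=$SAMPLE_UUID none luks,discard"
SAMPLE_LISTING="usr/sbin/cryptsetup
cryptroot
cryptroot/crypttab"

printf '%s\n' "$SAMPLE_CRYPTTAB" | check_crypttab "$SAMPLE_UUID" \
    && echo "crypttab references the LUKS partition"
printf '%s\n' "$SAMPLE_LISTING" | initramfs_has_crypt \
    && echo "initramfs carries crypttab and cryptsetup"
```

If either check fails on the real files, fix /etc/crypttab or install the packages above and regenerate the initramfs again before rebooting.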

Don’t worry, if for some reason the crypttab file didn’t get installed into the initramfs or you can’t get the chrooted environment to work, it IS still possible to manually type

cryptsetup luksOpen <your_disk_partition>   <disk_partition_crypt>

from inside the initramfs busybox environment (and then exit) to boot the first time, and then run the update-initramfs command from inside your working install once it is booted. (You did write down the partition names, right? They may look like /dev/sda4 and sda4_crypt if you are on a “regular” drive, or /dev/nvme0n1p6 and nvme0n1p6_crypt if you are using one of the M.2 SSDs.)

You may not need to re-install grub (the default Ubuntu installer probably did it correctly for you) but if you do, you should use the following command to make sure you are using the “efi” package of grub (as opposed to grub-pc for legacy BIOS systems):

apt-get install --reinstall grub-efi

before you issue the

grub-install

command (that adds Ubuntu bootloader into /boot/efi and sets up the proper NVRAM settings for it) or the

update-grub

command that updates it based upon your current disk partitions.

The following are the online resources I found most useful:

General overview of how UEFI works, how to determine if you are in UEFI mode, etc…
https://help.ubuntu.com/community/UEFI

If you are just wanting to do a “vanilla” install without the encrypted disk systems, etc… this is a good guide for how the “default” install should go: https://www.itzgeek.com/post/how-to-install-ubuntu-20-04-lts

This resource is for Debian, but the grub part applies quite well to Ubuntu, and gives good ideas on how to fix/re-install grub: https://wiki.debian.org/GrubEFIReinstall#Reinstalling_grub-efi_on_your_hard_drive

This page had some useful hints about ways to recover from a non-booting LVM setup:
https://feeding.cloud.geek.nz/posts/recovering-from-unbootable-ubuntu-encrypted-lvm-root-partition/

 

 

 
