Ubuntu 20.04 Clean Install on UEFI BIOS with Secure Boot

Video

Dell UEFI BIOS

Lenovo UEFI BIOS

Fixing the FireFox Touchscreen Issue

Black Splash Screen After Software Updates

Create a Bootable USB

The 20.04.1 ISO has had its Grand Unified Bootloader 2 updated and will pass an updated UEFI BIOS with Secure Boot that has been patched to address Security Vulnerability CVE-2020-10713. All older versions of Ubuntu such as 20.04 will be blocked by Secure Boot with Verification Failed: (0x1A) Security Violation.

Create a UEFI Bootable USB on Windows 10

In order to install Ubuntu using a UEFI BIOS

You will need to download the Ubuntu 20.04.1 ISO and need to use Rufus to make the Bootable USB:

Launch Rufus:

Accept the User Account Control Prompt:

Select your USB Flash Drive:

Select, select:

Load your Ubuntu 20.04 ISO:

Change the Partition Scheme to GPT and the File System to FAT32:

Select Start:

Select Write in ISO Mode and select OK:

Select OK to format the USB Flash Drive:

When Finished it will say Ready:

Create a UEFI Bootable USB on Ubuntu

You will need to download the Ubuntu 20.04.1 ISO and then can use the inbuilt utility to make the Bootable USB:

Select Startup Disc Creator:

Select Make Startup Disk:

Select Yes:

Type in your password to authorise this and then select Authenticate:

You should now have your Bootable USB:

Unified Extensive Firmware Interface (UEFI) Setting

Dell Unified Extensive Firmware Interface (UEFI) Settings

Update your UEFI BIOS

All Computers Manufactured in 2012 or later have a Unified Extensive Firmware Interface (UEFI). Make sure your UEFI BIOS is updated to the latest version before attempting to install Ubuntu 20.04 as a number of UEFI BIOS Updates resolve some common Boot Issues. For new Dell systems you can update the BIOS from a USB Flash Drive within the UEFI BIOS Boot Menu. For older models you will have to either update the UEFI BIOS within Windows or use a FreeDOS Bootable USB:

UEFI and Secure Boot

You should install Ubuntu 20.04 with a UEFI BIOS with Secure Boot. The SATA Operation must be AHCI.

Attach your Bootable USB and make sure your Dell PC is powered down. Then power it up and press [F2] to get into the UEFI setup.

Look for Advanced Boot Options and make sure Enable Legacy Option ROMs is Disabled.

Look for Secure Boot and Ensure that it is Enabled:

Next go to Boot Sequence. It should be set to UEFI. Your Ubuntu USB (in my case the SanDisk USB) should display. If you have old versions of Linux they will also display. Uncheck your Bootable USB and highlight any old Linux installations and select Delete Boot Option.

You should now have a single entry, your Ubuntu USB Flash Drive. Select Apply:

Then OK:

Expand System Configuration and go to SATA Operation. The storage controller must be set to AHCI:

The Ubuntu installer doesn't support RAID (Intel Rapid Response Technology) or Intel Optane Memory. If it is enabled the Ubuntu 20.04 installer will halt and tell you to disable Intel RST.

Secure Erase Internal Drives

We can use Dell Data Wipe for a more through wipe of all internal drives than the Format within the Ubuntu install. To do this select the Maintenance Tag and then go to Data Wipe, select Wipe on Next Boot.

Note the Dell Data Wipe does not touch USB Flash Drives or USB External Drives.

Note that only models manufactured in 2016 or later have Dell Data Wipe.

Select OK:

Select No (to proceed):

Then select Exit:

Select Continue:

Select Erase:

Select OK:

Lenovo Unified Extensive Firmware Interface (UEFI) Settings

You should install Ubuntu 20.04 with a UEFI BIOS with Secure Boot. The SATA Operation must be AHCI.

Update your UEFI BIOS

All Computers Manufactured in 2012 or later have a Unified Extensive Firmware Interface (UEFI). Make sure your UEFI BIOS is updated to the latest version before attempting to install Ubuntu 20.04 as a number of UEFI BIOS Updates resolve some common Boot Issues. For Lenovo systems you will have to either update the UEFI BIOS within Windows or use a FreeDOS Bootable USB:

UEFI and Secure Boot

To access the Lenovo UEFI BIOS, power up your Lenovo and press [F1]:

You will be on the Main Tab with System Summary highlighted by default, press [↵] to view the System Summary:

This will give details about the Drives. In my case I have a Samsung M.2 SSD. Press [Esc] to exit the field:

Press [→] to get to the Device Tab, then press [↓] until ATA Drive Setup is selected. Press [↵] to view the options:

Ensure that the SATA Controller is Enabled and Configure SATA as is set to AHCI. Press [Esc] to exit the field:

Press [→] until you highlight the Security Tab and [↓] until you get to Secure Boot and press [↵] to view the settings:

Secure Boot should be Enabled. Press [Esc] to exit the setting:

Press [→] to get to the Startup Tab. The Boot Mode should be UEFI Only and CSM should be Disabled:

Secure Erase Internal Drives

Press [←] until you get to Security tab. Press [↓] and select Hard Disk Password. Although Lenovo call these settings "Hard Disk" they also relate to Solid State Drive.

Press [↓] until you get to (Hard Disk) Drive Password and press [↵]:

In this screen look for Security Erase (HDD) Data. If you do not have this option, your system may be too old to support Data Wipe from the UEFI BIOS and you will have to use a third party utility lke Parted Magic instead.

Press [↓] until you get to Security Erase (HDD) Data.

Unfortunately the Lenovo Data Wipes requires one to setup a temporary Hard Drive Password.

Setting a Drive Password will lock the drive at the drive firmware level and there is some risk doing so. If you set a password and the password is forgotten you will never be able to use the drive again.

Press [↑] until you get to M.2 Drive Password and press [↵].

You have the option to set a User only password or a User + Master Password.

The first is designed for a User Only in which case the user would have full admin access to perform a data wipe.

The latter is designed for a company with a large IT department. The IT department would have the Master password to unlock the device and to perform a data wipe.

Select [User] and press [↵].

Input a basic password in this case I will use the letter a:

Confirm the password:

Select [Continue]:

Press [F10] to save and Exit. Highlight [Yes] and press [↵]:

Your computer will restart:

You will be prompted for your password as your computer begins to reboot. If you have a master password set you can press [F1] to switch to the master user.

In this case, the user password a will be input.

As soon as the user password is input press [F1] to get to the UEFI BIOS Setup. You will be on the Main tab. Press [→] until you get to Security and press [↵]:

Press [↓] until you highlight (Hard) Disk Password and press [↵]:

Then press [↓] until you get to Security Erase (HDD) SSD Data and press [↵]:

Select Erase NVMe Slot 1 Data and press [↵]:

Highlight [Yes] at the confirmation dialog and press [↵]:

Input your User Password and press [↵].

If a user and a master password are set it may only ask for the master password, so you will need to know the master password.

The Secure Erase will be performed and the Drive password will be removed.

Select [Continue] and press [↵]:

It should then have an error stating no Operating System found, this is because your internal drives are blank. You'll need to install Ubuntu 20.04 now:

Booting from a Ubuntu USB

Insert your USB Flash Drive into your Dell and press [F12] while powering up to get to the Boot Menu:

The Boot Mode should be set to UEFI and Secure Boot should be Enabled.

Select your USB Flash Drive and press [↵]:

Insert your USB Flash Drive into your Lenovo and press [F12] while powering up to get to the Boot Menu:

Highlight your USB Flash Drive and select [↵]:

Select Ubuntu:

It will check the USB and load the setup:

Installing Ubuntu

Select Install Ubuntu:

Select your keyboard layout and select Next:

Select your wireless network and select Connect:

Input your wireless password and select Connect:

Select Continue:

Check Install third-party software for graphics and Wi-Fi hardware and additional media formats:

The Ubuntu Boot 20.04 is signed to pass Secure Boot but some of the codecs used and third party graphics drivers are not. You will get limited functionality without these.

The Ubuntu install can enable these and we can still use Secure Boot. To do this the Ubuntu setup which will create a boot entry that include the media codecs and any applicable third party drivers for your hardware and prompt you to create a Machine Owner Key (MOK).

During the first Boot of the Ubuntu install the UEFI BIOS will inform you that there is a new Boot Entry but will only allow it to Boot if you authorise the Boot with the Machine Owner Key. This is a single instance verification, after it is initialised the UEFI BIOS will remember the Boot entry and automatically Boot.

Select Continue:

Select Erase Disk and Install Ubuntu. You can optionally select Advanced Features.

To encrypt the Drive. In this case I won't use any advanced features and select None and then OK:

Select Install Now:

Select Continue:

Select your time-zone:

Input your name, username and password. Note your username has to be all lower case. Select Continue:

The install will proceed:

Select Restart Now:

When this screen shows. Press [↵] and then remove the installation media… If you remove the installation media before pressing [↵] an error will display which you can close.

Machine Owner Key (MOK)

When Ubuntu tries to Boot with the third party codecs it will be blocked by the UEFI BIOS. Select Enroll MOK:

Select Continue:

Select Yes to Enroll the key(s):

Input the password (note on my systems there is no indication on the screen for character input) and then press [↵]:

Then select Reboot:

First Time Boot

Ubuntu should then Boot:

You will be presented with options to sign in with online accounts:

To sign up to Live Patch. Note you will still get security updates without signing up to this:

You can optionally send system feedback to Canonical to help improve the Ubuntu Operating System:

You can optionally enable Location Services (needed if you are to use location based services and things like maps):

Select Done:

You have now installed Ubuntu.

Software Updater

To the top select Activities, then select All Applications at the bottom and launch Software Updater:

Select Install Now:

Input your password and authenticate the software updates:

Select Restart Now to finish installing the updates:

You should then see your OEM logo as your computer reboots:

Then the OEM logo with Ubuntu at the bottom:

And then be taken into the login screen:

Black Splash Screen after Software Updates

On some Dell systems (for example my XPS 13 9365) you may get stuck at the Dell Ubuntu Splash Screen with the white spinner. The white spinner will rotate but nothing else will happen.

To get around this power off the system by holding down the power button for 30 seconds. This will power down your system.

Note older ThunderBolt TB docks seem to be incompatible with the Ubuntu 20.04 Boot such as the TB-16. These should be dis-attached from the system. The dock will work once Ubuntu has booted. The dock likely needs a firmware update from Dell (but the TB-16 is discontinued and Dell had many issues with it and don't list it as Ubuntu compatible so there may not be any firmware updates for it).

When you first power up the Dell you will see a Dell splash logo. Press the [Esc] key. You will see a blue progress bar display.

If you see the black screen with the spinner you have either been too slow to press [Esc] or have pressed [Esc] twice you will have exited the GNU Bootloader. In either case you will need to hold down the power button for 30 s and try again.

The GNU GRUB screen will display.

Press [↓] and highlight Advance Options for Ubuntu then press [↵]:

Press [↓] and select the latest Kernel (Recovery Mode) then press [↵]:

You will see a black screen with some writing. The first line should state:

EFI stub: UEFI Secure Boot is Enabled.

It will then Start Recovery Mode:

Press the [↓] and highlight the dpkg which will check for broken packages and pending packages to be installed and press [↵]:

Select Yes and press [↵]:

Then type in [y] and press [↵]:

Press [↵] to finish the dkpg:

Now press [↓] and highlight grub which will update the bootloader. Press [↵]:

Press [↵] to finish updating the bootloader:

Once this is done select resume and press [↵]:

Then select ok and press [↵]:

Your system should boot normally. Check the Software Updater again.

If you still get stuck at the Dell Ubuntu Splash Screen with the white spinner. Return to the Recovery Menu. Then press [↓] until you get to root, which will launch the root shell prompt. Then press [↵]:

Type in

sudo su

To run all commands as the root user.

A list of commands for NVIDIA graphics card in particular are given in the article below:

To exit the root shell prompt press down [Ctrl] + [ d ].

Once this is done select resume and press [↵]:

Then select ok and press [↵]:

Your system should boot normally. Check the Software Updater again.

Additional Drivers

In the case of my OptiPlex 7040, ThinkStation P320, Latitude 7350 and XPS 13 9365 all necessary system drivers were inbuilt. The auto-rotation sensor of the Latitude 7350 and XPS 13 9365 worked when undocked as a tablet.

Additional drivers such as graphics drivers for NVIDIA graphics cards should be installed automatically. They can be checked with Additional Drivers:

In the case of the ThinkCenter P320 the latest NVIDIA driver is automatically installed for the graphics card:

Optimising for Touch Input

To optimise for Touchscreen select show applications:

Then scroll down until you get to Settings:

To the left hand side, select Screen Display:

Enable Fractional Scaling and set to 125-200 % depending on what you feel is appropriate your touchscreen resolution.

Select Keep Changes:

Also go to Universal Access and swipe, Always Show Universal Access:

To the top right, the Universal Access setting will display. You can enable the Touchscreen Keyboard:

This will automatically open if you are in a field with text entry:

The rotation sensor should be installed by default on most 2 in 1 systems and autorotation should be enabled by default. For example as seen on the XPS 13 9365:

XPS 13 9365 – Ubuntu 20.04 Laptop Mode
XPS 13 9365 – Ubuntu 20.04 Tablet Mode
XPS 13 9365 – Ubuntu 20.04 Tent Mode

Resolving the FireFox Touchscreen Issue

Unfortunately the preinstalled browser FireFox is awful with touchscreen and ruins the Ubuntu Out of Box Experience on Touchscreen. It in essence has a major issue with scrolling, highlighting text opposed to scrolling:

It appears the main issue is that it is configured by default to use dreadful touchscreen settings. Enabling the xinput2 setting in your user profile will resolve the issue. Open a terminal and typein:

echo export MOZ_USE_XINPUT2=1 | sudo tee /etc/profile.d/use-xinput2.sh

Because you are using sudo, super user do you will need to provide your password. Then log out and log back in.

Installing Chromium

Chromium can be installed from the Software Store. Select Ubuntu software:

Select the search button:

Type in Chromium:

Select Install:

Input your password to authorise the install:

You now have Chromium:

You can right click icons on the side panel and remove the unwanted ones. Or you can alternatively swipe them off the side panel:

The Activities window will show all opened applications and folders:

All opened applications will also display on the side panel and an orange dot will be beside them indicating they have one instance opened. Two orange dots will display beside them, if you have more windows opened.

We can right click the items we want to pin to the side panel and pin them or drag them to the side panel:

These settings work well with the Dell Latitude 7350 13 2 in 1 convertible system in both laptop and tablet mode:

How to Reinstall Windows

From time to time there have been questions asking how to reinstall Windows and there have been numerous issues due to the fact that the install.wim within the Windows 10 direct download link ISO often exceeds 4.0 GB and therefore cannot fit on a FAT32 Bootable USB (some utilities will truncate the file making corrupt installation media and others will change the file system to NTFS so the file can fit getting rejected by Secure Boot).

My Windows 10 guide has been updated with instructions on properly splitting the install.wim into <4.0 GB chunks allowing one to make a FAT32 Formatted UEFI Windows 10 Bootable USB on Ubuntu 20.04 which will pass a UEFI BIOS with Secure Boot Enabled:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.