Ubuntu 20.04 Clean Install on UEFI BIOS with Secure Boot

Videos

Dell UEFI BIOS Ubuntu Install

Updating the Dell UEFI BIOS and Firmware in Ubuntu

Lenovo UEFI BIOS Ubuntu Install

Updating the Lenovo UEFI BIOS using a FreeDOS Bootable USB

Fixing the Firefox Touchscreen Scrolling Issue

Fixing the Black Splash Screen After Software Updates

Creating a Windows 10 UEFI Bootable USB in Ubuntu

Linux Vendor Firmware Service

Introduction

Ubuntu is the Linux distribution that has the most mainstream support from chip manufacturers such as Intel, AMD and NVIDIA and OEMs such as Dell and Lenovo. In the vast majority of cases (unless your device is absolutely bleeding edge) all the required drivers will be built into the Linux Kernel or obtained via Ubuntu Software Updates. Ubuntu is open source software, meaning you can download, install and use it without any payment. There are no product keys or activation mechanisms, which are commonly found in commercial products such as Windows. If satisfied you can optionally donate to the Ubuntu project to help fund further development. Ubuntu also uses the GNOME3 Desktop Environment, which offers the best support for 2 in 1 Touchscreen Devices, facilitating auto-rotation using the rotation sensor and a touchscreen keyboard. These are areas in which most other Linux Desktop Environments are lacking. For a more detailed overview of Linux Distributions see my Linux Guide:

Create a Bootable USB

The 20.04.1 ISO ships an updated Grand Unified Bootloader 2 (GRUB 2) and will boot on an updated UEFI BIOS with Secure Boot that has been patched to address Security Vulnerability CVE-2020-10713. All older versions of Ubuntu such as 20.04 will be blocked by Secure Boot on such a system with the error Verification Failed: (0x1A) Security Violation.

Create a UEFI Bootable USB in Windows 10

You will need to download the Ubuntu 20.04.1 ISO or 20.10 ISO. 20.04.1 is recommended as Ubuntu 20.10 uses GNOME 3.38 which has a bug that breaks auto-rotation functionality for 2 in 1 touchscreen devices.

In Windows 10 use Rufus to make the Bootable USB:

Launch Rufus:

Accept the User Account Control Prompt:

Select your USB Flash Drive:

Select, select:

Load your Ubuntu 20.04 ISO:

Change the Partition Scheme to GPT and the File System to FAT32:

Select Start:

Select Write in ISO Mode and select OK:

Select OK to format the USB Flash Drive:

When Finished it will say Ready:

Create a UEFI Bootable USB in Ubuntu

You will need to download the Ubuntu 20.04.1 or 20.10 ISO and then you can use the inbuilt utility to make the Bootable USB:

Select Startup Disc Creator:

Select Make Startup Disk:

Select Yes:

This application requires elevated permissions to format USB devices. You will see the following Authentication Required screen. This is the Linux equivalent of Windows 10 User Account Control. In Linux you need to input your password and select Authenticate to proceed, as opposed to just selecting Yes in Windows.

You should now have your Bootable USB:

Unified Extensible Firmware Interface (UEFI) Settings

Dell Unified Extensible Firmware Interface (UEFI) Settings

Update your UEFI BIOS

All Computers Manufactured in 2012 or later have a Unified Extensible Firmware Interface (UEFI). Make sure your UEFI BIOS is updated to the latest version before attempting to install Ubuntu 20.04 as a number of UEFI BIOS Updates resolve some common Boot Issues. For Dell systems manufactured in 2016 or later you can update the UEFI BIOS from a USB Flash Drive within the UEFI BIOS Boot Menu. For UEFI 2012-2015 models or Legacy 2008-2011 models you will have to either update the UEFI BIOS or Legacy BIOS within Windows or use a FreeDOS Bootable USB:

UEFI and Secure Boot

You should install Ubuntu 20.04 with a UEFI BIOS with Secure Boot (requires a computer manufactured in 2012 or later). The SATA Operation must be AHCI (a computer with a single >250 GB SSD is recommended).

Attach your Bootable USB and make sure your Dell PC is powered down. Then power it up and press [F2] to get into the UEFI setup.

Look for Advanced Boot Options and make sure Enable Legacy Option ROMs is Disabled.

Look for Secure Boot and Ensure that it is Enabled:

Next go to Boot Sequence. It should be set to UEFI. Your Ubuntu USB (in my case the SanDisk USB) should display. If you have old versions of Linux they will also display. Uncheck your Bootable USB and highlight any old Linux installations and select Delete Boot Option.

You should now have a single entry, your Ubuntu USB Flash Drive. Select Apply:

Then OK:

Expand System Configuration and go to SATA Operation. The storage controller must be set to AHCI:

The Ubuntu installer doesn't support RAID (Intel Rapid Response Technology) or Intel Optane Memory. If it is enabled the Ubuntu 20.04 installer will halt and tell you to disable Intel RST.

Secure Erase Internal Drives

We can use Dell Data Wipe for a more thorough wipe of all internal drives than the Format within the Ubuntu install. To do this select the Maintenance Tag and then go to Data Wipe, select Wipe on Next Boot.

Note the Dell Data Wipe does not touch USB Flash Drives or USB External Drives.

Note that only models manufactured in 2016 or later have Dell Data Wipe.

Select OK:

Select No (to proceed):

Then select Exit:

Select Continue:

Select Erase:

Select OK:

Lenovo Unified Extensible Firmware Interface (UEFI) Settings

You should install Ubuntu 20.04 with a UEFI BIOS with Secure Boot (requires a computer manufactured in 2012 or later). The SATA Operation must be AHCI (a computer with a single >250 GB SSD is recommended).

Update your UEFI BIOS

All Computers Manufactured in 2012 or later have a Unified Extensible Firmware Interface (UEFI). Make sure your UEFI BIOS is updated to the latest version before attempting to install Ubuntu 20.04 as a number of UEFI BIOS Updates resolve some common Boot Issues. For Lenovo systems you will have to either update the UEFI BIOS within Windows or use a FreeDOS Bootable USB:

UEFI and Secure Boot

To access the Lenovo UEFI BIOS, power up your Lenovo and press [F1]:

You will be on the Main Tab with System Summary highlighted by default, press [↵] to view the System Summary:

This will give details about the Drives. In my case I have a Samsung M.2 SSD. Press [Esc] to exit the field:

Press [→] to get to the Device Tab, then press [↓] until ATA Drive Setup is selected. Press [↵] to view the options:

Ensure that the SATA Controller is Enabled and Configure SATA as is set to AHCI. Press [Esc] to exit the field:

Press [→] until you highlight the Security Tab and [↓] until you get to Secure Boot and press [↵] to view the settings:

Secure Boot should be Enabled. Press [Esc] to exit the setting:

Press [→] to get to the Startup Tab. The Boot Mode should be UEFI Only and CSM should be Disabled:

Secure Erase Internal Drives

Press [←] until you get to the Security tab. Press [↓] and select Hard Disk Password. Although Lenovo call these settings "Hard Disk" they also relate to Solid State Drives.

Press [↓] until you get to (Hard Disk) Drive Password and press [↵]:

In this screen look for Security Erase (HDD) Data. If you do not have this option, your system may be too old to support Data Wipe from the UEFI BIOS and you will have to use a third party utility like Parted Magic instead.

Press [↓] until you get to Security Erase (HDD) Data.

Unfortunately the Lenovo Data Wipe requires one to set up a temporary Hard Drive Password.

Setting a Drive Password will lock the drive at the drive firmware level and there is some risk doing so. If you set a password and the password is forgotten you will never be able to use the drive again.

Press [↑] until you get to M.2 Drive Password and press [↵].

You have the option to set a User only password or a User + Master Password.

The first is designed for a User Only in which case the user would have full admin access to perform a data wipe.

The latter is designed for a company with a large IT department. The IT department would have the Master password to unlock the device and to perform a data wipe.

Select [User] and press [↵].

Input a basic password. In this case I will use the letter a:

Confirm the password:

Select [Continue]:

Press [F10] to save and Exit. Highlight [Yes] and press [↵]:

Your computer will restart:

You will be prompted for your password as your computer begins to reboot. If you have a master password set you can press [F1] to switch to the master user.

In this case, the user password a will be input.

As soon as the user password is input press [F1] to get to the UEFI BIOS Setup. You will be on the Main tab. Press [→] until you get to Security and press [↵]:

Press [↓] until you highlight (Hard) Disk Password and press [↵]:

Then press [↓] until you get to Security Erase (HDD) SSD Data and press [↵]:

Select Erase NVMe Slot 1 Data and press [↵]:

Highlight [Yes] at the confirmation dialog and press [↵]:

Input your User Password and press [↵].

If a user and a master password are set it may only ask for the master password, so you will need to know the master password.

The Secure Erase will be performed and the Drive password will be removed.

Select [Continue] and press [↵]:

You should then see an error stating no Operating System found. This is because your internal drives are blank. You'll need to install Ubuntu 20.04 now:

Booting from a Ubuntu USB

Insert your USB Flash Drive into your Dell and press [F12] while powering up to get to the Boot Menu:

The Boot Mode should be set to UEFI and Secure Boot should be Enabled.

Select your USB Flash Drive and press [↵]:

Insert your USB Flash Drive into your Lenovo and press [F12] while powering up to get to the Boot Menu:

Highlight your USB Flash Drive and select [↵]:

Select Ubuntu:

It will check the USB and load the setup:

Installing Ubuntu

Select Install Ubuntu:

Select your keyboard layout and select Next:

Select your wireless network and select Connect:

Input your wireless password and select Connect:

Select Continue:

Check Install third-party software for graphics and Wi-Fi hardware and additional media formats:

The Ubuntu Boot 20.04 is signed to pass Secure Boot but some of the codecs used and third party graphics drivers are not. You will get limited functionality without these.

The Ubuntu install can enable these and we can still use Secure Boot. To do this the Ubuntu setup will create a boot entry that includes the media codecs and any applicable third party drivers for your hardware and prompt you to create a Machine Owner Key (MOK).

During the first Boot of the Ubuntu install the UEFI BIOS will inform you that there is a new Boot Entry but will only allow it to Boot if you authorise the Boot with the Machine Owner Key. This is a single instance verification, after it is initialised the UEFI BIOS will remember the Boot entry and automatically Boot.

Select Continue:

Select Erase Disk and Install Ubuntu. You can optionally select Advanced Features to encrypt the Drive. In this case I won't use any advanced features and select None and then OK:

Select Install Now:

Select Continue:

Select your time-zone:

Input your name, username and password. Note your username has to be all lower case. Select Continue:

The install will proceed:

Select Restart Now:

When this screen shows, press [↵] and then remove the installation media. If you remove the installation media before pressing [↵] an error will display which you can close.

Machine Owner Key (MOK)

When Ubuntu tries to Boot with the third party codecs it will be blocked by the UEFI BIOS. Select Enroll MOK:

Select Continue:

Select Yes to Enroll the key(s):

Input the password (note on my systems there is no indication on the screen for character input) and then press [↵]:

Then select Reboot:

First Time Boot

Ubuntu should then Boot:

You will be presented with options to sign in with online accounts:

You will then be presented with the option to sign up to Live Patch. Note you will still get security updates without signing up to this:

You can optionally send system feedback to Canonical to help improve the Ubuntu Operating System:

You can optionally enable Location Services (needed if you are to use location based services and things like maps):

Select Done:

You have now installed Ubuntu.
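To confirm from a terminal that the installed system really did boot in UEFI mode with Secure Boot enabled, and that the Machine Owner Key enrolled above is present, the script below can be used. It is an added example and not part of the original guide; the helper names secure_boot_state and secure_boot_report and the optional directory argument are assumptions made for this example.

```bash
#!/bin/sh
# Added example (not from the original guide): report whether the running
# system booted through UEFI with Secure Boot enabled.
# secure_boot_state and secure_boot_report are hypothetical helper names.

# GUID of the UEFI global variable namespace that holds SecureBoot.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state [EFIVARS_DIR]
# Prints one word: legacy, enabled, disabled or unknown.
secure_boot_state() {
    sbs_dir="${1:-/sys/firmware/efi/efivars}"
    sbs_var="$sbs_dir/SecureBoot-$EFI_GLOBAL_GUID"

    # No efivars directory: the kernel was not started by UEFI firmware.
    if [ ! -d "$sbs_dir" ]; then
        echo "legacy"
        return 0
    fi
    # UEFI boot, but the variable is missing or unreadable.
    if [ ! -r "$sbs_var" ]; then
        echo "unknown"
        return 0
    fi
    # An efivarfs file is 4 attribute bytes followed by the variable data.
    # The SecureBoot data is one byte: 1 = enabled, 0 = disabled.
    sbs_val=$(od -An -tu1 -j4 -N1 "$sbs_var" 2>/dev/null | tr -d ' \n')
    case "$sbs_val" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# secure_boot_report: print the state and, if mokutil is installed, what
# shim reports plus the subject of each enrolled Machine Owner Key.
secure_boot_report() {
    echo "Secure Boot (efivars): $(secure_boot_state)"
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state
        mokutil --list-enrolled | grep 'Subject:'
    else
        echo "mokutil not installed; skipping MOK listing"
    fi
}

# Run the report only when the script is called with the argument "report".
if [ "${1:-}" = "report" ]; then
    secure_boot_report
fi
```

A result of legacy means the installer was booted in Legacy/CSM mode and the UEFI settings described earlier should be rechecked.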

Software Updater

To the top select Activities, then select All Applications at the bottom and launch Software Updater:

Select Install Now:

An Authentication Prompt will display which is equivalent to the Windows 10 User Account Control. A Linux Authentication Prompt requires the user to input their password and select Authenticate, as opposed to just selecting Yes in Windows. This will run the software update as a super user.

Select Restart Now to finish installing the updates:

You should then see your OEM logo as your computer reboots:

Then the OEM logo with Ubuntu at the bottom:

And then be taken into the login screen:

Fixing the Black Splash Screen Issue after Software Updates

On some Dell systems (for example my XPS 13 9365) you may get stuck at the Dell Ubuntu Splash Screen with the white spinner. The white spinner will rotate but nothing else will happen.

To get around this power off the system by holding down the power button for 30 seconds. This will power down your system.

Note older Thunderbolt docks such as the TB-16 seem to be incompatible with the Ubuntu 20.04 Boot. These should be detached from the system. The dock will work once Ubuntu has booted. The dock likely needs a firmware update from Dell (but the TB-16 is discontinued, Dell had many issues with it and does not list it as Ubuntu compatible, so there may not be any firmware updates for it).

When you first power up the Dell you will see a Dell splash logo. Press the [Esc] key. You will see a blue progress bar display.

If you see the black screen with the spinner you have either been too slow to press [Esc], or you have pressed [Esc] twice and exited the GNU Bootloader. In either case you will need to hold down the power button for 30 s and try again.

The GNU GRUB screen will display.

Press [↓] and highlight Advanced Options for Ubuntu then press [↵]:

Press [↓] and select the latest Kernel (Recovery Mode) then press [↵]:

You will see a black screen with some writing. The first line should state:

EFI stub: UEFI Secure Boot is Enabled.

It will then Start Recovery Mode:

Press the [↓] and highlight the dpkg which will check for broken packages and pending packages to be installed and press [↵]:

Select Yes and press [↵]:

Then type in [y] and press [↵]:

Press [↵] to finish the dpkg:

Now press [↓] and highlight grub which will update the bootloader. Press [↵]:

Press [↵] to finish updating the bootloader:

Once this is done select resume and press [↵]:

Then select ok and press [↵]:

Your system should boot normally. Check the Software Updater again.

If you still get stuck at the Dell Ubuntu Splash Screen with the white spinner, return to the Recovery Menu. Then press [↓] until you get to root, which will launch the root shell prompt. Then press [↵]:

Type in

sudo su

To run all commands as the root user.

A list of commands for NVIDIA graphics card in particular are given in the article below:

To exit the root shell prompt press down [Ctrl] + [ d ].

Once this is done select resume and press [↵]:

Then select ok and press [↵]:

Your system should boot normally. Check the Software Updater again.

Additional Drivers

In the case of my OptiPlex 7040, ThinkStation P320, Latitude 7350 and XPS 13 9365 all necessary system drivers were inbuilt. The auto-rotation sensor of the Latitude 7350 and XPS 13 9365 worked when undocked as a tablet.

Additional drivers such as graphics drivers for NVIDIA graphics cards should be installed automatically. They can be checked with Additional Drivers:

In the case of the ThinkStation P320 the latest NVIDIA driver is automatically installed for the graphics card:

Optimising for Touch Input

To optimise for Touchscreen select show applications:

Then scroll down until you get to Settings:

To the left hand side, select Screen Display:

Enable Fractional Scaling and set to 125-200 % depending on what you feel is appropriate for your touchscreen resolution.

Select Keep Changes:

Also go to Universal Access and swipe, Always Show Universal Access:

To the top right, the Universal Access setting will display. You can enable the Touchscreen Keyboard:

This will automatically open if you are in a field with text entry:

The rotation sensor should be installed by default on most 2 in 1 systems and autorotation should be enabled by default. For example as seen on the XPS 13 9365:

XPS 13 9365 – Ubuntu 20.04 Laptop Mode
XPS 13 9365 – Ubuntu 20.04 Tablet Mode
XPS 13 9365 – Ubuntu 20.04 Tent Mode

Resolving the Firefox Touchscreen Scrolling Issue

Unfortunately the preinstalled browser Firefox is configured only for keyboard and mouse use and is awful with a touchscreen user interface. This ruins the Out of Box Experience of Ubuntu 20.04 on a Touchscreen.

In essence it has a major issue with scrolling, highlighting text as opposed to scrolling:

Enabling the xinput2 setting in your user profile will resolve the issue. Open a terminal and type in:

echo export MOZ_USE_XINPUT2=1 | sudo tee /etc/profile.d/use-xinput2.sh

Because you are using a command which contains sudo which is an abbreviation for "super user do" you will need to provide your password. This is the command line equivalent to the Authentication Prompt which is equivalent to the Windows 10 User Account Control Prompt.

To apply the changes you will need to log out and then log back in.

Installing Chromium via the Software Store

In my opinion the Chromium Browser (the open source project both Google Chrome and Microsoft Edge are based upon) gives a vastly superior touchscreen experience and overall experience to Firefox. Chromium can be installed from the Software Store. Select Ubuntu software:

Select the search button:

Type in Chromium. The Ubuntu Snapd Chromium package will display.

This Snap package will install all the prerequisites for Chromium and then Chromium itself as well as applying auto-updates to the Chromium browser.

Select Install:

Installation requires authentication (this is the general user interface equivalent of sudo and Linux equivalent of a Windows User Account Control Prompt). Input your password to authorise the install:

You now have Chromium:

You can right click icons on the side panel and remove the unwanted ones. Or you can alternatively swipe them off the side panel:

The Activities window will show all opened applications and folders:

All opened applications will also display on the side panel and an orange dot will be beside them indicating they have one instance opened. Two orange dots will display beside them, if you have more windows opened.

We can right click the items we want to pin to the side panel and pin them or drag them to the side panel:

These settings work well with the Dell XPS 13 9365 2 in 1 convertible system in laptop, tent and tablet mode:

Installing Chromium via the Terminal

It is worthwhile to take the time to understand the procedure of software installation via the terminal as some third-party software installation guides will require you to use the commands, particularly for more specialised software. Many new Linux users unfortunately just blindly input commands as opposed to taking a moment to understand them.

There are a few commonly used package managers in Ubuntu such as snap, apt and apt-get. Snap is a newer package manager designed to make it easier to install software prerequisites and then the software itself. The apt package manager is available in more Linux distributions. I will use the installation of Chromium to explore the concepts behind these package managers.

Snap

To get details about snap type in the following command:

snap help

This will give you a brief description.

Here you see the form:

snap <command> [option]

The <command> used was help

To get a full description type in:

snap help --all

Here help is the <command> used and --all is the [option] specified.

If the option begins with a double dash -- it is an option flag and if the option begins with a single dash - it is part of an option selection. A flag is a Boolean which means it can either have the value True or False. When not called it is set to False (detailed help doesn't display). When called it is set to True and so detailed help displays.

An option selection allows for multiple options to be used for more complicated commands.

The most commonly used commands are used for software installation and software removal. The snap store will always look for the latest mainstream versions of the Snap packages and there is no need to refresh it like the apt or apt-get package managers.

To install the "chromium" software use (replace "chromium" with the name of your software):

sudo snap install chromium

The command begins with sudo an abbreviation for super user do (the Linux equivalent to run as administrator in Windows). The first line in a terminal session beginning with sudo will prompt for authentication and the user must input their password.

Once the password is input the software will install:

To remove the "chromium" software use:

sudo snap remove chromium

Once again the command begins with sudo.

Removal of the software usually leaves behind some configuration files which may be reused if the software is reinstalled. Sometimes the settings in the configuration files can be problematic and the flag --purge can be added to remove both the software and remove (or purge) the software's configuration. Use the command:

sudo snap remove --purge chromium

Some other package managers may show a series of prompts "are you sure you want to remove …?" and accept the option -y to automatically select yes to each of these prompts. The snap remove command has no -y option and does not ask for confirmation, so nothing needs to be added to the command above.

Advanced Package Tool (APT)

The Advanced Package Tool (APT) is commonly used to install software. To see a list of available commands open up a terminal window and type in:

apt

When using apt it is recommended to first refresh the package lists so that the Advanced Package Tool references the latest available versions of software. This is done by using the command:

sudo apt-get update

The command begins with sudo an abbreviation for super user do (the Linux equivalent to run as administrator in Windows). The first line in a terminal session beginning with sudo will prompt for authentication and the user must input their password.

To install the "chromium-browser" software (replace "chromium-browser" with the name of your software) use:

sudo apt install chromium-browser

The apt command line will install the same Chromium snap package that is installed using the snap command or Ubuntu software store (i.e. in this case it is an alias to the command sudo snap install chromium).

To remove software using apt use:

sudo apt remove chromium-browser

This is an alias to the command sudo snap remove chromium. Removal of the software leaves behind some configuration files which may be reused if the software is reinstalled. Sometimes the settings in the configuration files can be problematic and the flag --purge can be added to remove both the software and remove (or purge) the software's configuration. Use the command:

sudo apt remove --purge chromium-browser

This is an alias to the command sudo snap remove --purge chromium.

The option -y can sometimes be added to an uninstall which will automatically mean yes is selected if the terminal prompts you about removal of a file.

sudo apt remove --purge -y chromium-browser

Some other software packages may include a series of prompts "are you sure you want to remove …?" and the option -y may be included to automatically select yes to each of these prompts.

This acts as an alias to the command sudo snap remove --purge chromium.

Advanced Package Tool Get (APT-Get)

apt was made to simplify the install procedure of apt-get. The simplification is a few characters less in the terminal and also the information supplied back to the user when using the command may be more concise. This essentially means that for a software package where both commands are available apt should in general be used in preference to apt-get.

To find out more details about apt-get open up a terminal and type in:

apt-get

Once again the most commonly used commands are to refresh the package lists that apt-get references:

sudo apt-get update

To install software:

sudo apt-get install chromium-browser

And to remove software:

sudo apt-get remove chromium-browser

The --purge flag and -y option may be added to this command in the same manner as demonstrated above with apt.

Third Party Repositories

The Chromium Snap and Chromium-Browser (apt and apt-get which redirects to the Chromium Snap) software installed above is available in the official software repository. This repository will be referenced by default when installing software.

There has been some resistance to the snap packages by some Linux users and developers of other Linux distributions. They do not like the fact that the snap install auto-updates the Chromium browser and see this as introducing instability as opposed to being a security feature. Moreover they do not like the fact that the command sudo apt install chromium-browser acts as an alias to sudo snap install chromium.

Instead of using the Ubuntu software repository we can use a third party developer's Personal Package Archive (PPA) to install Chromium. The PPA is normally in the form of developer/project. We will use the developer system76 and the project pop (Pop!_OS is a modified Ubuntu distribution). This project contains Chromium as a native apt package as opposed to an alias for the snap package:

sudo add-apt-repository ppa:system76/pop

Then the command:

sudo apt update

Will check for updates to the official repository in addition to updates from the third-party repository.

To install Chromium from the pop repository use:

sudo apt install chromium

The Chromium browser installed using this method will be outdated compared to the snap installed version.

Third party software repositories are listed within the Other Software tab of software and updates:

If you want to remove a third-party ppa, it is first recommended to remove the third party software.

To uninstall the apt version of chromium use:

sudo apt remove chromium

To remove the ppa you need to add the flag --remove:

sudo add-apt-repository --remove ppa:system76/pop
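Packages from a PPA are installed with the same root privileges as packages from the official archive, so it is worth checking from time to time which third-party sources are still enabled. The script below is an added example, not part of the original guide: it does from the terminal what the Other Software tab shows, and labels Launchpad PPAs in the ppa:developer/project form that add-apt-repository --remove expects. The function name third_party_sources and the list of hosts treated as official are assumptions of this example, and it reads only the one-line .list format used by Ubuntu 20.04.

```bash
#!/bin/sh
# Added example (not from the original guide): list enabled apt sources that
# are not official Ubuntu archives. third_party_sources is a hypothetical name.

# third_party_sources [APT_DIR]
# Reads APT_DIR/sources.list and APT_DIR/sources.list.d/*.list (the one-line
# format used by Ubuntu 20.04) and prints: label <TAB> type <TAB> file
# Launchpad PPAs are labelled ppa:owner/name, other sources by their URI.
third_party_sources() {
    tps_dir="${1:-/etc/apt}"
    set --
    for tps_file in "$tps_dir/sources.list" "$tps_dir"/sources.list.d/*.list; do
        if [ -f "$tps_file" ]; then
            set -- "$@" "$tps_file"
        fi
    done
    # Nothing to read: return without letting awk wait on standard input.
    [ "$#" -gt 0 ] || return 0

    awk '
        /^[ \t]*#/ || NF == 0 { next }            # comment or blank line
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            # Skip an optional [arch=... signed-by=...] options block.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i
            rest = uri
            sub("^[a-z+]+://", "", rest)          # drop the scheme
            n = split(rest, part, "/")
            host = part[1]
            sub(":.*$", "", host)                 # drop any port
            # Official archives (including country mirrors) are not reported.
            if (host ~ /(^|\.)archive\.ubuntu\.com$/) next
            if (host == "security.ubuntu.com" || host == "ports.ubuntu.com") next
            label = uri
            if (host ~ /^ppa\.launchpad(content)?\.net$/ && n >= 3)
                label = "ppa:" part[2] "/" part[3]
            print label "\t" $1 "\t" FILENAME
        }
    ' "$@"
}

# Run the audit only when the script is called with the argument "audit".
if [ "${1:-}" = "audit" ]; then
    third_party_sources "${2:-/etc/apt}"
fi
```

An empty result means only the official archives are enabled; commented-out lines, such as a PPA that has been disabled but not removed, are not listed.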

UEFI BIOS Settings for Thunderbolt Dell Dock Compatibility

Ubuntu seems to have issues with Dell Thunderbolt Docks during Boot.

On my XPS 13 9365 with a TB16 or WD19TB the system hung during Boot when the Laptop Lid was open unless paradoxically Always Allow Dell Docks was Disabled and the Thunderbolt Security was set to No Security.

To change these setting, power up your Dell Laptop and press [F2] to enter the UEFI BIOS Setup:


Select Dell Type-C Dock Configuration and change to the following:

Select USB/Thunderbolt Configuration and change to the following:

When the Laptop Lid was closed, Ubuntu seemed to Boot but only returned a Black Screen, i.e. no display was output. Likely a newer Firmware Update is required for these Thunderbolt Docks.

Booting the laptop without the Dock and then plugging in the Dock seems to work.

Linux Vendor Firmware Service

For newer systems you may be able to use the Linux Vendor Firmware Service to keep your UEFI BIOS and Firmware up to date. For more details see:

Creating a Windows 10 UEFI Bootable USB in Ubuntu

From time to time there have been questions asking how to reinstall Windows and there have been numerous issues due to the fact that the install.wim within the Windows 10 direct download link ISO often exceeds 4.0 GB and therefore cannot fit on a FAT32 Bootable USB (some utilities will truncate the file making corrupt installation media and others will change the file system to NTFS so the file can fit getting rejected by Secure Boot).

I have created an up to date guide with instructions on either creating a UEFI Bootable USB that passes Secure Boot or a Legacy BIOS Bootable USB.

2 thoughts on “Ubuntu 20.04 Clean Install on UEFI BIOS with Secure Boot”

  1. The installation of Ubuntu 20.04 in the Latitude 7350 2 in 1 worked? Out of the box?
