On Linux machines with Secure Boot enabled, you may see something like this:

---------------------Secure Boot Violation---------------------
|Invalid signature detected. Check Secure Boot Policy in Setup|
|-------------------------------------------------------------|
|                          [  OK  ]                           |
---------------------------------------------------------------

There can be different reasons for this. But if it occurs right after a bootloader rebuild (e.g. after kernel upgrades), most likely your UEFI boot order is messed up.

Solution

Check your boot order with:

efibootmgr -v

Assuming that you want to boot straight into the OS, e.g. Ubuntu, a wrong sequence can look like this:

BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0003,0002,0000,0001
Boot0000* ubuntu
Boot0001* CDROM
Boot0002* NIC
Boot0003* ubuntu

In this example Ubuntu tries to boot with an unsigned bootloader (which is obviously not gonna work). Let's change the first boot entry from grubx64.efi to shimx64.efi, so the sequence becomes: 0000,0003,0001,0002.

We can set it directly in BIOS/UEFI or with efibootmgr:

efibootmgr -o 0000,0003,0001,0002

Reboot the machine to test changes.
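
The check above can be scripted. This is an added example, not part of the original post: it reads `efibootmgr -v` output and reports which loader file the first BootOrder entry starts. The sample output is constructed; the GUIDs are placeholders, and the mapping of 0000 to shimx64.efi and 0003 to grubx64.efi is an assumption consistent with the fix above.

```shell
#!/bin/sh
# Added example: show which EFI loader the first BootOrder entry starts.
# Functions read `efibootmgr -v` output on stdin, so saved output works too.

# Constructed sample: GUIDs are placeholders, and 0000 -> shim / 0003 -> grub
# is an assumption consistent with the article's fix.
sample_output() {
cat <<'EOF'
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0003,0002,0000,0001
Boot0000* ubuntu HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* CDROM BBS(CDROM,,0x0)
Boot0002* NIC BBS(Network,,0x0)
Boot0003* ubuntu HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x100000)/File(\EFI\ubuntu\grubx64.efi)
EOF
}

# Print "<entry number> <loader file name>" for the first entry in BootOrder.
first_loader() {
    awk '
        /^BootOrder:/ { split($2, order, ","); first = order[1] }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            num = substr($0, 5, 4)
            file = "-"                       # entry has no File(...) node
            if (match($0, /File\([^)]*\)/)) {
                file = substr($0, RSTART + 5, RLENGTH - 6)
                sub(/.*\\/, "", file)        # keep only the file name
            }
            loader[num] = file
        }
        END { print first, loader[first] }
    '
}

# Return 0 only if the first boot entry loads a shim binary.
boots_via_shim() {
    case "$(first_loader | awk '{ print tolower($2) }')" in
        shim*.efi) return 0 ;;
        *)         return 1 ;;
    esac
}

# Demo on the constructed sample; on a real machine: efibootmgr -v | first_loader
if sample_output | boots_via_shim; then
    echo "OK: first boot entry loads shim"
else
    echo "WARN: first boot entry is $(sample_output | first_loader)"
fi
```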
