• ×
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
  • ×
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
Guidelines
Seize the moment! nominate yourself or a tech enthusiast you admire & join the HP Community Experts!
Locked

‎06-26-2025 11:55 AM

HP Recommended
Product: HP OmniBook Ultra 14 inch Laptop Next Gen AI PC 14-fd0000 (A4AD0AV)
Operating System: Ubuntu LTS

Hi,
I can't find an existing solution that works for me, hope anyone can help.

 

I just installed Ubuntu 24.04.2 LTS on my OmniBook Ultra and it only works as long as I keep Secure Boot disabled in the BIOS.

 

As soon as I enable Secure Boot, I am hit with an error message "Selected boot image did not authenticate".

 

I have found suggestions to go into the Secure Boot settings in Bios and check the "Enable MS UEFI CA Key" option.

However, my BIOS (newest version, freshly updated to 01.01.16 Rev.A) does NOT have such an option.

 

Since I would like to enable this recommended security feature, please advise me how to enable the MS UEFI CA Key on my device, or how to otherwise add my Ubuntu Bootloader to the list of trusted boot images.

 

Thanks

2 people had the same question
1 REPLY 1

‎01-22-2026 04:52 AM

HP Recommended

Hello @ab26545 ,

 

Welcome to HP Support Community.

 

The error “Selected boot image did not authenticate” means the UEFI firmware is refusing to boot your Ubuntu bootloader because Secure Boot considers it not trusted. On many HP systems that ship with Windows, Secure Boot trusts only certain keys, and older or third-party keys (like some Linux bootloaders or custom chains) may not be accepted by default.

 

 What does work on most systems

1. Use Ubuntu’s signed shim bootloader

Ubuntu 24.04 includes a UEFI shim signed with Microsoft keys. On many laptops that include the Microsoft UEFI CA in firmware, this lets Secure Boot work without disabling it.

 

However:

  • Some HP devices exclude the Microsoft Third Party UEFI CA key to reduce attack surface — meaning they won’t trust the shim.

  • In those cases, even signed shim won’t authenticate, which is exactly the error you’re seeing.

Possible ways to enable Secure Boot with Ubuntu

Option A — Add Your Keys Manually (Custom Secure Boot)

You can enroll your own Secure Boot keys so the firmware will trust Ubuntu’s bootloader:

 

  1. Generate your own Platform Key (PK), Key Exchange Key (KEK), and db/dbx
    Use tools like sbsigntools, efitools, or Ubuntu’s mokutil to generate keys and sign the Ubuntu bootloader (grubx64.efi).

  2. Enroll them in UEFI

    • In BIOS Secure Boot menu, switch to Custom key mode (if available).

    • Enroll the generated keys manually.

  3. Sign the bootloader

    • Sign grubx64.efi with your created db key.

    • Use efibootmgr to register the new signed boot entry.

  4. Re-enable Secure Boot

This is the Linux-native way to get Secure Boot working with any bootloader, but it’s advanced and the BIOS must allow custom keys. Some HP BIOSes don’t allow it without special options.

⚠️ Option B — Enable HP Sure Start / Clear Secure Boot Keys

On some HP laptops you can:

  • Disable Sure Start Secure Boot Keys Protection

  • Clear existing keys

  • Re-import keys including Microsoft CA and custom keys

…but as you’ve seen, your BIOS may not expose this option.

Option C — Contact HP Support for BIOS Modification

HP support documents indicate that for some affected models, the “Enable MS UEFI CA Key” option can be added at factory or via special firmware. You’d need to contact HP support/representative because it’s not available in consumer BIOS menus.

 

Hope this helps!

I am an HP Employee. Although I am speaking for myself and not for HP.
Click Helpful = Yes to say Thank You.
Question / Concern Answered, Click "Accept as Solution"
Was this reply helpful? Yes No
Warning
Be alert for scammers posting fake support phone numbers and/or email addresses on the community.
If you think you have received a fake HP Support message, please report it to us by clicking on "Flag Post".
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.
Didn't find what you were looking for? Ask the community
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.