Installing Ubuntu on ASUS ExpertBooks - overcoming UEFI issues

ASUS ExpertBooks are popular enterprise laptops with a well-priced combination of hardware and solid build quality. However, installing Ubuntu on these laptops can be challenging due to UEFI issues. In this blog post, I am documenting the challenges and the steps to overcome these issues and successfully install Ubuntu on ASUS ExpertBooks.

Whilst UEFI is arguably useful, the choices made by ASUS in their BIOS settings are problematic. Whilst I have no knowledge of the exact reasons for these choices, they seem to be overly restrictive and limiting for advanced users. Enforcing the device to boot only from the UEFI firmware can be problematic for advanced users who want to dual-boot or install other operating systems.

Having an option in the BIOS to “Disable” Secure Boot Control, but not just ignoring it, seems more like an arsehole move than a concern about security. It’s important to note that disabling Secure Boot Control does not compromise the security of the system, as it only affects the ability to boot from non-UEFI firmware.

And it also seems pretty dumb move by Canonical to not ship the the Ubuntu ISO with the dual-signed shim by default causing these issues with these hardware configuration. This is causing a lot of unnecessary frustration for users who want to install Ubuntu on these laptops.

My setup is as follows:

• ASUS ExpertBook P1
• BIOS Version: 306

To be able to install Ubuntu on this laptop, you can forget all the BIOS settings as all the relevant BIOS features are disabled by default. You have to fix the UEFI shim on the USB boot drive.

To be able to modify the UEFI shim on the USB boot drive, you need to firstly create the USB drive with an editable file system. Using tools like Balena Etcher or the inbuild disk writer (dd) creates an ISO9660 filesystem, which is read-only. To create a USB drive with an editable file system, the easiest way is to use the Startup Disk Creator (usb-creator-gtk).

sudo apt install usb-creator-gtk

Once the USB drive is created, you can modify the UEFI shim by following these steps:

1. Mount the USB drive:

sudo mkdir /mnt/usb
sudo mount /dev/sdX2 /mnt/usb

2. Copy the shim file to the USB drive:

sudo cp /usr/lib/shim/shim.efi /mnt/usb/EFI/BOOT/bootx64.efi

3. Unmount the USB drive:

sudo umount /mnt/usb

Now you can boot from the USB drive and install Ubuntu on your ASUS ExpertBook.

However, thanks to Canonical’s decision to not ship the Ubuntu ISO with the dual-signed shim by default, you will not be able to boot from the USB drive without modifying the shim file. To do this, you can follow the steps outlined above to modify the shim file on the USB drive.

# Create mount points
sudo mkdir -p /mnt /mnt/boot /mnt/boot/efi

# Unlock LUKS encrypted root
sudo cryptsetup luksOpen /dev/nvme0n1p3 cryptroot

# Activate LVM inside the LUKS container
sudo vgscan
sudo vgchange -ay

# Mount root, /boot, and EFI
sudo mount /dev/mapper/ubuntu--vg-root /mnt
sudo mount /dev/nvme0n1p2 /mnt/boot
sudo mount /dev/nvme0n1p1 /mnt/boot/efi

# Replace dual-signed shim
sudo cp /usr/lib/shim/shimx64.efi.dualsigned /mnt/boot/efi/EFI/ubuntu/shimx64.efi
sudo cp /usr/lib/shim/shimx64.efi.dualsigned /mnt/boot/efi/EFI/BOOT/BOOTX64.EFI

You should now be able to boot the notebook and have a working Ubuntu installation running. It should not be that hard!!! One can only hope that at least Canonical will fix this issue with the dual-signed shim in the future.

Shame on ASUS for crippling their own hardware with proprietary firmware hiding important options and preventing users from booting anything other than signed by Microsoft.

Thank you

A thanks goes to Oliver Swift for his guide that was most helpful troubleshooting UEFI issues: https://oliverswift.github.io/B1502CBA/ - as there is zero documentation from ASUS.

• Ubuntu
• Uefi
• Asus
• Expertbook