I can reproduce the error. It appears that the secure boot validation has been disabled through MokManager, but shim still insist to enforce it and spew "system is compromised ..." when grub is told to skip shim_lock to honor the setting. The step to reproduce: (Secure Boot Standard Mode in firmware) 1. mokutil --disable-validation 2. reboot 3. Press Down and Enter in shim menu to *Change secure boot state* 4. Enter three password characters. 5. Press y and Enter to confirm *disabling* Secure Boot 6. Press any key to reboot system (reboot) 7. "Bootloader has not verified loaded image. System is compromised, halting" logged on screen when trying to boot linux kernel Also we can observe whether secure boot validation has been disabled via examining the MokSBStateRT variable. cd /sys/firmware/efi/efivars hexdump -C MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23 00000000 06 00 00 00 01 |.....| 00000005 "1" means secure boot validation disabled, in other words putting shim in "insecure" mode intentionally to allow booting unsigned image even if secure boot is enabled in firmware. It then looks like shim issue to me ... Gary did you have any idea ? Thanks.