Secure boot MOK password requested for every kernel update even when booting in insecure mode

Bug #1809274 reported by Wes
This bug affects 3 people
Affects                  Status      Importance  Assigned to  Milestone
linux (Ubuntu)           Incomplete  Undecided   Unassigned
mokutil (Ubuntu)         Confirmed   Undecided   Unassigned
update-manager (Ubuntu)  Confirmed   Undecided   Unassigned

Bug Description

To reproduce:
 - Disable kernel secure boot (booting in insecure mode). System secure boot still enabled
 - Update kernel with update-manager

On every kernel update, a dialog appears asking me to enter a MOK secure boot password for temporarily disabling secure boot.
See screenshot

When I reboot, the MOK config screen appears, but I can just ignore it and it boots fine, since secure boot is already disabled in the kernel.
Which makes me wonder why it even needs to ask me to enter a secure boot password every time I update the kernel.

Expected: only ask for a secure boot password on update if it actually needs to disable kernel secure boot, and kernel secure boot is not already disabled.

Note that the output of mokutil --sb-state is:
SecureBoot enabled

However, kernel secure boot is disabled and the system GRUB bootloader prints a message "Booting in insecure mode" on startup.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-headers-generic 4.15.0.43.45
ProcVersionSignature: User Name 4.15.0-42.45-generic 4.15.18
Uname: Linux 4.15.0-42-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC1: ubuntu 1672 F.... pulseaudio
 /dev/snd/controlC0: ubuntu 1672 F.... pulseaudio
CurrentDesktop: ubuntu:GNOME
Date: Thu Dec 20 10:49:48 2018
EcryptfsInUse: Yes
HibernationDevice: RESUME=none
InstallationDate: Installed on 2018-09-12 (98 days ago)
InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
MachineType: Dell Inc. Latitude 3340
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-42-generic root=UUID=1c6a1916-ac97-4bdf-8f15-14d986e621a2 ro
RelatedPackageVersions:
 linux-restricted-modules-4.15.0-42-generic N/A
 linux-backports-modules-4.15.0-42-generic N/A
 linux-firmware 1.173.2
SourcePackage: linux
UpgradeStatus: Upgraded to bionic on 2018-09-28 (82 days ago)
dmi.bios.date: 07/09/2018
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A17
dmi.board.vendor: Dell Inc.
dmi.chassis.type: 9
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvrA17:bd07/09/2018:svnDellInc.:pnLatitude3340:pvr00:rvnDellInc.:rn:rvr:cvnDellInc.:ct9:cvr:
dmi.product.name: Latitude 3340
dmi.product.version: 00
dmi.sys.vendor: Dell Inc.
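
The check asked for under "Expected", as an added example that is not code from this report or from any Ubuntu package. It derives the effective state from the firmware SecureBoot variable together with shim's MokSBStateRT variable, so that a prompt is only warranted when validation is actually enforced. It assumes the efivarfs layout (4 attribute bytes, then the data) and that a MokSBStateRT value of 1 means shim validation is disabled; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Ubuntu's code): effective Secure Boot state from efivarfs.
# Assumptions: each efivarfs file is 4 attribute bytes followed by the data;
# a MokSBStateRT data byte of 1 means shim validation is disabled.
SB_VAR=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c     # EFI global GUID
MOK_VAR=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23  # shim GUID

# Print the first data byte of an efivarfs file in decimal (empty if absent).
efivar_byte() {
    [ -r "$1" ] || return 0
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# effective_sb_state [EFIVARS_DIR]
# Prints: unsupported | firmware-disabled | shim-validation-disabled | enforcing
effective_sb_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo unsupported; return 0; }
    sb=$(efivar_byte "$dir/$SB_VAR")
    mok=$(efivar_byte "$dir/$MOK_VAR")
    if [ "$sb" != 1 ]; then
        echo firmware-disabled
    elif [ "$mok" = 1 ]; then
        echo shim-validation-disabled
    else
        echo enforcing
    fi
}

# Succeeds only when validation is really enforced, the one case where
# prompting for a MOK password to disable it is meaningful.
needs_mok_prompt() {
    [ "$(effective_sb_state "${1:-}")" = enforcing ]
}

# Constructed sample tree: write_sample DIR SB_BYTE [MOK_BYTE]
write_sample() {
    mkdir -p "$1"
    { printf '\006\000\000\000'; printf "\\00$2"; } > "$1/$SB_VAR"
    if [ -n "${3:-}" ]; then { printf '\006\000\000\000'; printf "\\00$3"; } > "$1/$MOK_VAR"; fi
}

# Demo on constructed data matching the report: firmware on, shim validation off.
demo=$(mktemp -d)
write_sample "$demo" 1 1
echo "reported machine: $(effective_sb_state "$demo")"
rm -rf "$demo"
```

Called with no argument, effective_sb_state reads the live /sys/firmware/efi/efivars tree.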

Wes (wesinator) wrote :
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1809274

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mokutil (Ubuntu):
status: New → Confirmed
Changed in update-manager (Ubuntu):
status: New → Confirmed