Secure boot MOK password requested for every kernel update even when booting in insecure mode
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Incomplete
|
Undecided
|
Unassigned | ||
mokutil (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
update-manager (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
To reproduce:
- Disable kernel secure boot (booting in insecure mode). System secure boot still enabled
- Update kernel with update-manager
On every kernel update, a dialog appears asking me to enter a MOK secure boot password for temporarily disabling secure boot.
See screenshot
When I reboot, the MOK config screen appears, but I can just ignore it and it boots fine, since secure boot is already disabled in the kernel.
Which makes me wonder why it even needs to ask me to enter a secure boot password every time I update the kernel.
Expected: only ask for a secure boot password on update if it actually needs to disable kernel secure boot, and kernel secure boot is not already disabled.
Note that the output of mokutil --sb-state
SecureBoot enabled
However, kernel secure boot is disabled and the system GRUB bootloader prints a message "Booting in insecure mode" on startup
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-headers-
ProcVersionSign
Uname: Linux 4.15.0-42-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/
/dev/snd/
CurrentDesktop: ubuntu:GNOME
Date: Thu Dec 20 10:49:48 2018
EcryptfsInUse: Yes
HibernationDevice: RESUME=none
InstallationDate: Installed on 2018-09-12 (98 days ago)
InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
MachineType: Dell Inc. Latitude 3340
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=
RelatedPackageV
linux-
linux-
linux-firmware 1.173.2
SourcePackage: linux
UpgradeStatus: Upgraded to bionic on 2018-09-28 (82 days ago)
dmi.bios.date: 07/09/2018
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A17
dmi.board.vendor: Dell Inc.
dmi.chassis.type: 9
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.
dmi.product.name: Latitude 3340
dmi.product.
dmi.sys.vendor: Dell Inc.
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1809274
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.