If not enrolling keys before MOK timeout, Ubuntu lists proprietary drivers as enabled when they are not

Bug #1826132 reported by Pierre Equoy
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
mokutil (Ubuntu) | New | Undecided | Unassigned |
nvidia-graphics-drivers-418 (Ubuntu) | New | Undecided | Unassigned |

Bug Description

Summary
===========

When installing 19.04 on a device with secure boot enabled, there is an option to install 3rd party drivers that requires entering a password, which will be asked for again when rebooting in order to enroll the keys.

The screen to enroll the keys has a 10-second timeout. If the user misses this, the device boots without enrolling the keys, and therefore all the installed packages (such as nvidia dkms drivers) are unable to execute. This results in a device where "Additional Drivers" states that nvidia proprietary drivers are in use when they are actually not.

Steps to reproduce
===========

0. Pre-requisites: a device that requires proprietary drivers (typically, a laptop with an nvidia discrete GPU)
1. Make sure the device has secure boot enabled and start the 19.04 installation on it
2. Select "Install 3rd party drivers" and input a password
3. When the install finishes, reboot
4. When the MOK screen appears (blue screen), wait until it times out (10 seconds)
5. Log in to Ubuntu and go to the "Additional Drivers" tab of the "Software & Updates" program

Expected result
===========

5. Device is using default open source driver (nouveau in the case of nvidia GPU)

Actual result
===========

5. "Additional drivers" tab states that "This device is using the recommended driver" and the proprietary metapackage is checked (nvidia-driver-418 in my case). nvidia-settings is also available, but it lacks all the usual features and only has a PRIME Profile option to select nvidia or Intel. No matter which is selected, "glxinfo | grep renderer" returns Intel GPU.

In the logs, we can see things like:

Apr 24 15:28:52 u-Precision-5530 kernel: [ 1.512992] PKCS#7 signature not signed with a trusted key
...
Apr 24 15:28:59 u-Precision-5530 nvidia-settings-autostart.desktop[2027]: ERROR: NVIDIA driver is not loaded
Apr 24 15:28:59 u-Precision-5530 nvidia-settings-autostart.desktop[2027]: ERROR: Unable to load info from any available system
...
Apr 24 15:29:07 u-Precision-5530 gdm3[1251]: modprobe: ERROR: could not insert 'nvidia': Operation not permitted
Apr 24 15:29:07 u-Precision-5530 kernel: [ 26.225723] PKCS#7 signature not signed with a trusted key
Apr 24 15:29:07 u-Precision-5530 gdm3[1251]: modprobe: ERROR: could not insert 'nvidia': Operation not permitted

Workaround
===========

1. Go back to the "Additional Drivers" tab, select the nouveau driver, click Apply
2. Restart the device, return to Software & Updates' "Additional Drivers" tab, select the nvidia proprietary driver, click Apply
3. When required, input a password that's gonna be required to enroll the keys
4. Restart the device, and this time enroll the keys in the blue MOK screen and continue boot

This time:

$ glxinfo | grep renderer
OpenGL renderer string: Quadro P1000/PCIe/SSE2

and nvidia-settings displays all the info and parameters related to the nvidia GPU.

ProblemType: Bug
DistroRelease: Ubuntu 19.04
Package: mokutil 0.3.0+1538710437.fb6250f-0ubuntu2
ProcVersionSignature: Ubuntu 5.0.0-13.14-generic 5.0.6
Uname: Linux 5.0.0-13-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.10-0ubuntu27
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Wed Apr 24 16:15:07 2019
InstallationDate: Installed on 2019-04-24 (0 days ago)
InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416)
SourcePackage: mokutil
UpgradeStatus: No upgrade log present (probably fresh install)

Pierre Equoy (pieq) wrote :
tags: added: ce-qa-concern
summary: - device status in a weird state if not enrolling keys before MOK timeout
+ If not enrolling keys before MOK timeout, Ubuntu lists proprietary
+ drivers as enabled when they are not
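
A log check for the failure described in this report, as an added example that is not part of the original bug report or of any Ubuntu tooling: it pairs each modprobe "Operation not permitted" error with a kernel "PKCS#7 signature not signed with a trusted key" message from the same moment, which separates a Secure Boot signature rejection from other load failures. The function name, the 2-second window and the year added to the timestamps are assumptions; the sample lines are the ones quoted in the report.

```python
import re
from datetime import datetime, timedelta

# Log lines as quoted in the report above, including its "..." elisions.
SAMPLE_LOG = [
    "Apr 24 15:28:52 u-Precision-5530 kernel: [ 1.512992] PKCS#7 signature not signed with a trusted key",
    "...",
    "Apr 24 15:28:59 u-Precision-5530 nvidia-settings-autostart.desktop[2027]: ERROR: NVIDIA driver is not loaded",
    "Apr 24 15:28:59 u-Precision-5530 nvidia-settings-autostart.desktop[2027]: ERROR: Unable to load info from any available system",
    "...",
    "Apr 24 15:29:07 u-Precision-5530 gdm3[1251]: modprobe: ERROR: could not insert 'nvidia': Operation not permitted",
    "Apr 24 15:29:07 u-Precision-5530 kernel: [ 26.225723] PKCS#7 signature not signed with a trusted key",
    "Apr 24 15:29:07 u-Precision-5530 gdm3[1251]: modprobe: ERROR: could not insert 'nvidia': Operation not permitted",
]

# syslog-style line: timestamp, host, source with optional [pid], message
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([^:\[]+)(?:\[\d+\])?: (.*)$")
UNTRUSTED = "PKCS#7 signature not signed with a trusted key"
INSERT_FAIL = re.compile(r"could not insert '([^']+)': Operation not permitted")

def signature_rejections(lines, window_s=2, year=2019):
    """Map module name -> number of failed loads that coincide (within
    window_s seconds) with a kernel signature-trust rejection."""
    untrusted, failures = [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # elisions ("...") and malformed lines are skipped
        stamp, source, msg = m.groups()
        # syslog timestamps carry no year; one is supplied (assumption)
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if source == "kernel" and UNTRUSTED in msg:
            untrusted.append(ts)
        elif (hit := INSERT_FAIL.search(msg)):
            failures.append((ts, hit.group(1)))
    window = timedelta(seconds=window_s)
    rejected = {}
    for ts, module in failures:
        # EPERM alone is ambiguous; count it only next to a trust rejection
        if any(abs(ts - u) <= window for u in untrusted):
            rejected[module] = rejected.get(module, 0) + 1
    return rejected

if __name__ == "__main__":
    for module, count in signature_rejections(SAMPLE_LOG).items():
        print(f"{module}: {count} load attempt(s) rejected, signing key not trusted")
```

A non-empty result for a module whose package "Additional Drivers" shows as in use is the mismatch this bug describes.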