Shim now reports "booting in insecure mode" regardless of BIOS setting

Bug #1590668 reported by Broadsworde
This bug affects 1 person
Affects: shim (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

I just installed a nice fresh Ubuntu 16.04 on my Samsung Series 5 Laptop, and noted the new option in the install screens that required a password to disable secure mode booting - I unsuspectingly chose that option, as I wanted to install the 3rd party support options. So then on reboot it takes me through my new secure boot password (random letters) and hey presto I'm now booting insecurely... and get this 2 to 3 second message telling me so (slowing down the boot process). Further research showed me that all the OS needs is for Secure Booting to be turned off in BIOS, so, erm... why didn't they just get the user to do that ahead of time, or at least give a fulsome explanation for those who need to dual-boot?

Anyway, my question: Now that I have this "Booting in insecure mode" message in my boot process, how do I get rid of it? I have of course tried reinstalling a number of times with Secure Boot in BIOS on and off.

I have subsequently found out this is a SHIM issue, which is why I'm posting this bug.

Your assistance would be very much appreciated.

Steve Langasek (vorlon) wrote :

> I unsuspectingly chose that option, as I wanted to install the
> 3rd party support options.

If you were presented with this option, it was because you had already selected to install third-party drivers that would require disabling Secure Boot.

> Further research showed me that all the OS needs is for Secure Booting
> to be turned off in BIOS, so, erm... why didn't they just get the user to do
> that ahead of time

Because there is no consistent user interface for disabling Secure Boot in the firmware, making it impossible to provide clear directions for all users to follow.

> Anyway, my question: Now that I have this "Booting in insecure mode" message
> in my boot process, how do I get rid of it? I have of course tried reinstalling a
> number of times with Secure Boot in BIOS on and off.

If you want to re-enable SecureBoot validation within shim, you can do so by running this command, then rebooting to confirm the change:

  sudo mokutil --enable-validation

However, doing so will render any third-party kernel drivers (e.g., nvidia video drivers) inoperable on your system, which may result in a degraded experience.
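
Added example, not part of the original thread: a read-only check that tells apart the three situations discussed above (Secure Boot off in firmware, Secure Boot on but validation disabled in shim, and full enforcement) before and after running `mokutil --enable-validation`. It assumes a Linux system with efivarfs mounted at `/sys/firmware/efi/efivars`; the variable names `SecureBoot` and `MokSBStateRT` and their GUIDs are not mentioned in the report, and the state labels the script prints are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): classify Secure Boot state
# by reading two UEFI variables through efivarfs. Read-only.

# Standard UEFI global variable: 1 = firmware Secure Boot enabled.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# shim's runtime mirror of MokSBState: 1 = validation disabled in shim.
MOK_VAR="MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23"

# efivarfs files begin with a 4-byte attribute word; the value follows.
# Print the first value byte as a decimal number, or fail if unreadable.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Print one of: unknown, firmware-secure-boot-off,
# shim-validation-disabled, enforcing (labels chosen for this example).
shim_sb_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efivar_byte "$dir/$SB_VAR") || sb=""
    case "$sb" in
        1) ;;                                    # firmware enforces; check shim next
        0) echo "firmware-secure-boot-off"; return 0 ;;
        *) echo "unknown"; return 0 ;;           # not UEFI, or variable unreadable
    esac
    # A missing MokSBStateRT means shim validation was never disabled.
    mok=$(efivar_byte "$dir/$MOK_VAR") || mok=0
    if [ "$mok" = "1" ]; then
        # The state in which shim shows "Booting in insecure mode".
        echo "shim-validation-disabled"
    else
        echo "enforcing"
    fi
}

shim_sb_state
```

`mokutil --sb-state` reports the same information on systems where mokutil is installed.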

Mathieu Trudel-Lapierre (cyphermox) wrote :

Broadsworde, did the solution proposed by Steve help you?

As mentioned, enabling validation would make any third-party drivers fail to load, rendering any part of your system that depends on them unavailable.

I'm setting this bug as Incomplete so that we will see whether there is a response from you, and otherwise the bug will expire by itself after 60 days without any change.

Changed in shim (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for shim (Ubuntu) because there has been no activity for 60 days.]

Changed in shim (Ubuntu):
status: Incomplete → Expired