Shim now reports "booting in insecure mode" regardless of BIOS setting
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
shim (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
I just installed a nice fresh Ubuntu 16.04 on my Samsung Series 5 Laptop, and noted the new option in the install screens that required a password to disable secure mode booting - I unsuspectingly choose that option, as I wanted to install the 3rd party support options. So then on reboot it takes me through my new secure boot password (random letters) and hey presto I'm now booting insecurely... and get this 2 to 3 second message telling me so (slowing down the boot process). Further research showed me that all the OS needs is for Secure Booting to be turned off in BIOS, so, erm... why didn't they just get the user to do that ahead of time, or at least give a fulsome explanation for those who need to dual-boot.
Anyway, my question: Now that I have this "Booting in insecure mode" message in my boot process, how do I get rid of it. I have of course tried reinstalling a number of times with Secure Boot in BIOS on and off.
I have subsequently found out this is a SHIM issue, which is why I'm posting this bug.
Your assistance would be very much appreciated.
> I unsuspectingly choose that option, as I wanted to install the
> 3rd party support options.
If you were presented with this option, it was because you had already selected to install third-party drivers that would require disabling Secure Boot.
> Further research showed me that all the OS needs is for Secure Booting
> to be turned off in BIOS, so, erm... why didn't they just get the user to do
> that ahead of time
Because there is no consistent user interface for disabling Secure Boot in the firmware, making this impossible to provide clear directions for all users to follow.
> Anyway, my question: Now that I have this "Booting in insecure mode" message
> in my boot process, how do I get rid of it. I have of course tried reinstalling a
> number of times with Secure Boot in BIOS on and off.
If you want to re-enable SecureBoot validation within shim, you can do so by running this command, then rebooting to confirm the change:
sudo mokutil --enable-validation
However, doing so will render any third-party kernel drivers (e.g., nvidia video drivers) inoperable on your system which may result in a degraded experience.