Secure Boot initialization UI needs improvements

Bug #1826026 reported by Tom Reynolds
This bug affects 2 people
Affects: ubiquity (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Over the past days, questions about Secure Boot initialization have come up repeatedly on IRC.

This is what this screen looks like on 16.04 (I don't have an 18.04 or 19.04 screen available, but the users' questions seem to suggest it still looks similar):

https://i.stack.imgur.com/cCTiK.png

Two questions were asked primarily:
* Is this the same password I need to (enter BIOS / log in to Ubuntu)?
* Do I need to remember this password?

While there is a "Learn more..." link there which probably leads to more information about how the password is used (unfortunately I do not know what this brings up), I believe this screen creates a serious issue for those users who decide to initialize Secure Boot by setting a password. Many will not keep the passphrase they enter there; they will try to remember it but forget it, since (except for the next boot) they are not prompted to enter it again until they forget.

In my opinion, this screen should at least say something like "this password is saved into your firmware and you must store it in a secure place where you will find it years from now". You may want to go as far as recommending to print or write it on paper and store that securely.

Years ago, few wanted to use Secure Boot, but things are changing, and not ensuring that users know what password they wrote to their firmware equates to breaking part of its functionality. (Having users set a password without ensuring their good understanding of what it will be used for also violates secure software UX engineering principles.)

It should also be encouraged to type in a passphrase rather than a password at this point.

Tom Reynolds (tomreyn)
description: updated
Seth Arnold (seth-arnold) wrote :

I also suggest that the consequences of *not* knowing this password are described somewhere. I saw this screen, put in a password, and eventually hit 'cancel', but mmx64.efi was loaded on next boot anyway. I don't know if I can remember the password I put in here and don't know if I might need to destroy a filesystem in the future.

Thanks

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubiquity (Ubuntu):
status: New → Confirmed
Erich Eickmeyer (eeickmeyer) wrote :

There is a lot of ambiguity as to what this password actually does. In my experience, it simply sets the MOK key password for the MOK key installation on the next reboot. That said, Ubiquity does not expressly state exactly what this password does, so some clarification on this is definitely essential.
