[Bug 1809274] [NEW] Secure boot MOK password requested for every kernel update even when booting in insecure mode

spm2011 Thu, 20 Dec 2018 08:21:15 -0800

Public bug reported:

To reproduce:
 - Disable kernel secure boot (booting in insecure mode). System secure boot 
still enabled
 - Update kernel with update-manager


On every kernel update, a dialog appears asking me to enter a MOK secure boot 
password for temporarily disabling secure boot.
See screenshot

When I reboot, the MOK config screen appears, but I can just ignore it and it 
boots fine, since secure boot is already disabled in the kernel.
Which makes me wonder why it even needs to ask me to enter a secure boot 
password every time I update the kernel.

Expected: only ask for a secure boot password on update if it actually
needs to disable kernel secure boot, and kernel secure boot is not
already disabled.

Note that the output of mokutil --sb-state
SecureBoot enabled

However, kernel secure boot is disabled and the system GRUB bootloader
prints a message "Booting in insecure mode" on startup

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-headers-generic 4.15.0.43.45
ProcVersionSignature: User Name 4.15.0-42.45-generic 4.15.18
Uname: Linux 4.15.0-42-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
AudioDevicesInUse:
 USER        PID ACCESS COMMAND
 /dev/snd/controlC1:  ubuntu     1672 F.... pulseaudio
 /dev/snd/controlC0:  ubuntu     1672 F.... pulseaudio
CurrentDesktop: ubuntu:GNOME
Date: Thu Dec 20 10:49:48 2018
EcryptfsInUse: Yes
HibernationDevice: RESUME=none
InstallationDate: Installed on 2018-09-12 (98 days ago)
InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
MachineType: Dell Inc. Latitude 3340
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-42-generic 
root=UUID=1c6a1916-ac97-4bdf-8f15-14d986e621a2 ro
RelatedPackageVersions:
 linux-restricted-modules-4.15.0-42-generic N/A
 linux-backports-modules-4.15.0-42-generic  N/A
 linux-firmware                             1.173.2
SourcePackage: linux
UpgradeStatus: Upgraded to bionic on 2018-09-28 (82 days ago)
dmi.bios.date: 07/09/2018
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A17
dmi.board.vendor: Dell Inc.
dmi.chassis.type: 9
dmi.chassis.vendor: Dell Inc.
dmi.modalias: 
dmi:bvnDellInc.:bvrA17:bd07/09/2018:svnDellInc.:pnLatitude3340:pvr00:rvnDellInc.:rn:rvr:cvnDellInc.:ct9:cvr:
dmi.product.name: Latitude 3340
dmi.product.version: 00
dmi.sys.vendor: Dell Inc.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: mokutil (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: update-manager (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug bionic

** Attachment added: "secure_boot_ask.png"
   
https://bugs.launchpad.net/bugs/1809274/+attachment/5223816/+files/secure_boot_ask.png

** Attachment removed: "WifiSyslog.txt"
   
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223831/+files/WifiSyslog.txt

** Attachment removed: "AlsaInfo.txt"
   
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223817/+files/AlsaInfo.txt

** Attachment removed: "CRDA.txt"
   
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223818/+files/CRDA.txt

** Attachment removed: "ProcCpuinfo.txt"
   
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223824/+files/ProcCpuinfo.txt

** Attachment removed: "Lspci.txt"
   
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223822/+files/Lspci.txt

** Attachment removed: "Lsusb.txt"
   
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223823/+files/Lsusb.txt

** Attachment removed: "IwConfig.txt"
   
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223821/+files/IwConfig.txt

** Attachment removed: "CurrentDmesg.txt"
   
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223819/+files/CurrentDmesg.txt

** Attachment removed: "UdevDb.txt"
   
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223830/+files/UdevDb.txt

** Attachment removed: "RfKill.txt"
   
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223829/+files/RfKill.txt

** Attachment removed: "PulseList.txt"
   
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223828/+files/PulseList.txt

** Also affects: mokutil (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: update-manager (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1809274

Title:
  Secure boot MOK password requested for every kernel update even when
  booting in insecure mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1809274] [NEW] Secure boot MOK password requested for every kernel update even when booting in insecure mode

Reply via email to