[Bug 1809274] [NEW] Secure boot MOK password requested for every kernel update even when booting in insecure mode

spm2011 1809274 at bugs.launchpad.net
Thu Dec 20 16:03:25 UTC 2018 

Public bug reported:

To reproduce:
 - Disable kernel secure boot (booting in insecure mode). System secure boot still enabled
 - Update kernel with update-manager

On every kernel update, a dialog appears asking me to enter a MOK secure boot password for temporarily disabling secure boot.
See screenshot

When I reboot, the MOK config screen appears, but I can just ignore it and it boots fine, since secure boot is already disabled in the kernel.
Which makes me wonder why it even needs to ask me to enter a secure boot password every time I update the kernel.

Expected: only ask for a secure boot password on update if it actually
needs to disable kernel secure boot, and kernel secure boot is not
already disabled.

Note that the output of mokutil --sb-state
SecureBoot enabled

However, kernel secure boot is disabled and the system GRUB bootloader
prints a message "Booting in insecure mode" on startup

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-headers-generic 4.15.0.43.45
ProcVersionSignature: User Name 4.15.0-42.45-generic 4.15.18
Uname: Linux 4.15.0-42-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
AudioDevicesInUse:
 USER        PID ACCESS COMMAND
 /dev/snd/controlC1:  ubuntu     1672 F.... pulseaudio
 /dev/snd/controlC0:  ubuntu     1672 F.... pulseaudio
CurrentDesktop: ubuntu:GNOME
Date: Thu Dec 20 10:49:48 2018
EcryptfsInUse: Yes
HibernationDevice: RESUME=none
InstallationDate: Installed on 2018-09-12 (98 days ago)
InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
MachineType: Dell Inc. Latitude 3340
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-42-generic root=UUID=1c6a1916-ac97-4bdf-8f15-14d986e621a2 ro
RelatedPackageVersions:
 linux-restricted-modules-4.15.0-42-generic N/A
 linux-backports-modules-4.15.0-42-generic  N/A
 linux-firmware                             1.173.2
SourcePackage: linux
UpgradeStatus: Upgraded to bionic on 2018-09-28 (82 days ago)
dmi.bios.date: 07/09/2018
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A17
dmi.board.vendor: Dell Inc.
dmi.chassis.type: 9
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvrA17:bd07/09/2018:svnDellInc.:pnLatitude3340:pvr00:rvnDellInc.:rn:rvr:cvnDellInc.:ct9:cvr:
dmi.product.name: Latitude 3340
dmi.product.version: 00
dmi.sys.vendor: Dell Inc.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: mokutil (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: update-manager (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug bionic

** Attachment added: "secure_boot_ask.png"
   https://bugs.launchpad.net/bugs/1809274/+attachment/5223816/+files/secure_boot_ask.png

** Attachment removed: "WifiSyslog.txt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223831/+files/WifiSyslog.txt

** Attachment removed: "AlsaInfo.txt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223817/+files/AlsaInfo.txt

** Attachment removed: "CRDA.txt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223818/+files/CRDA.txt

** Attachment removed: "ProcCpuinfo.txt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223824/+files/ProcCpuinfo.txt

** Attachment removed: "Lspci.txt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223822/+files/Lspci.txt

** Attachment removed: "Lsusb.txt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223823/+files/Lsusb.txt

** Attachment removed: "IwConfig.txt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223821/+files/IwConfig.txt

** Attachment removed: "CurrentDmesg.txt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223819/+files/CurrentDmesg.txt

** Attachment removed: "UdevDb.txt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223830/+files/UdevDb.txt

** Attachment removed: "RfKill.txt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223829/+files/RfKill.txt

** Attachment removed: "PulseList.txt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+attachment/5223828/+files/PulseList.txt

** Also affects: mokutil (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: update-manager (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to mokutil in Ubuntu.
Matching subscriptions: mokutil-bugs
https://bugs.launchpad.net/bugs/1809274

Title:
  Secure boot MOK password requested for every kernel update even when
  booting in insecure mode

Status in linux package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  New
Status in update-manager package in Ubuntu:
  New

Bug description:
  To reproduce:
   - Disable kernel secure boot (booting in insecure mode). System secure boot still enabled
   - Update kernel with update-manager

  On every kernel update, a dialog appears asking me to enter a MOK secure boot password for temporarily disabling secure boot.
  See screenshot

  When I reboot, the MOK config screen appears, but I can just ignore it and it boots fine, since secure boot is already disabled in the kernel.
  Which makes me wonder why it even needs to ask me to enter a secure boot password every time I update the kernel.

  Expected: only ask for a secure boot password on update if it actually
  needs to disable kernel secure boot, and kernel secure boot is not
  already disabled.

  Note that the output of mokutil --sb-state
  SecureBoot enabled

  However, kernel secure boot is disabled and the system GRUB bootloader
  prints a message "Booting in insecure mode" on startup

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-headers-generic 4.15.0.43.45
  ProcVersionSignature: User Name 4.15.0-42.45-generic 4.15.18
  Uname: Linux 4.15.0-42-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC1:  ubuntu     1672 F.... pulseaudio
   /dev/snd/controlC0:  ubuntu     1672 F.... pulseaudio
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Dec 20 10:49:48 2018
  EcryptfsInUse: Yes
  HibernationDevice: RESUME=none
  InstallationDate: Installed on 2018-09-12 (98 days ago)
  InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
  MachineType: Dell Inc. Latitude 3340
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-42-generic root=UUID=1c6a1916-ac97-4bdf-8f15-14d986e621a2 ro
  RelatedPackageVersions:
   linux-restricted-modules-4.15.0-42-generic N/A
   linux-backports-modules-4.15.0-42-generic  N/A
   linux-firmware                             1.173.2
  SourcePackage: linux
  UpgradeStatus: Upgraded to bionic on 2018-09-28 (82 days ago)
  dmi.bios.date: 07/09/2018
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: A17
  dmi.board.vendor: Dell Inc.
  dmi.chassis.type: 9
  dmi.chassis.vendor: Dell Inc.
  dmi.modalias: dmi:bvnDellInc.:bvrA17:bd07/09/2018:svnDellInc.:pnLatitude3340:pvr00:rvnDellInc.:rn:rvr:cvnDellInc.:ct9:cvr:
  dmi.product.name: Latitude 3340
  dmi.product.version: 00
  dmi.sys.vendor: Dell Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1809274/+subscriptions

More information about the foundations-bugs mailing list