Ubuntu – Can’t boot Ubuntu 18.04.2 LTS or its LiveUSB after enrolling MOK

Tags: secure-boot, tpm, uefi

I'm unable to boot Ubuntu 18.04.2 LTS or its Live USB after enrolling MOK. Here are the steps that led to this situation.

  1. Clean install of Ubuntu 18.04.2 LTS on Dell Precision T7910 workstation. No other OS installed on this machine.
  2. The OS installed using a UEFI LiveUSB. Secure Boot ON.
  3. Installed nvidia-430 proprietary driver for an Nvidia Titan-X graphics card. Installation prompted me for a password to enroll with MOK. When rebooting, MOK Management screen asked for the password to enroll the key. I successfully enrolled the key. I've rebooted the system several times since. Everything worked fine.
  4. Had a motherboard failure. Replaced with a new motherboard. System booted fine after resetting the Dell Service Tag. Rebooted a couple of times with Secure Boot ON. No problems.
  5. Replaced the Nvidia graphics card with an AMD card. Default driver in Ubuntu worked fine. But I wanted to use the latest driver. Downloaded the driver from AMD website. Installation prompted me to set a password to enroll the key with MOK. Rebooted the machine. Enrolled the key with MOK using the same password. Upon rebooting, I'm now faced with the following error, after which the machine shuts off.

    Unable to trigger tcg2 final events table: Invalid Parameter
    Something has gone seriously wrong: import_mok_state() failed
    : Invalid Parameter

Booting from Ubuntu's LiveUSB installer shows the same error message followed by machine shutdown. I get this error message regardless of whether Secure Boot is set to ON or OFF.

I can successfully boot the LiveUSB in legacy mode. But then I can't use the efibootmgr utility (see the 2nd answer here) to fix the loaders in the EFI partition. In order to use the efibootmgr utility, I need to boot in UEFI mode. But attempting to boot Ubuntu Live USB in UEFI mode results in the error message above and system shutdown.

I found another related thread here. However, since I can't boot from the LiveUSB in UEFI mode, I can't perform any EFI operations.

I was able to boot SystemRescueCd with Secure Boot ON. I deleted all partitions on the boot disk. Tried to reinstall Ubuntu from LiveUSB but was faced with the same error message. I successfully installed Windows 10, which booted fine in secure mode. Next, I deleted all partitions again and decided to take a closer look at all the BIOS settings.

Turned on TPM. And now I can boot from the LiveUSB in Secure Boot mode. But if I turn off TPM, it reverts to the earlier error message. With TPM on, I reinstalled the OS from the LiveUSB. Chose to install additional video drivers, which asked me to set a password for enrolling keys with MOK. Upon reboot, MOK Manager showed up and asked me for the password to enroll keys. I complied and now I can boot Ubuntu from the boot disk (as long as TPM is set to ON).

Questions:

  1. Why does TPM need to be ON for secure boot to work fine? It wasn't ON the first time I installed Ubuntu and secure boot was working fine.
  2. Now that I am able to secure boot to the OS, are there things I could do to make secure boot work without TPM?

Best Answer

After a lot of searching, I found the following here:

The UEFI contains a database of registered trusted authorities. Users can add their own trusted authorities to this database in order to enable the loading of non-Microsoft operating systems.

This is where Trusted Platform Modules (TPMs) are used. TPMs can be used to store keys, or perform encryption/signing/verification routines. The TPM combined with the UEFI is what allows for the verification of the boot loader, and the loading of an operating system.

So it appears that proprietary Nvidia and AMD display drivers want to store their keys in the TPM.

TPM has two mode settings that are confusing - Active and Enabled. They mean different things. Active shows up as "TPM on" checkbox on my Dell Precision workstation. In this state, some functions of TPM are available. These include key storage and lookup. "Enabled" means that the TPM is fully functional; it can be used for things such as encrypting disks. This explains why TPM must be "on" or "active" for Ubuntu to boot (especially with proprietary display drivers) but it's not necessary to "enable" the TPM for Secure Boot.

With this understanding, I then used this article to remove old and unnecessary keys.
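The "database of trusted authorities" the answer refers to, and the MOK list that shim's import_mok_state() loads, are both stored as UEFI EFI_SIGNATURE_LIST structures. The following parser is an added example for this thread; it is not code from the question, the answer, or the shim/mokutil projects. It walks a variable payload, validates the size fields, and prints one line per enrolled entry (certificate fingerprint or raw SHA-256 hash), which is what you would want to check before deciding which keys are "old and unnecessary". The sample blob is constructed in the script, so it runs offline; the MokListRT variable path is the real efivarfs name shim uses, but reading it on a live system needs efivarfs mounted and root privileges.

```python
"""Parse the EFI_SIGNATURE_LIST structures that make up Secure Boot key
databases such as db, dbx and shim's MokList, and summarise the entries.

Added example for this thread; not code from the question, the answer,
or the shim/mokutil projects.  The sample blob below is constructed,
not read from a real machine."""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# shim mirrors the enrolled MOK list into this runtime variable; reading it
# on a live system needs efivarfs mounted and root privileges.
MOKLIST_RT_PATH = "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"

HEADER_FMT = "<16sIII"   # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 28 bytes


def strip_efivarfs_attributes(raw):
    """efivarfs prefixes every variable with a 4-byte attribute word; drop it."""
    if len(raw) < 4:
        raise ValueError("efivarfs record too short")
    return raw[4:]


def parse_signature_lists(blob):
    """Return [(type_name, owner_guid, data)] for every signature in blob.

    Walks consecutive EFI_SIGNATURE_LIST structures and validates the size
    fields so a truncated or corrupted variable raises instead of being
    silently misread."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated list header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("inconsistent SignatureListSize at offset %d" % off)
        if sig_size <= 16:   # each signature starts with a 16-byte SignatureOwner GUID
            raise ValueError("SignatureSize too small at offset %d" % off)
        body = blob[off + HEADER_LEN + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array not a multiple of SignatureSize at offset %d" % off)
        type_name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((type_name, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def summarize(blob):
    """One human-readable line per entry: type, owner GUID and a fingerprint."""
    lines = []
    for type_name, owner, data in parse_signature_lists(blob):
        if type_name == "sha256":
            fp = data.hex()                          # the entry itself is the hash
        else:
            fp = hashlib.sha256(data).hexdigest()    # fingerprint of the DER certificate
        lines.append("%-6s owner=%s %s" % (type_name, owner, fp))
    return lines


def build_signature_list(sig_type, owner, datas):
    """Construct one EFI_SIGNATURE_LIST (used here only to make sample input)."""
    if any(len(d) != len(datas[0]) for d in datas):
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + len(datas[0])
    header = struct.pack(HEADER_FMT, sig_type.bytes_le,
                         HEADER_LEN + sig_size * len(datas), 0, sig_size)
    return header + b"".join(owner.bytes_le + d for d in datas)


# Constructed sample: one fake "certificate" (not real DER) and two hash entries.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # made-up owner GUID
FAKE_DER = b"\x30\x82" + bytes(range(40))
HASH_A = bytes([0xAA]) * 32
HASH_B = bytes([0xBB]) * 32
SAMPLE_BLOB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_DER])
               + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [HASH_A, HASH_B]))

if __name__ == "__main__":
    for line in summarize(SAMPLE_BLOB):
        print(line)
```

On a real machine the same functions apply to the db and dbx variables (GUID d719b2cb-3d3a-4596-a3bc-dad00e67656f) as well as to MokListRT; compare the printed fingerprints against the certificates shipped with the driver packages you actually intend to trust.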
