Ubuntu – Is re-enabling Secure Boot in UEFI secure

16.04bootgrub2secure-bootuefi

A while ago, I had to disable Secure Boot in UEFI in order to install a third-party driver.

Now that this third-party driver isn't required anymore (due to kernel updates), I have uninstalled it.

Having removed that unsigned driver, I thought it might be a good idea now to enable Secure Boot again. Is it? Or could malware have caused damage in the meantime, e.g. adding new Secure Boot keys, so that Secure Boot is not "secure" anymore after it has been disabled once?

Best Answer

Yes, you can safely re-enable Secure Boot. It is very unlikely that something has been damaged.
Afterwards change the default boot loader from grubx64.efi to shimx64.efi in BIOS | UEFI.
Otherwise Ubuntu tries to boot with the unsigned boot loader - which of course does not work.
Alternatively you can do it before changing the Secure Boot settings with built-in efibootmgr:

To list the currently active boot loader files - execute this command : sudo efibootmgr -v
Change the boot order by running sudo efibootmgr -o XXXX,YYYY (X,Y = entry number)
In case shimx64.efi is not listed, you can add it by executing (X = disk | Y = EFI partition) :
sudo efibootmgr -c -w -d /dev/sdXY -p 1 -L "ubuntu" -l '\EFI\ubuntu\shimx64.efi

Related Solutions

Ubuntu – How to understand Ubuntu UEFI Secure Boot install

Probably start here: help.ubuntu.com/community/UEFI

UEFI (~EFI) is a firmware interface that is widespread on recent computers, especially those more recent than 2010. It is intended to replace the traditional BIOS firmware interface that is prevalent on earlier machines. This page provides information about installing and booting Ubuntu using EFI, as well as about switching between EFI mode and legacy BIOS mode using Ubuntu.

UPDATE:

Ubuntu 12.10 is intended to be able to be used with Secure Boot.

Softpedia (Sep-2012) >> Canonical Unveils Plans for Ubuntu 12.10 Secure Boot

Canonical, through Jon Melamut, announced on September 20th that they will plan to implement support for Secure Boot in the upcoming Ubuntu 12.10 (Quantal Quetzal) operating system.

Therefore, after a discussion with Free Software Foundation, Canonical decided to drop the EFILinux bootloader implementation in favor of the GRUB2 bootloader one, signed with their own keys. ..

Muktware (Oct-2012) >> SecureBoot In Ubuntu 12.10

Ubuntu 12.10 is the first distro that supports the Secure Boot architecture by default. Canonical developers have spent a huge amount of time making sure that Ubuntu runs fine and without problems in all hardware. Steve Langasek, an Ubuntu developer has put forward a nice account in his blog, regarding how they are making Secure Boot supported.

closes with ..

Langasek says that they will backport the secure boot mechanism to Ubuntu 12.04 release as well, so that the LTS version can be installed in Secure Boot devices. So the next major service pack of Ubuntu Precise (12.04.2) will include support for SecureBoot.

Ubuntu – Could not load ‘vboxdrv’ after upgrade to Ubuntu 16.04 (and I want to keep secure boot)

Since kernel version 4.4.0-20, it was enforced that unsigned kernel modules will not be allowed to run with Secure Boot enabled. Because you want to keep Secure Boot, then the next logical step is to sign those modules.

So let's try it.

Create signing keys
```
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive common name/"
```
Option: for additional security, skip the -nodes switch, which will ask for a password. Then before moving on to the next step, make sure to export KBUILD_SIGN_PIN='yourpassword'
Sign the module (vboxdrv for this example, but repeat for other modules in ls $(dirname $(modinfo -n vboxdrv))/vbox*.ko) for full functionality)
```
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
```

Confirm the module is signed

tail $(modinfo -n vboxdrv) | grep "Module signature appended"

Register the keys to Secure Boot
```
sudo mokutil --import MOK.der
```
which will ask for a password to use to confirm the import in the next step.
Reboot and follow instructions to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.
Confirm the key is enrolled
```
mokutil --test-key MOK.der
```

If VirtualBox still does not load, it may be because the module didn't load (sudo modprobe vboxdrv will fix that) or that the key is not signed. Simply repeat that step and everything should work fine.

Resources: Detailed website article for Fedora and Ubuntu implementation of module signing. @zwets for additional security. @shasha_trn for mentioning all the modules.

Additional resource: I created a bash script for my own use every time virtualbox-dkms upgrades and thus overwrites the signed modules. Check out my vboxsign originally on GitHub.

Best Answer

Related Solutions

Ubuntu – How to understand Ubuntu UEFI Secure Boot install

Ubuntu – Could not load ‘vboxdrv’ after upgrade to Ubuntu 16.04 (and I want to keep secure boot)

Related Question