Ubuntu – Is secure boot properly enabled on ubuntu 16.10


I know Ubuntu used to ship with secure boot support but only for compatibility.

Canonical's Secure Boot implementation in Ubuntu 15.10 and early is primarily about hardware-enablement and this page focuses on how to test Secure Boot for common hardware-enablement configurations, not for enabling Secure Boot to harden your system. If you want to use Secure Boot as a security mechanism, an appropriate solution would be to use your own keys (optionally enrolling additional keys, see above) and update the bootloader to prohibit booting an unsigned kernel. Ubuntu 16.04 LTS is planned to enable enforcing secure boot (see LP: #1401532 for details).

I was wondering if this is still the case as of Ubuntu 16.10 since the documentation isn't updated.

Also, if one where to replace the grub bootloader with the old signed bootloader that doesn't enforce signed kernel images etc. Wouldn't that still work? has it been revoked somehow? see this

Best Answer

Install mokutil ( It is pre-installed on newer Ubuntu releases)

sudo apt-get install mokutil

mokutil is a tool that lets you add and/or remove machine owners keys ( MOK ).

Check if secure boot is enabled

mokutil --sb-state

Note :

For a normal user keeping secure boot disabled is the best option. Having it enabled creates problems with nvidia and broadcom proprietary drivers.

If you really want to enable secure boot to prevent booting of unsigned kernel read the following articles. Do note that I have never signed to boot image myself. Following instructions may or may not work.

  1. http://www.rodsbooks.com/efi-bootloaders/secureboot.html
  2. http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
Related Question