Ubuntu – Is secure boot properly enabled on ubuntu 16.10

16.10bootsecure-bootSecurity

I know Ubuntu used to ship with secure boot support but only for compatibility.

Canonical's Secure Boot implementation in Ubuntu 15.10 and early is primarily about hardware-enablement and this page focuses on how to test Secure Boot for common hardware-enablement configurations, not for enabling Secure Boot to harden your system. If you want to use Secure Boot as a security mechanism, an appropriate solution would be to use your own keys (optionally enrolling additional keys, see above) and update the bootloader to prohibit booting an unsigned kernel. Ubuntu 16.04 LTS is planned to enable enforcing secure boot (see LP: #1401532 for details).

I was wondering if this is still the case as of Ubuntu 16.10 since the documentation isn't updated.

Also, if one where to replace the grub bootloader with the old signed bootloader that doesn't enforce signed kernel images etc. Wouldn't that still work? has it been revoked somehow? see this

Best Answer

Install mokutil ( It is pre-installed on newer Ubuntu releases)

sudo apt-get install mokutil

mokutil is a tool that lets you add and/or remove machine owners keys ( MOK ).

Check if secure boot is enabled

mokutil --sb-state

Note :

For a normal user keeping secure boot disabled is the best option. Having it enabled creates problems with nvidia and broadcom proprietary drivers.

If you really want to enable secure boot to prevent booting of unsigned kernel read the following articles. Do note that I have never signed to boot image myself. Following instructions may or may not work.

Related Solutions

Ubuntu – How to enable Secure Boot without issue

Boot loaders are written for the computer's firmware. This is analogous to software, which is written for a particular OS. Thus, you don't "convert... the bootloader to UEFI"; that would be like "converting the mail client to Windows" or "converting the photo editor to Linux." Instead, you install a new program for the desired environment. In some cases, the new program may have the same name as the old one (as in Thunderbird or GIMP, which are available for both Windows and Linux; or GRUB 2, which is available for both BIOS and EFI). In other cases, there are OS- or firmware-specific programs, such as efibootmgr (a Linux-specific tool) or rEFInd (an EFI-specific boot manager).

If your computer is currently booting in BIOS/CSM/legacy mode, then to boot in EFI mode, you must do several things:

Convert the disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT). This step may not be strictly required, but some EFIs can be fussy, and using MBR may require installing your boot loader to the fallback filename (EFI/BOOT/bootx64.efi), which most tools won't do by default. Thus, an MBR-to-GPT conversion is desirable. This can be done fairly painlessly with my gdisk program (which is installed in Ubuntu by default), as described here.
Create an EFI System Partition (ESP). This is a partition where EFI boot loaders reside. It has no exact equivalent in BIOS. You'll probably have to use GParted to resize at least one partition to make room for the ESP. I recommend making it 550MiB in size. Although an ESP is usually the first or second partition on a disk, the realities of partition resizing mean that it may work better to make it the last partition on the disk if you're converting from BIOS/MBR to EFI/GPT.
Install an EFI boot loader. GRUB 2 is the traditional boot loader, and it can be installed fairly automatically by booting an Ubuntu live CD in EFI mode and running Boot Repair. Boot Repair should also set things up to work with Secure Boot. Most other boot loaders will require jumping through some extra hoops to work with Secure Boot, although sometimes this isn't too bad -- if it detects Shim (the most common Linux tool for supporting Secure Boot), my own rEFInd will set itself up to use Secure Boot.
Reboot and hope it all works. Any number of things can go wrong with all this. If you have problems, your best bet is to search here and elsewhere for a solution, and if you don't find one, post a new question here or on some other forum.

Note that in a Linux installation, the only truly critical software difference between a BIOS-mode and an EFI-mode installation is the boot loader. Thus, switching from BIOS-mode to EFI-mode booting doesn't require additional software changes. (In practice, installing an EFI-mode GRUB is likely to pull in some other related packages, like efibootmgr. These are indeed helpful, but not critical for booting.) There are no changes to the kernel, C libraries, shells, GUI, or other core tools required under EFI compared to BIOS. As I've written above, partitioning will need to be adjusted, but that doesn't require any software changes. Secure Boot requires Shim, PreLoader, or special custom setups; and depending on the boot loader, a signed kernel may be required.

As you might gather from this, Ubuntu should work fine with Secure Boot. (There are occasional exceptions because of finicky EFIs, though. Also, using Secure Boot makes it easier to misconfigure something so that it breaks.) When doing a fresh install with Secure Boot active, it should all be pretty transparent. When you do a conversion from an existing BIOS-mode installation, you're more likely to run into problems, since conversion tools don't really exist (unless you count Boot Repair, which does only part of the job). Thus, you'll end up doing more manually, which means there's more room to miss a step or make a mistake.

For more information on Linux and Secure Boot, read my main Web page on the subject, which covers basic principles and typical configurations. If you want to go really hard-core with a custom Secure Boot configuration, read my page on taking complete control of Secure Boot. This describes how to configure the system to boot with Secure Boot active but without Shim or PreLoader, and in a way that enables you to lock Microsoft tools out, if you so desire.

Ubuntu – How to install nvidia driver with secure boot enabled

Try this:

- Step 1: Download latest driver from NVIDIA website, https://www.geforce.com/drivers.

- Step 2: Create new pair private key (Nvidia.key) and public key (Nvidia.der) by entering command:

openssl req -new -x509 -newkey rsa:2048 -keyout PATH_TO_PRIVATE_KEY -outform DER -out PATH_TO_PUBLIC_KEY -nodes -days 36500 -subj "/CN=Graphics Drivers"

Example:

openssl req -new -x509 -newkey rsa:2048 -keyout /home/itpropmn07/Nvidia.key -outform DER -out /home/itpropmn07/Nvidia.der -nodes -days 36500 -subj "/CN=Graphics Drivers"

- Step 3: Enroll public key (nvidia.der) to MOK (Machine Owner Key) by entering command:

sudo mokutil --import PATH_TO_PUBLIC_KEY

Example:

sudo mokutil --import /home/itpropmn07/Nvidia.der

--> This command requires you create password for enrolling. Afterwards, reboot your computer, in the next boot, the system will ask you enroll, you enter your password (which you created in this step) to enroll it. Read more: https://sourceware.org/systemtap/wiki/SecureBoot

- Step 4: For the first time install NVidia driver, you need to disable Nouveau kernel driver by entering command:

echo options nouveau modeset=0 | sudo tee -a /etc/modprobe.d/nouveau-kms.conf; sudo update-initramfs -u

--> Reboot.

-Step 5: Install driver by entering command

sudo sh ./XXXXXX.run -s --module-signing-secret-key=PATH_TO_PRIVATE_KEY --module-signing-public-key=PATH_TO_PUBLIC_KEY

where:

XXXXXX: name of file installer (download from NVIDIA).

PATH_TO_PRIVATE_KEY: full path to private key. If you place in home folder, use /home/USER_NAME/ instead of ~

PATH_TO_PUBLIC_KEY: full path to public key. If you place in home folder, use /home/USER_NAME/ instead of ~

Example:

sudo sh ./NVIDIA-Linux-x86_64-390.67.run -s --module-signing-secret-key=/home/itpropmn07/Nvidia.key --module-signing-public-key=/home/itpropmn07/Nvidia.der

--> Done

Best Answer

Note :

Related Solutions

Ubuntu – How to enable Secure Boot without issue

Ubuntu – How to install nvidia driver with secure boot enabled

Related Question