Ubuntu – Unable to disable secure boot with mokutil in 16.04


Problem, new in 16.04:

When I run the command sudo mokutil --disable-validation to disable secure boot validation within Ubuntu, I am asked to type a password twice and then get the message

Failed to request new MokSB state

Google reveals very little about this obscure error message!


I cannot install nvidia drivers as a result – when the system reboots after the driver install I can't log in, and have to bring up a terminal to purge the drivers and reboot. I have never seen the post-boot interface for disabling secure boot (which I expected to see and was asked to set a password for). This sequence of events (no disabling of secure boot and then failed login) happens whether I select to install third party drivers (and "disable secure boot") during Ubuntu installation, or install them from the Additional Drivers menu, or install nvidia-364 from the graphics drivers ppa. (From what I can tell, Ubuntu is actually offering to disable secure boot validation within Ubuntu and leave the motherboard's secure boot setting unchanged – the terminology isn't helpful.)


I have an ASUS Sabertooth Mark 2 desktop with Nvidia GTX 970 that I dual boot with Windows 10 (using the BIOS boot override to choose the OS). Secure boot is enabled in the BIOS and I want to keep it that way for Windows at least. Ubuntu (15.10 and earlier) worked fine as the Shim (and grub?) were signed for secure boot, but no checking was done later in the boot process (when the nvidia drivers come into play). Ubuntu 16.04 newly enables checking throughout the boot process, but it's tripping up when it gets to the nvidia drivers.

Best Answer

while I did have a slightly different problem (my Broadcom Wifi driver wasn't working), the symptoms seem to be the same. I too had to enter a password during installation which was never checked after boot.

I too got the strange error message

Failed to request new MokSB state

after executing mokutil --disable-validation

However: in my case, the problem was I didn't type sudo: sudo mokutil --disable-validation. After that reboot, Shim was starting and I was able to disable secure boot after shim without disabling secure boot in the BIOS (which is necessary for Windows dual boot).

Related Question