Bug 1531961

Summary: Booting in insecure mode reported while secure boot is apparently enabled
Product: [Fedora] Fedora
Reporter: Maxime Ripard <maxime.ripard>
Component: shim-signed
Assignee: Peter Jones <pjones>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: adam, mjg59, pjones
Last Closed: 2018-04-06 18:54:53 UTC
Type: Bug

Description Maxime Ripard 2018-01-06 22:02:59 UTC
Description of problem:

On a Dell XPS13 (9360), the shim displays a message at boot that it is "Booting in insecure mode". The install has been done over the vendor Ubuntu install, using the Fedora 25 installer, and upgraded since. The issue has always been there.

Secure boot is enabled in the UEFI configuration interface.

The kernel indeed reports that it has been booted with secure boot disabled:
$ dmesg | grep Secure
[    0.000000] secureboot: Secure boot disabled

However, mokutil seems to report that secure boot is indeed enabled:
$ mokutil --sb-state
SecureBoot enabled

Version-Release number of selected component (if applicable):
shim-signed-13-0.7.src.rpm

How reproducible:
100%

Steps to Reproduce:
1. Boot the machine, see your Schrödinger's boot :)

Actual results:
Secure boot is disabled

Expected results:
Secure boot is enabled

Let me know if you need anything else, thanks!

Comment 1 Adam Bishop 2018-03-07 13:03:53 UTC
I've just configured an XPS 13 (9370) and had exactly the same thing.

It's rather concerning that something has (effectively silently, to a non-technical user) disabled an important security feature.

Comment 2 Maxime Ripard 2018-04-06 18:54:53 UTC
This has been discussed here:
https://bugzilla.redhat.com/show_bug.cgi?id=1544794

You need to run mokutil --enable-validation (as root), reboot, and it should work.

*** This bug has been marked as a duplicate of bug 1544794 ***
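
The mismatch reported in this bug (firmware says Secure Boot is enabled, shim and the kernel say it is not) can be checked for directly. The following is an added example, not part of the original report or of shim/mokutil: it compares the firmware SecureBoot variable with shim's validation flag. It assumes efivarfs is mounted at /sys/firmware/efi/efivars and that shim mirrors its MokSBState flag to the runtime variable MokSBStateRT; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify the *effective* Secure Boot state on a shim-booted system.
# efivarfs files hold 4 bytes of attributes followed by the variable data,
# so the one-byte value of each variable sits at offset 4.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
# Firmware's own Secure Boot switch (EFI global variable GUID).
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032bfc"
# Assumption: shim's runtime mirror of MokSBState (1 = validation disabled).
MOK_VAR="MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23"

# Print the first data byte of an efivarfs file as a decimal number.
# Prints nothing if the file is missing, unreadable or too short.
efivar_byte() {
    [ -r "$1" ] || return 0
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# Print one of:
#   enforcing                 firmware on, shim validating
#   shim-validation-disabled  firmware on, shim set to skip validation (this bug)
#   firmware-disabled         Secure Boot off in firmware
#   unknown                   SecureBoot variable not readable (e.g. legacy BIOS boot)
sb_effective_state() {
    dir=${1:-$EFIVARS}
    sb=$(efivar_byte "$dir/$SB_VAR")
    mok=$(efivar_byte "$dir/$MOK_VAR")
    if [ -z "$sb" ]; then
        echo unknown
    elif [ "$sb" != 1 ]; then
        echo firmware-disabled
    elif [ "$mok" = 1 ]; then
        echo shim-validation-disabled
    else
        echo enforcing
    fi
}

# Report on the local machine only when asked to.
if [ "${1:-}" = "--report" ]; then
    sb_effective_state
fi
```

A result of shim-validation-disabled corresponds to the state described above, for which comment 2 gives mokutil --enable-validation followed by a reboot.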