Bug 1544794

Summary: Secure Boot not enabled after install Fed 27 on Dell XPS-13 (9370)
Product: [Fedora] Fedora Reporter: Alexander Volovics <volovics>
Component: shimAssignee: Matthew Garrett <mjg59>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 27CC: maxime.ripard, mjg59, pjones, pmenzel+bugzilla.redhat.com
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-13 17:46:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alexander Volovics 2018-02-13 14:15:09 UTC 
Description of problem:

Using a USB stick with Fedora-Workstation-Live-x86_64-27 I installed
Fed 27 on a Dell XPS-13 (9370) notebook with UEFI + Secure Boot enabled.
Booting after install I noticed the following:

- the message "Booting in insecure mode" appeared before Grub menu

- $ dmesg |grep -i secure
[    0.000000] secureboot: Secure boot disabled
[    5.564737] Loaded UEFI:MokListRT cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to secondary sys keyring

After a successful install of Fed 27 I would expect the following:

- the message "EFI Stub: UEFI Secure boot enabled" after the Grub menu

- $ dmesg |grep -i secure
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7
[    1.202177] Loaded UEFI:MokListRT cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to secondary sys keyring
[    4.544900] Bluetooth: hci0: Secure boot is enabled

So it would appear that Secure Boot is not enabled.

I confirmed this with a new install of Fedora-Workstation-Live but now
using the F27-WORK-x86_64-20180204.iso respin from
https://dl.fedoraproject.org/pub/alt/live-respins/
Again: Secure Boot not enabled.



Version-Release number of selected component (if applicable):
shim-x64-13-0.7.x86_64

How reproducible:
allways

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Matthew Garrett 2018-02-13 17:46:00 UTC 
Dell ship their Sputnik systems with a pre-populated MokSB variable that disables Secure Boot, so this is working as intended on the Fedora side.
Comment 2 Maxime Ripard 2018-04-06 18:54:53 UTC 
*** Bug 1531961 has been marked as a duplicate of this bug. ***